Hi!
I want to create a flexible firewall rule – port forwarding – using LuCI.
The rule is for DNS hijacking – I want to redirect all DNS traffic to my DNS servers.
In short – the rule in its current state:
config redirect
option dest 'guest'
option target 'DNAT'
option name 'DNS-over-GUEST'
option src 'guest'
option src_dport '53'
option dest_ip '192.168.2.250'
option src_ip '!192.168.2.250'
192.168.2.250 is my DNS server.
However, I also have a second DNS server on my network, as a backup, with the address 10.0.0.250.
Both servers are distributed on the GUEST interface using DHCP option 6,192.168.2.250,10.0.0.250.
If the device is using DNS at 192.168.2.250, the rule does not apply because the src_ip is !192.168.2.250.
If a device attempts to use a DNS server other than 192.168.2.250, the rule applies and the query is redirected to 192.168.2.250.
If the DNS server at 192.168.2.250 is temporarily down, DHCP option 6 should redirect queries to the DNS server at 10.0.0.250. Unfortunately, the rule in its current form does not allow this. I would need to extend src_ip to include the address !10.0.0.250.
I think I need to use IPSET to do this.
So I created IPSET:
config ipset
option name 'DNS'
option family 'ipv4'
list entry '192.168.2.250'
list entry '10.0.0.250'
list match 'src_ip'
Unfortunately, I don't know how to use LuCI to add a negation for the ipset DNS in the src_ip section of a firewall rule.
Is this even possible? If so, how?
PS. I know that if the DNS server at 192.168.2.250 is down, devices attempting to use their DNS servers will not work because the rule will redirect traffic to the downed DNS server – I'm aware of this.