Need help setting up a firewall config (DNAT?) to forward the requesting IP to the upstream router (DNS related only)

To help understand my query, below is the setup

I want all DNS requests from the devices under the downstream router (highlighted in light blue) to show up in the primary router with the actual IP of the requester. Right now, DNS sees them as 192.168.10.1, which is correct by default, but I want the actual IP of the devices under the downstream router to be logged/shown instead.

I know this has been answered before but I've been looking for a few hours but can't find it. I hope somebody can help me with this.

Have you configured your “downstream” OpenWRT router as a dumb AP? I recommend that setup over what you’re showing here. You can also likely fold VLAN segregation into the mix.

No, this is not what I'm aiming for. The downstream router is a sub-network (it has its own devices and mesh routers connected to it, and it actually has VLANs set up). This is the design/setup I've been using for almost a year now and I don't plan on changing the network topology.

I just want to log the DNS queries from the sub-network with their original IPs and in turn use statistics to monitor the actual usage of each device, including devices in the sub-network.

Still looking for a solution..

I think the solution might be related to setting up DNAT and PREROUTING (or POSTROUTING). I still can't figure out how to make this work, or even if it is possible.

I assume you don't wish to turn off masquerade and have all traffic route?

Then the SRC IP will be seen on the query.

This is one route I'm thinking of but as much as possible (hoping) not to remove masquerading.

Yes, see the actual SRC IP from the subnetwork 192.168.10.x that queries the DNS on 10.0.0.1. Is this even possible? I know I've read this somewhere before but can't seem to find it anymore.

I agree with @lleachii, turning off masquerading on the WAN of your downstream router could do the trick.

For that you also need to set a static route on your primary router e.g.
ip route add 192.168.10.0/24 via 10.0.0.X where 10.0.0.X is the WAN address of the downstream router

Which would translate to:

config route
        option interface 'lan'
        option target '192.168.10.0/24'
        option gateway '10.0.0.X'

This has the added benefit that traffic is quicker going out of the downstream router as you do not have to NAT.

Take note that if you added anything else to the WAN zone, e.g. a VPN, which does need masquerading, you need to make a separate zone for that.


Thanks for the recommendations @egc and @lleachii. I'm considering this as my possible setup but I'm still open for other suggestions.

If I do go this setup, I would also need to add the routes for 192.168.20.x and 192.168.30.x respectively.

I'll play around this setup when almost everybody is asleep.


If masquerading is that important to you, you could keep it but exclude 10.0.0.1 from the process.

#/etc/config/firewall (downstream router)

config zone
        option name 'wan'
        ...
        list masq_dest '!10.0.0.1'

Note that you will still need that static route on the primary router for network 192.168.10.0/24.


Thanks! Didn't know that can be done. I'll also try this. Thanks again!


Thanks to all of your inputs @egc, @lleachii and @pavelgl

So below is my final setup (masquerade is still enabled on the downstream router).

# /etc/config/firewall (downstream router) c/o @pavelgl
# masq stays on; masq_dest exempts all traffic to the primary router (not only DNS) from masquerading

config zone
        option name 'wan'
        ...
        list masq_dest '!10.0.0.1'

# /etc/config/network (upstream/primary router) c/o @egc
# 10.0.0.2 is the downstream router's IP (statically assigned)
# for those configuring via LuCI select "unicast" for the "type"

# route for downstream main IPs
config route
        option interface 'lan'
        option target '192.168.10.0/24'
        option gateway '10.0.0.2'

# route for downstream guest network
config route
        option interface 'lan'
        option target '192.168.20.0/24'
        option gateway '10.0.0.2'

# route for downstream IoT/other devices
config route
        option interface 'lan'
        option target '192.168.30.0/24'
        option gateway '10.0.0.2'

# /etc/config/dhcp (upstream/primary router)
# disable Local Service (enabled by default); otherwise dnsmasq only answers
# hosts on its directly attached subnets and drops queries from 192.168.x.x

config dnsmasq
        ...
        ...
        option localservice '0'
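Added example, not part of the thread and not OpenWrt/fw4 code: a small Python model that walks one DNS query from a host behind the downstream router to dnsmasq on the primary router and traces the reply back, under the three settings in the final setup above (masq with `masq_dest '!10.0.0.1'`, the static routes, and `localservice`). The client address 192.168.10.50, the 8.8.8.8 check and the simplified masq_dest matching are assumptions made for the model; the 10.0.0.1 / 10.0.0.2 / 192.168.x.0/24 values are the ones from the thread.

```python
"""Trace one DNS query from a downstream LAN host to dnsmasq on the primary
router, under the three settings discussed in this thread:
  - 'option masq' plus 'list masq_dest' on the downstream router's wan zone,
  - 'config route' entries for the downstream subnets on the primary router,
  - 'option localservice' of dnsmasq on the primary router.
Constructed model written for this thread; it is not OpenWrt or fw4 code.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

PRIMARY_LAN = ip_network("10.0.0.0/24")
PRIMARY_DNS = ip_address("10.0.0.1")      # dnsmasq on the primary router
DOWNSTREAM_WAN = ip_address("10.0.0.2")   # downstream router's WAN address (from the thread)
DOWNSTREAM_NETS = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]
INTERNET_HOST = ip_address("8.8.8.8")     # assumed: any address outside 10.0.0.0/24


@dataclass
class DownstreamRouter:
    """The wan zone of the downstream router: 'option masq' and 'list masq_dest' entries."""
    wan_ip: IPv4Address
    masq: bool = True
    masq_dest: list = field(default_factory=list)  # e.g. ['!10.0.0.1']; a leading '!' negates

    def masquerades(self, dst: IPv4Address) -> bool:
        """Is the source of a packet to dst rewritten to wan_ip?
        Simplified masq_dest semantics (assumption): positive entries restrict
        masquerading to those destinations, negated entries exempt them."""
        if not self.masq:
            return False
        positive = [ip_network(e) for e in self.masq_dest if not e.startswith("!")]
        negated = [ip_network(e[1:]) for e in self.masq_dest if e.startswith("!")]
        if positive and not any(dst in n for n in positive):
            return False
        if any(dst in n for n in negated):
            return False
        return True


@dataclass
class PrimaryRouter:
    """Routing table and dnsmasq local-service setting of the primary router."""
    lan: IPv4Network
    routes: dict = field(default_factory=dict)  # 'config route' target -> gateway
    localservice: bool = True                   # dnsmasq default: option localservice '1'

    def dns_accepts(self, src: IPv4Address) -> bool:
        """With local-service, dnsmasq only answers hosts on a directly attached subnet."""
        return (src in self.lan) or not self.localservice

    def next_hop(self, dst: IPv4Address):
        """Longest-prefix route lookup; None means the reply has no way back."""
        if dst in self.lan:
            return dst
        for net in sorted(self.routes, key=lambda n: n.prefixlen, reverse=True):
            if dst in net:
                return self.routes[net]
        return None


def trace_dns_query(client: IPv4Address, down: DownstreamRouter, up: PrimaryRouter) -> dict:
    """Walk client -> 10.0.0.1:53 and the reply back; return what each side observes."""
    seen_src = down.wan_ip if down.masquerades(PRIMARY_DNS) else client  # what dnsmasq logs
    answered = up.dns_accepts(seen_src)
    reply_hop = up.next_hop(seen_src)                                    # where the reply goes
    return {
        "logged_src": str(seen_src),
        "answered": answered,
        "reply_next_hop": None if reply_hop is None else str(reply_hop),
        "works": answered and reply_hop is not None,
        "internet_still_masqueraded": down.masquerades(INTERNET_HOST),
    }


def scenarios(client: str = "192.168.10.50") -> dict:
    """The three states from the thread: stock, masq_dest alone, and the final setup."""
    c = ip_address(client)
    routes = {ip_network(n): DOWNSTREAM_WAN for n in DOWNSTREAM_NETS}
    excluded = ["!10.0.0.1"]
    return {
        "stock": trace_dns_query(
            c, DownstreamRouter(DOWNSTREAM_WAN), PrimaryRouter(PRIMARY_LAN)),
        "masq_dest_only": trace_dns_query(
            c, DownstreamRouter(DOWNSTREAM_WAN, masq_dest=excluded), PrimaryRouter(PRIMARY_LAN)),
        "final": trace_dns_query(
            c, DownstreamRouter(DOWNSTREAM_WAN, masq_dest=excluded),
            PrimaryRouter(PRIMARY_LAN, routes=routes, localservice=False)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:15} {result}")
```

The "masq_dest_only" scenario is the state to watch for when testing this at night: the query reaches dnsmasq with the real 192.168.10.x source, but the default local-service setting makes dnsmasq ignore it and, without the static route, the primary router could not send the reply back anyway, so DNS for the whole sub-network breaks until both the routes and `localservice '0'` are in place. Note also that `localservice '0'` removes dnsmasq's own source-subnet check, so the primary router's wan zone must keep port 53 closed (the OpenWrt default wan zone input policy is REJECT), and that the masq_dest exclusion exposes the 192.168.x.x addresses to the primary router for all traffic to 10.0.0.1, not just DNS; traffic to the internet is still masqueraded, as the `internet_still_masqueraded` field shows.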

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.