Need nft masquerade rule for lan installed

I need the following rule installed in NFTables from firewall4:

nft insert rule inet fw4 srcnat_lan udp dport 53 masquerade

This is the companion rule necessary to make this redirect rule work:

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Redirect DNS internally'
	option src 'lan'
	option src_dport '53'
	option dest_ip '10.75.22.247'
	option dest_port '53'

The goal of all of this is to redirect DNS queries from the LAN that are going to any other zone (usually WAN, from devices hard-coded to use 8.8.8.8, etc.) to the DNS server that is on the LAN (which is not the OpenWRT router in this case).

The above two things work. I just am not sure if there is any firewall4 configuration syntax that will result in the desired nft rule.

I can of course simply use:

config include
	option path '/etc/firewall.user'
	option fw4_compatible 1

and stick my rule in /etc/firewall.user but I am trying to avoid these kinds of work-arounds as much as possible as they usually come back to bite you in the future.
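To the question of whether firewall4 has syntax for that masquerade rule: the following `config nat` section is an added example (not from this thread or the linked post) written against firewall4's NAT-rule section, which places its output in the `srcnat_<zone>` chain; the `dest_ip` narrowing assumes the srcnat hook sees the already-DNATed destination address, so only the redirected flows get masqueraded rather than every UDP/53 packet from the LAN.

```uci
# Added example, not from the thread. Companion to the 'config redirect'
# section above: masquerade only the queries that were DNATed to the LAN
# DNS server, so that server's replies route back through the router.
config nat
	option name 'Masquerade redirected DNS'
	option src 'lan'
	option proto 'udp'
	option dest_ip '10.75.22.247'   # LAN DNS server from the redirect rule
	option dest_port '53'
	option target 'MASQUERADE'

# After 'fw4 reload', verify with:
#   nft list chain inet fw4 srcnat_lan
# Expect a line matching udp dport 53 / ip daddr 10.75.22.247 ending in 'masquerade'.
```

Note that masquerading replaces the client address with the router's LAN address, so the DNS server's query logs will show the router, not the original client, for every redirected query.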

See: https://jeff.vtkellers.com/posts/technology/force-all-dns-queries-through-pihole-with-openwrt/

Yeah, that is the solution to my original question, thank you very much!

The unfortunate part is that you can only list a single address to exempt (!192.168.1.101 in your solution) from the redirection.
