Need some help with dnsmasq crash, maybe caused by invasion

Hello all...

I was here at home in Sao Paulo, Brazil, attending class when a few minutes ago, I simply lost my Internet connection...

I started checking my router with an uptime of 117 days and noticed some strange information that I share with you below:

In other words, I see several crashes and then the error "Possible SYN flooding on port 53"...

So I ask for your help to try to understand if I suffered a possible invasion or flood attempt on port 53 (DNS) and that's why it crashed or if it crashed for some reason (maybe a hardware error) and the flooding error was due to machines on my local network making DNS requests?

Anyway, I tried restarting dnsmasq and unbound several times, and only unbound responded correctly, until I restarted the router completely and it started working correctly again, but only IPV6 still doesn't work, but I'll look into that later...

It's really strange...

Some information...

root@horus:~# uname -a
Linux horus 5.15.162 #0 SMP Mon Jul 15 22:14:18 2024 x86_64 GNU/Linux
root@horus:~# uptime
 21:30:57 up 23 min,  load average: 0.14, 0.21, 0.24
root@horus:~# free
              total        used        free      shared  buff/cache   available
Mem:        1922192      136660     1638916       28768      146616     1697540
Swap:             0           0           0
root@horus:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                28.7G    211.9M     28.5G   1% /
tmpfs                   938.6M     28.1M    910.5M   3% /tmp
/dev/mmcblk0p1           16.0M      6.1M      9.8M  38% /boot
/dev/mmcblk0p1           16.0M      6.1M      9.8M  38% /boot
tmpfs                   512.0K         0    512.0K   0% /dev
/dev/sdb1                 7.0G     39.4M      6.6G   1% /mnt/sdb1
root@horus:~# ubus call system board
{
        "kernel": "5.15.162",
        "hostname": "horus",
        "system": "Intel(R) Celeron(R) CPU  N2808  @ 1.58GHz",
        "model": "ULTRATOP ULTRATOP Liva",
        "board_name": "ultratop-ultratop-liva",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "x86/64",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
root@horus:~#

Some log...

Wed Jan 29 20:42:31 2025 kern.info kernel: [10191150.464846] dns listen[23841]: segfault at 7f42c4de1f13 ip 00007f425d6bb4d0 sp 00007f425d5ab870 error 4 in libpcap.so.1.10.4[7f425d6a8000+1d000]
Wed Jan 29 20:42:31 2025 kern.info kernel: [10191150.493036] Code: 89 fa 44 29 e2 39 c2 0f 4e c2 89 44 24 0c 83 7c 24 0c 00 0f 84 c4 00 00 00 83 7d 2c 00 0f 85 ba 00 00 00 4c 8b ab 80 00 00 00 <41> 8b 45 24 66 85 c0 75 0c be 00 81 00 00 41 f6 45 14 40 74 03 0f

Wed Jan 29 20:43:52 2025 daemon.info procd: Instance dnsmasq::horus s in a crash loop 6 crashes, 1 seconds since last crash


Wed Jan 29 20:47:10 2025 daemon.crit dnsmasq[1]: failed to create listening socket for 191.255.136.7: Address in use
Wed Jan 29 20:47:10 2025 daemon.crit dnsmasq[1]: FAILED to start up
Wed Jan 29 20:47:14 2025 daemon.warn miniupnpd[7085]: SSDP packet sender [::ffff:169.254.201.214]:57490 (if_index=-1) not from a LAN, ignoring
Wed Jan 29 20:47:16 2025 daemon.crit dnsmasq[1]: failed to create listening socket for 191.255.136.7: Address in use
Wed Jan 29 20:47:16 2025 daemon.crit dnsmasq[1]: FAILED to start up

Any help is appreciated.

System is unstable after drop_caches. Can you explain what the AI is trying to achieve?
Add

cat /etc/config/firewall
cat /proc/self/maps
cat /etc/config/network

It seems that something else is occupying port 53.
Post also the uci export dhcp; netstat -lnp | grep :53

Hello @brada4 ...

After rebooting the router, it seems to be working fine... nothing has changed, maybe it could have been caused by a power surge? Unfortunately I don't have a UPS...
Here are the files:

cat /etc/config/firewall

root@horus:~# cat /etc/config/firewall

config defaults
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun+'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'onu_vsol'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NintendoSwitch-NAT_A'
        list proto 'udp'
        option src 'wan'
        option src_dport '45000-65535'
        option dest_ip '192.168.15.30'
        option dest_port '45000-65535'

config redirect
        option target 'DNAT'
        option name 'DDNS_IPV4'
        option src 'wan'
        option src_dport '8181'
        option dest_ip '192.168.15.1'
        option dest_port '80'
        list proto 'tcp'

config redirect
        option target 'DNAT'
        option name 'DDNS_IPV6'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option src_dport '8181'
        option dest_ip '2804:7f0:7a01:5b8a:518f:9771:11c:a1c8'
        option dest_port '80'

config redirect
        option target 'DNAT'
        option name 'Transmission'
        option src 'wan'
        option src_dport '1111'
        option dest_ip '192.168.15.1'
        option dest_port '1111'
        option dest 'lan'

config rule
        option name 'Allow-Transmission'
        option src 'wan'
        option dest_port '1111'
        option target 'ACCEPT'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wireguard'

config forwarding
        option src 'wireguard'
        option dest 'lan'

config forwarding
        option src 'wireguard'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wireguard'

config rule
        option name 'Allow_Wireguard'
        list proto 'udp'
        option src 'wan'
        option dest_port '1195'
        option target 'ACCEPT'

root@horus:~#

cat /proc/self/maps

root@horus:~# cat /proc/self/maps
00400000-00406000 r--p 00000000 b3:02 15                                 /bin/busybox
00406000-0044e000 r-xp 00006000 b3:02 15                                 /bin/busybox
0044e000-00462000 r--p 0004e000 b3:02 15                                 /bin/busybox
00462000-00463000 r--p 00062000 b3:02 15                                 /bin/busybox
00463000-00464000 rw-p 00063000 b3:02 15                                 /bin/busybox
005bc000-005bd000 ---p 00000000 00:00 0                                  [heap]
005bd000-005be000 rw-p 00000000 00:00 0                                  [heap]
7f18d855f000-7f18d8563000 r--p 00000000 b3:02 349                        /lib/libgcc_s.so.1
7f18d8563000-7f18d8572000 r-xp 00004000 b3:02 349                        /lib/libgcc_s.so.1
7f18d8572000-7f18d8575000 r--p 00013000 b3:02 349                        /lib/libgcc_s.so.1
7f18d8575000-7f18d8576000 r--p 00015000 b3:02 349                        /lib/libgcc_s.so.1
7f18d8576000-7f18d8577000 rw-p 00016000 b3:02 349                        /lib/libgcc_s.so.1
7f18d8577000-7f18d858b000 r--p 00000000 b3:02 347                        /lib/libc.so
7f18d858b000-7f18d85d7000 r-xp 00014000 b3:02 347                        /lib/libc.so
7f18d85d7000-7f18d85ec000 r--p 00060000 b3:02 347                        /lib/libc.so
7f18d85ec000-7f18d85ed000 r--p 00074000 b3:02 347                        /lib/libc.so
7f18d85ed000-7f18d85ee000 rw-p 00075000 b3:02 347                        /lib/libc.so
7f18d85ee000-7f18d85f1000 rw-p 00000000 00:00 0
7ffe06f50000-7ffe06f71000 rw-p 00000000 00:00 0                          [stack]
7ffe06f8e000-7ffe06f92000 r--p 00000000 00:00 0                          [vvar]
7ffe06f92000-7ffe06f93000 r-xp 00000000 00:00 0                          [vdso]
root@horus:~#

cat /etc/config/network

root@horus:~# cat /etc/config/firewall

config defaults
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun+'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'onu_vsol'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NintendoSwitch-NAT_A'
        list proto 'udp'
        option src 'wan'
        option src_dport '45000-65535'
        option dest_ip '192.168.15.30'
        option dest_port '45000-65535'

config redirect
        option target 'DNAT'
        option name 'DDNS_IPV4'
        option src 'wan'
        option src_dport '8181'
        option dest_ip '192.168.15.1'
        option dest_port '80'
        list proto 'tcp'

config redirect
        option target 'DNAT'
        option name 'DDNS_IPV6'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option src_dport '8181'
        option dest_ip '2804:7f0:7a01:5b8a:518f:9771:11c:a1c8'
        option dest_port '80'

config redirect
        option target 'DNAT'
        option name 'Transmission'
        option src 'wan'
        option src_dport '1111'
        option dest_ip '192.168.15.1'
        option dest_port '1111'
        option dest 'lan'

config rule
        option name 'Allow-Transmission'
        option src 'wan'
        option dest_port '1111'
        option target 'ACCEPT'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'
root@horus:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0b:4bce:7eb5::/48'
        option packet_steering '1'

config interface 'lan'
        option device 'eth1'
        option proto 'static'
        list ipaddr '192.168.15.1/26'
        option ip6assign '64'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth0'
        option username 'cliente@cliente'
        option password 'cliente'
        option ipv6 'auto'

config interface 'onu_vsol'
        option proto 'static'
        option device 'eth0'
        list ipaddr '192.168.1.2/30'
        option ip6assign '64'

config interface 'wireguard'
        option proto 'wireguard'
        option private_key 'edited'
        option listen_port '1195'
        option ip6assign '64'
        list addresses '192.168.17.1/24'
        list addresses 'fd00:17::1/64'

config wireguard_wireguard
        option description 'Cel_POCOX3PRO_RR'
        option public_key 'edited'
        option private_key 'edited'
        list allowed_ips '192.168.17.2/32'
        option persistent_keepalive '25'

root@horus:~#

Hello @trendy

Maybe... Here I have dnsmasq, unbound and I don't remember if I have any other software...

In any case, here is the requested file:

root@horus:~# cat /etc/config/firewall

config defaults
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun+'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'onu_vsol'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NintendoSwitch-NAT_A'
        list proto 'udp'
        option src 'wan'
        option src_dport '45000-65535'
        option dest_ip '192.168.15.30'
        option dest_port '45000-65535'

config redirect
        option target 'DNAT'
        option name 'DDNS_IPV4'
        option src 'wan'
        option src_dport '8181'
        option dest_ip '192.168.15.1'
        option dest_port '80'
        list proto 'tcp'

config redirect
        option target 'DNAT'
        option name 'DDNS_IPV6'
        option family 'ipv6'
        list proto 'tcp'
        option src 'wan'
        option src_dport '8181'
        option dest_ip '2804:7f0:7a01:5b8a:518f:9771:11c:a1c8'
        option dest_port '80'

config redirect
        option target 'DNAT'
        option name 'Transmission'
        option src 'wan'
        option src_dport '1111'
        option dest_ip '192.168.15.1'
        option dest_port '1111'
        option dest 'lan'

config rule
        option name 'Allow-Transmission'
        option src 'wan'
        option dest_port '1111'
        option target 'ACCEPT'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'
root@horus:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0b:4bce:7eb5::/48'
        option packet_steering '1'

config interface 'lan'
        option device 'eth1'
        option proto 'static'
        list ipaddr '192.168.15.1/26'
        option ip6assign '64'
root@horus:~# uci export dhcp; netstat -lnp | grep :53
package dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '42'
        option limit '20'
        option leasetime '1h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option force '1'
        list dhcp_option '44,192.168.15.1/26'
        option ra_useleasetime '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dnsmasq 'horus'
        option authoritative '1'
        option local '/hsh/'
        option domain 'hsh'
        option expandhosts '1'
        option rebind_protection '1'
        option localservice '1'
        option sequential_ip '1'
        option allservers '1'
        option domainneeded '1'
        option rebind_localhost '1'
        option localise_queries '1'
        option dhcpleasemax '62'
        option dnsforwardmax '300'
        option cachesize '5000'
        option readethers '1'
        option confdir '/tmp/dnsmasq.d'
        list server '127.0.0.1#5453'
        list server '0::1#5453'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        option noresolv '1'
        option doh_backup_noresolv '1'
        list doh_backup_server '127.0.0.1#5453'
        list doh_backup_server '0::1#5453'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5054'

config domain
        option name 'onu'
        option ip '192.168.1.1'

config domain
        option name 'horus'
        option ip '192.168.15.1'

config domain
        option name 'anubis'
        option ip '192.168.15.2'

config domain
        option name 'osiris'
        option ip '192.168.15.3'

config domain
        option name 'toth'
        option ip '192.168.15.4'

config host
        option name 'NintendoSwitch'
        option ip '192.168.15.30'
        list tag 'VideoGame'
        option leasetime 'infinite'
        list mac '20:0B:CF:E4:75:54'

config host
        option name 'an4'
        option ip '192.168.15.5'
        option leasetime 'infinite'
        list tag 'DecoderTVaCabo'
        list mac 'B6:D4:67:CD:CD:B2'

config domain
        option name 'an4'
        option ip '192.168.15.5'

config host
        option name 'tesla'
        option dns '1'
        list mac '40:8D:5C:78:51:51'
        option ip '192.168.15.10'
        option leasetime 'infinite'
        option duid '000100012dd84203408d5c785151'
        list tag 'admin_pc'
        option instance '0'
        option broadcast '1'

config host
        option ip '192.168.15.61'
        option mac '60:21:C0:97:FE:BB'
        option name 'GT-N8000'

tcp        0      0 192.168.1.2:53          0.0.0.0:*               LISTEN      12071/dnsmasq
tcp        0      0 192.168.17.1:53         0.0.0.0:*               LISTEN      12071/dnsmasq
tcp        0      0 191.255.136.7:53        0.0.0.0:*               LISTEN      12071/dnsmasq
tcp        0      0 192.168.15.1:53         0.0.0.0:*               LISTEN      12071/dnsmasq
tcp        0      0 192.168.16.1:53         0.0.0.0:*               LISTEN      12071/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      12071/dnsmasq
tcp        0      0 fd00:17::1:53           :::*                    LISTEN      12071/dnsmasq
tcp        0      0 fe80::b05f:d636:4414:56d:53 :::*                    LISTEN      12071/dnsmasq
tcp        0      0 2804:7f0:7a02:5658::1:53 :::*                    LISTEN      12071/dnsmasq
tcp        0      0 fe80::b4e9:ecb4:d6ca:e466:53 :::*                    LISTEN      12071/dnsmasq
tcp        0      0 fe80::baae:edff:fe86:c506:53 :::*                    LISTEN      12071/dnsmasq
tcp        0      0 fd0b:4bce:7eb5:2::1:53  :::*                    LISTEN      12071/dnsmasq
tcp        0      0 fd0b:4bce:7eb5:1::1:53  :::*                    LISTEN      12071/dnsmasq
tcp        0      0 fe80::2e0:4cff:fe76:961:53 :::*                    LISTEN      12071/dnsmasq
tcp        0      0 fd0b:4bce:7eb5::1:53    :::*                    LISTEN      12071/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      12071/dnsmasq
tcp        0      0 2804:7f0:703c:14f5:b4e9:ecb4:d6ca:e466:53 :::*                    LISTEN      12071/dnsmasq
udp        0      0 191.255.136.7:53        0.0.0.0:*                           12071/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           12071/dnsmasq
udp        0      0 192.168.1.2:53          0.0.0.0:*                           12071/dnsmasq
udp        0      0 192.168.15.1:53         0.0.0.0:*                           12071/dnsmasq
udp        0      0 192.168.17.1:53         0.0.0.0:*                           12071/dnsmasq
udp        0      0 192.168.16.1:53         0.0.0.0:*                           12071/dnsmasq
udp        0      0 192.168.15.1:5351       0.0.0.0:*                           10481/miniupnpd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           3558/avahi-daemon:
udp        0      0 2804:7f0:7a02:5658::1:53 :::*                                12071/dnsmasq
udp        0      0 2804:7f0:703c:14f5:b4e9:ecb4:d6ca:e466:53 :::*                                12071/dnsmasq
udp        0      0 fe80::b4e9:ecb4:d6ca:e466:53 :::*                                12071/dnsmasq
udp        0      0 ::1:53                  :::*                                12071/dnsmasq
udp        0      0 fd0b:4bce:7eb5:1::1:53  :::*                                12071/dnsmasq
udp        0      0 fe80::2e0:4cff:fe76:961:53 :::*                                12071/dnsmasq
udp        0      0 fd0b:4bce:7eb5::1:53    :::*                                12071/dnsmasq
udp        0      0 fe80::baae:edff:fe86:c506:53 :::*                                12071/dnsmasq
udp        0      0 fd0b:4bce:7eb5:2::1:53  :::*                                12071/dnsmasq
udp        0      0 fd00:17::1:53           :::*                                12071/dnsmasq
udp        0      0 fe80::b05f:d636:4414:56d:53 :::*                                12071/dnsmasq
udp        0      0 :::5351                 :::*                                10481/miniupnpd
udp        0      0 :::5353                 :::*                                3558/avahi-daemon:
root@horus:~#

I also have installed https-dns-proxy...

root@horus:~# cat /etc/config/https-dns-proxy
config main 'config'
        option canary_domains_icloud '1'
        option canary_domains_mozilla '1'
        option dnsmasq_config_update '*'
        option force_dns '1'
        list force_dns_port '53'
        list force_dns_port '853'
# ports listed below are used by some
# of the dnscrypt-proxy v1 resolvers
#       list force_dns_port '553'
#       list force_dns_port '1443'
#       list force_dns_port '4343'
#       list force_dns_port '4434'
#       list force_dns_port '5443'
#       list force_dns_port '8443'
        option procd_trigger_wan6 '0'

config https-dns-proxy
        option bootstrap_dns '1.1.1.1,1.0.0.1'
        option resolver_url 'https://cloudflare-dns.com/dns-query'
        option listen_addr '127.0.0.1'
        option listen_port '5053'
        option user 'nobody'
        option group 'nogroup'

config https-dns-proxy
        option bootstrap_dns '8.8.8.8,8.8.4.4'
        option resolver_url 'https://dns.google/dns-query'
        option listen_addr '127.0.0.1'
        option listen_port '5054'
        option user 'nobody'
        option group 'nogroup'
root@horus:~#

I'm paying attention to this...

Thu Jan 30 07:31:31 2025 daemon.info procd: Instance unbound::unbound s in a crash loop 7 crashes, 0 seconds since last crash

What in your network sent a ton of DNS (or did you have the fw stopped and DNS open on wan)?

It is a very bad idea to expose the unencrypted web interface to the internet.
Someone may have already logged into the router and created your problems.
You have a VPN server which should be used for that.

Also not a good idea to run the Transmission on the router.

Your wireguard is listening to 1195 but the firewall allows 1194.

Finally, limit the dnsmasq instance to not listen on the wan interface

uci set dhcp.chorus.interface='lan'
uci commit dhcp
service dnsmasq restart
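As an added example (not part of the thread and not OpenWrt tooling), the check below reads `netstat -lnp` output in the format posted above and reports port-53 listeners bound to public or wildcard addresses, which is the condition the advice about keeping dnsmasq off the wan interface targets. The function names are hypothetical and the sample lines are constructed with documentation addresses.

```shell
#!/bin/sh
# Added example: flag DNS listeners that are bound to an address other than
# loopback, RFC 1918, link-local or ULA. Input: `netstat -lnp` text on stdin.
# A hit means the socket exists on a routable address; whether it is
# reachable from outside still depends on the firewall being up.

public_dns_listeners() {
    awk '
    # Classify a bare address (port already stripped).
    function scope(a,    o) {
        if (a ~ /:/) {                                   # IPv6
            a = tolower(a)
            if (a == "::")  return "wildcard"
            if (a == "::1") return "loopback"
            if (a ~ /^fe[89ab][0-9a-f]:/) return "link-local"   # fe80::/10
            if (a ~ /^f[cd][0-9a-f][0-9a-f]:/) return "ula"     # fc00::/7
            return "public"
        }
        if (a == "0.0.0.0") return "wildcard"
        split(a, o, ".")
        if (o[1] == 127) return "loopback"
        if (o[1] == 10) return "private"
        if (o[1] == 192 && o[2] == 168) return "private"
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return "private"
        if (o[1] == 169 && o[2] == 254) return "link-local"
        return "public"
    }
    $1 ~ /^(tcp|udp)/ {
        addr = $4; port = $4
        sub(/:[0-9]+$/, "", addr)    # netstat appends :port, also for IPv6
        sub(/^.*:/, "", port)        # text after the last colon is the port
        if (port != "53") next       # skips 5351 (miniupnpd), 5353 (avahi)
        s = scope(addr)
        if (s == "public" || s == "wildcard")
            print $1, addr, s, $NF   # $NF is the PID/program column
    }'
}

# Constructed sample in the layout of the listing above (not real output).
sample_netstat() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1201/dnsmasq
tcp        0      0 192.168.15.1:53         0.0.0.0:*               LISTEN      1201/dnsmasq
tcp        0      0 203.0.113.7:53          0.0.0.0:*               LISTEN      1201/dnsmasq
tcp        0      0 fd00:17::1:53           :::*                    LISTEN      1201/dnsmasq
tcp        0      0 fe80::1:53              :::*                    LISTEN      1201/dnsmasq
udp        0      0 203.0.113.7:53          0.0.0.0:*                           1201/dnsmasq
udp        0      0 2001:db8:5658::1:53     :::*                                1201/dnsmasq
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           3558/avahi-daemon:
udp        0      0 192.168.15.1:5351       0.0.0.0:*                           1048/miniupnpd
EOF
}

sample_netstat | public_dns_listeners
```

On the router itself the same function can be fed live data with `netstat -lnp | public_dns_listeners`; an empty result after restricting dnsmasq to the LAN confirms the change took effect.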

Hello @trendy, thanks for your help...

I adjusted the settings mentioned by you, but if I change the wireguard port, it stops working... so, I kept it as it was...

I removed the DNAT entries for the DDNS service from the firewall....

About transmission, I rarely use it, so when it's not being used, I leave the service disabled. Do you see any problem with this?

About dnsmasq, I limited the dnsmasq instance to no longer listen on the wan interface, only on the lan... I adjusted the command because I believe you added an extra "c" to it...

"uci set dhcp.chorus.interface='lan' "

When I think it should be

"uci set dhcp.horus.interface='lan' "

Let's take a look, I'm finding my internet slow for the 700/350 link I have, but I'll keep you posted here...

Now I'm "fighting" with IPV6, which doesn't want to work for anything...

I'm following the settings I made myself and it worked, posted in this topic => [Solved] Help to config IPV6 correctly on my router - Installing and Using OpenWrt - OpenWrt Forum and nothing is working...

For now, thank you very much for your help!

Then it can't be working from the wan, as you don't allow 1195 in the firewall.

Yup, right.


Partially solved the IPV6 problem...

I uninstalled mwan3 and it worked right away!

I'm going to compare the configuration, network and firewall files with it installed and uninstalled.

The sad thing is that for now, my 2 internet links are in "manual mode", lol...

Hello @brada4 and @trendy, fine?

I noticed that I can no longer browse my VPNs (I have OpenVPN and Wireguard configured) and this worked correctly!

I think it has to do with DNS, because I can connect to the router, but when I try to access it via name (horus//), it doesn't work, but when I enter the IP address (192.168.15.1), it works correctly.

This wouldn't be a problem if I only accessed the router for occasional maintenance/configuration, but sometimes I browse the internet via the VPN.

How could I fix this little problem? Can you help me with this?

Thanks!

Better start a new topic for that and post the configurations as before:

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Thanks @trendy

I will open a new topic => Cannot resolve DNS while connected to WireGuard VPN

