darksky
September 7, 2021, 10:19am
#1
When I run a scan using nmap, I only get IP addresses back but not hostnames. What setting on the OW router would be needed to also get back names?
On a LAN client:
# nmap -sn 10.9.8.0/24 -oG -
# Nmap 7.92 scan initiated Tue Sep 7 06:16:32 2021 as: nmap -sn -oG - 10.9.8.0/24
Host: 10.9.8.1 (router) Status: Up
Host: 10.9.8.2 () Status: Up
Host: 10.9.8.103 () Status: Up
Host: 10.9.8.104 () Status: Up
Host: 10.9.8.105 () Status: Up
Host: 10.9.8.106 () Status: Up
trendy
September 7, 2021, 10:23am
#2
Does the lan client use the OpenWrt as the DNS server?
The same command used on my OpenWrt and a lan host returns the names as well.
darksky
September 7, 2021, 10:32am
#3
In my case, it is using a pi-hole box on the LAN. If I switch it to the OpenWrt router, I get the expected result. I need to rethink how I have things set up.
trendy
September 7, 2021, 10:38am
#4
Then you need to enable conditional forwarding in Pi-hole (Settings → DNS).
darksky
September 7, 2021, 4:44pm
#5
I had that set up, so it must be something misconfigured in the router's firewall. Can you suggest what might be lacking?
I have 5 interfaces: LAN, WAN, GUEST, LXC, and WG0.
I am using VLANs and a dumb access point if that matters.
I have 4 firewall zones: lan, guest, virtual, and wan.
The pihole box is on the LXC interface and virtual firewall zone. It needs to be accessible by all other zones except wan.
/etc/config/firewall
# /etc/config/firewall as posted in #5, i.e. before the fix described in #9.
# Global policy: traffic to and from the router itself is accepted by default,
# while forwarded traffic between zones is rejected unless a 'forwarding'
# section (or a rule with a 'dest') below allows it.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# Stock rules for traffic arriving from the wan zone (DHCP renew, IGMP,
# DHCPv6, MLD, ICMPv6 input/forward, IPsec ESP); nothing here touches the
# LAN-side DNS problem discussed in the thread.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
# Custom rules may live in /etc/firewall.user; that file is not shown in the
# thread, so any rule it contains is invisible to this review.
config include
option path '/etc/firewall.user'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list device 'br-main.1'
list network 'lan'
# wan: NAT (masq) with unsolicited input and forwarding dropped.
config zone 'wan'
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
list device 'br-wan'
list network 'wan'
option input 'DROP'
option forward 'DROP'
# guest also carries the 'wg0' network, i.e. the WireGuard interface that #10
# says is "part of guest".
config zone
option name 'guest'
option output 'ACCEPT'
list device 'br-main.3'
option input 'REJECT'
option forward 'REJECT'
list network 'guest'
list network 'wg0'
# virtual holds the LXC network where the pi-hole lives (#5). With input
# 'REJECT' the pi-hole cannot reach the router's own resolver, which is the
# cause of the missing hostnames. The fix agreed in #9 is one extra rule
# allowing input from this zone on UDP port 53 only - not a blanket input
# ACCEPT, and no virtual -> lan forwarding.
config zone
option name 'virtual'
option output 'ACCEPT'
option input 'REJECT'
list network 'LXC'
option forward 'ACCEPT'
# No 'dest', so this is an input rule: guest clients may reach the router
# itself for DNS (53) and DHCP (67/68) over tcp and udp.
config rule
option src 'guest'
option target 'ACCEPT'
option name 'guest dhcp and dns'
list proto 'tcp'
list proto 'udp'
option dest_port '53 67 68'
# Inter-zone forwarding. Every non-wan zone can reach virtual (the pi-hole),
# matching the requirement stated in #5; there is deliberately no
# virtual -> lan forwarding (#9 says it is not needed).
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
config forwarding
option src 'guest'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'guest'
config forwarding
option src 'guest'
option dest 'virtual'
config forwarding
option src 'lan'
option dest 'virtual'
config forwarding
option src 'virtual'
option dest 'wan'
config forwarding
option src 'virtual'
option dest 'guest'
/etc/config/network
# /etc/config/network as posted in #5. The lan/guest addresses here
# (10.1.20.1, 192.168.8.1) do not match the 10.9.8.x / 10.9.7.x ranges quoted
# in other posts; #13 says the ranges were changed later in the thread.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd1a:184b:b879::/48'
option packet_steering '1'
# Single trunk bridge over eth0. VLAN 1 is untagged (lan), VLANs 3 and 4 are
# tagged (guest and LXC, see the bridge-vlan sections below).
config device
option name 'br-main'
option type 'bridge'
list ports 'eth0'
option ipv6 '0'
config interface 'lan'
option proto 'static'
option ipaddr '10.1.20.1'
option netmask '255.255.255.0'
option device 'br-main.1'
# wan gets its address by DHCP but ignores the ISP-supplied resolvers
# (peerdns '0') in favour of 1.1.1.1 / 1.0.0.1.
config interface 'wan'
option proto 'dhcp'
option peerdns '0'
option delegate '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
option device 'br-wan'
config bridge-vlan
option device 'br-main'
option vlan '1'
list ports 'eth0'
config bridge-vlan
option device 'br-main'
option vlan '3'
list ports 'eth0:t'
config device
option name 'br-main.1'
option type '8021q'
option ifname 'br-main'
option vid '1'
option ipv6 '0'
config device
option name 'br-main.3'
option type '8021q'
option ifname 'br-main'
option vid '3'
option ipv6 '0'
config device
option type 'bridge'
option name 'br-wan'
list ports 'eth1'
option ipv6 '0'
config interface 'guest'
option proto 'static'
option device 'br-main.3'
option ipaddr '192.168.8.1'
option netmask '255.255.255.0'
list dns '1.1.1.1'
list dns '1.0.0.1'
# Device-level IPv6 is disabled on every device in this listing. wg0 (the
# WireGuard interface referenced from the guest firewall zone) appears only
# as a device here; its interface section is not part of the posted config.
config device
option name 'wg0'
option ipv6 '0'
config device
option name 'eth0'
option ipv6 '0'
config device
option name 'eth1'
option ipv6 '0'
config bridge-vlan
option device 'br-main'
option vlan '4'
list ports 'eth0:t'
# LXC network (10.0.4.1/24): a separate bridge on top of VLAN 4. It belongs
# to the 'virtual' firewall zone where the pi-hole runs (#5).
config device
option type 'bridge'
option name 'br-lxc'
list ports 'br-main.4'
option ipv6 '0'
config interface 'LXC'
option proto 'static'
option device 'br-lxc'
option ipaddr '10.0.4.1'
option netmask '255.255.255.0'
config device
option name 'br-main.4'
option type '8021q'
option ifname 'br-main'
option vid '4'
option ipv6 '0'
darksky:
nmap -sn
-n: Never do DNS resolution
darksky
September 7, 2021, 5:08pm
#7
I think the nmap command might be a little misleading... I cannot even ping other devices by hostname so I'm thinking I am missing something simple in my firewall rules?
darksky
September 7, 2021, 6:54pm
#8
I got it; it was a firewall rule. I needed to allow input (traffic to the router itself) from the virtual zone, as well as add virtual → lan forwarding. Everything works as expected now, I think.
trendy
September 8, 2021, 11:18am
#9
All that is needed is to create a rule allowing input from the virtual zone on UDP port 53.
You don't need to allow all input, nor the forwarding from virtual to lan.
darksky
September 8, 2021, 12:26pm
#10
Thanks @trendy - I set it up like this and seem to have all functionality (including on my WireGuard interface, which is part of guest).
Zone forwarding:
These two rules were needed:
darksky
September 8, 2021, 12:49pm
#11
@trendy - I spoke too soon... pihole is listing hostnames for clients on my lan zone, but it is listing ip addresses for clients on my guest zone (so no dns there). I created a third rule to allow 53/udp to and from virtual/guest but that doesn't seem to do it. Thoughts?
EDIT: it seems to resolve the hostnames only for the IP range I define in pi-hole's Settings>DNS>Use Conditional Forwarding.
LAN = 10.x.x.x
Guest = 172.x.x.x
What traffic rule is needed to allow cross talk there? Or perhaps I need a CIDR that covers both? If that's the case, might be easier for me to change the Guest to a 10.x.x.x also.
trendy
September 8, 2021, 1:28pm
#12
There is no need for the third rule. Only the pihole needs to communicate with OpenWrt to query the names. Guests will query the pihole for name resolution, which is covered by the second rule.
Since pihole allows only one reverse zone, you'll have to create the second one manually.
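# Drop-in resolver config for the Pi-hole: forward lookups for the guest
# domain to OpenWrt and add a reverse (PTR) zone for the guest subnet.
# Pi-hole's Conditional Forwarding setting covers a single range, so the
# second range is added here by hand. Replace 10.0.2.1 with the OpenWrt
# address, 172.30.30.0/24 with the guest subnet and 'guest' with the domain
# suffix. The delimiter is quoted so the content is written literally.
cat <<'EOF' > /etc/dnsmasq.d/03-guest.conf
server=/guest/10.0.2.1
rev-server=172.30.30.0/24,10.0.2.1
EOF
# On Pi-hole the resolver runs as the pihole-FTL service; a later post in
# this thread found that restarting it (not a standalone dnsmasq) was needed
# before the new file took effect.
service pihole-FTL restart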
Change 10.0.2.1 to the IP of OpenWrt, 172.30.30.0/24 to the guest subnet, and guest to the domain suffix.
darksky
September 8, 2021, 1:46pm
#13
Thanks for the feedback. I removed the third rule. I also changed the LAN and GUEST IP ranges thinking I could change pi-hole's Settings>DNS>Use Conditional Forwarding accordingly.
LAN = 10.9.8.*
GUEST = 10.9.7.*
I set up pi-hole like this, but still, the 10.9.7.* addresses are not resolved to hostnames:
I added the following per your suggestion:
# cat /etc/dnsmasq.d/03-guest.conf
server=/lan/10.9.8.1
rev-server=10.9.7.0/24,10.9.8.1
I found that I needed to restart pihole-FTL for everything to take effect. Thank you for your help, @trendy