Should I open a bug report or the like about the mis-mapped ports?
No, as they're not mis-mapped. That's why I mentioned the reversed ports (and to use 2 and 3 for configuration). Ports tend to be identified by LEDE in reverse order from the instructions provided by the router's OEM (this is because the OEM can configure their firmware and molded plastic casing to make the ports appear in ascending order from left to right from the consumer's point of view). Some devices even have a phantom 6th port (for fiber SFPs or other PHYs to be added to the board), which causes more confusion.
If you have access to the Wiki, you may want to contribute that information, though.
I updated the comments on this page.
...I just noticed a behavior change now that we have the subnet configured. With the out-of-the-box LEDE setup, if I ran the following nmap command on a device connected to the lan (not guestzone), the IP addresses would also return hostnames. Currently, the hostnames are omitted. Any thoughts?
% sudo nmap -sn 10.9.8.0/24 -oG -
# Nmap 7.60 scan initiated Sat Oct 21 09:53:40 2017 as: nmap -sn -oG - 10.9.8.0/24
Host: 10.9.8.1 ()    Status: Up
Host: 10.9.8.103 ()  Status: Up
Host: 10.9.8.124 ()  Status: Up
Host: 10.9.8.131 ()  Status: Up
# Nmap done at Sat Oct 21 09:53:42 2017 -- 256 IP addresses (4 hosts up) scanned in 1.79 seconds
The original LAN also wasn't a 10.0.0.0/8 IP... so I'm unsure...
If your DHCP is default, and you configured the same, you should see hostnames.
The -n argument in a lot of software denotes "do not resolve hostnames"... maybe that's it...?
-n (No DNS resolution)
Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times.
I changed the original lan from 192.168.1.0 to 10.9.8.0. The option for nmap isn't actually -n, it's -sn (Ping Scan - disable port scan)... if you run the corresponding nmap stanza on your network, do you get hostnames?
Nmap is not installed by default.
But I can do an nslookup on all IPs on my network with hostnames, and receive its reverse address...
Ah... I didn't run that on the LEDE router, I ran it on a linux box on the lan.
What DNS server are you giving the device?
I stand corrected...
If I use the pihole box as my DNS entry (recall the pihole box resides on my guestzone), accomplished by modifying Network > Interfaces > LAN > DHCP server > Advanced settings with '6,172.17.1.250', I get no hostnames.
If however, I use the default DNS, with no modification to Network > Interfaces > LAN > DHCP server > Advanced settings, AND if I restart the network on my machine to ensure these settings are applied, I am able to see the hostnames just fine.
...what traffic rule shall I create?
If I understand you correctly, there's no rule that will fix this; but...
- you should be able to configure your Pi's DNS server so that your router is the next (AND ONLY) upstream resolver
This is because the router gets hostnames during the DHCP process; it then adds those names to its DNS resolver's reverse PTR zone. So making the Pi a downstream resolver of your router's DNS should fix the issue with reverse resolution.
I will look into that... the pi is just using dnsmasq. Thanks again for the insights.
OK... on the pihole box, I edited /etc/dnsmasq.d/01-pihole.conf and simply appended the router's IP in a server= statement under the other two... after restarting dnsmasq on the pihole box, I am getting name resolution again from the nmap command... what I don't know is if I inadvertently introduced a problem.
cat /etc/dnsmasq.d/01-pihole.conf
addn-hosts=/etc/pihole/gravity.list
addn-hosts=/etc/pihole/local.list
addn-hosts=/etc/pihole/black.list
localise-queries
no-resolv
cache-size=10000
log-queries
log-facility=/run/log/pihole/pihole.log
local-ttl=300
log-async
server=18.104.22.168
server=22.214.171.124
server=172.17.1.1
interface=eth0
No problem introduced, you just have to use the DNS server that knows your local hostnames (since they certainly aren't found in the Global DNS)...this leads me to...
You may recall above, I noted to make your router's DNS the ONLY upstream resolver for the Pi. You can add 126.96.36.199 and 188.8.131.52 into the router's Dnsmasq (under the DHCP and DNS page or the WAN interface) instead. If all 3 servers were the same distance, your setup would fail approximately 66% of the time... your config above only works for one reason...
Your Pi happens to be closer (Internet-wise) than the other 2 servers.
Making a 2nd Dnsmasq resolver on your network just seems to add an unnecessary level of complexity...since your router runs Dnsmasq anyways.
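The point of this reply, as an added example that is not part of the thread or of the Pi-hole project: a small POSIX shell script that inspects a dnsmasq config like the 01-pihole.conf quoted above, flags the "several global upstreams, only one of which knows the LAN" situation, and rewrites the file so that the router is the only upstream. It assumes the addresses from the thread (router 172.17.1.1, LAN 10.9.8.0/24); the two public upstream addresses in the constructed sample config are placeholders, and only IPv4 server= lines are considered.

```shell
#!/bin/sh
# Added example, not the thread's or Pi-hole's own code.
# Assumptions (from the thread): the LEDE router is 172.17.1.1 and is the only
# resolver that holds the LAN's DHCP-learned hostnames and PTR records.
ROUTER=172.17.1.1

# List the global upstream resolvers in a dnsmasq config: uncommented
# "server=<ipv4>" lines. "server=/<domain>/<ip>" lines are zone-specific and
# are deliberately not counted.
dnsmasq_upstreams() {
    grep -E '^server=[0-9]+(\.[0-9]+){3}$' "$1" | cut -d= -f2
}

# Return 0 if the router is the only global upstream, 1 otherwise.
# dnsmasq normally forwards each query to just one of its upstreams (the one it
# currently favours), so when only one of N upstreams serves the LAN's reverse
# zone, a PTR lookup succeeds only when that one happens to be asked. That is
# the intermittent "sometimes names, sometimes none" seen in the nmap runs.
check_upstreams() {
    n=0
    last=""
    for s in $(dnsmasq_upstreams "$1"); do
        n=$((n + 1))
        last=$s
    done
    if [ "$n" -eq 1 ] && [ "$last" = "$ROUTER" ]; then
        echo "ok: $ROUTER is the only global upstream"
        return 0
    fi
    echo "problem: $n global upstream(s); only $ROUTER can answer LAN reverse lookups"
    return 1
}

# Rewrite a config so the router is the only global upstream, keeping every
# other line (addn-hosts, no-resolv, cache-size, ...) as it was. Output on stdout.
fix_upstreams() {
    grep -vE '^server=[0-9]+(\.[0-9]+){3}$' "$1"
    echo "server=$ROUTER"
}

# Constructed sample config, modelled on the 01-pihole.conf quoted above.
# no-resolv means /etc/resolv.conf is ignored, so these server= lines are the
# only upstreams dnsmasq will ever use.
TMP=$(mktemp -d)
cat > "$TMP/before.conf" <<'EOF'
addn-hosts=/etc/pihole/gravity.list
addn-hosts=/etc/pihole/black.list
localise-queries
no-resolv
cache-size=10000
server=203.0.113.53
server=198.51.100.53
server=172.17.1.1
interface=eth0
EOF

fix_upstreams "$TMP/before.conf" > "$TMP/after.conf"

check_upstreams "$TMP/before.conf" || true   # reports the problem
check_upstreams "$TMP/after.conf"            # reports ok
```

The public upstreams removed from the Pi then belong on the router, which is what the reply above suggests: on LEDE/OpenWrt that is `uci add_list dhcp.@dnsmasq[0].server='<ip>'` (the DHCP and DNS page) or `uci set network.wan.peerdns='0'` plus `uci add_list network.wan.dns='<ip>'` (the WAN interface), followed by `uci commit` and a restart of dnsmasq. To confirm which upstream can actually answer a reverse lookup, compare `dig -x 10.9.8.103 @172.17.1.1` with the same query sent to one of the public servers: only the router returns a name.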
I got it now... and you were correct, running the nmap command multiple times led to different results... sometimes no names, other times some names.
I now have the DNS servers defined on LEDE and I have the router's IP assigned as the only server= statement on the pi's dnsmasq config. Ads seem to be blocked as expected and nmap seems to be working as expected.