Setting up DNS interception with snapshot issues

I'm following the instructions here:

I was able to get to the NAT6 section without a problem, but when I run the script there I get:

Section nat6 option 'reload' is not supported by fw4
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

Since I couldn't figure out how to resolve these messages, I ignored them and went on to the second section, DNS over HTTPS.

The package installation at the start of the script is fine, but then I get the following output:

udhcpc: started, v1.35.0
udhcpc: broadcasting discover
udhcpc: no lease, failing
Reference error: left-hand side expression is null
In [anonymous function](), file /usr/share/ucode/fw4.uc, line 2294, byte 72:
  called from function [arrow function] (/usr/share/ucode/fw4.uc:703:65)
  called from function foreach ([C])
  called from function [anonymous function] (/usr/share/ucode/fw4.uc:703:66)
  called from function render_ruleset (/usr/share/firewall4/main.uc:54:24)
  called from anonymous function (/usr/share/firewall4/main.uc:138:28)

 `            ipset = filter(this.state.ipsets, s => (s.name == rule.ipset.name))[0];`
  Near here ----------------------------------------------------------------------^


Unable to read firewall state - do you need to start the firewall?
Downloading 'https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-domains.txt'
Connecting to 2606:50c0:8002::154:443
Writing to stdout
-                    100% |*******************************|  3164   0:00:00 ETA
Download completed (3164 bytes)
ipset v7.15: No command specified: unknown argument setup
Try `ipset help' for more information.

The same "Reference error" now occurs whenever I run:

/etc/init.d/firewall restart

I'll keep looking for the cause of these errors, but I would like to know whether I am doing something wrong here. Are these errors because of something I didn't install? Or is the guide out of date?

Any help or pointers much appreciated.

FYI, my router (TP-Link Archer C6 v3) otherwise works flawlessly with OpenWRT, and I installed a fresh snapshot (about an hour before writing this message) before trying to set up interception.

On further investigation, it seems most of my issues are caused by my release using fw4 and not fw3.

I'm still trying to figure out how to set up ipset with my router, and not having much luck.

As a test, I tried adding the following to /etc/config/firewall:

config ipset
	option name 'dropcidr'
	option match 'src_net'
	option enabled '1'
	list entry '42.56.0.0/16'
	list entry '180.178.160.0/20'
	list entry '79.133.43.0/24'
	list entry '27.44.0.0/15'
	list entry '192.168.3.0/24'

config rule
	option src 'wan'
	option ipset 'dropcidr'
	option dest_port '25'
	option target 'DROP'
	option name 'DROP-SMTP-WAN-LAN'
	option enabled '1'

Based on the Wiki guide here: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_config_ipset

When running /etc/init.d/firewall restart I don't receive any errors, however the output of ipset list is empty. I know the above instructions are for fw3. Is there something I have to do differently for my release?

Here is my version information:

Linux version 5.10.131 (builder@buildhost) (mipsel-openwrt-linux-musl-gcc (OpenWrt GCC 11.3.0 r20151-a0b7fef0ff) 11.3.0, GNU ld (GNU Binutils) 2.37) #0 SMP Wed Jul 20 19:52:06 2022

Sorry to keep replying to my own thread, but I have another update.

It seems that ipset is not used by fw4, and ipsets are added directly to nftables. Using nft list ruleset I could see my updates to /etc/config/firewall reflected properly:

table inet fw4 {
	set dropcidr {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 8.8.8.8, 27.44.0.0/15,
			     79.133.43.0/24, 180.178.160.0/20,
			     192.168.3.0/24 }
	}
    ...

So it's starting to make sense to me. The next step is to get DNS hijacking working.

I found this site rather useful: https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes, as there are literally zero help pages or manuals for nft within OpenWRT itself.


Another update. I was able to get port 443 (DoH) rejections working with the following:

# Filter 443 DNS queries

# DNS IP set, IPv4
uci -q delete firewall.dns_ipv4_set
uci set firewall.dns_ipv4_set="ipset"
uci set firewall.dns_ipv4_set.name="IPSet-DNS-IPv4"
uci set firewall.dns_ipv4_set.match="dest_ip"
uci set firewall.dns_ipv4_set.family="ipv4"
uci set firewall.dns_ipv4_set.loadfile="/etc/ipsets/dns_ipv4.set"
uci set firewall.dns_ipv4_set.enabled="1"
uci commit firewall
/etc/init.d/firewall restart

# DNS IP set, IPv6
uci -q delete firewall.dns_ipv6_set
uci set firewall.dns_ipv6_set="ipset"
uci set firewall.dns_ipv6_set.name="IPSet-DNS-IPv6"
uci set firewall.dns_ipv6_set.match="dest_ip"
uci set firewall.dns_ipv6_set.family="ipv6"
uci set firewall.dns_ipv6_set.loadfile="/etc/ipsets/dns_ipv6.set"
uci set firewall.dns_ipv6_set.enabled="1"
uci commit firewall
/etc/init.d/firewall restart

uci -q delete firewall.reject_doh_ipv4
uci set firewall.reject_doh_ipv4="rule"
uci set firewall.reject_doh_ipv4.name="Deny-DoH-IPv4"
uci set firewall.reject_doh_ipv4.ipset="IPSet-DNS-IPv4"
uci set firewall.reject_doh_ipv4.src="lan"
uci set firewall.reject_doh_ipv4.dest="wan"
uci set firewall.reject_doh_ipv4.dest_port="443"
uci set firewall.reject_doh_ipv4.proto="tcp udp"
uci set firewall.reject_doh_ipv4.target="REJECT"
uci set firewall.reject_doh_ipv4.family="ipv4"
uci set firewall.reject_doh_ipv4.enabled="1"
uci commit firewall
/etc/init.d/firewall restart

uci -q delete firewall.reject_doh_ipv6
uci set firewall.reject_doh_ipv6="rule"
uci set firewall.reject_doh_ipv6.name="Deny-DoH-IPv6"
uci set firewall.reject_doh_ipv6.ipset="IPSet-DNS-IPv6"
uci set firewall.reject_doh_ipv6.src="lan"
uci set firewall.reject_doh_ipv6.dest="wan"
uci set firewall.reject_doh_ipv6.dest_port="443"
uci set firewall.reject_doh_ipv6.proto="tcp udp"
uci set firewall.reject_doh_ipv6.target="REJECT"
uci set firewall.reject_doh_ipv6.family="ipv6"
uci set firewall.reject_doh_ipv6.enabled="1"
uci commit firewall
/etc/init.d/firewall restart

There is much to improve upon here: automatic IPv4/6 rule creation, downloading up-to-date IP lists, etc. But for now, I'm just happy to have it working. It seems that is all it takes for fw4.

Apologies if this is obvious information, but it took me quite some time to figure it out.

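The post above lists "automatic IPv4/6 rule creation" as the next improvement, and the earlier posts found that `ipset list` stays empty under fw4 because the sets live in nftables. The script below is an added example written for this thread; it is not the poster's script and not part of fw4 or OpenWrt. It takes one mixed address list (a constructed sample is embedded), splits it into the `dns_ipv4.set` / `dns_ipv6.set` loadfiles the thread uses, and prints the matching `ipset` + `rule` pairs as a `/etc/config/firewall` fragment, so both families come from one template and the firewall only needs restarting once. The function names (`split_by_family`, `emit_family`, `build_config`, `verify_set`) and the sample addresses are assumptions; the section names, set names, `loadfile` option and rule fields are the ones from the post above.

```shell
#!/bin/sh
# Added example for the thread above (not the poster's code, not fw4/OpenWrt code).
# Generates fw4 set + DoH-reject rule pairs for IPv4 and IPv6 from one address list.

# Split a blocklist into IPv4 and IPv6 entries, dropping comments and blank lines.
# Usage: split_by_family <input> <out_v4> <out_v6>
split_by_family() {
    in=$1; v4=$2; v6=$3
    # Strip '#' comments and surrounding whitespace, then drop empty lines.
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$in" \
        | grep -v '^$' > "$in.clean"
    # IPv4: dotted quad with an optional /prefix.
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' "$in.clean" > "$v4" || true
    # IPv6: hex groups with at least one colon and an optional /prefix.
    grep -E '^[0-9A-Fa-f]*:[0-9A-Fa-f:]*(/[0-9]{1,3})?$' "$in.clean" > "$v6" || true
    rm -f "$in.clean"
}

# Emit the fw4 'ipset' section and the LAN->WAN port 443 REJECT rule for one family.
# Usage: emit_family <4|6> <loadfile path on the router>
emit_family() {
    fam=$1; file=$2
    cat <<EOF
config ipset 'dns_ipv${fam}_set'
	option name 'IPSet-DNS-IPv${fam}'
	option match 'dest_ip'
	option family 'ipv${fam}'
	option loadfile '${file}'
	option enabled '1'

config rule 'reject_doh_ipv${fam}'
	option name 'Deny-DoH-IPv${fam}'
	option ipset 'IPSet-DNS-IPv${fam}'
	option src 'lan'
	option dest 'wan'
	option dest_port '443'
	option proto 'tcp udp'
	option target 'REJECT'
	option family 'ipv${fam}'
	option enabled '1'

EOF
}

# Print the complete fragment for both families.
# Usage: build_config <v4 loadfile> <v6 loadfile>
build_config() {
    emit_family 4 "$1"
    emit_family 6 "$2"
}

# On the router, check the set through nft rather than 'ipset list':
# fw4 creates the set in table inet fw4 under the ipset section's name option.
# Usage: verify_set <set name>
verify_set() {
    command -v nft >/dev/null 2>&1 || { echo "nft not available on this host"; return 2; }
    nft list set inet fw4 "$1"
}

# Demo with a constructed sample list: comment, blank line, v4 host, v4 CIDR,
# v6 host, v6 CIDR with a trailing comment.
tmp=$(mktemp -d)
printf '# constructed sample\n8.8.8.8\n1.1.1.0/24\n\n2001:4860:4860::8888\n2606:4700::/32 # example\n' \
    > "$tmp/mixed.txt"
split_by_family "$tmp/mixed.txt" "$tmp/dns_ipv4.set" "$tmp/dns_ipv6.set"
echo "IPv4 entries: $(wc -l < "$tmp/dns_ipv4.set" | tr -d ' ')"
echo "IPv6 entries: $(wc -l < "$tmp/dns_ipv6.set" | tr -d ' ')"
build_config /etc/ipsets/dns_ipv4.set /etc/ipsets/dns_ipv6.set
rm -rf "$tmp"
```

On the router, copy the two `.set` files to `/etc/ipsets/`, append the printed fragment to `/etc/config/firewall`, run `/etc/init.d/firewall restart` once, and then `verify_set IPSet-DNS-IPv4` (and the IPv6 set) to confirm the elements were loaded. Using named sections (`dns_ipv4_set`, `reject_doh_ipv4`) keeps the fragment idempotent with the `uci -q delete` lines from the post above.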
