[SOLVED] Configuring out-of-subnet DNS for guest network

First let me say that I like running things in a 'configuration as code' manner, so I opt to update config files and restart services rather than use luci or the gui.

My primary lan is configured to 192.168.1.0/24, and all DNS is handled by a pihole at 192.168.1.70.

#/etc/config/network
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'

I'm setting up a guest network on 192.168.4.0/24, and if I let it use the openwrt device (and my ISP) then everything works just fine:

#/etc/config/network
config interface 'guest_br'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'

#/etc/config/wireless
config wifi-iface 'wifinet5'
        option network 'guest_br'
        option ssid 'GuestVAP'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'ap'
        option key 'PASSCODE'

I want the guest network to be separated from my primary lan, and also to use the pihole for DNS, gateway for DHCP:

#/etc/config/firewall
config zone 'guest'
        option name 'guest'
        option network 'guest_br'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option dest_ip '192.168.1.70'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

#/etc/config/dhcp
config dhcp 'guest'
        option interface 'guest_br'
        option start '100'
        option limit '150'
        option leasetime '24h'
        list dhcp_option '6,192.168.1.70'

Even so, when I'm on the guest network I can't seem to query the pihole for DNS.

me@laptop$ systemd-resolve --status | grep Current
      Current Scopes: none
      Current Scopes: none
      Current Scopes: DNS         
  Current DNS Server: 192.168.1.70
      Current Scopes: none
me@laptop$ nslookup debian.org 192.168.1.70
;; connection timed out; no servers could be reached

What could I be doing wrong?

You missed the destination zone (option dest 'lan'), which makes the rule part of the iptables INPUT chain, instead of the FORWARD one.

3 Likes
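As an added example (not part of the thread and not OpenWrt project code), the distinction the answer draws can be checked mechanically: a 'config rule' with no 'option dest' is an INPUT rule (traffic addressed to the router itself, which is correct for the DHCP rule), while a rule meant to reach a host in another zone, such as the pihole, must name a dest zone to be placed in FORWARD. The POSIX shell script below embeds a constructed copy of the original guest_dns rule next to a corrected one that adds "option dest 'lan'", and the lint_firewall function flags any rule that sets a dest_ip without a dest zone. Section names and the sample config are taken from the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example: lint an OpenWrt /etc/config/firewall for rules that name a
# dest_ip but no dest zone. Such a rule is attached to the router's INPUT
# chain, so it never permits forwarded traffic to the host it names.

# Constructed sample: the thread's guest zone, the original guest_dns rule
# (missing 'option dest'), a corrected copy, and the DHCP rule, which is
# correctly left without a dest zone because it targets the router itself.
sample_firewall() {
cat <<'EOF'
config zone 'guest'
        option name 'guest'
        option network 'guest_br'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option dest_ip '192.168.1.70'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dns_fixed'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest 'lan'
        option dest_port '53'
        option dest_ip '192.168.1.70'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'
EOF
}

# Read UCI firewall config on stdin; print the name of every 'config rule'
# section that has 'option dest_ip' but no 'option dest'. Each printed name
# is a rule that will land in INPUT rather than FORWARD.
lint_firewall() {
    awk -v q="'" '
    function flush() {
        if (section != "" && type == "rule" && has_dest_ip && !has_dest)
            print section
    }
    $1 == "config" {
        flush()
        type = $2
        section = ($3 == "") ? type "(unnamed)" : $3
        gsub(q, "", section)
        has_dest = 0
        has_dest_ip = 0
    }
    $1 == "option" && $2 == "dest"    { has_dest = 1 }
    $1 == "option" && $2 == "dest_ip" { has_dest_ip = 1 }
    END { flush() }
    '
}

# Run with --demo to lint the embedded sample; on a router, use
#   lint_firewall < /etc/config/firewall
if [ "${1:-}" = "--demo" ]; then
    sample_firewall | lint_firewall
fi
```

Running the demo prints only guest_dns: the corrected copy passes because it names a dest zone, and guest_dhcp passes because it sets no dest_ip and is meant for the router's own DHCP server. The lint is deliberately narrow; it only catches the one pattern from this thread, a forwarding rule that was silently turned into an input rule.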

This did it, thank you!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.