I have 3 VLANs (10, 20, 40). Each VLAN is on a different subnet (10, 20, 1 resp.) and has a separate interface and SSID for access. Using PBR I'm routing traffic appropriately and it works just fine.
But the DNS resolution is something I'm not getting right. I need custom DNS per vlan/interface.
i.e. interface1 <> DNS1, interface2 <> DNS2, and so on.
Using the solution from here, I added DHCP option 6 with the DNS address. Clients pick up the DNS server but don't have internet, although a ping to an IP address works.
What else can I do? I can provide my network, DHCP and firewall config if it helps. Please help.
Edit: Running OpenWrt 22.03.2 on Linksys 3200ACM
Welcome to the community!
Please verify that Internet worked on the VLAN before setting DHCP Option No. 6
Please show DHCP config
cat /etc/config/dhcp
Internet works on the VLAN before DHCP option 6 if a DNS server is set in any one of the interfaces' advanced settings. If not, no internet.
Here is my DHCP config
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	list rebind_domain 'plex.direct'
	list server '/mask.icloud.com/'
	list server '/mask-h2.icloud.com/'
	list server '/use-application-dns.net/'
	option logqueries '1'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option start '10'
	option limit '100'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'torrent'
	option interface 'torrent'
	option leasetime '12h'
	option start '10'
	option limit '100'
	list dhcp_option '6,45.61.49.203'

config host
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.10.xx'
	option name 'nas'
	option dns '1'

config dhcp 'india'
	option interface 'india'
	option leasetime '12h'
	option start '10'
	option limit '100'
	list dhcp_option '6,103.13.112.251'

config host
	option ip '192.168.10.xx'
	option mac 'xx:xx:xx:xx:xx:xx'
	option name 'mini'
	option dns '1'

config host
	option ip '192.168.10.xx'
	option mac 'xx:xx:xx:xx:xx:xx'
	option name 'pi'
	option dns '1'

config host
	option name 'macbookpro'
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.1.xx'
I've unset "Use DNS servers advertised by peer" on WAN, since setting it uses the ISP's DNS.
Try with list dhcp_option '6,1.1.1.1' first, see if it works like that, then figure out how to specify more than one DNS.
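The reply above suggests testing a single resolver first and then more than one. In dnsmasq's dhcp_option syntax the additional servers are simply further comma-separated addresses in the same entry, and on the wire that is still one option 6 whose length grows by 4 bytes per address (RFC 2132 section 3.8). The following is an added example written for this page, not dnsmasq or OpenWrt code; it builds and parses that option so the exact bytes a client receives in a DHCPOFFER can be compared against a packet capture. The function names are this example's own.

```python
"""Encode and decode DHCP option 6 (Domain Name Server, RFC 2132 section 3.8).

Added example for this thread, not dnsmasq or OpenWrt code. It shows what dnsmasq
puts on the wire for a UCI value such as '6,1.1.1.1,1.0.0.1': a single option with
tag 6, a length that is a multiple of 4, and the IPv4 addresses in preference order.
"""
import ipaddress
import struct

OPTION_DNS_SERVER = 6


def encode_dhcp_option6(uci_value):
    """Turn a dhcp_option value like '6,1.1.1.1,1.0.0.1' into the option TLV bytes.

    Raises ValueError on anything malformed (wrong option code, empty field, bad
    address) so a typo in /etc/config/dhcp is caught before a client sees it.
    """
    fields = [f.strip() for f in uci_value.split(',')]
    if len(fields) < 2 or fields[0] not in ('6', 'option:dns-server'):
        raise ValueError('expected "6,<ip>[,<ip>...]", got %r' % uci_value)
    # IPv4Address('') or IPv4Address('1.1.1') raise a ValueError subclass.
    payload = b''.join(ipaddress.IPv4Address(ip).packed for ip in fields[1:])
    if len(payload) > 255:
        raise ValueError('too many servers: the option length is a single byte')
    return struct.pack('!BB', OPTION_DNS_SERVER, len(payload)) + payload


def decode_dhcp_option6(data):
    """Parse one option-6 TLV and return the advertised resolvers in order."""
    if len(data) < 2:
        raise ValueError('truncated option')
    tag, length = data[0], data[1]
    if tag != OPTION_DNS_SERVER or length == 0 or length % 4 or len(data) < 2 + length:
        raise ValueError('not a well-formed DNS server option')
    return [str(ipaddress.IPv4Address(data[2 + i:6 + i])) for i in range(0, length, 4)]


if __name__ == '__main__':
    tlv = encode_dhcp_option6('6,1.1.1.1,1.0.0.1')
    print(tlv.hex(), decode_dhcp_option6(tlv))
```

A trailing comma or a mistyped address in the UCI value fails loudly here, which is a quicker check than watching clients silently fall back to no resolver.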
Tried with just one DNS server, 6,1.1.1.1. Same result, no internet. It's as if none of my clients (Apple, Android) like the DHCP option.
Only if I set DNS in the advanced settings can I access the internet, but this also causes DNS leaks on the other interfaces, since my aim is to isolate DNS servers per interface.
Let's see the complete configuration:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Here is the config
System
{
	"kernel": "5.10.146",
	"hostname": "router_main",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.2",
		"revision": "r19803-9a599fee93",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 22.03.2 r19803-9a599fee93"
	}
}
Network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan.40'
	option ipv6 '0'
	option delegate '0'
	option peerdns '0'
	option defaultroute '0'

config device
	option name 'wan'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option device 'wan'
	option ipv6 '0'
	option proto 'pppoe'
	option username 'xxxx'
	option password 'xxxx'
	option peerdns '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan1:t'
	list ports 'lan4'

config interface 'torrent'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option peerdns '0'

config interface 'wg_torrent'
	option proto 'wireguard'
	option private_key 'xxx'
	list addresses 'xx.xx.xx.xx'
	list addresses 'xxx'
	option peerdns '0'
	list dns 'xx.xx.xx.xx'
	list dns 'xx:xx:xx:xx:xx'

config wireguard_wg_torrent
	option description 'Imported peer configuration'
	option public_key 'xxx'
	option preshared_key 'xxx'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option persistent_keepalive '15'
	option endpoint_host 'xx.xx.xx.xx'
	option endpoint_port 'xxxx'

config interface 'india'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option peerdns '0'
	option defaultroute '0'

config interface 'tun_in'
	option proto 'none'
	option device 'tun0'
	option peerdns '0'
Wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option channel '36'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'xxxx'
	option encryption 'psk2'
	option key 'xxxx'
	option network 'torrent'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option band '2g'
	option htmode 'HT40'
	option channel 'auto'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'xxxx'
	option encryption 'psk2'
	option key 'xxxx'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option channel '34'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'xxxx'
	option encryption 'none'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'xxxx'
	option encryption 'psk2'
	option key 'xxxx'
	option network 'india'
DHCP
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	list rebind_domain 'plex.direct'
	list server '/mask.icloud.com/'
	list server '/mask-h2.icloud.com/'
	list server '/use-application-dns.net/'
	option logqueries '1'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option start '10'
	option limit '100'
	list dhcp_option '6,1.1.1.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'torrent'
	option interface 'torrent'
	option leasetime '12h'
	option start '10'
	option limit '100'
	list dhcp_option '6,45.61.49.203'

config host
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.10.xx'
	option name 'nas'
	option dns '1'

config dhcp 'india'
	option interface 'india'
	option leasetime '12h'
	option start '10'
	option limit '100'
	list dhcp_option '6,103.13.112.251'

config host
	option ip '192.168.10.xx'
	option mac 'xx:xx:xx:xx:xx:xx'
	option name 'mini'
	option dns '1'

config host
	option ip '192.168.10.xx'
	option mac 'xx:xx:xx:xx:xx:xx'
	option name 'pi'
	option dns '1'
Firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'xxxx::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'DROP'
	list network 'torrent'
	option name 'inf_tor'
	option input 'DROP'

config redirect
	option target 'DNAT'
	option name 'torrent_intercept_dns'
	option src_dport '53'
	option src 'inf_tor'

config rule
	option target 'ACCEPT'
	option name 'torrent_dhcp_dns'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67 68'
	option src 'inf_tor'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config zone
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'DROP'
	list network 'wg_torrent'
	option name 'tun_wg_tor'
	option input 'DROP'

config forwarding
	option dest 'wan'
	option src 'tun_wg_tor'

config forwarding
	option src 'inf_tor'
	option dest 'tun_wg_tor'

config redirect
	option target 'DNAT'
	option name 'in_dns_intercept'
	option src_dport '53'
	option src 'inf_ind'

config redirect
	option target 'DNAT'
	option name 'lan_dns_intercept'
	option src 'lan'
	option src_dport '53'

config zone
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'india'
	option name 'inf_ind'
	option input 'DROP'

config zone
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'tun_in'
	option name 'tun_ind'
	option input 'DROP'

config forwarding
	option src 'inf_ind'
	option dest 'tun_ind'

config forwarding
	option dest 'wan'
	option src 'tun_ind'

config rule
	option name 'in_dhcp_dns'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option src 'inf_ind'

config redirect
	option target 'DNAT'
	option name 'plex'
	option src_dport 'xxxxx'
	option dest_ip '192.168.10.xx'
	option dest_port 'xxxxx'
	option dest 'inf_tor'
	option src 'tun_wg_tor'

config redirect
	option target 'DNAT'
	option name 'qbittorrent'
	option src_dport 'xxxx'
	option dest_ip '192.168.10.xx'
	option dest_port 'xxxxx'
	option dest 'inf_tor'
	option src 'tun_wg_tor'
Remove the peerdns line from each of the networks other than the wan (keep it on the wan).
roofussummers:
option peerdns '0'
On the wan, it is recommended that you include the desired dns server for the system to use. This is for the router itself, and does not need to be the same as what you want the individual lans to use.
Add this line to the torrent and india DHCP server stanzas (it's already in your lan, which is good):
roofussummers:
option dhcpv4 'server'
Turn off masquerading and mtu_fix on all zones other than the wan zone.
Then reboot and try again.
Some progress.
Removed option peerdns '0' from network (lan, torrent, wg_torrent, india, tun_in).
Added a different DNS on WAN Advanced Settings --> Custom DNS.
masquerading and mtu_fix turned off on zones (inf_tor, tun_wg_tor, inf_ind, tun_ind).
I can now access the internet on LAN (192.168.1.x) with its custom DNS set via DHCP options. However, no internet on the torrent and india interfaces.
Edit: the LAN interface talks to the DNS set in DHCP. No DNS leaks so far (doesn't talk to the DNS set on WAN).
pavelgl
October 24, 2023, 6:30pm
roofussummers:
config dhcp 'torrent'
	option interface 'torrent'
	option leasetime '12h'
	option start '10'
	option limit '100'
	list dhcp_option '6,45.61.49.203'

config dhcp 'india'
	option interface 'india'
	option leasetime '12h'
	option start '10'
	option limit '100'
	list dhcp_option '6,103.13.112.251'
If you want to use custom DNS servers for the torrent and india interfaces, do not intercept and redirect the DNS requests originating from those interfaces to the router itself.
Remove these firewall rules:
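The point pavelgl makes above can be checked mechanically before touching the router: a firewall 'redirect' with target DNAT and src_dport 53 but no dest_ip sends the zone's DNS queries to the router itself, so whatever resolver DHCP option 6 advertises to clients is never reached, and every lookup is answered (and potentially leaked upstream) by dnsmasq. The following is an added example written for this page, not OpenWrt code and not anything a poster ran. It includes a minimal UCI reader (OpenWrt's real parser is libuci) and reads the same two files the thread asked for; the DHCP_SAMPLE and FIREWALL_SAMPLE strings are constructed, cut down from the stanzas posted above to the fields the check uses, and the 8080 port and 192.168.10.20 host in the last sample redirect are placeholders. The lan zone is left out of the sample so the two VPN VLANs are the only conflicts it reports.

```python
"""Find OpenWrt VLANs whose DHCP option 6 is overridden by a DNS intercept rule.

Added example for this thread, not OpenWrt code and not a poster's. A minimal UCI
reader (the real one is libuci) plus the check pavelgl's reply implies: a firewall
'redirect' with target DNAT on src_dport 53 and no dest_ip sends every DNS query
from that zone to the router, so the resolver advertised via option 6 is ignored.
"""
import shlex
from collections import defaultdict


def parse_uci(text):
    """Return UCI sections as dicts: type, name, options {k: v}, lists {k: [v]}."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if not tok:
            continue
        if tok[0] == 'config':
            sections.append({'type': tok[1], 'name': tok[2] if len(tok) > 2 else None,
                             'options': {}, 'lists': defaultdict(list)})
        elif tok[0] == 'option' and sections:
            sections[-1]['options'][tok[1]] = tok[2]
        elif tok[0] == 'list' and sections:
            sections[-1]['lists'][tok[1]].append(tok[2])
    return sections


def dhcp_dns(dhcp):
    """Map each DHCP-serving interface to the resolvers it pushes in option 6."""
    result = {}
    for s in dhcp:
        if s['type'] != 'dhcp' or s['options'].get('ignore') == '1':
            continue
        servers = []
        for opt in s['lists'].get('dhcp_option', []):
            code, _, value = opt.partition(',')          # e.g. '6,1.1.1.1,1.0.0.1'
            if code.strip() in ('6', 'option:dns-server'):
                servers += [v.strip() for v in value.split(',') if v.strip()]
        if servers:
            result[s['options'].get('interface', s['name'])] = servers
    return result


def dns_intercept_zones(fw):
    """Zones whose port-53 traffic is DNATed to the router (DNAT with no dest_ip)."""
    return {s['options']['src'] for s in fw
            if s['type'] == 'redirect' and s['options'].get('target') == 'DNAT'
            and '53' in s['options'].get('src_dport', '').split()
            and 'dest_ip' not in s['options']}


def dns_conflicts(dhcp, fw):
    """Interfaces that advertise custom DNS but sit in a zone that intercepts
    port 53: clients configure the advertised resolver, yet dnsmasq answers."""
    intercept = dns_intercept_zones(fw)
    iface_zone = {n: s['options']['name'] for s in fw if s['type'] == 'zone'
                  for n in s['lists'].get('network', [])}
    return sorted(i for i in dhcp_dns(dhcp) if iface_zone.get(i) in intercept)


# Constructed samples: the thread's stanzas cut down to the fields the check reads.
DHCP_SAMPLE = """
config dhcp 'lan'
	option interface 'lan'
	list dhcp_option '6,1.1.1.1,1.0.0.1'
config dhcp 'torrent'
	option interface 'torrent'
	list dhcp_option '6,45.61.49.203'
config dhcp 'india'
	option interface 'india'
	list dhcp_option '6,103.13.112.251'
"""
FIREWALL_SAMPLE = """
config zone
	option name 'inf_tor'
	list network 'torrent'
config zone
	option name 'inf_ind'
	list network 'india'
config redirect
	option target 'DNAT'
	option src 'inf_tor'
	option src_dport '53'
config redirect
	option target 'DNAT'
	option src 'inf_ind'
	option src_dport '53'
config redirect
	option target 'DNAT'
	option src 'tun_wg_tor'
	option src_dport '8080'
	option dest_ip '192.168.10.20'
"""

if __name__ == '__main__':
    print(dns_conflicts(parse_uci(DHCP_SAMPLE), parse_uci(FIREWALL_SAMPLE)))
```

On a live router replace the samples with open('/etc/config/dhcp').read() and open('/etc/config/firewall').read(); an empty result means every VLAN's option 6 resolver is actually reachable, and a port-forward DNAT with a dest_ip (the last sample redirect) is correctly not counted as an intercept.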
So after removing the DNS intercept rule, I could still not connect to the internet via torrent and india (these are VPN endpoints). So I temporarily disabled VPN and updated the firewall rules accordingly. Good news is I have internet from all interfaces and DNS resolution works as expected with DHCP option #6. Verified with ipleak.net and there are no DNS leaks.
Next challenge is to introduce VPN and see what's up with that. I have a feeling I'm messing up tunnels and firewall logic.
Edit: replies that helped with the solution --> reply1, reply2
You probably need to use policy based routing if you are trying to send data selectively via the regular wan and/or multiple VPNs.
PBR (Policy-Based Routing) See also: Routing and PBR basics, Multi-WAN PBR is a technique used to make routing decisions based on policies set by the network administrator. There are different methods to implement PBR with their own pros and cons,...
Got it working with split traffic. Couldn't figure out what was wrong, so I just deleted the interfaces and re-did everything as suggested in this thread. I now have 3 different interfaces, each connecting to a different endpoint with its own DNS servers. Thank you all for helping. Much appreciated!
Edit: replies that helped with the solution: reply1 and reply2
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
system
Closed
November 3, 2023, 8:20pm
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.