Posted: Tue Jan 22, 2019 21:32 Post subject: pihole + guest acess = help with iptables please
So my iptables are blocking my guest bridges from making dns lookups.
I'm running a pihole server off of an old laptop plugged into a wireless bridge (Linksys WRT300N v1) "the bridge has two clients and both are fully functional".
br0 which is in the same subnet as the pi-hole server and of the main router (R6400) can complete lookups. br1 and br2 cannot.
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Wed Jan 23, 2019 3:49 Post subject:
Seems a little redundant for pointing the br1 and br2 interfaces in both FORWARD and PREROUTING chains, but if it is working, and you can surf the 'net, then I don't see an issue. I probably need to brush up some myself.
negative, this is not correct and you keep suggesting it... I can do that using iptables in most of the cases... but cannot do that only on Wi-Fi; it will be regarding a particular bridge...
also ebtables are not present on all the routers; as well, they are quite CPU demanding too...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
If you can do it on DD-WRT on Broadcom (mips, specifically)**, I'd love to see it. I have tried every incarnation of iptables rules given and suggested to block those services on eth* and wl* and not a damn thing worked. But it's working with ebtables just fine. Broadcom is not Atheros, IPQ, Ralink, MediaTek, etc., so unless you are saying you can do it on BROADCOM successfully and can prove it, I ain't buying it. Give me the exact configs, I'll even try it if you're so sure.... oh, wait, I think I have even used iptables rules YOU have suggested / posted, and it didn't work...
Since we are a little off topic in here... pi-hole is nice; surprisingly you don't really notice anything in the network except the lack of ads and an occasional speed boost whilst loading things. I currently have 1,5XX,XXX domains in my blocklist
@Alozaros
Are you saying my service blocking iptables will work?
that's what I have on my Broadcom unit and it's working well to prevent GUI access
for the record I always use Kong builds...
back in the days it was possible to change the microserver (GUI) port and use a different port instead, but now it's impossible
ebtables are not a go anyway...
on my R7800 I have the same iptables lines and it's ok too
the only case when this is not working is if you have a DSL modem with a PPPoE interface before your router in bridge mode, as some DSL modems use port 80 locally too... that's why I used to change it to something else...
alternative to mac address is via IP
iptables -I INPUT -i br0 -p tcp --dport 8083 -j DROP
iptables -I INPUT -i br0 -p tcp -s 192.168.1.101 --dport 8083 -j ACCEPT
do notice I changed the port to 8083; back in the days it was possible via CLI, now I use port 80 as it is
nvram set http_lanport 8083 (<---- Or whatever port you want)
nvram commit
reboot
p.s. as i stated ebtables are CPU demanding and slow down the unit...
Usually you use ebtables when you need access to some layer 2 component, such as the MAC address, and even then, you can usually load the MAC module in iptables..
also I'm not aware of their use as much as iptables..
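As an added example that is not the posters' own script, here is a DD-WRT firewall-script fragment that applies the two INPUT rules above in a re-runnable way and, in the same style, answers the opening post's guest-bridge problem by letting br1/br2 reach only the Pi-hole's DNS port on the br0 subnet. The admin host 192.168.1.101 and port 8083 are the values from the post; the Pi-hole address 192.168.1.10, the bridge names br1/br2, the DRY_RUN switch and all function names are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread): DD-WRT firewall-script fragment that
# (1) lets guest bridges reach only the Pi-hole's DNS port on the br0 subnet
# and (2) limits the web GUI on br0 to one admin host, as in the two INPUT
# rules posted above. Addresses, bridge names and ports are assumptions.

LAN_IF="${LAN_IF:-br0}"
GUEST_IFS="${GUEST_IFS:-br1 br2}"          # assumption: guest bridge names
PIHOLE_IP="${PIHOLE_IP:-192.168.1.10}"      # assumption: Pi-hole address on br0
ADMIN_IP="${ADMIN_IP:-192.168.1.101}"       # value used in the post
GUI_PORT="${GUI_PORT:-8083}"                # matches nvram http_lanport in the post
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print commands instead of running

# Rules are listed in -I (insert-at-top) order: the catch-all DROP is inserted
# first, then each ACCEPT lands above it, so the chain is evaluated as
# ACCEPT(specific) -> DROP(everything else). Reversing the order would leave
# the DROP on top and silently break the allowed traffic.
guest_dns_rules() {
  for g in $GUEST_IFS; do
    printf '%s\n' \
      "FORWARD -i $g -o $LAN_IF -j DROP" \
      "FORWARD -i $g -o $LAN_IF -d $PIHOLE_IP -p udp --dport 53 -j ACCEPT" \
      "FORWARD -i $g -o $LAN_IF -d $PIHOLE_IP -p tcp --dport 53 -j ACCEPT" \
      "FORWARD -i $LAN_IF -o $g -m state --state ESTABLISHED,RELATED -j ACCEPT"
  done
}

gui_rules() {
  printf '%s\n' \
    "INPUT -i $LAN_IF -p tcp --dport $GUI_PORT -j DROP" \
    "INPUT -i $LAN_IF -p tcp -s $ADMIN_IP --dport $GUI_PORT -j ACCEPT"
}

# Insert a rule only if it is not already in the chain (iptables -C), so the
# script stays idempotent when DD-WRT re-runs the firewall script on WAN events
# and the chain does not fill up with duplicate rules.
ensure_rule() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$IPT -I $1"
  elif ! $IPT -C $1 2>/dev/null; then
    $IPT -I $1
  fi
}

apply_rules() {
  { guest_dns_rules; gui_rules; } | while IFS= read -r rule; do
    ensure_rule "$rule"
  done
}

# Number of rules the script manages; handy as a sanity check before a reboot.
rule_count() {
  { guest_dns_rules; gui_rules; } | wc -l | tr -d ' '
}

if [ "${RUN_MAIN:-0}" = 1 ]; then
  apply_rules
fi
```

Run it once with DRY_RUN=1 to review the exact iptables commands before committing them to the firewall script; the state-tracking rule only matters if the build's default FORWARD chain lacks one. Very old iptables builds do not support -C; on those, replace the check with a grep over the output of iptables -S before inserting.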
I will try that particular combination, but it negates how the function is supposed to work via the webUI, that was the whole problem to begin with as best I understand it. Explain why ebtables are not a go, because that is what the functionality is SUPPOSED to use.... and I don't think ebtables functionality has been removed in any kernels?
Posted: Thu Jan 24, 2019 8:05 Post subject:
@Alozaros -
Your two linked posts pretty much proved why I have suggested ebtables. Because trying to do it with iptables for any other connection but DHCP breaks it or doesn't work. I've tried even using the destination ip address of the router for br0, eth1, eth2, wl* and that doesn't work because that is not how it is supposed to work. I'd have to dig up the function for WAN access, but it is different (and disabling it works as advertised, last I knew). I still am not understanding why you're saying that ebtables loads the cpu any more than iptables -- they are both kernel space functions, ebtables is strictly for the ethernet bridge(s) and the interfaces on the bridge(s). It's also the default function from OEM firmware to block wireless access to the webUI AFAIK.
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Thu Jan 24, 2019 10:08 Post subject:
ok then show us how...??? you do it in your way...!!!
Posted: Thu Jan 24, 2019 17:06 Post subject:
Alozaros wrote:
ok then show us how...??? you do it in your way...!!!
https://svn.dd-wrt.com/ticket/3544#comment:26 <-- if you had read the ticket link I posted earlier all the way down to the last couple of comments. I haven't quite figured out the ipv6 fix, but for ipv4, that is what works for me. I only have a single wired anything to the device, so not worried about wired clients cracking in from the lan side.
jwh7 wrote:
kernel-panic69 wrote:
I still am not understanding why you're saying that ebtables loads the cpu any more than iptables
I recall there was an issue in BS builds where ebtables caused 100% cpu, while Kong builds were fine. But I thought this was fixed in 5861.
That is if you're using QoS or OpenVPN, as best I can tell. I don't have either enabled, and the ticket tatsuya opened was for Atheros. I *did* have a random weird spike to 100+% cpu last night, however. It happened after updating the browser I use to access the webUI and re-logging into the webUI, and wound up rebooting the router, but otherwise, I have not seen any such behavior.
I can dig through GPL, HyperWRT, Tomato, etc. code and find the function. I just know that trying to use iptables per wireless interface via CLI or firewall script doesn't work (which is the advanced wireless function, it is per interface, not both at the same time). Alozaros' method, however, does seem to work (to restrict access to only one wired lan client, unless you add a rule per ip/mac address) -- tested it on one of the others I was using to test K2.6 builds running r35531. People can feel free to test/use either method and figure out a fix for ipv6... it's all whatever to me.