I did not use the new DNSMasq method (yet) because it would mean more work for me but will be done later if needed.
So I have this isolated Guest network on br1 with subnet 20.0.0.1/24
And my private network 192.168.1.0/24 (br0)
I was reading some guides and iptables documents and I thought it should look something like this, but it doesn't seem to work and I have no idea how to easily troubleshoot this.
# Allow Guest Network to access Pi-Hole
iptables -I FORWARD -i br1 -o br0 -d 192.168.1.130 -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -d 192.168.1.130 -p tcp --dport 53 -m state --state NEW -j ACCEPT
Are you sure the pi-hole knows how to route back to the Guest network? When the pi-hole is on the same network as the client, that's not an issue. The pi-hole and client are bridged; no routing required. But in order for the pi-hole to work w/ the guest network, that requires routing. And that's only going to work if the pi-hole is using the same default gateway as the rest of the network.
iptables -I FORWARD -i br1 -o br0 -d 192.168.1.130 -p udp --dport 53 -m state --state NEW -j ACCEPT
This rule does not work because there is no state on UDP. It's a connectionless protocol.
Correct. The udp protocol is in fact stateless. However, the SPI firewall in conjunction w/ connection tracking *will* track udp packets in and out and provide it w/ (pseudo) state, and thus using the state machine/module w/ udp should work. Obviously it's not as effective as tracking state on tcp packets. Unlike tcp where there is an actual field in the packets to track state and determine the formal end of a connection, you can only track state w/ udp via connection tracking itself (basically matching up source and destination IP, ports, etc.), and determine the end of a udp conversation/connection (using those terms loosely) based on some arbitrary timeout. That's what makes udp by its very nature not quite as secure as tcp. That's also why when using udp applications, it's particularly important to use some form of keepalive between the endpoints. Otherwise stateful firewalls might eventually block your udp connection.
If you want to see this in action, perhaps the best example I know is to add the following rules to the firewall script.
Code:
iptables -I OUTPUT -p udp -d 91.227.222.7 --dport 5353 -m state --state ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p udp -d 91.227.222.7 --dport 5353 -m state --state NEW -j ACCEPT
That destination IP and port happen to be the remote IP and port of my OpenVPN provider (adjust as necessary). Now enable the OpenVPN client and monitor the OUTPUT chain.
Code:
while :; do clear; iptables -vnL OUTPUT; sleep 3; done
What you'll likely see is an initial NEW udp packet, followed by a flood of ESTABLISHED udp packets as you use the OpenVPN client's tunnel. And w/ the OpenVPN keepalive directive in place, that NEW packet count won't likely increase, but stay pegged at one (1) packet.
And if you dump connection tracking, you won't see the word ESTABLISHED for that connection like you do w/ tcp connections, but it will report ASSURED, indicating that it has seen traffic in both directions.
Code:
while :; do clear; cat /proc/net/ip_conntrack | grep 91.227.222.7; sleep 3; done
(note, some newer builds might need to use nf_conntrack rather than ip_conntrack; the former has supplanted the latter in more current versions of the router)
I'm only going through this much detail because I know a lot of ppl think that using the state machine/module w/ udp packets doesn't actually work. But it does, as long as the stateful firewall is enabled.
In the case of the OP, checking state is just overkill, so he can drop it.
Thanks for all the answers, will do some tests when home later today. _________________ D-Link DIR-825 B1 / DD-WRT v3.0-r33215 std (08/25/17)
Netgear R7000 / DD-WRT v3.0-r33679 std (11/04/17)
Thanks eibgrad for this post it worked.
Also thanks for your explanation. _________________ D-Link DIR-825 B1 / DD-WRT v3.0-r33215 std (08/25/17)
Netgear R7000 / DD-WRT v3.0-r33679 std (11/04/17)