PiHole HA, Wireguard client no access to Nord VPN DNS

DD-WRT Forum Index -> Advanced Networking
MaxiHP
DD-WRT Novice


Joined: 19 Apr 2019
Posts: 21

PostPosted: Fri Aug 04, 2023 15:57    Post subject: PiHole HA, Wireguard client no access to Nord VPN DNS
Basic setup: Main router Netgear R7000, Firmware Version DD-WRT v3.0-r51530 std (01/29/23)
to VPN router Netgear R7000, Firmware Version DD-WRT v3.0-r52569 std (05/15/23)

I believe my issue lies in this ball of string, but I am clearly out of my league. This is a total cobble job from going from my old setup (3 dedicated PiHoles, one on each subnet) and interweb searches...

I get a connection in the Tunnel hitting F5, so I do connect, but it won't host to the devices. I have tried many settings in PiHole (Listen Interface and Conditional Forwarding). I can see all the DNS calls in the PiHole for the entire network (3 subnets). HA IP is 10.0.20.20 from the PiHoles on 10.0.20.250 and 10.0.20.249.

via Main 10.0.20.253 to WAN VPN 10.0.21.0/24
VPN to NORD via IFace oet1

Below are the 2 routing tables from Advanced Networking -- XX are the external IPs
Main 10.0.20.1
Destination Gateway Table Scope Metric IF Source
10.0.20.0/24 default link 0 LAN & WLAN 10.0.20.1
10.0.21.0/24 10.0.20.1 default 0 LAN & WLAN
10.0.22.0/24 10.0.20.1 default 0 LAN & WLAN
127.0.0.0/8 default link 0 lo
XX.XX.XX.0/22 default link 0 WAN 76.230.104.202
default XX.XX.XX.XX default 0 WAN

VPN 10.0.21.1
Destination Gateway Table Scope Metric IF Source
0.0.0.0/1 default link 0 oet1
default 10.0.20.1 default 0 WAN
10.0.20.0/24 default link 0 WAN 10.0.20.253
10.0.21.0/24 default link 0 LAN & WLAN 10.0.21.1
103.86.96.100 default link 0 oet1
103.86.99.100 default link 0 oet1
XX.XX.XX.XX 10.0.20.1 default 0 WAN
127.0.0.0/8 default link 0 lo
128.0.0.0/1 default link 0 oet1

Below are the Firewall rules -- ECHO MAC = I couldn't get that bugger to stay off my main network
Main 10.0.20.1

iptables -t nat IPOSTROUTING-s 10.8.0.0/24-o $(nvram get wan_iface)-j MASQUERADE
#pihole 250 only
#iptables -t nat -I PREROUTING -i br0 -s ! 10.0.20.250 -p tcp --dport 53 -j DNAT --to 10.0.20.1
#iptables -t nat -I PREROUTING -i br0 -s ! 10.0.20.250 -p udp --dport 53 -j DNAT --to 10.0.20.1
#pihole HA servers
iptables -t nat -I PREROUTING -i br0 -s ! 10.0.20.20 -p tcp --dport 53 -j DNAT --to 10.0.20.20
iptables -t nat -I PREROUTING -i br0 -s ! 10.0.20.20 -p udp --dport 53 -j DNAT --to 10.0.20.20
iptables -I OUTPUT -m mac --mac-source ECHO MAC -j DROP

iptables -I FORWARD -s 10.0.22.0/24 -d 10.0.20.0/24 -j DROP
iptables -I FORWARD -s 10.0.21.0/24 -d 10.0.20.0/24 -j DROP
#iptables -I FORWARD -s 10.0.22.0/24 -d 10.0.20.250 -j ACCEPT
#iptables -I FORWARD -s 10.0.21.0/24 -d 10.0.20.250 -j ACCEPT


iptables -I INPUT 1 -p tcp -m tcp --dport 4711 -i lo -j ACCEPT

# push RELATED/ESTABLISHED rule back to top of chain
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT



VPN 10.0.21.1

iptables -t nat IPOSTROUTING-s 10.5.0.2/32-o $(nvram get wan_iface)-j MASQUERADE

iptables -I FORWARD -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT

WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset

#iptables -t nat -I PREROUTING -i br0 -s ! 10.0.21.250 -p tcp --dport 53 -j DNAT --to 10.0.21.1
#iptables -t nat -I PREROUTING -i br0 -s ! 10.0.21.250 -p udp --dport 53 -j DNAT --to 10.0.21.1

#iptables -I FORWARD -s 10.0.0.0/16 -j ACCEPT

iptables -I FORWARD -s 10.0.20.0/24 -j ACCEPT

iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6778
Location: UK, London, just across the river..

PostPosted: Fri Aug 04, 2023 19:26    Post subject:
iptables -t nat IPOSTROUTING-s 10.8.0.0/24-o $(nvram get wan_iface)-j MASQUERADE
this rule has a typo

must be
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $(nvram get wan_iface) -j MASQUERADE

I haven't read your post deeply enough for

wireguard docs here https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 58184 WAP
TP-Link WR1043NDv2 -DD-WRT 59369 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 59369 Gateway/DoT,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 59468 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 59369 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Dynalink DL-WRX36-DDWRT 59369
Broadcom
Netgear R7000 --DD-WRT 59468 Gateway/DNScrypt-proxy2/AD-Block,IPset Firewall,Forced DNS,x4VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
MaxiHP
DD-WRT Novice


Joined: 19 Apr 2019
Posts: 21

PostPosted: Sat Aug 05, 2023 15:33    Post subject:
Thanks, I did not see that twice...

Just to clarify: I had a dedicated pihole fully functional on the VPN 21 subnet. When I updated to the network-wide 2 (Primary+Backup) PiHole HA is when it stopped functioning. I still have the dedicated pihole and switched back, pointing the VPN 21 router at it as the DNS. The PiHole HA works for the Main 20 and the IoT 22 subnets; I just can't get the VPN 21 to play.

I believe it is in the NordVPN oet1 IFace that I am having the issue, somewhere between the Firewall and the PiHole, since it works on 2 but not all. I am stuck, a bit clueless when it comes to Firewall IP Tables, Advanced Routing and Conditional Forwarding...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13532
Location: Netherlands

PostPosted: Sat Aug 05, 2023 15:46    Post subject:
Are you pointing the VPN router e.g. in Static DNS 1 to the PiHole?

If so take note that a DNS setting in the WG interface takes precedence.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
MaxiHP
DD-WRT Novice


Joined: 19 Apr 2019
Posts: 21

PostPosted: Sat Aug 05, 2023 16:13    Post subject:
The settings that work: VPN 21 router, Services Tab, Additional Options

dhcp-option=6,10.0.21.250 (dedicated pihole on subnet)

doesn't work:

dhcp-option=6,10.0.20.20 (HA IP)

Based on your comment, is this the issue: HA is a "virtual" IP
and it should be the dedicated one, so I need
dhcp-option=6,10.0.20.249,10.0.20.250 (the real IP addresses)
or to set them in the Basic Tab (see image)?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13532
Location: Netherlands

PostPosted: Sat Aug 05, 2023 16:44    Post subject:
Are these rules set on the VPN router? If so, to what purpose?:
Quote:
WAN_IF=`nvram get wan_iface`
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset


If so, do you have internet when you disable the VPN tunnel?

note: I think the rules are also redundant/wrong; I doubt there is a udp-reset

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
MaxiHP
DD-WRT Novice


Joined: 19 Apr 2019
Posts: 21

PostPosted: Sat Aug 05, 2023 18:11    Post subject:
Closed the Tunnel and no intranet, Open the Tunnel and intranet

It is from not knowing what I am doing but trying anyway...

I believe it is from an older set-up, maybe a kill switch/reconnect, or when I had pivpn or nas. I basically followed instructions from the apps I installed and ended up with what you see. Amazingly it worked at all, based on what you are telling me. I'm not skilled in set-ups like these; I am however willing to learn.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13532
Location: Netherlands

PostPosted: Sat Aug 05, 2023 18:52    Post subject:
MaxiHP wrote:
Closed the Tunnel and no intranet, Open the Tunnel and intranet

It is from not knowing what I am doing but trying anyway...

I believe it is from an older set-up, maybe a kill switch/reconnect, or when I had pivpn or nas. I basically followed instructions from the apps I installed and ended up with what you see. Amazingly it worked at all, based on what you are telling me. I'm not skilled in set-ups like these; I am however willing to learn.


It certainly looks like an old and outdated/wrong kill switch.
Remove it.

First, about your tunnel to NordVPN: it has an oet1 interface, so I assume you are using WireGuard and not OpenVPN?
Both have a kill switch in the GUI, no need to set it manually.
BUT a kill switch stops FORWARD traffic going out of the WAN, so it will block the route to your Pi in all cases, unless you make an exception for your Pi, which can also be done in the GUI with destination routing.

Make sure you do not set a DNS server in the WG interface!

For your VPN router setup, do not set a gateway; just keep it at its default 0.0.0.0 (it should translate to the value you have set, as it is the next hop (IP address of the upstream router)).

For DNS, make sure to enable/tick "Ignore WAN DNS" and
either set local DNS or Static DNS to the Pi, so that your router also uses your Pi as DNS server.

It is late so I might have overlooked something but I hope this will get you going.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
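Added example (not code from anyone in this thread, and not DD-WRT's own logic): a small Python model of the VPN router's posted routing table and FORWARD chain, so you can see why a DNS query from a VPN-subnet client to the HA address 10.0.20.20 dies while one to 10.0.21.250 works. It assumes a FORWARD default policy of ACCEPT, that the "WAN" port of the VPN router is the link carrying 10.0.20.0/24, and that the Pi exception egc describes takes the form "allow br0 traffic to 10.0.20.20 ahead of the kill switch" (the GUI's destination routing produces something equivalent, but the exact rule is an assumption here). It also mirrors the fact that iptables refuses to load a REJECT rule with an unknown --reject-with type such as udp-reset.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Routing table of the VPN router (10.0.21.1), transcribed from the thread.
# gateway None means an on-link ("link" scope) route; "WAN" is the port
# facing the main router's 10.0.20.0/24 LAN, "oet1" is the WireGuard tunnel.
ROUTES = [
    ("0.0.0.0/1", None, "oet1"),
    ("0.0.0.0/0", "10.0.20.1", "WAN"),
    ("10.0.20.0/24", None, "WAN"),
    ("10.0.21.0/24", None, "br0"),
    ("103.86.96.100/32", None, "oet1"),
    ("103.86.99.100/32", None, "oet1"),
    ("127.0.0.0/8", None, "lo"),
    ("128.0.0.0/1", None, "oet1"),
]

def lookup_route(dst: str) -> str:
    """Longest-prefix match: the most specific route containing dst wins.
    This is why 10.0.20.20 leaves via WAN even though 0.0.0.0/1 and
    128.0.0.0/1 steer everything else into the tunnel."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, _gw, dev in ROUTES:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, dev)
    return best[1]

# Types iptables accepts for REJECT --reject-with (IPv4); there is no udp-reset.
VALID_REJECT_WITH = {
    "icmp-net-unreachable", "icmp-host-unreachable", "icmp-port-unreachable",
    "icmp-proto-unreachable", "icmp-net-prohibited", "icmp-host-prohibited",
    "icmp-admin-prohibited", "tcp-reset",
}

@dataclass
class Rule:
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    state: Optional[str] = None
    reject_with: Optional[str] = None

def _matches(r: Rule, p: dict) -> bool:
    if r.in_if and r.in_if != p["in_if"]:
        return False
    if r.out_if and r.out_if != p["out_if"]:
        return False
    if r.proto and r.proto != p["proto"]:
        return False
    if r.src and ipaddress.ip_address(p["src"]) not in ipaddress.ip_network(r.src):
        return False
    if r.dst and ipaddress.ip_address(p["dst"]) not in ipaddress.ip_network(r.dst):
        return False
    if r.state and p["state"] not in r.state.split(","):
        return False
    return True

class ForwardChain:
    """Minimal FORWARD chain: first matching rule decides; assumed policy ACCEPT."""
    def __init__(self):
        self.rules = []

    def insert(self, rule: Rule) -> None:
        # iptables refuses to load a REJECT rule with an unknown --reject-with
        if rule.target == "REJECT" and rule.reject_with not in VALID_REJECT_WITH:
            raise ValueError(f"unknown reject type: {rule.reject_with}")
        self.rules.insert(0, rule)  # -I prepends: the last rule inserted is checked first

    def verdict(self, pkt: dict) -> str:
        for r in self.rules:
            if _matches(r, pkt):
                return r.target
        return "ACCEPT"

def build_forward_chain(pihole_exception: bool = False) -> ForwardChain:
    """Replay the VPN router's firewall script from the thread, in order.
    pihole_exception adds the assumed 'allow br0 -> 10.0.20.20' rule ahead of the kill switch."""
    c = ForwardChain()
    c.insert(Rule("ACCEPT"))
    c.insert(Rule("REJECT", in_if="br0", out_if="WAN", reject_with="icmp-host-prohibited"))
    c.insert(Rule("REJECT", in_if="br0", out_if="WAN", proto="tcp", reject_with="tcp-reset"))
    try:
        c.insert(Rule("REJECT", in_if="br0", out_if="WAN", proto="udp", reject_with="udp-reset"))
    except ValueError:
        pass  # the real router never has this rule either; iptables rejects it at load time
    c.insert(Rule("ACCEPT", src="10.0.20.0/24"))
    if pihole_exception:
        c.insert(Rule("ACCEPT", in_if="br0", dst="10.0.20.20/32"))
    c.insert(Rule("ACCEPT", state="RELATED,ESTABLISHED"))
    return c

def dns_query_verdict(chain: ForwardChain, client: str, dns_server: str, proto: str = "udp"):
    """Trace a NEW DNS query from a VPN-subnet client: route it, then run FORWARD."""
    out_if = lookup_route(dns_server)
    if out_if == "br0":
        return out_if, "not forwarded (same subnet, router not in the path)"
    pkt = {"in_if": "br0", "out_if": out_if, "proto": proto,
           "src": client, "dst": dns_server, "state": "NEW"}
    return out_if, chain.verdict(pkt)

if __name__ == "__main__":
    for exc in (False, True):
        chain = build_forward_chain(pihole_exception=exc)
        for server in ("10.0.21.250", "10.0.20.20", "103.86.96.100"):
            print(f"exception={exc} client 10.0.21.100 -> {server}:53 "
                  f"{dns_query_verdict(chain, '10.0.21.100', server)}")
```

Running it shows the three cases side by side: 10.0.21.250 is on the client's own subnet, so the router's firewall never sees the query; 103.86.96.100 (NordVPN's DNS) is routed into oet1 and passes; 10.0.20.20 is routed out the WAN port and hits the kill switch REJECT unless the exception rule sits above it. The same reasoning applies to 10.0.20.249/.250, since they are in the same 10.0.20.0/24 route.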
MaxiHP
DD-WRT Novice


Joined: 19 Apr 2019
Posts: 21

PostPosted: Tue Aug 08, 2023 10:27    Post subject: [Solved] -- PiHole HA, Wireguard client no access to Nord VP
First I updated the IP table per your suggestions. Then things got a bit sketchy. I noticed that of the 3 subnets, 1 was set up in advanced routing as a router and the others as a gateway. When I set them all as gateway, things worked but had issues. After I made a few other changes, upgrading the Main 20 router to DD-WRT v3.0-r52569 std (05/15/23), which brought them all to the same firmware, but locked up the Main 20. I re-flashed and went to the backup I pulled from the previous R51530, loaded it back on, and then everything worked as expected.

I wish I could provide the red x; I don't know if it is in the firmware or my old age learning new tricks. Regardless, I sincerely appreciate your time supporting my problem.
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 2074

PostPosted: Tue Aug 08, 2023 13:31    Post subject:
Probably a matter of don't load a backup from an older release / take the time to wipe nvram and start from scratch. There should be no reason outside of a hardware or power adapter issue that would cause a lock-up.
_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
MaxiHP
DD-WRT Novice


Joined: 19 Apr 2019
Posts: 21

PostPosted: Tue Aug 08, 2023 14:05    Post subject:
What's crazy is the old settings in the backup fixed it; at least all the issues I had are gone.

Updated to 52569, couldn't get in, then did the reset 30,30,30 and loaded the backup from 51530.
The point is not lost on me; I just did not expect it to work but gave it a shot.