Allow Isolated Guest network to access Pi-Hole?

Author Message
bl@d3runn3r
DD-WRT User


Joined: 10 Jan 2010
Posts: 205

PostPosted: Fri May 03, 2019 8:21    Post subject: Allow Isolated Guest network to access Pi-Hole?
It's probably an easy task, but for some reason I can't get it to work.

I created an isolated Guest network using this Wiki page
https://wiki.dd-wrt.com/wiki/index.php/Guest_Network

I did not use the new DNSMasq method (yet) because it would mean more work for me but will be done later if needed.

So I have this isolated Guest network on br1 with subnet 20.0.0.1/24

And my private network 192.168.1.0/24 (br0)

I was reading some guides and iptables documents and I thought it should look something like this, but it doesn't seem to work and I have no idea how to easily troubleshoot this.

Code:
# Allow Guest Network to access Pi-Hole
iptables -I FORWARD -i br1 -o br0 -d 192.168.1.130 -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -d 192.168.1.130 -p tcp --dport 53 -m state --state NEW -j ACCEPT

Any ideas?

_________________
D-Link DIR-825 B1 / DD-WRT v3.0-r33215 std (08/25/17)
Netgear R7000 / DD-WRT v3.0-r33679 std (11/04/17)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3665
Location: Netherlands

PostPosted: Fri May 03, 2019 9:20    Post subject:
For that we have to see all your rules:
telnet to your router and do:
Code:
iptables -vnL FORWARD

You can leave out the
Code:
-o br0
and the
Code:
-m state --state NEW
although these should not be the problem

Furthermore, you cannot use 20.0.0.1 as a subnet; that is not a private subnet.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Fri May 03, 2019 19:47    Post subject:
The following should suffice.

Code:
iptables -I FORWARD -i br1 -d 192.168.1.130 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.1.130 -p tcp --dport 53 -j ACCEPT


Are you sure the pi-hole knows how to route back to the Guest network? When the pi-hole is on the same network as the client, that's not an issue. The pi-hole and client are bridged; no routing required. But in order for the pi-hole to work w/ the guest network, that requires routing. And that's only going to work if the pi-hole is using the same default gateway as the rest of the network.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5079
Location: Akershus, Norway

PostPosted: Sat May 04, 2019 8:20    Post subject:
Code:
iptables -I FORWARD -i br1 -o br0 -d 192.168.1.130 -p udp --dport 53 -m state --state NEW -j ACCEPT

This rule does not work because there is no state on UDP. It's a connectionless protocol.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Sat May 04, 2019 10:49    Post subject:
Per Yngve Berg wrote:
Code:
iptables -I FORWARD -i br1 -o br0 -d 192.168.1.130 -p udp --dport 53 -m state --state NEW -j ACCEPT

This rule does not work because there is no state on UDP. It's a connectionless protocol.


Correct. The udp protocol is in fact stateless. However, the SPI firewall in conjunction w/ connection tracking *will* track udp packets in and out and provide it w/ (pseudo) state, and thus using the state machine/module w/ udp should work. Obviously it's not as effective as tracking state on tcp packets. Unlike tcp where there is an actual field in the packets to track state and determine the formal end of a connection, you can only track state w/ udp via connection tracking itself (basically matching up source and destination IP, ports, etc.), and determine the end of a udp conversation/connection (using those terms loosely) based on some arbitrary timeout. That's what makes udp by its very nature not quite as secure as tcp. That's also why when using udp applications, it's particularly important to use some form of keepalive between the endpoints. Otherwise stateful firewalls might eventually block your udp connection.

If you want to see this in action, perhaps the best example I know is to add the following rules to the firewall script.

Code:
iptables -I OUTPUT -p udp -d 91.227.222.7 --dport 5353 -m state --state ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p udp -d 91.227.222.7 --dport 5353 -m state --state NEW -j ACCEPT


That destination IP and port happen to be the remote IP and port of my OpenVPN provider (adjust as necessary). Now enable the OpenVPN client and monitor the OUTPUT chain.

Code:
while :; do clear; iptables -vnL OUTPUT; sleep 3; done


What you'll likely see is an initial NEW udp packet, followed by a flood of ESTABLISHED udp packets as you use the OpenVPN client's tunnel. And w/ the OpenVPN keepalive directive in place, that NEW packet count won't likely increase, but stay pegged at one (1) packet.

And if you dump connection tracking, you won't see the word ESTABLISHED for that connection like you do w/ tcp connections, but it will report ASSURED, indicating that it has seen traffic in both directions.

Code:
while :; do clear; cat /proc/net/ip_conntrack | grep 91.227.222.7; sleep 3; done


(note, some newer builds might need to use nf_conntrack rather than ip_conntrack; the former has supplanted the latter in more current versions of the router)

I'm only going through this much detail because I know a lot of ppl think that using the state machine/module w/ udp packets doesn't actually work. But it does, as long as the stateful firewall is enabled.

In the case of the OP, checking state is just overkill, so he can drop it.
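As an added illustration of the pseudo-state described above (this is not code from the thread, from DD-WRT or from netfilter): a small Python model of how connection tracking classifies UDP packets as NEW or ESTABLISHED, marks an entry ASSURED once traffic has flowed in both directions, and forgets a silent entry after its timeout. The timeout values mirror netfilter's defaults, the Pi-hole address 192.168.1.130 is the one from the thread, and the guest client address 10.0.0.50 and its source port are constructed.

```python
# Timeouts mirror the netfilter defaults nf_conntrack_udp_timeout (30 s) and
# nf_conntrack_udp_timeout_stream (180 s, used once a reply has been seen).
UDP_TIMEOUT = 30
UDP_TIMEOUT_STREAM = 180

class UdpConntrack:
    """Simplified model of netfilter's pseudo-state for UDP (constructed example):
    no entry -> NEW; reply seen -> ESTABLISHED and ASSURED; idle past timeout -> forgotten."""
    def __init__(self):
        self.table = {}  # 4-tuple -> {"expires": float, "replied": bool, "assured": bool}

    def _expire(self, now):
        for key in [k for k, e in self.table.items() if e["expires"] <= now]:
            del self.table[key]

    def packet(self, src, sport, dst, dport, now):
        """Return the state that 'iptables -m state' would match for this packet."""
        self._expire(now)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in self.table:
            entry, is_reply = self.table[fwd], False
        elif rev in self.table:
            entry, is_reply = self.table[rev], True
        else:  # unknown 4-tuple: create the entry with the short timeout
            self.table[fwd] = {"expires": now + UDP_TIMEOUT, "replied": False, "assured": False}
            return "NEW"
        if entry["replied"]:  # a reply was already seen: traffic has flowed both ways
            entry["assured"] = True
            entry["expires"] = now + UDP_TIMEOUT_STREAM
            state = "ESTABLISHED"
        else:
            entry["expires"] = now + UDP_TIMEOUT
            state = "ESTABLISHED" if is_reply else "NEW"
        entry["replied"] = entry["replied"] or is_reply
        return state

    def is_assured(self, src, sport, dst, dport):
        e = self.table.get((src, sport, dst, dport)) or self.table.get((dst, dport, src, sport))
        return bool(e and e["assured"])

def demo():
    """Guest client (constructed 10.0.0.50) querying the Pi-hole at 192.168.1.130 over UDP/53."""
    ct, t = UdpConntrack(), 1000.0
    states = [ct.packet("10.0.0.50", 40000, "192.168.1.130", 53, t)]             # first query
    states.append(ct.packet("192.168.1.130", 53, "10.0.0.50", 40000, t + 0.01))  # the answer
    states.append(ct.packet("10.0.0.50", 40000, "192.168.1.130", 53, t + 1))     # next query
    assured = ct.is_assured("10.0.0.50", 40000, "192.168.1.130", 53)
    # Silence longer than the stream timeout: the entry is gone, so the flow is NEW again.
    states.append(ct.packet("10.0.0.50", 40000, "192.168.1.130", 53, t + 1 + UDP_TIMEOUT_STREAM + 1))
    return states, assured
```

The last packet in `demo()` is what a keepalive prevents: a packet sent inside the timeout window refreshes the entry, so a stateful firewall keeps matching the flow as ESTABLISHED.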
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5079
Location: Akershus, Norway

PostPosted: Sat May 04, 2019 12:16    Post subject:
Do you get the same results between br1 and br0?
bl@d3runn3r
DD-WRT User


Joined: 10 Jan 2010
Posts: 205

PostPosted: Sat May 04, 2019 13:40    Post subject:
Thanks for all the answers, will do some tests when home later today.
_________________
D-Link DIR-825 B1 / DD-WRT v3.0-r33215 std (08/25/17)
Netgear R7000 / DD-WRT v3.0-r33679 std (11/04/17)
bl@d3runn3r
DD-WRT User


Joined: 10 Jan 2010
Posts: 205

PostPosted: Tue May 07, 2019 12:50    Post subject:
eibgrad wrote:
The following should suffice.

Code:
iptables -I FORWARD -i br1 -d 192.168.1.130 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.1.130 -p tcp --dport 53 -j ACCEPT


Are you sure the pi-hole knows how to route back to the Guest network? When the pi-hole is on the same network as the client, that's not an issue. The pi-hole and client are bridged; no routing required. But in order for the pi-hole to work w/ the guest network, that requires routing. And that's only going to work if the pi-hole is using the same default gateway as the rest of the network.


Thanks eibgrad for this post, it worked.
Also thanks for your explanation.

_________________
D-Link DIR-825 B1 / DD-WRT v3.0-r33215 std (08/25/17)
Netgear R7000 / DD-WRT v3.0-r33679 std (11/04/17)