Posted: Thu Aug 13, 2020 3:05 Post subject: [Solved] How to configure Firewall Prerouting
Hi,
I am currently using firmware DD-WRT v3.0-r44048 std (08/02/20) on TP-LINK WR740N V4.
I have searched a lot but am still unable to find how to configure Firewall Prerouting to a port other than 53 on my DD-WRT in order to use AdGuard DNS.
Could anyone please help us regarding this matter?
Thanks.
Last edited by readones on Mon Sep 14, 2020 9:28; edited 1 time in total
How 'bout describing what you're trying to accomplish first, then we'll see if the PREROUTING chain even applies, and if so, how to use it.
Ok,
The point is, I don't want to get ads when browsing. My ISP here always redirects any site I open in the browser to their own site and then redirects me again to the website I wanted.
I told the guys on my ISP's forum about this issue, and they said that I should use the DD-WRT Firewall Prerouting feature with AdGuard DNS on a port other than 53 to accomplish this. But he did not tell me how to do it.
I also asked him twice but still got no response. And there is no response from anybody else there.
So I searched here, but was still unable to find anything. Then I created this thread, hoping someone can help me with this.
Instead of messing w/ the PREROUTING chain, why not use the DNSCrypt Resolver option in DNSMasq on the Services page? You can choose among *many* DNS providers, including AdGuard. This way, your DNS queries remain invisible to the ISP and can't be intercepted. But I'm not sure every build has this feature (mine does, but I'm using the x86 version of dd-wrt at the moment).
If that isn't an option w/ your build, you can instead add the following to the Additional DNSMasq Options field on that same Services page.
In case your DNS queries are rerouted/hijacked by your DNS provider, you can specify a port redirection: Quad9 also listens on port 9953, and AdGuard also listens on port 5353. In that case, enter in the Additional DNSMasq options:
no-resolv
server=9.9.9.9#9953
server=176.103.130.130#5353
This will prevent the router from using the ISP's DNS server, and only those of AdGuard. However, unlike using DNSCrypt, it's visible to the ISP, and *might* still be intercepted. And you can't just change the port these servers are expecting (53) to something else using the PREROUTING chain (which it sounds like you might be trying to do to avoid catching the eye of the ISP).
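The post above makes two claims a practitioner will want to verify for themselves: that the ISP's transparent proxy only grabs port 53, and that plain-port upstreams "might still be intercepted". The script below is an added example, not code from the thread or from DD-WRT. Run it from a LAN host (not the router): it sends the same raw A query to a resolver on port 53 and on its alternate port, parses both answers, and classifies the difference. The server/port pairs are the ones the thread mentions (9.9.9.9#9953 and 176.103.130.130#5353); the domain and the sample response bytes in the tests are constructed for illustration.

```python
"""
Added example (not from the forum thread): detect port-53 DNS interception
by comparing the answer a resolver gives on port 53 with the answer the same
resolver gives on an alternate port.  A transparent proxy that only grabs
destination port 53 cannot touch the alternate-port query, so a differing
(or missing) answer on 53 is the signature of interception.
"""
import random
import socket
import struct
from typing import List, Optional, Tuple


def build_query(name: str, qid: Optional[int] = None) -> bytes:
    """Build a minimal DNS A query: RD bit set, one question, no EDNS."""
    if qid is None:
        qid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def _read_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # RFC 1035 compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                          # pointer occupies 2 bytes
            jumped, off = True, ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(pkt[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(pkt: bytes, expect_id: Optional[int] = None) -> List[str]:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if expect_id is not None and qid != expect_id:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                                # skip question section
        _, off = _read_name(pkt, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return ips


def resolve(server: str, port: int, name: str, timeout: float = 3.0) -> List[str]:
    """Send one UDP query to server:port and return the A records, [] on timeout."""
    q = build_query(name)
    qid = struct.unpack("!H", q[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return []
    return parse_a_records(data, qid)


def classify(port53: List[str], alt: List[str]) -> str:
    """Interpret the two answer sets; 'port53-differs' is the interception signal."""
    if not alt:
        return "alt-port-unreachable"      # resolver not listening there, or blocked
    if not port53:
        return "port53-blocked"
    if set(port53) == set(alt):
        return "consistent"
    return "port53-differs"


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed test domain
    for server, alt_port in (("9.9.9.9", 9953), ("176.103.130.130", 5353)):
        a53, alt = resolve(server, 53, name), resolve(server, alt_port, name)
        print(f"{server}: 53 -> {a53}  {alt_port} -> {alt}  => {classify(a53, alt)}")
```

Repeat the run a few times with a domain whose address is stable: CDN-backed names legitimately rotate answers, so a single "port53-differs" is a prompt to look closer, not proof. "consistent" only means the proxy did not alter this answer; it can still see and log the query, which is the residual exposure the post above warns about and the reason DNSCrypt is preferred when the build has it.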
Sorry for the late response, I was still working, so I couldn't do that, afraid that it would disturb my work.
That was the suggestion from that forum.
I don't have that DNSCrypt Resolver option listed in my DNSMasq on the Services page.
In case your DNS queries are rerouted/hijacked by your DNS provider, you can specify a port redirection: Quad9 also listens on port 9953, and AdGuard also listens on port 5353. In that case, enter in the Additional DNSMasq options:
no-resolv
server=9.9.9.9#9953
server=176.103.130.130#5353
WOW, great, thank you very much for your help.
It just works great.
(Does https://prnt.sc/tyufaw mean it is working correctly, right?)
(Should I configure something somewhere else?)
Thank you again for your help!
Btw, I didn't know that it would work by just adding #9953 and #5353 like that. I thought I would have to configure it somewhere else, but I didn't know where, since I am new to DD-WRT.
Glad that it works great on my old router.
Thanks again.
Last edited by readones on Thu Aug 13, 2020 11:29; edited 4 times in total
Posted: Thu Aug 13, 2020 12:44 Post subject:
FWIW, just in case it wasn't obvious, the DNSCrypt option in the DNSMasq section is called "Encrypt DNS." If you don't have it but are comfortable with the CLI (ssh or PuTTY access to router admin) and still interested in using DNSCrypt, in the CLI do ls -l /usr/sbin/dnscrypt-proxy to check whether you actually do have the underlying code on your router. For about half of last year, builds were coming out that had the code but no button to enable it. Here's how that check should look.
Code:
root@YourRouter:~# ls -l /usr/sbin/dnscrypt-proxy
-rwxr-xr-x 1 root root 217691 Aug 1 20:41 /usr/sbin/dnscrypt-proxy
The number of bytes may differ from router to router, but if you are missing the code, you'll not get that line at all but will get something like No such file or directory.
If you have the code and want to try DNSCrypt, see my posts on the subject at https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318094&start=6. It's actually pretty easy. It requires one line of startup code and two lines of Additional DNSMasq Options. Note that in recent builds the nonfamily Adguard DNS server is specified as adguard-dns-ns1 or adguard-dns-ns1, not just adguard-dns. Look at the first field of the first few lines in /etc/dnscrypt/dnscrypt-resolvers.csv to see for sure what they are called in your build. Look with the tool of your choice, or just copy/paste this line into the CLI:
awk -F, '{print $1}' /etc/dnscrypt/dnscrypt-resolvers.csv | sed -n '2,5p'
Just pick one to use in the startup invocation of dnscrypt-proxy.
_________________
Netgear XR500 and 4x Linksys WRT1900ACSv2 on 52955: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.