[Solved] How to configure Firewall Prerouting

DD-WRT Forum Index -> Advanced Networking
readones
DD-WRT Novice


Joined: 12 Aug 2020
Posts: 4

PostPosted: Thu Aug 13, 2020 3:05    Post subject: [Solved] How to configure Firewall Prerouting
Hi,

I am currently using firmware DD-WRT v3.0-r44048 std (08/02/20) on TP-LINK WR740N V4.
I have searched a lot but am still unable to find how to configure Firewall Prerouting to use a port other than 53 on my DD-WRT with AdGuard DNS.

Could anyone please help us regarding this matter?

Thanks.


Last edited by readones on Mon Sep 14, 2020 9:28; edited 1 time in total
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Aug 13, 2020 3:36
How 'bout describing what you're trying to accomplish first, then we'll see if the PREROUTING chain even applies, and if so, how to use it.
_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
readones
DD-WRT Novice


Joined: 12 Aug 2020
Posts: 4

PostPosted: Thu Aug 13, 2020 3:44
eibgrad wrote:
How 'bout describing what you're trying to accomplish first, then we'll see if the PREROUTING chain even applies, and if so, how to use it.

Ok,

The point is, I don't want to get ads when browsing. My ISP here always redirects any site I browse to their site, then redirects me again to the website I want.

I told the guys in my ISP's forum about this issue, and they said that I should use the DD-WRT Firewall Prerouting feature with AdGuard DNS on a port other than 53 to accomplish this. But he did not tell me how to do it.

I also asked him twice, but still no response, and there is no response from anybody there.

So I searched here, but was still unable to find one. Then I created this thread, hoping someone can help me with this.

Thanks for your response.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Aug 13, 2020 4:02
Instead of messing w/ the PREROUTING chain, why not use the DNSCrypt Resolver option in DNSMasq on the Services page? You can choose among *many* DNS providers, including AdGuard. This way, your DNS queries remain invisible to the ISP and can't be intercepted. But I'm not sure every build has this feature (mine does, but I'm using the x86 version of dd-wrt at the moment).

If that isn't an option w/ your build, you can instead add the following to the Additional DNSMasq Options field on that same Services page.

Code:
no-resolv
server=176.103.130.130
server=176.103.130.131


This will prevent the router from using the ISP's DNS server, and only those of AdGuard. However, unlike using DNSCrypt, it's visible to the ISP, and *might* still be intercepted. And you can't just change the port these servers are expecting (53) to something else using the PREROUTING chain (which it sounds like you might be trying to do to avoid catching the eye of the ISP).

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12839
Location: Netherlands

PostPosted: Thu Aug 13, 2020 7:13
Indeed using DNScrypt resolver is the best way.

Another possibility is listed below, this is a quote from "DNS leak or No DNS with Policy Based Routing" ( https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686 )

In case your DNS queries are rerouted/hijacked by your DNS provider you can specify a port redirection; Quad9 also listens on port 9953, and AdGuard also listens on port 5353. In that case enter in the Additional DNSMasq options:
Code:
no-resolv
server=9.9.9.9#9953
server=176.103.130.130#5353

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
readones
DD-WRT Novice


Joined: 12 Aug 2020
Posts: 4

PostPosted: Thu Aug 13, 2020 8:27
eibgrad wrote:
Instead of messing w/ the PREROUTING chain, why not use the DNSCrypt Resolver option in DNSMasq on the Services page? You can choose among *many* DNS providers, including AdGuard. This way, your DNS queries remain invisible to the ISP and can't be intercepted. But I'm not sure every build has this feature (mine does, but I'm using the x86 version of dd-wrt at the moment).

If that isn't an option w/ your build, you can instead add the following to the Additional DNSMasq Options field on that same Services page.

Code:
no-resolv
server=176.103.130.130
server=176.103.130.131


This will prevent the router from using the ISP's DNS server, and only those of AdGuard. However, unlike using DNSCrypt, it's visible to the ISP, and *might* still be intercepted. And you can't just change the port these servers are expecting (53) to something else using the PREROUTING chain (which it sounds like you might be trying to do to avoid catching the eye of the ISP).

Sorry for the late response; I was still working, so I couldn't do that, afraid it would disturb my work.

That was the suggestion from that forum.

I don't have that DNSCrypt Resolver option listed in my DNSMasq on the Services page.

Also, I have tried these, but it's still not working:
Code:
no-resolv
server=176.103.130.130
server=176.103.130.131


egc wrote:
Indeed using DNScrypt resolver is the best way.

Another possibility is listed below, this is a quote from "DNS leak or No DNS with Policy Based Routing" ( https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686 )

In case your DNS queries are rerouted/hijacked by your DNS provider you can specify a port redirection; Quad9 also listens on port 9953, and AdGuard also listens on port 5353. In that case enter in the Additional DNSMasq options:
Code:
no-resolv
server=9.9.9.9#9953
server=176.103.130.130#5353

WOW, great, thank you very much for your help.
It just works great.
(does https://prnt.sc/tyufaw mean it is working great, right?)
(should I configure something somewhere else?)

Thank you again for your help! Very Happy

Btw, I didn't know that would work with just adding #9953 and #5353 like that. I thought I should configure it somewhere else, but I don't know where, since I am new to DD-WRT.
Glad that it worked great on my old router.


Thanks again.


Last edited by readones on Thu Aug 13, 2020 11:29; edited 4 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12839
Location: Netherlands

PostPosted: Thu Aug 13, 2020 11:04
Make a new thread about QoS

Adding in additional DNSMasq options is enough.

no-resolv tells it to not use resolv.dnsmasq (where your DNS servers are stored), but instead use the servers from: server=

Behind the # is the port DNSMasq uses to query the DNS server, so instead of the default port 53 it uses 9953 for Quad9 and 5353 for AdGuard.

Not all DNS servers listen on alternate ports; check with the DNS providers.

So you should be good.

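The `server=IP#port` trick above only helps if the upstream actually answers on the alternate port and the ISP is not rewriting that path too, and eibgrad's caveat that plain-port DNS "might still be intercepted" is worth checking rather than assuming. The following is an added example, not code from the thread, from DD-WRT or from dnsmasq: it hand-builds a DNS A query in RFC 1035 wire format, sends it over plain UDP to the same upstream on port 53 and on the alternate port quoted in the thread, and flags the case where the two answers disagree, which is the signature of a transparent port-53 redirect. It assumes Python 3 with only the standard library, IPv4 only, and the AdGuard/Quad9 addresses and ports as posted; the name `dd-wrt.com` used in the `__main__` run is just a convenient test name. Plain UDP is still visible to the ISP, so this is a diagnostic, not a replacement for DNSCrypt.

```python
"""Compare what an upstream resolver answers on port 53 versus on an
alternate port (AdGuard 5353, Quad9 9953).  Divergent answers mean the
port-53 path is being rewritten in transit.  Example code, not from the
DD-WRT thread; assumes Python 3 stdlib, IPv4 only."""
import random
import socket
import struct

# (server, standard port, alternate port) as quoted in the thread.
UPSTREAM_PAIRS = {
    "AdGuard": ("176.103.130.130", 53, 5353),
    "Quad9": ("9.9.9.9", 53, 9953),
}

CONSISTENT = "consistent answers on both ports"
DIVERGENT = "divergent answers: port-53 path is likely intercepted"
NO_ALT = "alternate port unanswered (provider may not listen there)"
NO_53 = "port 53 unanswered"


def build_query(name, qid=None):
    """Return (qid, packet) for a recursive A/IN query in RFC 1035 wire format."""
    if qid is None:
        qid = random.randrange(0, 0x10000)  # random ID so a stale/spoofed reply is detectable
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return qid, header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_response(data, expected_qid):
    """Return (rcode, [A-record addresses]) parsed from a raw DNS response."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if qid != expected_qid:
        raise ValueError("transaction ID mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, addrs


def probe(server, port, name, timeout=3.0):
    """Send one query to server:port over UDP; (rcode, addrs), or None if unanswered."""
    qid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, port))
            data, _ = sock.recvfrom(512)
        except OSError:  # timeout, or ICMP port-unreachable when nothing listens there
            return None
    return parse_response(data, qid)


def classify(port53, alt):
    """Compare the (rcode, addrs) results from port 53 and from the alternate port."""
    if port53 is None:
        return NO_53
    if alt is None:
        return NO_ALT
    if port53[0] != alt[0] or set(port53[1]) != set(alt[1]):
        return DIVERGENT
    return CONSISTENT


if __name__ == "__main__":
    for provider, (server, p53, palt) in UPSTREAM_PAIRS.items():
        r53 = probe(server, p53, "dd-wrt.com")
        ralt = probe(server, palt, "dd-wrt.com")
        print(provider, "->", classify(r53, ralt), r53, ralt)
```

Run it from a LAN host behind the router (or from the router itself if it has Python) and read the verdict per provider: `NO_ALT` means that upstream does not answer on the alternate port, so the `#port` entry would silently fail; `DIVERGENT` means something between you and the upstream is answering port-53 queries on its behalf. The transaction-ID check in `parse_response` is deliberate: a redirecting middlebox that replays cached answers will often get the ID wrong, and a mismatch is itself evidence.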
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1446
Location: Appalachian mountains, USA

PostPosted: Thu Aug 13, 2020 12:44
FWIW, just in case it wasn't obvious, the DNSCrypt option in the DNSMasq section is called "Encrypt DNS." If you don't have it but are comfortable with the CLI (ssh or PuTTY access to router admin) and still interested in using DNSCrypt, in the CLI do ls -l /usr/sbin/dnscrypt-proxy to check whether you actually do have the underlying code on your router. For about half of last year, builds were coming out that had the code but no button to enable it. Here's how that check should look.
Code:
root@YourRouter:~# ls -l /usr/sbin/dnscrypt-proxy
-rwxr-xr-x    1 root     root        217691 Aug  1 20:41 /usr/sbin/dnscrypt-proxy

The number of bytes may differ from router to router, but if you are missing the code, you'll not get that line at all but will get something like No such file or directory.

If you have the code and want to try DNSCrypt, see my posts on the subject at https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318094&start=6. It's actually pretty easy. It requires one line of startup code and two lines of Additional DNSMasq Options. Note that in recent builds the nonfamily AdGuard DNS server is specified as adguard-dns-ns1 or adguard-dns-ns2, not just adguard-dns. Look at the first field of the first few lines in /etc/dnscrypt/dnscrypt-resolvers.csv to see for sure what they are called in your build. Look with the tool of your choice, or just copy/paste this line into the CLI:

awk -F, '{print $1}' /etc/dnscrypt/dnscrypt-resolvers.csv | sed -n '2,5p'

Here this gives me this list of the four options:

adguard-dns-family-ns1
adguard-dns-family-ns2
adguard-dns-ns1
adguard-dns-ns2

Just pick one to use in the startup invocation of dnscrypt-proxy.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
All times are GMT