RESOLV.CONF has Router/Gateway Adrs, Not DNS ! in CB/RB

DD-WRT Forum Index -> Advanced Networking
atErik
DD-WRT Novice


Joined: 25 Apr 2019
Posts: 26

PostPosted: Fri Apr 03, 2020 21:38    Post subject: RESOLV.CONF has Router/Gateway Adrs, Not DNS ! in CB/RB
In CB/RB mode, /tmp/resolv.conf contains the secondary router/gateway address
as the DNS server ("nameserver 192.168.1.251").
That is not what I specified in the Local DNS box under SETUP > BASIC SETUP
in the router's web interface.

DD-WRT > SETUP > BASIC SETUP:
Local IP Address: 192.168.1.251 <-- my DD-WRT "Router" (RTR-2)
Subnet mask: 255.255.255.0
Gateway: 192.168.1.1 <-- IP address of the WiFi "Gateway" router (RTR-1)
DNS: 192.168.1.253

and /tmp/resolv.conf on DD-WRT RTR-2 now has:
nameserver 192.168.1.251 <-- error/bug
It is supposed to contain the DNS address below instead:
nameserver 192.168.1.253

(I am using DD-WRT router firmware DD-WRT v3.0-r42747 giga (03/20/20).)

Even if I overwrite /tmp/resolv.conf with 192.168.1.253 (manually
or with a script), it automatically reverts to 192.168.1.251
after a few seconds or a few minutes.


How can I keep /etc/resolv.conf set to my DNS servers 192.168.1.253 and 192.168.1.252?


Is there a file which I can overwrite during startup with the STARTUP-SCRIPT
to MANUALLY specify DNS nameservers for br0 or the LAN network interface?
How can I configure the network interfaces with the information shown in /etc/config/network?


Currently DHCP works for WL1.2 WiFi clients: they get leases
from RTR-2 bridge br1 (served by dnsmasq).
DNS resolution is NOT working inside RTR-2, nor for any WiFi (WL1.2) or wired (vlan12) client devices.
DHCP is not working for RTR-2 vlan12 clients.
(Only client devices on "vlan1" (wired, connected to LAN-4) of RTR-2
can get DHCP and DNS from RTR-1, over the wireless link.)



EXTRA INFO:

Before I switched DD-WRT router RTR-2 into CB (Client Bridge) / RB (Repeater Bridge) mode,
I had configured DD-WRT to use the two DNS servers below,
under the DHCP section of the SETUP > BASIC SETUP page:
DHCP/LAN IP ... 192.168.1.251
Subnet mask (SM): 255.255.255.0 (CIDR /24)
DNS1: 192.168.1.253
DNS2: 192.168.1.252
DNS3: 0.0.0.0

After those settings were saved, applied and the router rebooted,
I switched RTR-2 into CB/RB mode,
and the DHCP section above disappeared from the BASIC SETUP page.

But those DNS settings still remained in dnsmasq's resolver file,
/tmp/resolv.dnsmasq:
nameserver 192.168.1.253
nameserver 192.168.1.252


Even earlier (before switching into CB/RB mode),
I had created a bridge br4 with address 192.168.1.253;
it functions as one of the DNS servers.

(I have also created a bridge br1 and joined the WiFi VAP WL1.2 to br1.
br1 has a different subnet, 192.168.20.x/24, and DHCP service is enabled;
VAP WiFi users get DHCP leases from bridge br1 via WL1.2,
the DHCP/gateway IP is 192.168.20.1.)

I have also moved one of the physical switch ports
(externally marked "LAN-3", internally shown as "Port-2")
from the default "vlan1" group into "vlan12",
using DD-WRT GUI > SETUP > SWITCH CONFIG (vlan.asp),
then selected "Unbridged" (on the "Networking" page)
and gave it the IP address 192.168.1.252 with subnet mask 255.255.255.0.
This functions as the 2nd DNS server.

To configure DD-WRT I connect my laptop to the LAN-3 port (vlan12) of the DD-WRT router.
My laptop has multiple network adapters.
On one NIC the laptop uses the static IP address 192.168.1.201 with gateway 192.168.1.1.
I can reach the DD-WRT RTR-2 web configuration at https://192.168.1.251/

I want WiFi VAP WL1.2 users and computers connected directly to vlan12
to use the two DNS servers running on RTR-2:
192.168.1.253 (br4) and 192.168.1.252 (vlan12)

I have created DHCP services (on the "Networking" page) for br4 and vlan12:
br4 IP address 192.168.1.253, DHCP range 192.168.1.240 to 249
vlan12 IP address 192.168.1.252, DHCP range 192.168.1.230 to 239

(By the way, RTR-1 uses DHCP range 192.168.1.1 to 127, SM 255.255.255.0.)

When computers connect to vlan1 (physical switch port "LAN-4"),
they get DHCP-assigned IP addresses from RTR-1 because of CB/RB mode.
But when computers connect to vlan12 ("LAN-3") they are supposed to get DHCP-assigned
IP addresses etc. from RTR-2, and currently they do not.
(I have to find out why; I guess a different SM/CIDR needs to be used on the RTR-2 side, ...)

CB/RB mode creates br0 and joins eth1, eth2, vlan1, etc. under br0,
and CB/RB mode also links the vlan1 group under WL0.
On my side I have configured RTR-2 to function in CB/RB mode;
in either CB or RB mode the internal WL0 WiFi device inside RTR-2
can be configured to connect wirelessly to a remote WiFi AP,
and I connected it to my WiFi router RTR-1.
The 2nd internal WiFi device WL1 inside RTR-2 is configured to
create the virtual APs WL1.2 and WL1.1 for my client devices near RTR-2.
In my case on RTR-2, br3 is a bridge which does not need any DHCP or DNS service from dnsmasq.
tun1 is used when the OpenVPN client connects to the remote VPN server;
dnsmasq also does not need to listen for DHCP/DNS requests on the tun1 interface address.
In my case br2 is a bridge used by WL1.1 users to get DHCP leases (not DNS);
WL1.1 users reach the internet through the VPN tunnel using "Policy Based Routing" in the OpenVPN client,
so they use a remote DNS server, 10.10.53.1, which is inside the VPN tunnel.

To use those two DNS servers, this is what I have specified
(on the "Services" page) under Additional DNSMasq Options:
Quote:
# ---- Below options added by DD-WRT user
# Lines that begin with the # symbol are disabled lines (comment lines);
# such lines are not needed, remove them before saving into your router.
#
# Allow dnsmasq to listen for both DHCP and DNS:
#interface=br0,br1,br2
#interface=br0,br1,br2,br4,vlan12
# Do not allow dnsmasq to listen for DHCP or DNS:
except-interface=br3,tun1
# Allow dnsmasq to listen for DNS only, no DHCP:
#no-dhcp-interface=br4,vlan12
#
log-dhcp
#
# Listen addresses:
listen-address=192.168.1.253,192.168.1.252,192.168.1.251,192.168.20.1,127.0.0.1
#
# Bind only the listed addresses, so another nameserver on the same machine can use the other addresses
bind-interfaces
#bind-dynamic
#
#dns-loop-detect
#
# Enable DNSSEC validation in the dnsmasq resolver:
dnssec
#trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
# Root KSK-2010 (key tag 19036): superseded by KSK-2017 and revoked in 2019, kept only for reference
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
# Root KSK-2017 (key tag 20326): the current root trust anchor
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
# Require proof that an unsigned reply comes from a genuinely unsigned zone (no DS record),
# rather than accepting it on trust; otherwise a forged unsigned reply for a signed zone passes through.
dnssec-check-unsigned
#
dhcp-option=option:ntp-server,USE.IP.NEAR.UR.ROUTER
#
# Override the default route (option 3) to the address below, instead of the address of the machine running dnsmasq
dhcp-option=3,192.168.1.1
# Override the default DNS (option 6) to the addresses below, instead of the address of the machine running dnsmasq
dhcp-option=6,192.168.1.253,192.168.1.252
#
dhcp-option=br1,3,192.168.20.1
dhcp-option=br1,6,192.168.1.253,192.168.1.252,192.168.20.1
#
dhcp-option=br2,3,192.168.30.1
dhcp-option=br2,6,10.10.53.1
#
dhcp-option=br4,6,192.168.1.253,192.168.1.252
#
dhcp-option=vlan12,6,192.168.1.253,192.168.1.252

my-side DNSMASQ settings:
Quote:
Dnsmasq: ◉ Enable ◎ Disable.
Cache DNSSEC data: ◎ Enable ◉ Disable.
Local DNS: ◉ Enable ◎ Disable.
No DNS Rebind: ◎ Enable ◉ Disable.
Query DNS in Strict Order: ◉ Enable ◎ Disable.
Add Requestor MAC to DNS Query: ◎ Enable ◉ Disable.
RFC4039 Rapid Commit support: ◎ Enable ◉ Disable.
Maximum Cached Entries: 1500.


For testing purposes I have kept DNSSEC caching disabled,
so that it pulls records directly each time;
once DNS resolving works again I will enable it.

I have noticed that after I enabled "vlan12" on my side,
the "default" route changes to the vlan12 interface!
So I have specified these (via the startup script) to override and fix it:
Quote:
...
ifconfig br4 192.168.1.253 netmask 255.255.255.0 broadcast 192.168.1.255
ifconfig vlan12 192.168.1.252 netmask 255.255.255.0 broadcast 192.168.1.255
ip route delete default via 192.168.1.1 dev vlan12
ip route add default via 192.168.1.1 dev br0
# "route add -net" needs the network address (192.168.20.0); with the host address 192.168.20.1 it fails with "netmask doesn't match route address"
route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.1.1
...



( btw, my actual gateway/router/dns adrs in RTR-2 are different,
i'm using shown above addresses as example )
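A way to make the resolv.conf drift described in this post visible, as an added example that is not part of the original post or of DD-WRT: a POSIX shell script (busybox ash on DD-WRT runs it too) that lists the nameserver entries in a resolv.conf, compares them with the resolvers the operator expects, and rewrites the file when they differ. The expected addresses 192.168.1.253 and 192.168.1.252 follow the post; the sample file it writes is constructed. The check matters beyond the breakage described here: an entry pointing at a host that runs no resolver only makes lookups fail, while an entry pointing at a host nobody chose sends every query the router itself makes somewhere unintended, so a nameserver that is not on the expected list should be treated as a finding rather than a nuisance.

```sh
#!/bin/sh
# Added example (not from the thread or from DD-WRT): detect a resolv.conf
# whose nameserver lines no longer match the resolvers the operator chose,
# and reassert the chosen list. Addresses follow the post's example values.

# Resolvers we expect to see, space-separated. Adjust for a real deployment.
EXPECTED="192.168.1.253 192.168.1.252"

# resolv_nameservers FILE -> prints the nameserver addresses in FILE, one per line
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# resolv_check FILE -> prints every nameserver that is not in EXPECTED.
# Returns 0 when all nameservers are expected, 1 when any is not,
# 2 when the file contains no nameserver line at all.
resolv_check() {
    found=0 bad=0
    for ns in $(resolv_nameservers "$1"); do
        found=1
        case " $EXPECTED " in
            *" $ns "*) ;;
            *) echo "unexpected nameserver: $ns"; bad=1 ;;
        esac
    done
    [ "$found" -eq 1 ] || return 2
    return "$bad"
}

# resolv_fix FILE -> rewrite FILE so that it lists exactly EXPECTED, in order
resolv_fix() {
    tmp="$1.tmp.$$"
    : > "$tmp"
    for ns in $EXPECTED; do
        echo "nameserver $ns" >> "$tmp"
    done
    mv "$tmp" "$1"
}

# Constructed sample resembling the reverted /tmp/resolv.conf from the post:
# the only nameserver is the router's own br0 address, which runs no resolver.
demo="${TMPDIR:-/tmp}/resolv.demo.$$"
printf 'nameserver 192.168.1.251\n' > "$demo"
resolv_check "$demo" || echo "resolv.conf drifted (rc=$?), reasserting $EXPECTED"
resolv_fix "$demo"
resolv_check "$demo" && echo "resolv.conf now lists only expected resolvers"
rm -f "$demo"
```

Run resolv_check from the router's cron to catch the rewrite whenever it happens; resolv_fix reasserts the chosen list, but only as a stopgap, since whatever regenerates the file will undo it again on the next restart.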
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5798
Location: Romerike, Norway

PostPosted: Fri Apr 03, 2020 21:56    Post subject:
Is the interface VLAN12 bridged or un-bridged?

br4 and vlan12 have IP addresses on the same sub-net, so something is wrong here.
atErik
DD-WRT Novice


Joined: 25 Apr 2019
Posts: 26

PostPosted: Sat Apr 04, 2020 1:30    Post subject:
vlan12 is unbridged (I specified it in the extra info).

cc = 192.168
cc.1.1 = 192.168.1.1

Does "vlan12" being "unbridged" or "bridged/default" affect whether the DD-WRT firmware
uses the router IP address (cc.1.251) as the DNS address in resolv.conf?

I think that because "vlan12" is unbridged and is assigned
an IP address from the same subnet as br0,
the router/LAN side's default route switches from br0 to the vlan12 device,
so I have applied routing commands to fix that,
shown in the previous EXTRA INFO.

Should I specify another private (class B) IP address, e.g. 172.16.1.252,
for "vlan12" (or br4)?


EXTRA INFO 2:
(sorry, some of this repeats earlier info)

vlan12 IP address: cc.1.252; it is used as the 2nd DNS server on RTR-2.

br4 IP address: cc.1.253; this is used as the 1st DNS server inside RTR-2.
br4 has no device/interface attached under it.

Some changes I have made now:
* removed the DHCP services/ranges from both br4 and vlan12.
* added the line "no-dhcp-interface=br4,vlan12" to the additional dnsmasq settings,
so the DHCP service from dnsmasq is disabled
and the DNS service from dnsmasq is kept enabled
for the br4 and vlan12 network interfaces.

Some changes I had made earlier, even before switching into CB/RB wireless mode:
* assigned the LAN-1 physical switch port to vlan4,
* assigned the LAN-2 physical switch port to vlan3,
* assigned the LAN-3 physical switch port to vlan12.
(By default all LAN switch ports are pre-assigned to the "vlan1" group,
so only the LAN-4 physical switch port remained in "vlan1".)

Now, inside RTR-2:
ping to e.g. 9.9.9.9 (an IP address on the internet) still works, as before.
ping to e.g. dns9.quad9.net still does not work, as before.
nslookup cannot resolve dns9.quad9.net, also as before.
resolv.conf still automatically reverts to the RTR-2 IP address
instead of the Local DNS specified in the GUI!


SSH/telnet/GUI connection from my laptop to the router:
* the (externally marked) LAN-1 Ethernet switch port (vlan4 <-> br1 <-> br0) sometimes works
and sometimes does not.
* the (externally marked) LAN-3 Ethernet switch port (vlan12) sometimes works
and sometimes does not.

Now the DHCP service from dnsmasq is not working,

so DHCP assignment via vlan4/WL1.2 from br1 is not working.

But with a manual static IP for the laptop in the br1 subnet,
the laptop can connect/SSH to RTR-2 and GUI access also works,
but ping to a domain name, nslookup of a domain name, etc.
on the internet do not work from the laptop.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7244
Location: Texas, USA

PostPosted: Sat Apr 04, 2020 3:06    Post subject:
I don't think dnsmasq even functions in bridged modes? I am testing CB on my E4200 and it is using the DNS servers from the upstream router, which is ISP provided.
_________________
Official Forum Rules, Guidelines, and Helpful Information • Firmware FAQ • Installation Wiki • Where Do I Download Firmware?
DON'T use Chromium-based browsers • RTFM/STFW - TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; Ask in the forum.

---------------------------------------------------------

Linux User #377467 counter.li.org / linuxcounter.net
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5798
Location: Romerike, Norway

PostPosted: Sat Apr 04, 2020 6:46    Post subject:
VLAN12 can be on any subnet as long as it is not used on another interface. Because of the duplicate subnet, you have routing issues.
atErik
DD-WRT Novice


Joined: 25 Apr 2019
Posts: 26

PostPosted: Mon Apr 06, 2020 3:24    Post subject:
RESOLV.CONF is still automatically reverting/changing back to the router/gateway IP address
instead of staying on the specified local DNS.



I found out that when CB/RB mode is enabled, br0/vlan1/wl0 automatically changes/reverts "resolv.conf"
to the router/gateway IP address instead of using the
user-specified LOCAL DNS address.
When CB/RB mode is off/disabled/not selected,
changes made by the user or a script to "resolv.conf" remain intact.


Per Yngve Berg, thanks, I have used smaller subnets and this helped;
I needed (for more testing) to connect to the br0 IP address by
entering through the LAN-3 port (vlan12/br4), while still in a sub-subnet
of the RTR-1 or RTR-2 br0 subnet.

kernel-panic69, sorry, I could not understand what you meant.
I was able to use DNS+DHCP for/from a bridge, provided by dnsmasq.


EXTRA INFO:

My problem is now partially solved by using ANOTHER way/solution,
where RESOLV.CONF remains with the (mentioned above) wrong settings:


NIF = network interface. cc = 192.168
cc.1.1 = 192.168.1.1
Subnet netmasks: /24 = 255.255.255.0, /28 = 255.255.255.240, /29 = 255.255.255.248

* I reset the DD-WRT router RTR-2 again.
* Connected the RTR-2 WAN NIF by wire to another secondary WiFi router
  (which is also in Client Bridge / Repeater Bridge wireless mode,
  under my primary router RTR-1).
* Did the DD-WRT BASIC SETUP of RTR-2 with a smaller subnet within the same network:
  as RTR-1 uses the 192.168.1.0/24 subnet,
  and RTR-1 assigns the fixed/static IP address 192.168.1.250 to the RTR-2 WAN network interface,
  and assigns the fixed/static IP address 192.168.1.251 to the RTR-2 WLAN 5 GHz WL0 network interface,
  I chose a smaller /28 subnet.
  FOR EXAMPLE: subnet ID 192.168.1.240, host range 192.168.1.241 - 192.168.1.254,
  broadcast 192.168.1.255, subnet mask 255.255.255.240 (/28).
  (So I had to re-adjust/assign IP addresses from RTR-1 accordingly.)
* "Gateway" in RTR-2 is set to 192.168.1.1 (the RTR-1 LAN side gateway IP address);
  Local DNS in RTR-2 is the same, 192.168.1.1.
* Under DHCP, DNS1/DNS2/DNS3 remained 0.0.0.0; changed the DHCP start IP address
  to (192.168.1.)240, max hosts: 12.
* Created 4 bridges: br0 (its IP address 192.168.1.251/24 specified in BASIC SETUP);
  on the NETWORKING page: br1 (192.168.20.1/24), br2 (192.168.30.1/24), br3 (192.168.31.1/24);
  br4 has a different, smaller subnet (192.168.1.17/29):
  subnet ID 192.168.1.16/29, usable IPs from cc.1.17 to cc.1.22 (6 usable IPs,
  8 IPs in total, broadcast 192.168.1.23).
* Re-assigned physical Ethernet LAN port 1 to "vlan4", LAN-2 to "vlan3", LAN-3 to "vlan12";
  LAN-4 remained in "vlan1" (the default group).
* "Unbridged" "vlan12" and assigned it IP address 192.168.1.18/29 on the NETWORKING page.
* Created 3 DHCP services: br1, br2, br4.
* Created 2 VAPs, "WL1.1" and "WL1.2", under the WL1 WiFi radio.
* Assigned "vlan4" and VAP "WL1.2" to "br4", assigned "vlan3" and VAP "WL1.1" to "br3",
  and assigned "vlan12" to the "br4" bridge.
* The dnsmasq additional settings below were added:
Quote:
# ---- Below options added by DD-WRT user ----
# Remove comment lines which start with the # symbol before SAVING into the router
#
# Allow dnsmasq to listen for both DHCP and DNS:
#interface=br0,br1,br2,br4
# Do not allow dnsmasq to listen for DHCP or DNS:
except-interface=br3,tun1,teql0
# Allow dnsmasq to listen for DNS only, no DHCP:
#no-dhcp-interface=br5
#
log-dhcp
#
listen-address=192.168.1.17,192.168.1.18,192.168.1.251,192.168.20.1,127.0.0.1
#
# Bind only the listed addresses, so another nameserver on the same machine can use the other addresses
#bind-interfaces
#bind-dynamic
#
#dns-loop-detect
#
#dnssec
# trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
# Root KSK-2010 (key tag 19036): superseded by KSK-2017 and revoked in 2019, kept only for reference
#trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
# Root KSK-2017 (key tag 20326): the current root trust anchor
#trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
# Require proof that an unsigned reply comes from a genuinely unsigned zone (no DS record),
# rather than accepting it on trust; otherwise a forged unsigned reply for a signed zone passes through.
#dnssec-check-unsigned
#
dhcp-option=option:ntp-server,USE.IP.NEAR.UR.RTR
#
# Override the default route (option 3) to the address below, instead of the address of the machine running dnsmasq
#dhcp-option=3,192.168.1.1
#dhcp-option=br0,3,192.168.1.1
dhcp-option=6,192.168.1.17,192.168.1.18
#dhcp-option=br0,6,192.168.1.17,192.168.1.18
#
# The 2 lines below are the defaults, so there is no need to enable them:
#dhcp-option=br1,3,192.168.20.1
#dhcp-option=br1,6,192.168.20.1
# I will use the default values above, so not enabling the line below:
#dhcp-option=br1,6,192.168.1.17,192.168.1.18
#
# Overriding DNS with option 6, pointing clients at the DNS inside the VPN tunnel
dhcp-option=br2,3,192.168.30.1
dhcp-option=br2,6,10.10.5.1
#
# The 2 lines below are the defaults, so there is no need to enable them:
#dhcp-option=br4,3,192.168.1.17
#dhcp-option=br4,6,192.168.1.17
# I will use the default values above, so not enabling the line below:
#dhcp-option=br4,6,192.168.1.17,192.168.1.18
#

* Disabled DNSSEC in the dnsmasq additional settings
  (when it was enabled/specified, dnsmasq stopped working,
  so the DNS and DHCP services went down).
* Set RTR-2 to "Router" operating mode on the "Advanced Routing" page.
etc.

DNS resolution (from dnsmasq), internet access, ping, etc.
work inside the DD-WRT router RTR-2,
and also worked from computers/client devices under the DD-WRT router RTR-2.

The WAN appears as "vlan2" in the "ip route show" command,
which shows "default via 192.168.1.1 dev vlan2".
Client devices can get DHCP leases from RTR-2;
SSH/telnet into DD-WRT works, the DD-WRT config GUI works, etc.

* Set up the WL0 WiFi radio in DD-WRT router RTR-2 to connect to the RTR-1 WAP at 5 GHz,
  in Repeater Bridge or Client Bridge wireless mode.
* Rebooted RTR-2.


Inside the DD-WRT router RTR-2:

no default route is shown by the "ip route show" command!
"ping dns9.quad9.net -c 2" <-- does not work!

* Changed the subnet mask from /28 to /24 in BASIC SETUP.
* Rebooted.

After that, the default route is now shown by "ip route show":
default via 192.168.1.1 dev br0
and the default route no longer changed to or attached to vlan12, as before.


But even after the above,
initially "ping dns9.quad9.net -c 2" <-- does not work!


But after waiting a while, while trying ping etc. again:

"ping 192.168.1.1 -c 2" <-- works!

"ping 1.1.1.1 -c 2" <-- works!

"ping one.one.one.one -c 2" <-- also works
nslookup one.one.one.one 192.168.1.17 (br4) works
nslookup dns9.quad9.net 192.168.1.18 (vlan12) works


Reboot. Test again.
The main functions work inside DD-WRT RTR-2.


On computers/client devices (connected to RTR-2 vlan12, the LAN-3 Ethernet port),
ping/nslookup do not work; no internet access.
ping does show the resolved IP on its first line when a domain name is given,
but the ping/ICMP packets themselves do not succeed!
Client devices obtain DHCP settings/leases correctly,
so dnsmasq is working on RTR-2.


So some portions (functionalities) inside DD-WRT are working
and some are not.


At this point, when I enabled the 4 DNSSEC-related lines
in dnsmasq to test DNSSEC, DNS functionality stopped working,
so DNSSEC is still kept disabled.
dnsmasq uses the RTR-1 DNS, 192.168.1.1, as the primary DNS on RTR-2,
and 192.168.1.1 is not DNSSEC-enabled.
At some point I was able to keep DNS working on RTR-2 while the DNSSEC options were also still enabled;
then I noticed that the ISC/BIND dig command can show signed resource records,
but they are not validated/authenticated (the "AD" bit is not present).

Another problem is that the DD-WRT firmware's dnsmasq keeps adding the 192.168.1.1 DNS back
as a 3rd DNS server even when I specify two public DNSSEC-enabled DNS servers!
So the DNSSEC-disabled 192.168.1.1 will/can create problems: the DNSSEC-related AD bit etc.
will be missing incorrectly, and so on.

So we users need to be able to specify and use our CHOICE of DNS server(s)
in "resolv.conf" and "resolv.dnsmasq" without them being overwritten/changed by the DD-WRT firmware and apps.


To enable internet access for external client devices,
I specified the firewall/iptables rules below in DD-WRT:
Quote:
# FIREWALL / IPTABLES RULES:
# Do not save lines which start with the # symbol in the router (keep them in your own notes).
#
i="/usr/sbin/iptables";
INP="INPUT"; FWD="FORWARD"; PRR="PREROUTING"; PSR="POSTROUTING";
dp="--dport";
DHCP="$dp 67:68";
DNS="$dp 53";
SC="$dp 22";
SSH="$dp 10022";
HTTPS="$dp 443";
HTTP="$dp 80";
TN="$dp 23";
Cur="--state ESTABLISHED,RELATED"; New="--state NEW";
cc="192.168"; c="$cc.1";
YL="logaccept"; NL="logdrop";
UD="-p udp"; TC="-p tcp"; C4="-p icmp";
#
# global : "insert" (-I) rules entered here first end up at the bottom, so they have the lowest priority (checked last)
# ...
#
# br3 : cc.31.1/24 : NO-DHCP
n="br3";
# $i -I INPUT -i $n -j $NL
$i -I INPUT $C4 -i $n -j $YL
# $i -I FORWARD -i $n -j $NL
$i -I FORWARD -i $n -o br0 -m state $Cur -j $YL
$i -I FORWARD -i $n -o br0 -m state $New -j $NL
$i -t nat -I $PSR -s $cc.31.0/24 -o br0 -j MASQUERADE
#
# br2 : cc.30.1/24 : DHCP
n="br2";
# $i -I INPUT -i $n -j $NL
$i -I INPUT $C4 -i $n -j $YL
$i -I INPUT $UD -i $n $DHCP -j $YL
$i -I INPUT $TC -i $n $DNS -j $YL
$i -I INPUT $UD -i $n $DNS -j $YL
# $i -I FORWARD -i $n -j $NL
$i -I FORWARD -i $n -o br3 -m state $Cur -j $YL
$i -I FORWARD -i $n -o br3 -m state $New -j $NL
$i -t nat -I $PSR -s $cc.30.0/24 -o br3 -j MASQUERADE
#
# br1 : cc.20.1/24 : DHCP
n="br1";
# $i -I INPUT -i $n -j $NL
$i -I INPUT $C4 -i $n -j $YL
$i -I INPUT $UD -i $n $DHCP -j $YL
$i -I INPUT $TC -i $n $DNS -j $YL
$i -I INPUT $UD -i $n $DNS -j $YL
$i -I INPUT $TC -i $n $HTTPS -j $YL
$i -I INPUT $TC -i $n $HTTP -j $YL
$i -I INPUT $TC -i $n $SSH -j $YL
$i -I INPUT $TC -i $n $SC -j $YL
$i -I INPUT $TC -i $n $TN -j $YL
# $i -I FORWARD -i $n -j $NL
# $i -I FORWARD -i $n -o br0 -m state $Cur -j $YL
# $i -I FORWARD -i $n -o br0 -m state $New -j $NL
$i -t nat -I $PSR -s $cc.20.0/24 -o br0 -j MASQUERADE
#
# vlan12 : cc.1.18/29 : under br4
n="vlan12";
# $i -I INPUT -i $n -j $NL
$i -I INPUT $C4 -i $n -j $YL
$i -I INPUT $UD -i $n $DHCP -j $YL
$i -I INPUT $TC -i $n $DNS -j $YL
$i -I INPUT $UD -i $n $DNS -j $YL
$i -I INPUT $TC -i $n $HTTPS -j $YL
$i -I INPUT $TC -i $n $HTTP -j $YL
$i -I INPUT $TC -i $n $SSH -j $YL
$i -I INPUT $TC -i $n $SC -j $YL
$i -I INPUT $TC -i $n $TN -j $YL
# $i -I FORWARD -i $n -j $NL
# $i -I FORWARD -i $n -o br0 -m state $Cur -j $YL
# $i -I FORWARD -i $n -o br0 -m state $New -j $NL
# $i -t nat -I $PSR -s $c.16/29 -o br0 -j MASQUERADE
#
# br4 : cc.1.17/29 : DHCP
n="br4";
# $i -I INPUT -i $n -j $NL
$i -I INPUT $C4 -i $n -j $YL
$i -I INPUT $UD -i $n $DHCP -j $YL
$i -I INPUT $TC -i $n $DNS -j $YL
$i -I INPUT $UD -i $n $DNS -j $YL
$i -I INPUT $TC -i $n $HTTPS -j $YL
$i -I INPUT $TC -i $n $HTTP -j $YL
$i -I INPUT $TC -i $n $SSH -j $YL
$i -I INPUT $TC -i $n $SC -j $YL
$i -I INPUT $TC -i $n $TN -j $YL
# $i -I FORWARD -i $n -j $NL
# $i -I FORWARD -i $n -o br0 -m state $Cur -j $YL
# $i -I FORWARD -i $n -o br0 -m state $New -j $NL
$i -t nat -I $PSR -s $c.16/29 -o br0 -j MASQUERADE
#
# br0 : DHCP : when wl0/vlan1/br0 is wan then br0=c.1.251/24
# when vlan2 is wan then br0=c.1.251/28
n="br0";
# $i -I INPUT -i $n -j $NL
$i -I INPUT $C4 -i $n -j $YL
$i -I INPUT $UD -i $n $DHCP -j $YL
$i -I INPUT $TC -i $n $DNS -j $YL
$i -I INPUT $UD -i $n $DNS -j $YL
$i -I INPUT $TC -i $n $HTTPS -j $YL
$i -I INPUT $TC -i $n $HTTP -j $YL
$i -I INPUT $TC -i $n $SSH -j $YL
$i -I INPUT $TC -i $n $SC -j $YL
$i -I INPUT $TC -i $n $TN -j $YL
# $i -I FORWARD -i $n -j $NL
# $i -I FORWARD -i $n -o br0 -m state $Cur -j $YL
# $i -I FORWARD -i $n -o br0 -m state $New -j $NL
# $i -t nat -I $PSR -s $c.240/28 -o br0 -j MASQUERADE
$i -t nat -I $PSR -s $c.1/24 -o br0 -j MASQUERADE
#
# global : "insert" (-I) rules entered here last end up at the top, so they have the highest priority (checked first)
# ...
#
unset i;
unset n c cc dp;
unset DHCP DNS SC SSH HTTPS HTTP TN;
unset Cur New;
unset YL NL;
unset INP FWD PRR PSR;
unset UD TC C4;
# END of firewall / iptables rules.

(I want to access the DD-WRT router RTR-2 via SSH and web browser (HTTPS/443) easily and directly
via LAN-3 (vlan12 <-> br4), so the firewall above reflects those needs:
br2 and the NIFs under it are for VPN usage,
br4+vlan12 is for direct access and the local DNS/nameserver,
br1 is for my WiFi and wired devices,
vlan1/br0 is used by my wired computer (to connect to RTR-1 directly),
br3 sits between br2 and br0; the VPN's tun1 uses Policy Based Routing to intercept traffic from br2,
etc.)

Now internet access, DNS, ping, nslookup, etc. work inside the DD-WRT router RTR-2,
and those also work from computers/client devices which are connected to RTR-2.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5798
Location: Romerike, Norway

PostPosted: Mon Apr 06, 2020 7:08    Post subject:
Use a class B network. Much easier than calculating small netmasks.

172.16.0.0

then divide up into

172.16.1.0/24
172.16.2.0/24
172.16.3.0/24

All netmasks can stay at 24.

All networks 172.16-32 are private address space.
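The duplicate-subnet problem raised in this reply (and the /28 and /29 carve-outs atErik ended up with), as an added example that is neither from the thread nor from DD-WRT: a POSIX shell script, pure sh arithmetic so that it also runs on the busybox ash found on DD-WRT, that computes the network ID of each interface address and reports every pair of interfaces whose subnets overlap. The interface names and addresses are the thread's illustrative values, written into constructed plan strings rather than read from a router. The clean plan takes one /24 per interface out of 172.16.0.0/12, which covers 172.16.0.0 through 172.31.255.255 and is the private range RFC 1918 sets aside there. Overlapping subnets are not only a routing problem: a second interface in the same subnet also means the reply to a client can leave through an interface the firewall rules above never anticipated.

```sh
#!/bin/sh
# Added example (not from the thread or from DD-WRT): find interface
# addresses whose subnets overlap, the condition behind the routing trouble
# described above. Plan strings below are constructed from the thread's
# example addresses.

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip N -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask PREFIX -> netmask as a 32-bit integer (mask 28 -> 255.255.255.240)
mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# network_of ADDR/PREFIX -> "NETWORK_INT PREFIX"
network_of() {
    addr=${1%/*}; pfx=${1#*/}
    echo "$(( $(ip2int "$addr") & $(mask "$pfx") )) $pfx"
}

# overlaps NET1 PFX1 NET2 PFX2 -> true (0) if the two subnets share addresses:
# both networks are compared under the shorter (larger-block) prefix
overlaps() {
    p=$2
    [ "$4" -lt "$p" ] && p=$4
    m=$(mask "$p")
    [ $(( $1 & m )) -eq $(( $3 & m )) ]
}

# check_plan "IF=ADDR/PFX IF=ADDR/PFX ..." -> prints every overlapping pair;
# returns 1 if any overlap was found, 0 otherwise
check_plan() {
    plan=$1; bad=0; i=0
    for e1 in $plan; do
        i=$((i + 1)); j=0
        for e2 in $plan; do
            j=$((j + 1))
            [ "$j" -gt "$i" ] || continue        # visit each unordered pair once
            set -- $(network_of "${e1#*=}") $(network_of "${e2#*=}")
            if overlaps "$1" "$2" "$3" "$4"; then
                echo "overlap: ${e1%%=*} $(int2ip "$1")/$2 and ${e2%%=*} $(int2ip "$3")/$4"
                bad=1
            fi
        done
    done
    return "$bad"
}

# First layout from the thread: br4 and vlan12 were addressed inside the
# same /24 that br0 already occupies.
PLAN_BROKEN="br0=192.168.1.251/24 br1=192.168.20.1/24 br4=192.168.1.253/24 vlan12=192.168.1.252/24"
# One /24 per interface out of 172.16.0.0/12, as suggested in the reply above.
PLAN_CLEAN="br0=172.16.1.1/24 br1=172.16.2.1/24 br4=172.16.3.1/24 vlan12=172.16.4.1/24"

check_plan "$PLAN_BROKEN" || echo "PLAN_BROKEN has overlapping subnets, fix it before enabling routing"
check_plan "$PLAN_CLEAN" && echo "PLAN_CLEAN is free of overlaps"
```

Feed check_plan the real assignments (one IF=ADDR/PFX token per addressed interface, bridge members excluded since they carry no address of their own) before applying a Networking page layout; any line it prints is a subnet that will produce the flapping default route seen earlier in the thread.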
robbieinc
DD-WRT Novice


Joined: 29 Oct 2012
Posts: 18

PostPosted: Tue Aug 04, 2020 17:07    Post subject:
Confirmed issue with 44048.

Attempting to use Local DNS in network and dnsmasq continues to revert /tmp/resolv.conf to the router's IP. I have the new "Ignore WAN DNS" checked, the Local DNS field populated, and "Use DNSMasq for DNS" unchecked.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7244
Location: Texas, USA

PostPosted: Tue Aug 04, 2020 17:13    Post subject:
I guess I need to edit the dnsmasq wiki. This is not difficult.
robbieinc
DD-WRT Novice


Joined: 29 Oct 2012
Posts: 18

PostPosted: Tue Aug 04, 2020 17:18    Post subject:
kernel-panic69 wrote:
I guess I need to edit the dnsmasq wiki. This is not difficult.


If I'm missing something, please elaborate.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6360
Location: Netherlands

PostPosted: Tue Aug 04, 2020 17:45    Post subject:
Perhaps you are confusing resolv.conf and resolv.dnsmasq?
_________________
Routers: Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Server setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard Client setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
robbieinc
DD-WRT Novice


Joined: 29 Oct 2012
Posts: 18

PostPosted: Tue Aug 04, 2020 17:52    Post subject:
The router is serving the correct DNS address via DHCP to clients; I am attempting to resolve names on the router itself via the specified local DNS address. When I update /tmp/resolv.conf manually it works fine; when dnsmasq is restarted, /tmp/resolv.conf reverts back to the router's IP, which doesn't have a DNS service running.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7244
Location: Texas, USA

PostPosted: Tue Aug 04, 2020 20:47    Post subject:
Do you have anything besides quad zeros in the static DNS server entries on the Setup->Basic Setup page?
robbieinc
DD-WRT Novice


Joined: 29 Oct 2012
Posts: 18

PostPosted: Wed Aug 05, 2020 0:40    Post subject:
kernel-panic69 wrote:
Do you have anything besides quad zeros in the static DNS server entries on the Setup->Basic Setup page?


I don't; static DNS is all zeros. Fixing resolv.conf in the startup command section corrects the issue temporarily, but dnsmasq and a few other services restart themselves once an hour for some reason. Is that normal?

Side note, I reverted back to 41874 and this issue does not occur.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7244
Location: Texas, USA

PostPosted: Wed Aug 05, 2020 1:11    Post subject:
https://wiki.dd-wrt.com/wiki/index.php/Repeater_Bridge

https://wiki.dd-wrt.com/wiki/index.php/Client_Bridged

Obviously, there is a configuration issue.

Page 1 of 2. All times are GMT.