Author
Message
rnix DD-WRT User Joined: 23 Feb 2016 Posts: 200
Posted: Mon Mar 18, 2024 21:16 Post subject: [RESOLVED] Force DNS redirect for untrusted VLAN with Pihole
edit - jump to solution https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1298865#1298865
I need some help figuring out iptables rules to force pihole DNS for br1, which is my untrusted VLAN.
The following firewall rules seem to work fine for br0, forcing all DNS traffic through pihole if a device has hardcoded DNS.
10.10.10.1 = dd-wrt router
10.10.10.254 = pihole server
Code:
iptables -t nat -I PREROUTING -i br0 -p tcp ! -s 10.10.10.254 --dport 53 -j DNAT --to 10.10.10.254
iptables -t nat -I PREROUTING -i br0 -p udp ! -s 10.10.10.254 --dport 53 -j DNAT --to 10.10.10.254
iptables -t nat -I POSTROUTING -o br0 -p tcp ! -s 10.10.10.254 --dport 53 -j SNAT --to 10.10.10.1
iptables -t nat -I POSTROUTING -o br0 -p udp ! -s 10.10.10.254 --dport 53 -j SNAT --to 10.10.10.1
However, when I attempt to apply the same configuration for br1 (replacing br0 with br1), I get no connection for devices connected to br1.
br1 runs a separate DHCP server with the IP range 172.16.10.1 - 172.16.10.254.
Any advice on how to approach this? I assume I need to adjust the IP, or is it something more complicated?
I found the above rules on this same forum (adjusted to my needs), so please bear with me as I don't have deep knowledge of iptables.
Thank you in advance. Last edited by rnix on Wed Mar 20, 2024 22:12; edited 1 time in total
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
rnix DD-WRT User Joined: 23 Feb 2016 Posts: 200
Posted: Tue Mar 19, 2024 16:55 Post subject:
Thanks for your response, egc.
egc wrote: Assuming the Pihole is not on br1, you do not need to exclude the pihole's address.
Correct, pihole is on br0
Quote:
You probably have the subnets isolated from each other so besides a DNAT rule you do need a FORWARD rule to allow traffic.
Do you have any practical examples of how this FORWARD rule would look?
I have the following fw rules to fully isolate the br0 (trusted) and br1 (untrusted) networks. I hope it doesn't somehow conflict with the iptables rules I posted above, but I'm no expert, so I can't say for certain.
Code:
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.0.0/16 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 10.0.0.0/8 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 172.16.0.0/12 -m state --state NEW -j DROP
Quote:
The POSTROUTING rule is usually not necessary but does not hurt.
It could be necessary as this traffic can be classified as invalid because of the asymmetric routing.
After removing POSTROUTING I couldn't resolve anything, so I guess it is required.
I unsuccessfully attempted to force DNS via the webif by enabling Forced DNS Redirection under Networking > Network configuration br1 and setting the pihole IP, but it did not work.
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Tue Mar 19, 2024 17:10 Post subject:
Forced DNS Redirection from the webif forces the redirection to the router, so it is not applicable to your case.
If this is set up as a regular router and not as a WAP, you can simply enable the isolation of br1 by enabling "Net Isolation" in the GUI.
But if you are happy with the way it is just leave it as is.
Just add these as the last rules in your firewall rules:
Quote:
iptables -I FORWARD -i br1 -p tcp -d 10.10.10.254 --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -p udp -d 10.10.10.254 --dport 53 -j ACCEPT
_________________ Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
rnix DD-WRT User Joined: 23 Feb 2016 Posts: 200
Posted: Tue Mar 19, 2024 18:42 Post subject:
egc wrote:
Just add these as the last rules in your firewall rules:
Quote:
iptables -I FORWARD -i br1 -p tcp -d 10.10.10.254 --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -p udp -d 10.10.10.254 --dport 53 -j ACCEPT
It didn't seem to work unfortunately.
I can still bypass pihole on br1 when I manually assign a PC a static DNS (e.g. Google or Cloudflare).
Devices connected to br0 are properly forced through pihole with the rules I included in the original post.
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
rnix DD-WRT User Joined: 23 Feb 2016 Posts: 200
Posted: Wed Mar 20, 2024 18:07 Post subject:
These are my current firewall rules.
I added the FORWARD rule at the very end, but it didn't make a difference and I can still bypass pihole DNS on br1.
10.10.10.1 = dd-wrt router
10.10.10.254 = pihole server
10.4.0.0/24 = wireguard
Code:
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.0.0/16 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 10.0.0.0/8 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 172.16.0.0/12 -m state --state NEW -j DROP
iptables -t nat -I PREROUTING -i br0 -p tcp ! -s 10.10.10.254 --dport 53 -j DNAT --to 10.10.10.254
iptables -t nat -I PREROUTING -i br0 -p udp ! -s 10.10.10.254 --dport 53 -j DNAT --to 10.10.10.254
iptables -t nat -I POSTROUTING -o br0 -p tcp ! -s 10.10.10.254 --dport 53 -j SNAT --to 10.10.10.1
iptables -t nat -I POSTROUTING -o br0 -p udp ! -s 10.10.10.254 --dport 53 -j SNAT --to 10.10.10.1
iptables -I FORWARD -i br1 -p tcp -d 10.10.10.254 --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -p udp -d 10.10.10.254 --dport 53 -j ACCEPT
Output of iptables -vnL FORWARD
I redacted the WAN IP to 1.2.3.4
Code:
0 0 ACCEPT all -- oet1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- br1 * 0.0.0.0/0 10.10.10.254 udp dpt:53
0 0 ACCEPT tcp -- br1 * 0.0.0.0/0 10.10.10.254 tcp dpt:53
0 0 DROP all -- br1 * 0.0.0.0/0 172.16.0.0/12 state NEW
0 0 DROP all -- br1 * 0.0.0.0/0 10.0.0.0/8 state NEW
0 0 DROP all -- br1 * 0.0.0.0/0 192.168.0.0/16 state NEW
0 0 ACCEPT udp -- br1 * 0.0.0.0/0 10.10.10.254 udp dpt:53
0 0 ACCEPT tcp -- br1 * 0.0.0.0/0 10.10.10.254 tcp dpt:53
0 0 DROP all -- br1 * 0.0.0.0/0 172.16.0.0/12 state NEW
0 0 DROP all -- br1 * 0.0.0.0/0 10.0.0.0/8 state NEW
0 0 DROP all -- br1 * 0.0.0.0/0 192.168.0.0/16 state NEW
0 0 DROP all -- vlan3 * 0.0.0.0/0 10.10.10.0/24 state NEW
0 0 DROP all -- wl0.1 * 0.0.0.0/0 10.10.10.0/24 state NEW
0 0 DROP all -- br1 * 0.0.0.0/0 10.10.10.0/24 state NEW
22231 16M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 40 DROP tcp -- * vlan2 !1.2.3.4 0.0.0.0/0 state INVALID
1625 188K upnp all -- * * 0.0.0.0/0 0.0.0.0/0
453 76192 lan2wan all -- br1 * 0.0.0.0/0 0.0.0.0/0
1625 188K lan2wan all -- * * 0.0.0.0/0 0.0.0.0/0
697 48018 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * vlan2 10.10.10.0/24 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT 47 -- * vlan2 10.10.10.0/24 0.0.0.0/0
0 0 TRIGGER all -- vlan2 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
475 64051 trigger_out all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER all -- vlan2 eth0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 eth1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 vlan1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- vlan1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- vlan1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP all -- br0 vlan3 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 vlan3 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- vlan3 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- vlan3 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP all -- br0 wl0.1 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 wl0.1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- wl0.1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- wl0.1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP all -- br0 br1 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 br1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
453 76192 trigger_out all -- br1 * 0.0.0.0/0 0.0.0.0/0
453 76192 ACCEPT all -- br1 * 0.0.0.0/0 0.0.0.0/0 state NEW
475 64051 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- br0 vlan2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br1 vlan2 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Output of iptables -vnL -t nat
Code:
Chain PREROUTING (policy ACCEPT 4578 packets, 954K bytes)
pkts bytes target prot opt in out source destination
3002 229K DNAT udp -- br0 * !10.10.10.254 0.0.0.0/0 udp dpt:53 to:10.10.10.254
0 0 DNAT tcp -- br0 * !10.10.10.254 0.0.0.0/0 tcp dpt:53 to:10.10.10.254
0 0 DNAT udp -- br0 * !10.10.10.254 0.0.0.0/0 udp dpt:53 to:10.10.10.254
0 0 DNAT tcp -- br0 * !10.10.10.254 0.0.0.0/0 tcp dpt:53 to:10.10.10.254
124 3472 DNAT icmp -- * * 0.0.0.0/0 1.2.3.4 to:10.10.10.1
340 19586 TRIGGER all -- * * 0.0.0.0/0 1.2.3.4 TRIGGER type:dnat match:0 relate:0
Chain INPUT (policy ACCEPT 201 packets, 15945 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 208 packets, 17631 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 16 packets, 3970 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * br+ 10.4.0.0/24 0.0.0.0/0
0 0 SNAT all -- * vlan2 10.4.0.0/24 0.0.0.0/0 to:1.2.3.4
3197 243K SNAT udp -- * br0 !10.10.10.254 0.0.0.0/0 udp dpt:53 to:10.10.10.1
0 0 SNAT tcp -- * br0 !10.10.10.254 0.0.0.0/0 tcp dpt:53 to:10.10.10.1
0 0 SNAT udp -- * br0 !10.10.10.254 0.0.0.0/0 udp dpt:53 to:10.10.10.1
0 0 SNAT tcp -- * br0 !10.10.10.254 0.0.0.0/0 tcp dpt:53 to:10.10.10.1
1449 171K SNAT all -- * vlan2 10.10.10.0/24 0.0.0.0/0 to:1.2.3.4
1158 154K SNAT all -- * vlan2 172.16.10.0/24 0.0.0.0/0 to:1.2.3.4
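An added example, not code from anyone in this thread: a POSIX sh script that audits a saved `iptables -vnL FORWARD` and `iptables -vnL -t nat` listing for one bridge, reporting whether the FORWARD accepts toward the pihole sit above the isolation DROPs and whether a PREROUTING DNAT for that bridge exists at all (the piece missing from the listing above). The sample listings are constructed, trimmed from the output posted above; on the router, pass `"$(iptables -vnL -t nat)"` as the third argument instead.

```shell
#!/bin/sh
# Audit helpers for the DNS redirect discussed in this thread. They parse the text of
# `iptables -vnL FORWARD` / `iptables -vnL -t nat` rather than calling iptables themselves.

# Constructed sample listings, trimmed from the ones posted above.
FORWARD_SAMPLE='
0 0 ACCEPT udp -- br1 * 0.0.0.0/0 10.10.10.254 udp dpt:53
0 0 ACCEPT tcp -- br1 * 0.0.0.0/0 10.10.10.254 tcp dpt:53
0 0 DROP all -- br1 * 0.0.0.0/0 10.0.0.0/8 state NEW
0 0 DROP all -- br1 * 0.0.0.0/0 172.16.0.0/12 state NEW
'
# Same rules with a DROP on top, as happens when the ACCEPT lines are run before the
# isolation lines in the firewall script (each -I lands on top of the chain).
FORWARD_SHADOWED='
0 0 DROP all -- br1 * 0.0.0.0/0 10.0.0.0/8 state NEW
0 0 ACCEPT udp -- br1 * 0.0.0.0/0 10.10.10.254 udp dpt:53
0 0 ACCEPT tcp -- br1 * 0.0.0.0/0 10.10.10.254 tcp dpt:53
'
NAT_SAMPLE='
Chain PREROUTING (policy ACCEPT 4578 packets, 954K bytes)
3002 229K DNAT udp -- br0 * !10.10.10.254 0.0.0.0/0 udp dpt:53 to:10.10.10.254
0 0 DNAT tcp -- br0 * !10.10.10.254 0.0.0.0/0 tcp dpt:53 to:10.10.10.254
'

# check_forward_order BRIDGE PIHOLE_IP LISTING -> ok | missing | shadowed
# -vnL columns: pkts bytes target prot opt in out source destination extras...
check_forward_order() {
  printf '%s\n' "$3" | awk -v br="$1" -v ph="$2" '
    $6 != br { next }                                   # only rules on this bridge
    $3 == "DROP" && !drop { drop = NR }                 # first isolation DROP
    $3 == "ACCEPT" && $9 == ph && $11 == "dpt:53" { acc[$4] = NR }
    END {
      if (!("udp" in acc) || !("tcp" in acc)) { print "missing"; exit }
      if (drop && (acc["udp"] > drop || acc["tcp"] > drop)) { print "shadowed"; exit }
      print "ok"
    }'
}

# check_nat_redirect BRIDGE PIHOLE_IP LISTING -> ok | missing
# Looks only in PREROUTING for DNAT rules that send BRIDGE port-53 traffic to PIHOLE_IP.
check_nat_redirect() {
  printf '%s\n' "$3" | awk -v br="$1" -v ph="$2" '
    $1 == "Chain" { chain = $2; next }
    chain == "PREROUTING" && $3 == "DNAT" && $6 == br && $11 == "dpt:53" && $12 == ("to:" ph) { got[$4] = 1 }
    END { r = "missing"; if (("udp" in got) && ("tcp" in got)) r = "ok"; print r }'
}

# Stand-alone run: br1 FORWARD accepts are fine, but there is no DNAT for br1 (static DNS bypasses pihole).
echo "FORWARD br1: $(check_forward_order br1 10.10.10.254 "$FORWARD_SAMPLE")"
echo "PREROUTING br1: $(check_nat_redirect br1 10.10.10.254 "$NAT_SAMPLE")"
```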
ho1Aetoo DD-WRT Guru Joined: 19 Feb 2019 Posts: 3006 Location: Germany
Posted: Wed Mar 20, 2024 18:58 Post subject:
I'll help a little so that we don't keep going round in circles.
Code:
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.0.0/16 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 10.0.0.0/8 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 172.16.0.0/12 -m state --state NEW -j DROP
---- snip----
Code:
# force dns redirection br0
iptables -t nat -I PREROUTING -i br0 -p tcp ! -s 10.10.10.254 --dport 53 -j DNAT --to 10.10.10.254
iptables -t nat -I PREROUTING -i br0 -p udp ! -s 10.10.10.254 --dport 53 -j DNAT --to 10.10.10.254
# force dns redirections br1
iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to 10.10.10.254
iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 10.10.10.254
iptables -I FORWARD -i br1 -p tcp -d 10.10.10.254 --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -p udp -d 10.10.10.254 --dport 53 -j ACCEPT
_________________ Quickstart guides:
use Pi-Hole as simple DNS-Server with DD-WRT
VLAN configuration via GUI - 1 CPU port
VLAN configuration via GUI - 2 CPU ports (R7800, EA8500 etc)
Routers
Marvell OCTEON TX2 - QHora-322 - OpenWrt 23.05.3 - Gateway
Qualcomm IPQ8065 - R7800 - DD-WRT - WAP
rnix DD-WRT User Joined: 23 Feb 2016 Posts: 200
Posted: Wed Mar 20, 2024 19:40 Post subject:
Hi ho1Aetoo,
Unfortunately it didn't work. After applying those, I cannot resolve anything anymore.
ho1Aetoo DD-WRT Guru Joined: 19 Feb 2019 Posts: 3006 Location: Germany
Posted: Wed Mar 20, 2024 20:20 Post subject:
With the best will in the world, I don't see any mistakes.
So the redirection seems to work if the DNS resolution in your isolated VLAN no longer works.
I would now check the Pi-Hole settings and firewall settings, maybe the Pi-Hole itself rejects the connection.
There is a setting in the WebIF
"Allow only local requests" or "Respond only on interface eth0"
And post "iptables -vnL FORWARD" again and we'll see more.
rnix DD-WRT User Joined: 23 Feb 2016 Posts: 200
Posted: Wed Mar 20, 2024 20:41 Post subject:
Please ignore the below and refer to https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1298865#1298865 for the working setup.
Code:
# block traffic between br0 and br1 while still allowing dns and dhcp
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.0.0/16 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 10.0.0.0/8 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 172.16.0.0/12 -m state --state NEW -j DROP
# force dns redirection for br0
iptables -t nat -I PREROUTING -i br0 -p tcp ! -s 10.10.10.254 --dport 53 -j DNAT --to 10.10.10.254
iptables -t nat -I PREROUTING -i br0 -p udp ! -s 10.10.10.254 --dport 53 -j DNAT --to 10.10.10.254
iptables -t nat -I POSTROUTING -o br0 -p tcp ! -s 10.10.10.254 --dport 53 -j SNAT --to 10.10.10.1
iptables -t nat -I POSTROUTING -o br0 -p udp ! -s 10.10.10.254 --dport 53 -j SNAT --to 10.10.10.1
# force dns redirection for br1
iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to 10.10.10.254
iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 10.10.10.254
iptables -t nat -I POSTROUTING -o br1 -p tcp ! -s 10.10.10.254 --dport 53 -j SNAT --to 10.10.10.1
iptables -t nat -I POSTROUTING -o br1 -p udp ! -s 10.10.10.254 --dport 53 -j SNAT --to 10.10.10.1
iptables -I FORWARD -i br1 -p tcp -d 10.10.10.254 --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -p udp -d 10.10.10.254 --dport 53 -j ACCEPT
Huge thanks to egc and ho1Aetoo for your input. Last edited by rnix on Wed Mar 20, 2024 21:51; edited 2 times in total
ho1Aetoo DD-WRT Guru Joined: 19 Feb 2019 Posts: 3006 Location: Germany
Posted: Wed Mar 20, 2024 20:50 Post subject:
Yes, of course, if you have a completely fucked-up setup.
You redirect to the Pi-Hole before routing and later in the chain to the address of the router.
Maybe you should take a look at the Pi-Hole stickies in the forum first - with the best will in the world, there may be something wrong with your setup.
And I have very probably already explained why it doesn't work in the previous post.
rnix DD-WRT User Joined: 23 Feb 2016 Posts: 200
ho1Aetoo DD-WRT Guru Joined: 19 Feb 2019 Posts: 3006 Location: Germany
rnix DD-WRT User Joined: 23 Feb 2016 Posts: 200
Posted: Wed Mar 20, 2024 21:28 Post subject:
Apologies, I meant that the way the dd-wrt webif was configured with pihole was based on the second example.
If I took your linked example 2, how could I adjust it also for the br1 interface?
Code:
# filter on br0 (usually includes LAN and WLAN)
iptables -t nat -I PREROUTING -i br0 ! -s 10.10.10.254 ! -d $(nvram get lan_ipaddr) -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr):53
iptables -t nat -I PREROUTING -i br0 ! -s 10.10.10.254 ! -d $(nvram get lan_ipaddr) -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr):53