Can't get DNSFilter to work... RT-AC3100

Skruf · Apr 20, 2019

I can't seem to get DNSFilter to work. I thought I'd just try a simple setup and see if I could have DNSFilter force a computer on the network to use Quad9.

I turned on DNSFilter and set Global to No Filtering... Set the computer MAC in the Client MAC Address space and chose Quad9... No go... Still uses the local DNS (pi-hole) set in the static setup on the computer.

I have tried it with local DNS servers setup in LAN-DHCP Server-DNS Server 1 & 2... tried it with them blank... Tried it setting Global to Router... Nothing seems to work for me.

I do have the local DNS server (pi-hole) going through a VPN but I disabled that when I was doing the testing (removed it from the VPN).

I've tried all the variations I can think of (except for the right one) but nothing seems to work. I've even reset the router and did a manual reconfigure with no difference... Any suggestions?

Here's what iptables shows when the router is setup up as above (Global No Filtering)...

Code:

admin@gateway:/tmp/home/root# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 335 packets, 28757 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  4067 VSERVER    all  --  *      *       0.0.0.0/0            84.123.134.64
  147 11506 DNSFILTER  udp  --  *      *       192.168.10.0/24      0.0.0.0/0            udp dpt:53
    0     0 DNSFILTER  tcp  --  *      *       192.168.10.0/24      0.0.0.0/0            tcp dpt:53

Chain INPUT (policy ACCEPT 186 packets, 10107 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 236 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 4 packets, 236 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      tun12   192.168.10.0/24      0.0.0.0/0
    0     0 MASQUERADE  all  --  *      tun11   192.168.10.0/24      0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.10.0/24      0.0.0.0/0            policy match dir out pol ipsec
  201 15399 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  175 13691 MASQUERADE  all  --  *      eth0   !84.123.134.64        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      br0     192.168.10.0/24      192.168.10.0/24

Chain DNSFILTER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 3C:W9:E5:54:26:42to:9.9.9.9

Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PCREDIRECT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   28  4067 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Thanks...

dave14305 · Apr 20, 2019

For DNS filter to work, the DNS traffic has to be routing through the router. If the computer is configured to use a pi-hole address on your LAN, DNSfilter will not see that traffic. Set the computer to get DNS automatically and then it will probably work.

Edit: LAN DHCP dns is also set for which DNS servers? Internal pi-hole or external DNS?

Skruf · Apr 20, 2019

dave14305 said:
For DNS filter to work, the DNS traffic has to be routing through the router. If the computer is configured to use a pi-hole address on your LAN, DNSfilter will not see that traffic. Set the computer to get DNS automatically and then it will probably work.

Edit: LAN DHCP dns is also set for which DNS servers? Internal pi-hole or external DNS?

Thanks... I did set the computer to get a DHCP address at one point... But, I think I did have the DHCP-DNS Servers set to the pi-hole... I've also left those blank and had the WAN DNS set to external...

I thought that when I had Global set to Router that would capture ALL DNS (53) requests no matter what was hard set on a device.

I'll give it a shot as you describe...

dave14305 · Apr 20, 2019

Skruf said:
Thanks... I did set the computer to get a DHCP address at one point... But, I think I did have the DHCP-DNS Servers set to the pi-hole... I've also left those blank and had the WAN DNS set to external...

I thought that when I had Global set to Router that would capture ALL DNS (53) requests no matter what was hard set on a device.

I'll give it a shot as you describe...

LAN-to-LAN traffic doesn’t get routed, it gets switched as I best understand it. If pi-hole is set in the LAN DHCP server page, at least manually configure the computer to use the router ip for DNS.

Skruf · Apr 20, 2019

Well, tried it like you described and got better results. I mistakenly thought that the way I had it set up the router would grab any DNS traffic but like you mention it wasn't pointed that way and since it was local traffic it didn't need the router anyway.

Thanks for the clarity!

dave14305 · Apr 20, 2019

You might consider this:

Clear LAN DHCP DNS 1 and 2.
Advertise router's IP in addition to user-specified DNS = yes.
DNSFilter custom 1 = pi-hole ip
DNSFilter global mode = Custom 1
DNSFilter computer MAC = Quad9
DNSFilter pi-hole MAC = No filtering

Just be careful using DNSFilter so you don’t mistakenly block your pi-hole. Now I’ll shut my pie-hole.

Skruf · Apr 20, 2019

LOL... Yeah, I'll give that a try... I've already killed internet access in playing with the DNSFilter so I know what that's like!

I really don't have any purpose in mind for DNSFilter other than wanting to know what possibilities it provides... Then I can really break things!

Thanks for your help.

martinr · Apr 20, 2019

Skruf said:
LOL... Yeah, I'll give that a try... I've already killed internet access in playing with the DNSFilter so I know what that's like!

I really don't have any purpose in mind for DNSFilter other than wanting to know what possibilities it provides... Then I can really break things!

Thanks for your help.

Have you considered retiring pi-hole in favour of Diversion and Skynet via AMTM? If you do, you’d probably wish you’d done it ages ago. And, you’ll save on the amount of cables and stuff hanging off the back of the router.

Vexira · Apr 20, 2019

Skruf said:
I can't seem to get DNSFilter to work. I thought I'd just try a simple setup and see if I could have DNSFilter force a computer on the network to use Quad9.

I turned on DNSFilter and set Global to No Filtering... Set the computer MAC in the Client MAC Address space and chose Quad9... No go... Still uses the local DNS (pi-hole) set in the static setup on the computer.

I have tried it with local DNS servers setup in LAN-DHCP Server-DNS Server 1 & 2... tried it with them blank... Tried it setting Global to Router... Nothing seems to work for me.

I do have the local DNS server (pi-hole) going through a VPN but I disabled that when I was doing the testing (removed it from the VPN).

I've tried all the variations I can think of (except for the right one) but nothing seems to work. I've even reset the router and did a manual reconfigure with no difference... Any suggestions?

Here's what iptables shows when the router is setup up as above (Global No Filtering)...

Code:

admin@gateway:/tmp/home/root# iptables -t nat -L -v -n Chain PREROUTING (policy ACCEPT 335 packets, 28757 bytes) pkts bytes target prot opt in out source destination 28 4067 VSERVER all -- * * 0.0.0.0/0 84.123.134.64 147 11506 DNSFILTER udp -- * * 192.168.10.0/24 0.0.0.0/0 udp dpt:53 0 0 DNSFILTER tcp -- * * 192.168.10.0/24 0.0.0.0/0 tcp dpt:53 Chain INPUT (policy ACCEPT 186 packets, 10107 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 4 packets, 236 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 4 packets, 236 bytes) pkts bytes target prot opt in out source destination 0 0 MASQUERADE all -- * tun12 192.168.10.0/24 0.0.0.0/0 0 0 MASQUERADE all -- * tun11 192.168.10.0/24 0.0.0.0/0 0 0 ACCEPT all -- * * 192.168.10.0/24 0.0.0.0/0 policy match dir out pol ipsec 201 15399 PUPNP all -- * eth0 0.0.0.0/0 0.0.0.0/0 175 13691 MASQUERADE all -- * eth0 !84.123.134.64 0.0.0.0/0 0 0 MASQUERADE all -- * br0 192.168.10.0/24 192.168.10.0/24 Chain DNSFILTER (2 references) pkts bytes target prot opt in out source destination 0 0 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 3C:W9:E5:54:26:42to:9.9.9.9 Chain LOCALSRV (0 references) pkts bytes target prot opt in out source destination Chain PCREDIRECT (0 references) pkts bytes target prot opt in out source destination Chain PUPNP (1 references) pkts bytes target prot opt in out source destination Chain VSERVER (1 references) pkts bytes target prot opt in out source destination 28 4067 VUPNP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain VUPNP (1 references) pkts bytes target prot opt in out source destination

Thanks...

Add pi with no filter to the DNS list of devices and global is custom one is the pi's up address that's how mine is set up.

But I'm using a rock64 instead of a raspberry pi.

Skruf · Apr 20, 2019

martinr said:
Have you considered retiring pi-hole in favour of Diversion and Skynet via AMTM? If you do, you’d probably wish you’d done it ages ago. And, you’ll save on the amount of cables and stuff hanging off the back of the router.

Yeah, actually I have and will probably give it a go in the near future... Especially considering the DNS changes and such I'm seeing in .11 Merlin alpha release...

Pi-hole/Unbound/NSD is running on a VM on VirtualBox on a OMV server... I like a good challenge... And of course it keeps the brain active... I ain't getting any younger as they say...

Thanks for the nudge.

Skruf · Apr 20, 2019

Vexira said:
Add pi with no filter to the DNS list of devices and global is custom one is the pi's up address that's how mine is set up.

But I'm using a rock64 instead of a raspberry pi.

I'm running pi-hole on a VM with VirtualBox... Started out on a Raspberry Pi 3... Makes sense how you did it especially after @dave14305 enlightened me. I'll give it a try to see how it works.

Thanks for help.

Thread starter	Title	Forum	Replies	Date
W	Support ending Dec 2024 for AC3100 - Need hardware buying advice?	Asuswrt-Merlin	12	Sep 25, 2024
S	RT AC3100 386.13 vs 386.14	Asuswrt-Merlin	5	Aug 20, 2024
J	iTunes and UPnP media server [RT-AC3100] not functioning after firmware upgrade to version 386.14	Asuswrt-Merlin	3	Jul 28, 2024
	RT-AC3100 stable on v386.2_6 what do I miss by NOT updating	Asuswrt-Merlin	10	Jun 3, 2024
	Moving from RT-AC3100 to RT-AX88U Pro	Asuswrt-Merlin	13	May 13, 2024
L	IPSec VPN Server with VNC connection causes ASUS RT-AC3100 to Reboot	Asuswrt-Merlin	0	Apr 28, 2024

Search

Search

Can't get DNSFilter to work... RT-AC3100

Skruf

Occasional Visitor

dave14305

Part of the Furniture

Skruf

Occasional Visitor

dave14305

Part of the Furniture

Skruf

Occasional Visitor

dave14305

Part of the Furniture

Skruf

Occasional Visitor

martinr

Part of the Furniture

Vexira

Part of the Furniture

Skruf

Occasional Visitor

Skruf

Occasional Visitor

Similar threads

Similar threads

Latest threads

Support SNBForums w/ Amazon

Sign Up For SNBForums Daily Digest

Members online