Diversion not filtering Wifi

[ColinTaylor]

iptables: No chain/target/match by that name.

Enter this command and try again: modprobe xt_comment

Alternatively, remove this section from each of the commands: -m comment --comment "DNS Type 65"

 

[Mogsy]

Enter this command and try again: modprobe xt_comment

Alternatively, remove this section from each of the commands: -m comment --comment "DNS Type 65"

Thank you, got that entered but still not blocking iOS devices. I followed dnsmasq log and I can see it is blocking to 0.0.0.0

 

[SomeWhereOverTheRainBow]

iptables: No chain/target/match by that name.

Weird, I am able to do it. I guess it depends on how old your router's @kernol is. Glad someone told you which kernel module to enable.

 

[SomeWhereOverTheRainBow]

Thank you, got that entered but still not blocking iOS devices. I followed dnsmasq log and I can see it is blocking to 0.0.0.0

Change them to

iptables -I INPUT -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT 
iptables -I FORWARD -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I OUTPUT -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT

Also keep in mind this does not cover tcp responses.

 

[Mogsy]

Change them to

iptables -I INPUT -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I FORWARD -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I OUTPUT -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT

Also keep in mind this does not cover tcp responses.

Entered. Still the same. In my LAN setting, I didn't put lan domain name. Also Skynet blocked inbound logs are from kernel, not dnsmasq

 

[SomeWhereOverTheRainBow]

Entered. Still the same. In my LAN setting, I didn't put lan domain name. Also Skynet blocked inbound logs are from kernel, not dnsmasq

Yes but port 53 is from dnsmasq. So if it is not blocking those queries, then your iPhone is getting its DNS from a completely different source then the router. What dns servers show up when you run the test at

DNS leak test

dnsleaktest.com

Also, are you using a VPN on your router or iphone?

 

[chongnt]

iptables: No chain/target/match by that name.

Can try this without the comment.

iptables -I INPUT -p udp --dport 53 -d $(nvram get lan_ipaddr) -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I FORWARD -p udp --dport 53 -m string --hex-string "|0000410001|" --algo bm -j REJECT

 

[Mogsy]

Yes but port 53 is from dnsmasq. So if it is not blocking those queries, then your iPhone is getting its DNS from a completely different source then the router. What dns servers show up when you run the test at

DNS leak test

dnsleaktest.com

Also, are you using a VPN on your router or iphone?

I use 9.9.9.9 TLS normally. I switched to NextDNS just to see the logs. lightswitch is on NextDNS too, when I enabled them in NextDNS privacy, it does block the test page from iOS. I have my ipv6 disabled, will that affect any DNS queries?

 

[SomeWhereOverTheRainBow]

I use 9.9.9.9 TLS normally. I switched to NextDNS just to see the logs. lightswitch is on NextDNS too, when I enabled them in NextDNS privacy, it does block the test page from iOS. I have my ipv6 disabled, will that affect any DNS queries?

No, unless you somehow have traffic traveling over ipv6 on your iOS.

 

[SomeWhereOverTheRainBow]

I use 9.9.9.9 TLS normally. I switched to NextDNS just to see the logs. lightswitch is on NextDNS too, when I enabled them in NextDNS privacy, it does block the test page from iOS. I have my ipv6 disabled, will that affect any DNS queries?

I wonder if nextdns is diverting your request still despite you having disabled the blocking. I recommend uninstalling it instead of disabling it to see if your request start getting blocked.

 

[Mogsy]

Can try this without the comment.

iptables -I INPUT -p udp --dport 53 -d $(nvram get lan_ipaddr) -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I FORWARD -p udp --dport 53 -m string --hex-string "|0000410001|" --algo bm -j REJECT

This seems to work! But at the same time I did a network reset on my iPhone. Will try other iOS device. Thank you!

 

[Mogsy]

Same again. Saw this in DivStats

2022-06-10 15:55	block-test.developerdan.com	192.168.102.212	type=65	Allowed
2022-06-10 15:55	block-test.developerdan.com	192.168.102.212	A	Blocked (blocking list)

 

[Mogsy]

This seems to work! But at the same time I did a network reset on my iPhone. Will try other iOS device. Thank you!

This work only when I have SSH enabled. When I disabled SSH, the block test page showing up again. Do I have leave SSH on?

 

[chongnt]

Same again. Saw this in DivStats

2022-06-10 15:55	block-test.developerdan.com	192.168.102.212	type=65	Allowed
2022-06-10 15:55	block-test.developerdan.com	192.168.102.212	A	Blocked (blocking list)

Did you reboot your router? Currently the rules are gone after a reboot. Can you run this and see if the rules still exists iptables -nvL INPUT | grep 0000410001? If not then please try to apply again. Once you verify the rules exists, there should be no more type=65 entry in DivStats.

 

[chongnt]

This work only when I have SSH enabled. When I disabled SSH, the block test page showing up again. Do I have leave SSH on?

By right the rules stay unless you manually delete it or reboot your router. In order to keep the rules after reboot can add it in /jffs/scripts/firewall-start. This is how I do it.

 

[Mogsy]

By right the rules stay unless you manually delete it or reboot your router. In order to keep the rules after reboot can add it in /jffs/scripts/firewall-start. This is how I do it.

Thank you. Did not reboot. Only closing SSH client and disabled LAN SSH in System administration. When I enabled SSH again, and run the command, the rules were not there. Re-entered, but once SSH disabled, the rules seems to be gone.

 

[chongnt]

Thank you. Did not reboot. Only closing SSH client and disabled LAN SSH in System administration. When I enabled SSH again, and run the command, the rules were not there. Re-entered, but once SSH disabled, the rules seems to be gone.

Interesting. I’m not aware of this behavior. I have always leave LAN SSH on.

 

[Mogsy]

Interesting. I’m not aware of this behavior. I have always leave LAN SSH on.

Safe to leave it on? Port forwarding enabled and not port 22

 

[ColinTaylor]

Thank you. Did not reboot. Only closing SSH client and disabled LAN SSH in System administration. When I enabled SSH again, and run the command, the rules were not there. Re-entered, but once SSH disabled, the rules seems to be gone.

When you change the state of SSH it restarts the firewall which wipes out any changes you've made.

Just leave SSH enabled for LAN only.

 

[Mogsy]

When you change the state of SSH it restarts the firewall which wipes out any changes you've made.

Just leave SSH enabled for LAN only.

Thank you. Left it on. Thanks all for you help