Nat Loopback/Dns Filter problem

Vexira

I seem to have noticed a strange bug with DNS filter: if I set NAT loopback to Merlin, DNS filter stops working and breaks completely. If I set it back to Asus, everything works fine, which confuses me. Also, what Trend stuff breaks if NAT loopback is set to Merlin from Asus? I'm just curious, because I'm testing Merlin NAT loopback to see if UPnP works better than with Asus NAT loopback.
 
Can't reproduce it here, welcome.opendns.com returns the same IP if I use OpenDNS's dnsfilter and switch between both NAT loopback modes. The IP changes once I disable DNSFilter. How is your DNSFilter configured?
 
RT-AC88U, 380.67 alpha 3. It's set up with global filter custom filter one, which is set to the IP of my Raspberry Pi with Pi-hole, 192.168.7.2. The router is set to 192.168.7.1. No static IP is set in the router, but it's set in the Pi-hole during its setup.
The issue kind of reminds me of the MRU issue under PPPoE: when it's dropped below 1492 the router won't reconnect to the internet, same as when I set MTU below 1500 on auto IP, it just gets stuck on disconnected.
When I disable global filter with NAT loopback Merlin mode, the internet works, as in things that require DNS resolution.
NAT will go from moderate or strict to open. I haven't been able to really leave your loopback set since I haven't been home long enough to test it and see if the things that still have NAT errors work fine with your loopback. Or they're just some firewall rules that need to be adjusted, the DNS filter issue.
 
Also, this is an old bug; I've had it across a few versions of firmware. The custom one setting in global filter, when your loopback is enabled, causes DNS resolution to fail and NAT to become strict, and some games won't connect to online services, which is weird.
 
You are creating a loop in your network... If you set up a global DNSFilter to use an IP within your LAN, it means that device itself (your Pi) will also try to use its own IP for recursive resolutions, which will obviously fail - it won't be able to connect to any remote nameserver to do recursive lookups - it will be constantly redirected to itself when attempting to resolve a hostname.
 
I have the Pi set as an exclusion in DNS filtering. Oddly, it works when set to LAN DNS with your loopback. I can post a screenshot if you want me to.

So LAN DNS still forces all devices to use the DNS server set; if so, I'll just set the Pi in LAN DNS and set global to router, since it works in that configuration with Merlin mode. Pi-hole uses DNS servers like OpenDNS to do resolutions, or in my case my ISP's DNS servers.

I'm technically using Pi-hole software on my Raspberry Pi 3 since it's an ad-blocking DNS server, so all DNS requests are passed through Pi-hole filtering.
But if it's creating a loop, then why does it work in Asus loopback mode but not in yours? That's what I don't understand. It does work when it is set in LAN and I use router for global filter. I assumed that NAT loopback shouldn't interfere with DNS filtering, utilising then again I don't know much about Linux and how the router handles everything.

https://pi-hole.net
 
I still can't reproduce it here, however I don't have anything within my LAN to act as a recursive nameserver. All I can think is that since you are probably ending up going through the loopback with your setup (as the router will attempt to redirect the outbound connection back to a LAN IP), and this somehow interferes with the Pi's ability to achieve recursive lookups. It's possible for instance that the loopback causes the Pi's resolution connections to appear as coming from the router's own IP rather than from the Pi, causing it to get looped over and over.

You could try adding another exception for the router's IP to see if that's actually the case. If it is, then it's simply a functionality conflict between the NAT loopback and DNSFilter in your particular scenario, and not a bug. You will have to resolve the conflict by either adding another exception rule, or by switching loopback mode.

Each NAT loopback method has its strengths and limitations. That's why I offer both options rather than just one or the other.
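
An added example, not part of the original posts and not the firmware's own rules: a small model of the forced-DNS redirect that reproduces the loop described in the earlier "creating a loop" reply and the source-rewrite hypothesis in the post above. The class `ForcedDns`, the `pi_seen_as_router` flag, the client address and the upstream resolver address are all assumptions made for illustration; only 192.168.7.1 and 192.168.7.2 come from the thread.

```python
from dataclasses import dataclass, field

ROUTER = "192.168.7.1"       # router LAN IP, as given in the thread
PIHOLE = "192.168.7.2"       # Pi-hole IP, as given in the thread
CLIENT = "192.168.7.50"      # constructed sample LAN client
UPSTREAM = "203.0.113.53"    # constructed placeholder for the Pi-hole's upstream resolver


@dataclass
class ForcedDns:
    """Hypothetical model of a forced-DNS redirect; not the firmware's real rules."""
    target: str                                     # global filter destination
    no_filtering: set = field(default_factory=set)  # clients exempted from the redirect
    pi_seen_as_router: bool = False                 # hypothesis: loopback rewrites the Pi's source

    def route(self, src: str, dst: str) -> str:
        """Return where a port-53 query from src to dst actually ends up."""
        seen = ROUTER if (self.pi_seen_as_router and src == PIHOLE) else src
        return dst if seen in self.no_filtering else self.target

    def lookup(self, client: str = CLIENT) -> str:
        """Follow one client query through the Pi-hole and its upstream hop."""
        if self.route(client, ROUTER) != PIHOLE:
            return "bypassed"                       # client never reached the Pi-hole
        if self.route(PIHOLE, UPSTREAM) == PIHOLE:
            return "loop"                           # Pi-hole's own query came back to it
        return "resolved"


def scenarios() -> dict:
    """Evaluate the four configurations discussed in the thread."""
    return {
        "no exception for the Pi": ForcedDns(PIHOLE).lookup(),
        "Pi excepted, source intact": ForcedDns(PIHOLE, {PIHOLE}).lookup(),
        "Pi excepted, source rewritten":
            ForcedDns(PIHOLE, {PIHOLE}, pi_seen_as_router=True).lookup(),
        "Pi and router excepted, source rewritten":
            ForcedDns(PIHOLE, {PIHOLE, ROUTER}, pi_seen_as_router=True).lookup(),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:45} {outcome}")
```

In this model, the router exception only changes the outcome when the Pi's source address is being rewritten, which is why adding it works as a test of the hypothesis.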
 
How do I make an exception in the router for the router so that forced DNS filtering doesn't apply to it?
Also, I left the setting "Connect to DNS automatically" on.
Is it possible that it's an issue with the firewall not allowing it through?
I'm starting to think that it's not a conflict, and it's more that Asus loopback had support for internal IP addresses for DNS filtering, and when enabling Merlin mode it does not have such support, therefore it's like it's blocked or just doesn't work. That is my theory on the issue, because when I set it up to router mode with the Pi-hole's IP as LAN DNS, it has the same issue.
I'm sure that without a Pi-hole it's impossible to replicate, but Pi-hole can be run from a Linux virtual machine if that helps with testing.
I'll have to ask my friend with an 88U and a Pi-hole to test and see if he gets the same results.
 
The reason I'm trying to see if I can set up your loopback is that I'm trying to work out why UPnP seems to have reverted in behaviour. It appears to stop forwarding ports after an hour or so, and I need to trigger a UPnP reboot in order to get it working. This has been persistent behaviour since 380.67 alpha 1, but mainly it's bugging out on my PCs. I haven't left it on long enough to see if it's a bug with UPnP or Asus loopback.

I've also been trying to test and see if your loopback would help with the strange NAT error messages that I received for GTA V Rockstar Social Club and MW3 Spec Ops mode. Even though the ports appear in the UPnP log, I still get NAT errors. Oddly, my Steam Link connects to my PC, but the network test results in an error about not being able to connect via its required port.

Just a quick question: how long does it take before a loopback change takes effect, or do I have to reboot in order for it to kick in?
I've also noticed that QoS priority changes cause UPnP to reboot, and so does changing the UPnP port range, both of which temporarily fix it. Even a loopback change does, without cleaning existing UPnP forwards, which fixes the behaviour revert of UPnP. I'm half tempted to return back to 380.66 to get consistent UPnP.

DNS filtering works with your loopback only on an external DNS server IP address, not on an internal IP address. I checked it with an internal IP, and it failed to work. Is there a possibility of a fix? I'm willing to let you TeamViewer my system if you need to; it might help if you can see the behaviour first hand, or I possibly could use my capture card and make a recording if it helps.
 
How do I make an exception in the router for the router so that forced DNS filtering doesn't apply to it?

Create a rule with the router's IP set to either "No Filtering" or "OpenDNS" (just for test purposes).

Just a quick question how long does it take before a loop back change takes effect, or do I have to reboot in order for it to kick in.

It's immediate, so maybe 5-10 secs, the time for the firewall to be restarted.


Why not disable the NAT loopback? Quite frankly, most people do not even need it. The concept behind the NAT loopback is hackish at best, no matter how it's implemented. On "serious" networks, this is often handled by having the local DNS return the LAN IP rather than the WAN IP on lookups for the public hostname.
 
Seems that DNS filtering has the same issue as Merlin mode NAT loopback if NAT loopback is disabled.
Is there any way to separate NAT loopback from DNS filtering and still allow it to work as per normal with an internal IP address as a DNS server? Because it seems tied to Asus NAT loopback for some perplexing reason, due to it only working with an internal IP when Asus NAT loopback is enabled.
It would be nice to be able to force a global filter without it being dependent on Asus NAT loopback. If there was a way to modify the behavior to get it to function similarly to the way that DNS does in LAN but yet still enforce a global filter, that would be ideal, since that actually works with no issues.
 
I'm not on the latest firmware, but I also have a malicious-domain-blocking Raspberry Pi.

My settings:

DNS Filtering set to On.
Global filter mode set to Router.
(Custom user defined DNS all blank)
In the Client List underneath I list only the RPi and that's set to No Filtering.

Under WAN DNS settings, for DNS server 1 and 2, I list the internal IP address of the RPi. (And Connect automatically to DNS server is set to No.)

(Under LAN, DHCP server, all DNS entries are blank, of course.)

How does that compare with yours?
 
I left connect automatically to DNS on. I normally use custom one on global filter, Asus NAT loopback. My Pi-hole is targeted at ads and malicious sites.
LAN is blank in the DNS fields.
I don't use the WAN part because I read that if you set it under LAN it would override the WAN part.
Mine bugs out if you set NAT loopback to Merlin or no NAT loopback, even if I use the DNS under LAN and set global filter to router and you use the fields under LAN or custom one with the Pi-hole IP.
 