DNSFilter client MACs inconsistency

FTC

Senior Member
Hi, today I found that when adding a specific DNSFilter rule for my laptop, the router (RT-AX88U) was still using the 'default' DNSFilter rule for the network. I am using Merlin 384.13 alpha 2.

What happens is that I am connected through an access point (RP-AC68U), and somehow it is the MAC address of the access point that has to be 'DNSFiltered' instead of my lappy's.

Is this working as designed? Is there a way to present the DNSFilter 'client' list in the webui page so that it corresponds to what will actually be filtered, or even better, a way to filter the real clients?

Note that the networkmap and even the list of clients and MAC addresses presented in the DNSFilter page are correct and differentiate among the real clients and their MACs, so there could be a way to enforce DNSFilter on these and not based on the intermediate AP making the requests.
 
DNSFilter doesn't do anything by itself. All it does is create iptables rules based on the MACs you specify in the DNSFilter rules, and everything is handled by these firewall rules. So if your AP/repeater masquerades the MAC of the clients connected to it when generating network traffic, there's nothing to be done. Iptables can only act on the traffic it sees.
 

Erik, thanks for taking the time to respond. I understand the reasoning, but there are two things that misled me:

1- The access point is really another ASUSWRT device, in fact running stock firmware at level 382.40019, so this masquerade thing must be the 'standard' way for ASUSWRT devices and not for an exotic AP from another third party. This was the origin of my first question (is this working as designed?). In that case a warning should be added somewhere stating that, for access point clients, the MAC to be filtered normally has to be that of the access point and not the client itself.

2- In any case it seems really strange that a connected client is seen by its real MAC (networkmap), but the DNSFilter code sees the 'masqueraded' one. I was hoping that somehow both MACs would be travelling with DNS requests and the 'filtered' one would be wrongly checked.
 
There's a difference between how a repeater works and an access point. If your RP-AC68U is an access point then the router should be seeing the client's real MAC address. If the RP-AC68U is acting as a repeater then the router will see the RP-AC68U's MAC address, unless, as Merlin says, it has the capability to masquerade the clients' MAC addresses.
 

It is configured as an access point. In the past I have had it as a repeater and as a media bridge, but since I cabled the distance from the main router it is configured as an access point, and I do see the real client's MAC address under networkmap (I assume for regular requests), but it seems like the DNS requests come 'masqueraded'.
 
Check the client's network settings. What is the IP address of the DNS server that the client is trying to use? I remember there were some nightmare problems caused by the RP-AC68U's DHCP server.
 
The client reports using 192.168.1.1 as its DNS server, which is the address of my main router. This is expected since my default DNSFilter is set to 'router' and 'advertise router's IP' as DNS is checked for LAN clients without any other DNS specified for LAN.
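Merlin's point earlier in the thread, that DNSFilter is just iptables rules keyed on the MAC the router actually sees, and the access-point-versus-repeater distinction raised in the replies both come down to a single check: compare the MAC in the DNSFilter rule with the source MAC on the client's DNS frames as they arrive at the router. The script below is an added example, not code from this thread or from asuswrt-merlin. Its capture lines are constructed samples shaped like `tcpdump -e -n` output, and the DNSFILTER chain name and rule options are assumed for illustration; on a real router you would capture with `tcpdump -e -n -i br0 udp port 53` (br0 being the usual LAN bridge) and list the real rules with `iptables -t nat -S`.

```shell
#!/bin/sh
# Added example (not DNSFilter's or asuswrt-merlin's code): reproduces the
# check that decides whether a DNSFilter MAC rule can ever fire for a client.
# All inputs are constructed here so it runs offline; on a real router you
# would feed it the output of `tcpdump -e -n -i br0 udp port 53` instead.

# Constructed capture, shaped like tcpdump -e output on the router's LAN bridge.
# Line 1: client behind an AP-mode device, its own MAC is the frame source.
# Line 2: client behind a repeater-mode device, the repeater's MAC is the source.
SAMPLE_CAPTURE='10:00:01.000001 aa:bb:cc:00:00:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.168.1.50.51234 > 192.168.1.1.53: 100+ A? example.com. (32)
10:00:02.000002 de:ad:be:ef:00:99 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.168.1.51.51235 > 192.168.1.1.53: 101+ A? example.org. (32)'

# Print (never execute) a rule in the form DNSFilter's iptables rules take:
# match on the layer-2 source MAC and DNAT port-53 traffic to the chosen
# resolver. The chain name and option set are an assumption for illustration.
dnsfilter_rule() {
    printf 'iptables -t nat -A DNSFILTER -m mac --mac-source %s -p udp --dport 53 -j DNAT --to-destination %s\n' "$1" "$2"
}

# Source MAC the router actually sees on DNS queries from a client IP,
# or "none" if the capture holds no query from that IP.
# Field 2 of a tcpdump -e line is the source MAC; field 10 is src-IP.port.
seen_mac_for_ip() {
    printf '%s\n' "$SAMPLE_CAPTURE" | awk -v ip="$1" '
        /\.53: / { src = $10; sub(/\.[0-9]+$/, "", src)
                   if (src == ip) { print $2; found = 1; exit } }
        END { if (!found) print "none" }'
}

# Verdict: does a rule written for rule_mac match the frames client_ip sends?
# Prints "match" or "miss", followed by the MAC that was actually observed.
rule_matches() {
    rule_mac=$1; client_ip=$2
    seen=$(seen_mac_for_ip "$client_ip")
    if [ "$seen" = "$rule_mac" ]; then
        echo "match $seen"
    else
        echo "miss $seen"
    fi
}

# Demonstration: a rule for the laptop's real MAC catches the AP-mode client,
# but a rule for the second client's real MAC misses it, because its queries
# arrive carrying the repeater's MAC instead.
dnsfilter_rule aa:bb:cc:00:00:01 192.168.1.1
rule_matches aa:bb:cc:00:00:01 192.168.1.50   # match aa:bb:cc:00:00:01
rule_matches aa:bb:cc:00:00:02 192.168.1.51   # miss de:ad:be:ef:00:99
```

When the verdict is "miss", the MAC printed after it is the one the rule would have to name to take effect, which is exactly the access-point/repeater MAC the thread is about; if the verdict is "match" while DNSFilter still seems ignored, the problem lies elsewhere (for example the client resolving against a DNS server other than the router, the point raised in the reply about checking the client's DNS settings).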
 
@FTC those repeaters are extremely weird. I would not be surprised if it's performing its own DHCP, or some sort of NAT traffic intercept. From what I remember of mine working, the most annoying part was the lack of firmware updates to correct some of the unit's quirks.

Also, if you are using DNSFilter, disable 'advertise router's IP'.