
DNSFilter client MACs inconsistency

Discussion in 'Asuswrt-Merlin' started by FTC, Jul 17, 2019.

  1. FTC

    FTC Senior Member

    Joined:
    Mar 2, 2016
    Messages:
    232
    Location:
    Barcelona
    Hi, today I found that when adding a specific DNSFilter rule for my laptop, the router (RT-AX88U) was still using the 'default' DNSFilter rule for the network. I am using Merlin 384.13 alpha 2.

    What happens is that I am connected through an access point (RP-AC68U), and somehow it is the MAC address of the access point that has to be 'DNSFiltered', instead of my laptop's.

    Is this working as designed? Is there a way to present the DNSFilter 'client' list in the web UI page so that it corresponds to what will actually be filtered, or, even better, a way to filter the real clients?

    Note that the network map, and even the list of clients and MAC addresses presented in the DNSFilter page, is correct and differentiates among the real clients and their MACs, so there could be a way to enforce DNSFilter on these and not based on the intermediate AP making the requests.
  2. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,825
    Location:
    Canada
    DNSFilter doesn't do anything by itself. All it does is create iptables rules based on the MACs you specify in the DNSFilter rules, and everything is handled by these firewall rules. So if your AP/repeater masquerades the MAC of the clients connected to it when generating network traffic, there's nothing to be done. iptables can only act on the traffic it sees.
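    RMerlin's point above, that DNSFilter is only a MAC-keyed iptables chain, can be checked against what the router actually sees. The following shell script is an added example, not Asuswrt-Merlin's own code: it renders a per-client rule list into the kind of iptables commands such a chain consists of (the chain name DNSFILTER and the DNAT rule shape are assumptions), walks the rules in chain order to show which DNS server a given source MAC ends up with, and compares the MAC in a client's rule with the MAC the router's neighbour table (`ip neigh show`) holds for that client's IP. The rule list and the neighbour-table output are constructed samples.

```shell
# Added illustration, not Asuswrt-Merlin's own code: DNSFilter-style redirection
# is keyed on the source MAC iptables sees, so a client whose frames arrive with
# another device's MAC only ever matches the default rule.

# Per-client rules as "MAC DNS_SERVER" (constructed sample values).
RULES="
aa:bb:cc:dd:ee:01 9.9.9.9
aa:bb:cc:dd:ee:02 1.1.1.1
"
DEFAULT_DNS="192.168.1.1"   # the 'default' rule for everything else

# Constructed sample of 'ip neigh show' on the router: the first two clients
# arrive with their real MACs, the third arrives with the AP's MAC instead.
NEIGH="
192.168.1.50 dev br0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.51 dev br0 lladdr aa:bb:cc:dd:ee:02 STALE
192.168.1.60 dev br0 lladdr 11:22:33:44:55:66 REACHABLE
"

# Dry run: print the iptables commands such a chain would consist of.
# (Chain name DNSFILTER and the DNAT shape are assumptions; nothing is applied.)
render_rules() {
  printf '%s\n' "$RULES" | while read -r mac dns; do
    [ -n "$mac" ] || continue
    echo "iptables -t nat -A DNSFILTER -m mac --mac-source $mac -j DNAT --to-destination $dns"
  done
  echo "iptables -t nat -A DNSFILTER -j DNAT --to-destination $DEFAULT_DNS"
}

# Which DNS server a packet with source MAC $1 is redirected to: the first
# matching MAC rule wins, otherwise the default, exactly as the chain is walked.
resolve_dns() {
  _mac=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  _hit=$(printf '%s\n' "$RULES" | awk -v m="$_mac" 'tolower($1)==m {print $2; exit}')
  echo "${_hit:-$DEFAULT_DNS}"
}

# MAC the router's neighbour table holds for IP $1 (empty if unknown).
mac_for_ip() {
  printf '%s\n' "$NEIGH" | awk -v ip="$1" '$1==ip {print $5; exit}'
}

# Returns 0 when the MAC the router sees for IP $1 is the MAC $2 the rule was
# written for; otherwise reports the MAC actually seen and returns 1.
check_client() {
  _seen=$(mac_for_ip "$1")
  [ "$_seen" = "$2" ] && return 0
  echo "$1: rule keyed on $2, but router sees $_seen -> falls to $(resolve_dns "$_seen")"
  return 1
}
```

On a real router, replacing the NEIGH sample with the live `ip neigh show` output turns check_client into a quick way to tell whether a client's rule is keyed on a MAC the router never sees.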
  3. FTC

    FTC Senior Member

    Joined:
    Mar 2, 2016
    Messages:
    232
    Location:
    Barcelona
    Erik, thanks for taking the time to respond. I understand the reasoning, but there are two things that misled me:

    1- The access point is really another ASUSWRT device, in fact running stock firmware at level 382.40019, so this masquerade thing must be the 'standard' way for ASUSWRT devices and not for an exotic AP from another third party. This was the origin of my first question (Is this working as designed?). In that case, a warning should be added somewhere stating that, for access point clients, the MAC to be filtered would normally have to be the access point's and not the client's.

    2- In any case, it seems really strange that a connected client is seen by its real MAC (network map), but the DNSFilter code sees the 'masqueraded' one. I was hoping that somehow both MACs would be travelling with DNS requests and the one 'filtered' was being wrongly checked.
     
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,075
    Location:
    UK
    There's a difference between how a repeater and an access point work. If your RP-AC68U is an access point, then the router should be seeing the client's real MAC address. If the RP-AC68U is acting as a repeater, then the router will see the RP-AC68U's MAC address, unless, as Merlin says, it has the capability to masquerade the clients' MAC addresses.
     
  5. FTC

    FTC Senior Member

    Joined:
    Mar 2, 2016
    Messages:
    232
    Location:
    Barcelona
    It is configured as an access point. In the past I have had it as a repeater and as a media bridge, but since I cabled the distance from the main router it is configured as an access point, and I do see the real client's MAC address under the network map (I assume for regular requests), but it seems like the DNS requests come 'masqueraded'.
     
  6. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,075
    Location:
    UK
    Check the client's network settings. What is the IP address of the DNS server that the client is trying to use? I remember there were some nightmare problems caused by the RP-AC68U's DHCP server.
     
  7. FTC

    FTC Senior Member

    Joined:
    Mar 2, 2016
    Messages:
    232
    Location:
    Barcelona
    The client reports using 192.168.1.1 as its DNS server, which is the address of my main router. This is expected since my default DNSFilter is set to 'router' and 'advertise router's IP' as DNS is checked for LAN clients without any other DNS specified for LAN.
     
  8. Vexira

    Vexira Very Senior Member

    Joined:
    Jan 20, 2017
    Messages:
    1,748
    Location:
    Australia
    @FTC those repeaters are extremely weird. I would not be surprised if it's performing its own DHCP, or some sort of NAT traffic intercept, from what I remember of mine working. The most annoying part, from what I remember, was the lack of firmware updates to correct some of the unit's quirks.

    Also, if you are using DNSFilter, disable 'advertise router's IP'.