What's new

[R9000] iptables / dns redirect issue


New Around Here

I've been having a weird issue that I've been unable to solve and could use some help.

I'm running an R9000 with Voxel's latest firmware. I also have a Raspberry Pi on the network serving DNS over Cloudflared DoH (DNS over HTTPS). The R9000 IPv4 DNS is set to (the Pi) without a secondary DNS configured and the IPv6 DNS is set to the Pi's address 2600:xxxx etc. I also have 2 static routes configured to block Google DNS (my aim is to make sure that all devices on my network use my Pi's DNS, since some devices have hardcoded DNS servers that they use). With this setup, my 30 devices work without issue, that is except for my Google Home Mini, my 2 Wyze cameras and my 2 Rokus (1 Premier+ and a TCL Roku TV).

Even with the pihole service disabled those devices refuse to work stating that they can't get an internet connection. Looking at the logs on the pihole all of the queries are going through successfully so I don't understand why they state that they can't connect. Of course, on these devices they don't allow you to configure network settings other than simply choosing which wired or wireless network to connect to.

To solve this issue, I discovered that with 3 iptables rules on the R9000 I can get everything working flawlessly.
  1. iptables -t nat -A PREROUTING ! -s ! -d -p tcp -m tcp --dport 53 -j DNAT --to-destination
  2. iptables -t nat -A PREROUTING ! -s ! -d -p udp -m udp --dport 53 -j DNAT --to-destination
  3. iptables -t nat -A POSTROUTING -j MASQUERADE
However, after a few hours the trouble devices stop working. Telnet into the R9000 reveals that the 3 rules that I have set are gone. "iptables-save" doesn't seem to work.

Without those 3 rules I cannot get those devices to work. Am I missing something with iptables or is it just something else that Netgear has locked down such as their IPv6 ICMP implementation? If iptables rules do not persist is there a script or something that I can use to add the rules every so often? Or do I need to look into other firmware such as Kong? I'd rather not have to change firmware because before installing Voxel's firmware my R9000 was the buggiest router I've ever personally owned and I was ready to return it (it is now the most stable and best performing router that I've ever owned).

Using the Pi as the DHCP server instead of the R9000 also didn't work without those iptables rules. Further troubleshooting revealed that Netgear also doesn't support conditional forwarding since they don't allow you to set a DNS suffix for either IPv4 or IPv6 which is strange as I've had that functionality even on crappy ISP gateways before and those are usually bare-bones. Maybe I'm just expecting too much from a consumer router.

Any help would be greatly appreciated.


Very Senior Member
Please check me README. You should create the script with your iptables rules in /opt/scripts directory. For firewall.

I am out of kbd so only short comment from me, sorry


Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!