[R9000] iptables / dns redirect issue

Discussion in 'NETGEAR AC Wireless' started by pwnograffik, Oct 12, 2019.

  1. pwnograffik

    pwnograffik New Around Here

    Joined:
    May 25, 2016
    Messages:
    3
    Hello,

    I've been having a weird issue that I've been unable to solve and could use some help.

    I'm running an R9000 with Voxel's latest firmware. I also have a Raspberry Pi on the network serving DNS over Cloudflared DoH (DNS over HTTPS). The R9000 IPv4 DNS is set to 10.0.0.247 (the Pi) without a secondary DNS configured and the IPv6 DNS is set to the Pi's address 2600:xxxx etc. I also have 2 static routes configured to block Google DNS (my aim is to make sure that all devices on my network use my Pi's DNS, since some devices have hardcoded DNS servers that they use). With this setup, my 30 devices work without issue, that is except for my Google Home Mini, my 2 Wyze cameras and my 2 Rokus (1 Premier+ and a TCL Roku TV).

    Even with the pihole service disabled those devices refuse to work stating that they can't get an internet connection. Looking at the logs on the pihole all of the queries are going through successfully so I don't understand why they state that they can't connect. Of course, on these devices they don't allow you to configure network settings other than simply choosing which wired or wireless network to connect to.

    To solve this issue, I discovered that with 3 iptables rules on the R9000 I can get everything working flawlessly.
    1. iptables -t nat -A PREROUTING ! -s 10.0.0.1/32 ! -d 10.0.0.247/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.0.0.247:53
    2. iptables -t nat -A PREROUTING ! -s 10.0.0.1/32 ! -d 10.0.0.247/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.247:53
    3. iptables -t nat -A POSTROUTING -j MASQUERADE
    However, after a few hours the trouble devices stop working. Telnet into the R9000 reveals that the 3 rules that I have set are gone. "iptables-save" doesn't seem to work.

    Without those 3 rules I cannot get those devices to work. Am I missing something with iptables or is it just something else that Netgear has locked down such as their IPv6 ICMP implementation? If iptables rules do not persist is there a script or something that I can use to add the rules every so often? Or do I need to look into other firmware such as Kong? I'd rather not have to change firmware because before installing Voxel's firmware my R9000 was the buggiest router I've ever personally owned and I was ready to return it (it is now the most stable and best performing router that I've ever owned).

    Using the Pi as the DHCP server instead of the R9000 also didn't work without those iptables rules. Further troubleshooting revealed that Netgear also doesn't support conditional forwarding since they don't allow you to set a DNS suffix for either IPv4 or IPv6 which is strange as I've had that functionality even on crappy ISP gateways before and those are usually bare-bones. Maybe I'm just expecting too much from a consumer router.

    Any help would be greatly appreciated.
     
  2. Voxel

    Voxel Very Senior Member

    Joined:
    Dec 9, 2014
    Messages:
    1,487
    Please check my README. You should create a script with your iptables rules in the /opt/scripts directory, for the firewall.

    I am away from my keyboard, so only a short comment from me, sorry.

    Voxel.
     
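Putting the three rules from the first post into the kind of firewall script Voxel points at, as an added example (this is not Voxel's code or anything from the firmware, and not the original poster's script). Rules added by hand on the telnet prompt live only in the running tables, so they vanish whenever the firmware rebuilds its firewall; a script that the firmware runs at that point re-adds them. The hook path /opt/scripts/firewall-start.sh is an assumption here, check Voxel's README for the real name, and the script assumes an iptables new enough to support "-C" (1.4.11 or later). Two deliberate changes against the posted rules: each rule is checked with "-C" before being appended, so the script can run any number of times without duplicating rules, and the blanket "POSTROUTING -j MASQUERADE" is narrowed to the redirected DNS flows only. The masquerade is still needed: client and Pi sit on the same subnet, so without it the Pi would answer the client directly and the reply would never be un-DNATed back to the address the device asked.

```shell
#!/bin/sh
# Added example for this thread, not a script shipped with Voxel's firmware
# and not the original poster's. Assumed install path:
#   /opt/scripts/firewall-start.sh   (check Voxel's README for the real hook name)
# Re-adds the DNS redirect rules every time the firmware rebuilds its firewall.
# Idempotent: running it twice does not duplicate rules. Needs iptables >= 1.4.11
# for "-C"; on an older build replace the check with "iptables -t nat -S | grep".

IPT="${IPT:-iptables}"      # iptables binary; override with a wrapper for a dry run
ROUTER_IP="10.0.0.1"        # R9000 LAN address (from the post)
DNS_IP="10.0.0.247"         # the Pi running Pi-hole / cloudflared (from the post)
DNS_PORT=53

# Append a rule to table/chain only if an identical rule is not already there.
# "iptables -C" exits 0 when the rule exists and non-zero otherwise.
ensure_rule() {
    table="$1"
    chain="$2"
    shift 2
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t "$table" -A "$chain" "$@"
}

# Force every LAN client's plain-DNS query (TCP and UDP port 53) to the Pi.
apply_dns_redirect() {
    for proto in tcp udp; do
        # Same match as the posted rules: leave the router's own queries alone
        # and do nothing to queries that are already addressed to the Pi.
        ensure_rule nat PREROUTING \
            ! -s "$ROUTER_IP/32" ! -d "$DNS_IP/32" \
            -p "$proto" --dport "$DNS_PORT" \
            -j DNAT --to-destination "$DNS_IP:$DNS_PORT" || return 1

        # Hairpin fix: client and Pi share a subnet, so the Pi would otherwise
        # answer the client directly and conntrack could never un-DNAT the reply.
        # Masquerade only the redirected DNS flows instead of everything.
        ensure_rule nat POSTROUTING \
            -d "$DNS_IP/32" -p "$proto" --dport "$DNS_PORT" \
            -j MASQUERADE || return 1
    done
}

# Apply for real only when installed under the hook's name, so sourcing the
# file (for instance to exercise the functions with a fake $IPT) does nothing.
case "${0##*/}" in
    firewall-start.sh) apply_dns_redirect ;;
esac
```

After the firewall has been rebuilt (or after forcing it with a WAN reconnect), `iptables -t nat -S PREROUTING | grep 'dport 53'` should list the two DNAT rules exactly once each; from a client, `nslookup example.com 8.8.8.8` should be answered and show up in the Pi-hole query log. Two caveats: the redirect only catches plain port-53 DNS, so a device that talks DNS over TLS (853) or DoH (443) to a hardcoded server is untouched by it, and the `! -s 10.0.0.1` exclusion means the router's own resolver keeps using whatever upstream the firmware gives it.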