Want to share a global DNS between main network and Guest Pro Vlans

CornfieldWin

Occasional Visitor
I have two prototype Guest Pro vlans, one for cafe style login and one for IOT use case, set up on my AX88U Pro with Merlin 3006.102.5 (autoupdate) and likewise the bulk of AMTM scripts and services including unbound, YazDHCP, Diversion, and Skynet, and others for curiosity. Very nice, will stay away from OPNsense, Proxmox and fancy home lab stuff for now. Long run I only want to support far more IOT devices than is good for me and a robust media and NAS capability. An immediate goal is to take IP control over the 53 devices I already have through manual DHCP assignments. Eventually I will back haul to my currently mothballed GS-AX5400 (lan to wan or lan to lan) which may take on main IOT role, and do away with relying on Vlans for that use case(s). Maybe. My current problems appear to be with dnsmasq interaction with unbound. I found dnsmasq instances hanging out on every conceivable Port 53 network setting and unbound on the host network Port 53535 like this:
netstat -tulpn |grep :53
netstat: showingonly processes with your user ID
tcp 0 0 127.0.0.1:53535 0.0.0.0:* LISTEN 11988/unbound
tcp 0 0 192.168.53.1:53 0.0.0.0:* LISTEN 21828/dnsmasq
tcp 0 0 192.168.52.1:53 0.0.0.0:* LISTEN 21820/dnsmasq
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 21811/dnsmasq
tcp 0 0 72.230.103.33:53 0.0.0.0:* LISTEN 21811/dnsmasq
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN 21811/dnsmasq
udp 0 0 192.168.53.1:53 0.0.0.0:* 21828/dnsmasq
udp 0 0 192.168.52.1:53 0.0.0.0:* 21820/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 21811/dnsmasq
udp 0 0 72.230.103.33:53 0.0.0.0:* 21811/dnsmasq
udp 0 0 192.168.1.1:53 0.0.0.0:* 21811/dnsmasq
udp 0 0 0.0.0.0:5353 0.0.0.0:* 13187/avahi-daemon:
udp 0 0 127.0.0.1:53535 0.0.0.0:* 11988/unbound

So the multiple dnsmasq individual instances are first up for normal DNS requests, but they aren't all following the same configuration rules. I believe unbound may make back references to some of them on the main LAN (how to avoid circularity?). By main LAN I mean the main host bridge. Both vlans are running YazDHCPifized dnsmasq and I found all three configuration scripts. Access to main network only is enabled for the vlans, DNS set on each Vlan to gateway subnet address followed by secondary router address.

I can ping successfully resolving local and internet names from a client on the main LAN and through SSH, but on a Vlan I can only ping the router name and the Internet while also being unable to SSH in on a Vlan. Local names on the vlan don't work either even for its own Vlan DHCP settings. How to handle Vlan domains is an open question - subdomains or don't bother? I know that dnsmasq and unbound have an entangled relationship but google searches and the dreaded google AI advice create much confusion how to get them to play nicer together with Guest Pro style Vlans. Do I need forward zones and listener ports to make them aware of each other (not the Vlans directly seeing each other but they do share the access to the main network)? Maybe Iptables updates (genuflect and rub those beads!)? Something else (I prefer config files over scripts in general)?

Thanks.
 
Uh oh. I just saw that AVAHI thing, yet another way Apple knows better what you want when you do not even know that you want it. Ugh. I will have to look into getting rid of it. It may be why one of my critical IOT devices messes up and has to be isolated on the test IOT Vlan. It could also be leaking network details to Apple. Good thing that last night I went to RFC 8375 convention by naming the main network home.arpa and here comes Apple chewing up the .local name. Maybe I will need subdomain names for the vlans after all. Thoughts? Should this be included and turned on in router firmware by default?
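The two things the question circles around are (a) how a per-VLAN dnsmasq instance should chain to the local unbound without the chain looping back onto a port-53 dnsmasq listener, and (b) whether VLAN names should live in a subdomain of home.arpa. The script below is an added example for this thread; it is not code from the poster, from Asus-Merlin, or from the unbound addon script. It assumes what the netstat output above shows (unbound on 127.0.0.1:53535, the main LAN dnsmasq on 192.168.1.1, one dnsmasq per VLAN gateway); the interface names br52/br53, the subdomains iot/cafe and the listener table are constructed from the post, not read from a live router. It prints a dnsmasq fragment per VLAN that answers that VLAN's own subdomain locally, forwards the parent home.arpa zone to the main LAN dnsmasq and sends everything else to unbound, and it checks a proposed forward address against the listener table so a dnsmasq-to-dnsmasq loop is caught before the config is applied.

```shell
#!/bin/sh
# Added example for the dnsmasq <-> unbound chaining discussed in the thread.
# Not from the poster, Asus-Merlin or the unbound addon. Assumptions, labelled:
#   - unbound listens on 127.0.0.1:53535 (as in the netstat output)
#   - the main LAN dnsmasq is 192.168.1.1 and serves home.arpa
#   - each Guest Network Pro VLAN runs its own dnsmasq instance
# Interface names, subdomains and the listener table below are constructed.

UNBOUND_ADDR="127.0.0.1#53535"   # dnsmasq's host#port syntax for a non-53 upstream
MAIN_DNS="192.168.1.1"
HOME_DOMAIN="home.arpa"

# Listener table constructed from the netstat output in the question
# (fields: proto local-address pid/program).
LISTENERS='tcp 127.0.0.1:53535 11988/unbound
tcp 192.168.53.1:53 21828/dnsmasq
tcp 192.168.52.1:53 21820/dnsmasq
tcp 127.0.0.1:53 21811/dnsmasq
tcp 192.168.1.1:53 21811/dnsmasq'

# listener_program ADDR PORT -> prints the program bound to ADDR:PORT, or "none".
listener_program() {
    prog=$(printf '%s\n' "$LISTENERS" |
        awk -v a="$1:$2" '$2 == a { sub(/^[0-9]+\//, "", $3); print $3; exit }')
    printf '%s\n' "${prog:-none}"
}

# upstream_is_safe HOST#PORT
# Returns 0 when the proposed upstream is not itself a dnsmasq listener
# (so dnsmasq -> upstream cannot bounce straight back into dnsmasq),
# 1 when it is. This is the circularity the question asks about.
upstream_is_safe() {
    host=${1%%#*}
    port=${1#*#}
    [ "$port" = "$1" ] && port=53        # no '#': dnsmasq defaults to port 53
    [ "$(listener_program "$host" "$port")" != "dnsmasq" ]
}

# vlan_dnsmasq_conf IFACE GATEWAY SUBDOMAIN
# Prints a dnsmasq fragment for one VLAN instance:
#   SUBDOMAIN.home.arpa  -> answered locally from this instance's leases/hosts
#   home.arpa            -> forwarded to the main LAN dnsmasq (longest-match wins,
#                           so the VLAN's own subdomain stays local)
#   everything else      -> the local unbound on its non-53 port
# The fragment refuses to be generated if the unbound address would loop.
vlan_dnsmasq_conf() {
    iface=$1; gw=$2; sub=$3
    upstream_is_safe "$UNBOUND_ADDR" || { echo "refusing: $UNBOUND_ADDR is a dnsmasq listener" >&2; return 1; }
    cat <<EOF
# dnsmasq fragment for $iface (constructed example)
interface=$iface
bind-interfaces
listen-address=$gw
# never read /etc/resolv.conf: a resolv.conf pointing back at this router is a loop
no-resolv
domain=$sub.$HOME_DOMAIN
expand-hosts
# this VLAN's own names are answered here and never forwarded
local=/$sub.$HOME_DOMAIN/
# names in the parent zone come from the main LAN dnsmasq
server=/$HOME_DOMAIN/$MAIN_DNS
# everything else goes to the local recursive resolver
server=$UNBOUND_ADDR
EOF
}

# Stand-alone demo: one fragment per prototype VLAN.
vlan_dnsmasq_conf br52 192.168.52.1 iot
vlan_dnsmasq_conf br53 192.168.53.1 cafe
```

Read the generated fragment against the symptoms in the post: a VLAN client asks its gateway (192.168.52.1), that dnsmasq answers iot.home.arpa itself, hands home.arpa to 192.168.1.1 (which only works if the VLAN really has access to the main network), and hands the Internet to 127.0.0.1#53535. Whether the main LAN dnsmasq and unbound are also configured this way is a separate check: `dig @192.168.52.1 somehost.home.arpa` from a VLAN client and `dig @127.0.0.1 -p 53535 example.com` from the router shell tell you which hop is failing.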
 
There are several options (on the 3006.102.x Asus-Merlin firmware) to set Guest Network Pro Profile's DNS.
One is to set the DNS in the Guest Network Pro Profile's Advanced Settings > DNS Server.
Another way is to enable and use LAN > DNS Director > Guest Network Pro profiles, and assign a User Defined DNS to the Guest Network Pro Profile.

In my use case, with Pi-Hole/Unbound running on a Raspberry Pi, I have several Guest Network Pro Profiles set to the Pi's IP address in DNS Director. It works fine to send Guest Network Pro client requests to my Pi-Hole/Unbound.

Edit to add: And lots of past discussion on AVAHI...
https://www.snbforums.com/search/1645677/?q=AVAHI&o=relevance
And if one is having a specific problem with an addon script, see the dedicated Addons subforum. For Unbound, there are a number of discussions on that script in the Addon's subforum.
https://www.snbforums.com/forums/asuswrt-merlin-addons.60/?prefix_id=5
 
Yes. I decided finally to set the Vlan DNS servers directly as described. What happened after that was that the local Vlan device name was not recognized but the router was, the Internet was, but other devices on the main network were not. SSH could not reach the router (Iptables?). I believe the latter also has to do with unbound interaction (dnsmasq --> unbound --> ?) that works on the main lan but not a subnet. I can't explain the Vlan dnsmasq not performing DNS, there must be something funky that I am missing. Frankly, I don't want proprietary services from big tech ecosystems in the middle of my network as I intend to close down internet access to the minimum, using Home Assistant, Jellyfin, and NAS software to be picked to locally supported streaming and storage, going to the Internet mainly to download not to watch, and shutting down chatty IOT, especially cameras. I see nothing in AVAHI but noise for me, just for Apple's benefit. I don't need pihole as Skynet and Diversion are the current option and I have put away my Pi gear. This tour through network management is just to get the backbone in place. If Merlin turns out to be mismatched then I might go the Proxmox (or equivalent) and OPNsense route having more than enough hardware resource but little enthusiasm for digging that deep into homelab infrastructure if a simple router(s) and network design will do. Sometimes bare metal is actually simpler than virtual.