[rnix]

edit - jump to solution https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1298865#1298865

I need some help figuring out iptable rules to force pihole DNS for br1 which is my untrusted VLAN.

Following firewall rules seems to work fine for br0 by forcing all DNS traffic through pihole if device has hardcoded DNS.

10.10.10.1 = dd-wrt router
10.10.10.254 = pihole server

[egc]

Assuming the Pihole is not on br1 you do not need to exclude the piholes address.

You probably have the subnets isolated from each other so besides a DNAT rule you do need a FORWARD rule to allow traffic.

The POSTROUTING rule is usually not necessary but does not hurt.
It could be necessary as this traffic can be classified as invalid because of the asymmetric routing

[rnix]

Thanks for your response, egc

[egc]

Forced DNS Redirection from the webif forces the redirection to the router so is not applicable to your case.

If this is setup as a regular router and not as an WAP you can simply enable the isolation of br1 by enabling "Net Isolation" in the GUI.

But if you are happy with the way it is just leave it as is.

Just add as last rules to your firewall rules:

[rnix]

[egc]

Did you add the DNAT rule as discussed?

[rnix]

Those are my current firewall rules.
I added FORWARD rule in very end, but it didn't make difference and I can still bypass pihole DNS on br1

10.10.10.1 = dd-wrt router
10.10.10.254 = pihole server
10.4.0.0/24 = wireguard

[ho1Aetoo]

I'll help a little so that we don't keep going round in circles

[rnix]

Hi ho1Aetoo,
Unfortunately it didn't work. After applying those I cannot resolve anything anymore.

[ho1Aetoo]

With the best will in the world, I don't see any mistakes.
So the redirection seems to work if the DNS resolution in your isolated VLAN no longer works.

I would now check the Pi-Hole settings and firewall settings, maybe the Pi-Hole itself rejects the connection.

There is a setting in the WebIF

"Allow only local requests" or "Respond only on interface eth0"

and post "iptables -vnL FORWARD" again and we'll see more

[rnix]

please ignore below and refer to https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1298865#1298865 for working setup.

Code:

# block traffic between br0 and br1 while still allowing dns and dhcp iptables -I INPUT -i br1 -m state --state NEW -j DROP iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT iptables -I FORWARD -i br1 -d 192.168.0.0/16 -m state --state NEW -j DROP iptables -I FORWARD -i br1 -d 10.0.0.0/8 -m state --state NEW -j DROP iptables -I FORWARD -i br1 -d 172.16.0.0/12 -m state --state NEW -j DROP # force dns redirection for br0 iptables -t nat -I PREROUTING -i br0 -p tcp ! -s 10.10.10.254 --dport 53 -j DNAT --to 10.10.10.254 iptables -t nat -I PREROUTING -i br0 -p udp ! -s 10.10.10.254 --dport 53 -j DNAT --to 10.10.10.254 iptables -t nat -I POSTROUTING -o br0 -p tcp ! -s 10.10.10.254 --dport 53 -j SNAT --to 10.10.10.1 iptables -t nat -I POSTROUTING -o br0 -p udp ! -s 10.10.10.254 --dport 53 -j SNAT --to 10.10.10.1 # force dns redirection for br1 iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to 10.10.10.254 iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 10.10.10.254 iptables -t nat -I POSTROUTING -o br1 -p tcp ! -s 10.10.10.254 --dport 53 -j SNAT --to 10.10.10.1 iptables -t nat -I POSTROUTING -o br1 -p udp ! -s 10.10.10.254 --dport 53 -j SNAT --to 10.10.10.1 iptables -I FORWARD -i br1 -p tcp -d 10.10.10.254 --dport 53 -j ACCEPT iptables -I FORWARD -i br1 -p udp -d 10.10.10.254 --dport 53 -j ACCEPT

Huge thanks to egc and ho1Aetoo for your input.

[ho1Aetoo]

Yes, of course, if you have a completely fucked-up setup.
You redirect to the Pi-Hole before routing and later in the chain to the address of the router.

Maybe you should take a look at the Pi-Hole stickies in the forum first - with the best will in the world, there may be something wrong with your setup.

And I have very probably already explained why it doesn't work in the previous post.

[rnix]

I have completely stock pihole install with only unbound running additionally on same device.
I described what did work for me and as mentioned in original post, I am no expert by any means.

I already configured my dd-wrt and pihole setup as per 2nd example.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1256876#1256876

If you see something obviously wrong then I apperciate if you could suggest better setup.
Rules which you provided earlier unfortunately resulted no internet connection at all.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1298851#1298851

[ho1Aetoo]

This is not an example2 configuration because you are using completely wrong firewall rules for example2.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1256879#1256879

[rnix]

Apologies, I meant how dd-wrt webif was configured with pihole was based on second example.

If I would take your linked example 2 then how could I adjust it also for br1 interface?