Assign DNS server address based on MAC address?

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Wed Jun 03, 2009 8:51    Post subject: Reply with quote
I think v24 uses different kernels depending on the platform, 2.4.37 for mips devices and 2.6 for x86.

The reason that --to works is because it is common for linux/gnu apps to accept shortened option switches. --to is the shortest it will recognize for the option while --to-destination is the full form.

Yes it would be better to insert the rules because DNAT is a terminating target so the first match will stop the chain.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
SNR
DD-WRT User


Joined: 27 Apr 2009
Posts: 132

PostPosted: Wed Jun 03, 2009 10:12    Post subject: Reply with quote
phuzi0n wrote:
I think v24 uses different kernels depending on the platform, 2.4.37 for mips devices and 2.6 for x86.


Any ideas on how to set up a "group target" in iptables for a v2.6 kernel? I'd like to be able to specify both OpenDNS addresses in the rules, similar to what I've done with the multiple "--to" targets in my example.

phuzi0n wrote:
Yes it would be better to insert the rules because DNAT is a terminating target so the first match will stop the chain.


Thanks for that info. I will take a look at the current (default) chains in that table to try and confirm that inserting (as opposed to appending) won't cause any problems.
SNR
DD-WRT User


Joined: 27 Apr 2009
Posts: 132

PostPosted: Wed Jun 03, 2009 19:08    Post subject: Reply with quote
Here's a dump of the PREROUTING chain from my current nat table, including the rules I've added to force clients on br1 to use OpenDNS:

Quote:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT icmp -- * * 0.0.0.0/0 192.168.1.64 to:192.168.1.1
0 0 TRIGGER 0 -- * * 0.0.0.0/0 192.168.1.64 TRIGGER type:dnat match:0 relate:0
0 0 DNAT udp -- br1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 to:208.67.222.222 208.67.220.220
0 0 DNAT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 to:208.67.222.222 208.67.220.220


So it looks like (in my basically default setup) this will work as intended, even though the OpenDNS entries have been appended to the bottom of the chain (rather than inserted at the top). It also looks like (in my case) inserting them at the top will work just as well...

But it seems to me that with any serious custom NAT mangling and/or port triggering you would probably need to figure out exactly where to insert these OpenDNS entries (possibly somewhere in the middle?). Otherwise you may end up circumventing your NAT strategy for clients on your restricted AP (br1 in my case); or these clients may never get the OpenDNS addresses enforced.

???
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Wed Jun 10, 2009 20:42    Post subject: Reply with quote
frater wrote:
Why are you taking such a difficult route?

You can also do it the other way around.
You yourself can use static DNS to your ISP's DNS-server..

I think it's also possible to configure dnsmasq so they will get another dns-entry.

The "Intercept port" is made as an extra when they try to use a static DNS and still force them to the lan ip of the router.

Change your dynamic pool to go from 192.168.1.128 and up, they will then be forced to use 192.168.1.1 as the DNS-server which is configured to use opendns...
Code:
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)


Will this work with static DHCP leases as well? Wired and wireless? I run my own DNS server for my domain and would like me and my wife to use it but force the kids' computers to OpenDNS. Current config is in sig. Thx in advance.

_________________
The New Me
SNR
DD-WRT User


Joined: 27 Apr 2009
Posts: 132

PostPosted: Thu Jun 11, 2009 2:09    Post subject: Reply with quote
DHC_DarkShadow wrote:
frater wrote:

I think it's also possible to configure dnsmasq so they will get another dns-entry.

The "Intercept port" is made as an extra when they try to use a static DNS and still force them to the lan ip of the router.

Change your dynamic pool to go from 192.168.1.128 and up, they will then be forced to use 192.168.1.1 as the DNS-server which is configured to use opendns...
Code:
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)


Will this work with static DHCP leases as well? Wired and wireless? I run my own DNS server for my domain and would like me and my wife to use it but force the kids' computers to OpenDNS. Current config is in sig. Thx in advance.

This should work just as well for DHCP reservations, and for both wired and wireless.

As frater noted (per the text I've marked in bold above, and the code you quoted), this would require that you configure your router to point directly to OpenDNS for DNS. This could work for your purposes, assuming that your kids don't have administrative access to their computers and can't fiddle with the IP address settings.

But if there's a way for the kids to assign IP addresses to their machines that are outside the targeted range, then it won't work (or they may simply get no network service at all, depending on how you have IP assignments set up). To prevent the kids from working around it in this way you might be able to use dnsmasq, but I have no experience with this myself. (frater?)

If your kids use wireless and you and your wife don't (or vice versa), or if you have multiple wireless access points (kids on one and adults on another), then that would be another way to segregate DNS service in your household, and the kids couldn't work around it with an address change. In that case you wouldn't need the source address filters in the iptables commands. You would just need to target based on the interface that the kids are using ('-i br0' would need to be changed to '-i wl0' or something else).
SNR
DD-WRT User


Joined: 27 Apr 2009
Posts: 132

PostPosted: Thu Jun 11, 2009 2:59    Post subject: Reply with quote
phuzi0n wrote:
Yes it would be better to insert the rules because DNAT is a terminating target so the first match will stop the chain.

SNR wrote:
[...]it seems to me that with any serious custom NAT mangling and/or port triggering you would probably need to figure out exactly where to insert these OpenDNS entries (possibly somewhere in the middle?). Otherwise you may end up circumventing your NAT strategy for clients on your restricted AP (br1 in my case); or these clients may never get the OpenDNS addresses enforced.

???

After thinking this over a bit I've decided that phuzi0n is right, and I should just insert these tables at the top of the chain and be done with it. So here's what the prerouting chain in my nat table finally looks like:

Quote:
root@DD-WRT:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

0 0 DNAT udp -- br1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 to:208.67.222.222 208.67.220.220
0 0 DNAT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 to:208.67.222.222 208.67.220.220
0 0 DNAT icmp -- * * 0.0.0.0/0 192.168.1.64 to:192.168.1.1
0 0 TRIGGER 0 -- * * 0.0.0.0/0 192.168.1.64 TRIGGER type:dnat match:0 relate:0
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Thu Jun 11, 2009 4:04    Post subject: Reply with quote
SNR wrote:
DHC_DarkShadow wrote:
frater wrote:

I think it's also possible to configure dnsmasq so they will get another dns-entry.

The "Intercept port" is made as an extra when they try to use a static DNS and still force them to the lan ip of the router.

Change your dynamic pool to go from 192.168.1.128 and up, they will then be forced to use 192.168.1.1 as the DNS-server which is configured to use opendns...
Code:
iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)


Will this work with static DHCP leases as well? Wired and wireless? I run my own DNS server for my domain and would like me and my wife to use it but force the kids' computers to OpenDNS. Current config is in sig. Thx in advance.

This should work just as well for DHCP reservations, and for both wired and wireless.

As frater noted (per the text I've marked in bold above, and the code you quoted), this would require that you configure your router to point directly to OpenDNS for DNS. This could work for your purposes, assuming that your kids don't have administrative access to their computers and can't fiddle with the IP address settings.

But if there's a way for the kids to assign IP addresses to their machines that are outside the targeted range, then it won't work (or they may simply get no network service at all, depending on how you have IP assignments set up). To prevent the kids from working around it in this way you might be able to use dnsmasq, but I have no experience with this myself. (frater?)

If your kids use wireless and you and your wife don't (or vice versa), or if you have multiple wireless access points (kids on one and adults on another), then that would be another way to segregate DNS service in your household, and the kids couldn't work around it with an address change. In that case you wouldn't need the source address filters in the iptables commands. You would just need to target based on the interface that the kids are using ('-i br0' would need to be changed to '-i wl0' or something else).


Yup, it worked. Had a hell of a time getting there though. Since I host my own DNS server for my domain I had my local IP for my DNS server entered in the setup tab under "Local DNS". To set this up properly I had to reset that back to 0.0.0.0.

Thx for the Help and thanks to the dev and all who make this project what it is.

Edit: I spoke too soon. It works, but it is applied to all DHCP addresses. My wife's laptop had a static lease of IP 192.168.1.22, well out of the pool, but was still forced to OpenDNS. So I had to set a static IP on the thing itself.

_________________
The New Me
SNR
DD-WRT User


Joined: 27 Apr 2009
Posts: 132

PostPosted: Thu Jun 11, 2009 6:53    Post subject: Reply with quote
DHC_DarkShadow wrote:
Yup, it worked. Had a hell of a time getting there though. Since I host my own DNS server for my domain I had my local IP for my DNS server entered in the setup tab under "Local DNS". To set this up properly I had to reset that back to 0.0.0.0.

Edit: I spoke too soon. It works, but it is applied to all DHCP addresses. My wife's laptop had a static lease of IP 192.168.1.22, well out of the pool, but was still forced to OpenDNS. So I had to set a static IP on the thing itself.

What exact commands did you end up using to set this up?
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Thu Jun 11, 2009 10:43    Post subject: Reply with quote
SNR wrote:
DHC_DarkShadow wrote:
Yup, it worked. Had a hell of a time getting there though. Since I host my own DNS server for my domain I had my local IP for my DNS server entered in the setup tab under "Local DNS". To set this up properly I had to reset that back to 0.0.0.0.

Edit: I spoke too soon. It works, but it is applied to all DHCP addresses. My wife's laptop had a static lease of IP 192.168.1.22, well out of the pool, but was still forced to OpenDNS. So I had to set a static IP on the thing itself.

What exact commands did you end up using to set this up?


I used this:

iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

_________________
The New Me
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Sun Jun 14, 2009 21:53    Post subject: Reply with quote
DHC_DarkShadow wrote:
SNR wrote:
DHC_DarkShadow wrote:
Yup, it worked. Had a hell of a time getting there though. Since I host my own DNS server for my domain I had my local IP for my DNS server entered in the setup tab under "Local DNS". To set this up properly I had to reset that back to 0.0.0.0.

Edit: I spoke too soon. It works, but it is applied to all DHCP addresses. My wife's laptop had a static lease of IP 192.168.1.22, well out of the pool, but was still forced to OpenDNS. So I had to set a static IP on the thing itself.

What exact commands did you end up using to set this up?


I used this:

iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)



IT WORKS!!!!! I had to manually put in my personal DNS IP in each computer I wanted to use my DNS. If no DNS IP is supplied on a computer using DHCP, whether it's in the range of the script or not, it will automatically use the static DNS IPs of the router. So even the ones in the range, if I manually set the DNS IP, it still forced them to use the static IPs of the router. I am so happy.

_________________
The New Me
SNR
DD-WRT User


Joined: 27 Apr 2009
Posts: 132

PostPosted: Mon Jun 15, 2009 2:48    Post subject: Reply with quote
DHC_DarkShadow wrote:
I used this:

iptables -t nat -A PREROUTING -p udp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -p tcp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

DHC_DarkShadow wrote:
IT WORKS!!!!! I had to manually put in my personal DNS IP in each computer I wanted to use my DNS. If no DNS IP is supplied on a computer using DHCP, whether it's in the range of the script or not, it will automatically use the static DNS IPs of the router. So even the ones in the range, if I manually set the DNS IP, it still forced them to use the static IPs of the router. I am so happy.

As to that nagging issue with this working whether or not the device is in the range specified in your commands... this might be caused by using the "-A" option to Append the rules to the end of the table. You might want to try using "-I" to Insert the commands at the top of the table (as phuzi0n recommended earlier in this thread). In other words:

Quote:
iptables -t nat -I PREROUTING -p udp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -I PREROUTING -p tcp -i br0 -s 192.168.1.128/25 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
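The first-match behaviour phuzi0n and SNR discuss (DNAT is terminating, so -I versus -A only changes the outcome when an earlier rule in the chain also matches the DNS traffic), as an added Python model that is not code from this thread: it walks a nat PREROUTING chain and runs DHC_DarkShadow's two rules against constructed DNS queries, including one from the static lease 192.168.1.22 that falls outside 192.168.1.128/25. The router LAN IP 192.168.1.1, the external resolver 203.0.113.53 (a documentation address) and the hypothetical pre-existing port-53 forward to 192.168.1.10 are assumed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    target: str                    # DNAT is terminating; TRIGGER is not
    proto: Optional[str] = None    # None = any protocol (shown as "0" in the dump)
    in_if: Optional[str] = None    # None = "*"
    src: Optional[str] = None      # None = 0.0.0.0/0
    dst: Optional[str] = None
    dport: Optional[int] = None
    to: Optional[str] = None       # DNAT --to destination

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or self.proto == pkt["proto"])
                and (self.in_if is None or self.in_if == pkt["in_if"])
                and (self.src is None
                     or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src))
                and (self.dst is None or self.dst == pkt["dst"])
                and (self.dport is None or self.dport == pkt.get("dport")))

TERMINATING = {"DNAT", "ACCEPT", "DROP", "REJECT"}

def prerouting(chain: List[Rule], pkt: dict) -> str:
    """Walk the chain top to bottom; the first terminating match sets the destination."""
    for rule in chain:
        if rule.matches(pkt) and rule.target in TERMINATING:
            return rule.to
    return pkt["dst"]              # chain policy ACCEPT: destination unchanged
LAN_IP = "192.168.1.1"            # assumed value of $(nvram get lan_ipaddr)

def kids_rules() -> List[Rule]:
    """DHC_DarkShadow's two rules: DNS from the 192.168.1.128/25 pool on br0 -> router."""
    return [Rule("DNAT", proto=p, in_if="br0", src="192.168.1.128/25", dport=53, to=LAN_IP)
            for p in ("udp", "tcp")]

def build_chain(insert: bool, existing: List[Rule]) -> List[Rule]:
    """-I puts the new rules above the existing ones, -A below them."""
    return kids_rules() + existing if insert else existing + kids_rules()

# Rules from SNR's dump: they never match udp/tcp port 53, so -I and -A agree for DNS.
DUMP_RULES = [Rule("DNAT", proto="icmp", dst="192.168.1.64", to=LAN_IP),
              Rule("TRIGGER", dst="192.168.1.64")]
# Hypothetical (constructed) earlier forward of all DNS to an internal server: shadows the kids' rule under -A only.
FORWARD_RULES = [Rule("DNAT", proto="udp", dport=53, to="192.168.1.10")]

def dns_query(src: str, in_if: str = "br0") -> dict:
    """Constructed sample packet: a UDP DNS query to an external resolver (documentation IP)."""
    return {"proto": "udp", "in_if": in_if, "src": src, "dst": "203.0.113.53", "dport": 53}
```

A query from 192.168.1.22 is left untouched by the rules regardless of -I or -A, so the "applied to all DHCP addresses" effect comes from clients using the router's DHCP-advertised DNS, not from the iptables match.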