I’m trying to protect part of my home LAN using a DNS service like OpenDNS or Norton ConnectSafe.
However, I still need part of the LAN to be unrestricted and use Google’s DNS, for instance.
I want to have this separation at physical port level. I have a RB3011.
I tried to forward DNS requests like this:
ip firewall nat
add action=dst-nat chain=dstnat comment="Force filtered DNS" dst-port=53 in-interface=etherX protocol=tcp to-addresses=199.85.127.20 to-ports=53
This results in an error saying etherX is a slave … and it seems to work only if I apply it to bridge1.
As my router is configured now, that means all traffic, so it doesn’t help.
Can anyone suggest a solution or point me in the right direction?
A pretty unique request
I’d give a bridge filter a try.
Mark all packets coming from that interface with dst-port 53 and use this packet mark in your dst-nat rule to exclude those from your redirection (packet-mark=!yourMark).
Unfortunately it works only for the two master interfaces corresponding to the two internal switches of RB3011.
If you use a “slave” interface, it doesn’t do anything. No traffic at all.
So now I can force a different DNS for half of the ports, but not for a specific port.
This is normal behavior.
Remove that interface from its master port and add it to the bridge separately. Then the filter will work.
The 3011 has enough CPU horsepower to handle this.
-Chris
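Putting the two replies together, here is an added RouterOS configuration (not posted by anyone in the thread) that detaches one port from its switch master, marks its DNS packets in the bridge filter, and redirects every other port's DNS to the filtering resolver. The interface names ether5 and bridge1, the mark name dns-unrestricted, and the use of the bridge filter input chain (packets arriving on a bridge port and addressed to the router) are assumptions; 199.85.127.20 is the resolver from the original post.

```routeros
# Added example, not the thread's own configuration.
# Assumed: ether5 is the port that should keep unrestricted DNS, bridge1 is the LAN bridge.

# 1. Detach the port from its switch master so it is a standalone bridge port
#    (the error "etherX is a slave" comes from matching on a switch slave).
/interface ethernet
set ether5 master-port=none
/interface bridge port
add bridge=bridge1 interface=ether5

# 2. Mark DNS packets entering on ether5. DNS is mostly UDP, so match both
#    UDP and TCP; the original rule only covered TCP.
/interface bridge filter
add chain=input in-interface=ether5 mac-protocol=ip ip-protocol=udp dst-port=53 \
    action=mark-packet new-packet-mark=dns-unrestricted passthrough=yes \
    comment="Unrestricted DNS (UDP)"
add chain=input in-interface=ether5 mac-protocol=ip ip-protocol=tcp dst-port=53 \
    action=mark-packet new-packet-mark=dns-unrestricted passthrough=yes \
    comment="Unrestricted DNS (TCP)"

# 3. Redirect DNS from every other port on the bridge to the filtering resolver.
#    Marked packets (from ether5) are excluded with packet-mark=!dns-unrestricted.
/ip firewall nat
add chain=dstnat in-interface=bridge1 protocol=udp dst-port=53 \
    packet-mark=!dns-unrestricted action=dst-nat to-addresses=199.85.127.20 to-ports=53 \
    comment="Force filtered DNS (UDP)"
add chain=dstnat in-interface=bridge1 protocol=tcp dst-port=53 \
    packet-mark=!dns-unrestricted action=dst-nat to-addresses=199.85.127.20 to-ports=53 \
    comment="Force filtered DNS (TCP)"

# 4. Check: resolve a name from a host on ether5 and from a host on another port,
#    then confirm that only the expected rule counters increase.
/interface bridge filter print stats
/ip firewall nat print stats
```

Marking the exempt port and redirecting everything that is not marked keeps the safer default: a port that is added later, or a mark that is never set, ends up on the filtering resolver rather than bypassing it. Note that a port 53 redirect only affects plain DNS; a client configured for a resolver on another port or for encrypted DNS is not covered by these rules.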