Problem with interface-list in firewall filter rules

Hello,

Edit: I renamed this topic because the problem is related to interface-lists with more than 1 level of include and not DNS (see 1st reply to this post)

I have a DNS server running on my network at the Server_DNS IP and a MikroTik CRS326-24G-2S+RM.
I also have an interface list Clients_DNS which includes all VLANs that need access to Server_DNS.
All DHCP servers point devices in Clients_DNS to Server_DNS as expected (they receive the IP of the DNS server as expected).
When I connect to Server_DNS using ssh and try to dig a domain name, I retrieve the IP as expected.
However, if I try to dig from one of the devices that are members of Clients_DNS, I get blocked (no answer).
I suspect thus that my firewall rules named FF_15 and FF_16 that are supposed to allow DNS traffic to Server_DNS do not work, but I don't understand why.
Could you please help me?

The following rules on my firewall are related to DNS.

add action=accept chain=forward comment="FF_13 Allow new connections to WAN DNS Server on WAN from Server_DNS (tcp, DNS)" connection-state=new dst-port=53 out-interface-list=WAN protocol=tcp src-address-list=Server_DNS
add action=accept chain=forward comment="FF_14 Allow new connections to WAN DNS Server on WAN from Server_DNS (udp, DNS)" connection-state=new dst-port=53 out-interface-list=WAN protocol=udp src-address-list=Server_DNS
add action=accept chain=forward comment="FF_15 Allow new connections to local DNS server from Clients_DNS (tcp, DNS)" connection-state=new dst-address-list=Server_DNS dst-port=53 in-interface-list=Clients_DNS protocol=tcp
add action=accept chain=forward comment="FF_16 Allow new connections to local DNS server from Clients_DNS (udp, DNS)" connection-state=new dst-address-list=Server_DNS dst-port=53 in-interface-list=Clients_DNS protocol=udp
add action=drop chain=forward comment="FF_99 Drop other (forward)"

I also have the following NAT rules to force all DNS traffic not coming from Server_DNS to Server_DNS:

add action=dst-nat chain=dstnat comment="NAT_02 dst-NAT all DNS traffic to local DNS server (tcp)" dst-port=53 in-interface-list=Clients_DNS protocol=tcp src-address-list=!Server_DNS to-addresses=10.71.60.2 to-ports=53
add action=dst-nat chain=dstnat comment="NAT_03 dst-NAT all DNS traffic to local DNS server (udp)" dst-port=53 in-interface-list=Clients_DNS protocol=udp src-address-list=!Server_DNS to-addresses=10.71.60.2 to-ports=53

Thank you in advance !

OK, I found what seems to be the cause of my problem…

The Clients_DNS includes a VLAN interface-list which in turn includes a sub interface-list that has vlan20 as member.
If I use the VLAN interface-list in my rules everything works fine.
If I use Clients_DNS but add vlan20 to the members of the VLAN interface-list, the rules work fine…

In other words, it seems that interface-lists can only include the direct members of another interface-list.
Is this limitation known / documented ? Is it a bug ?

Thank you and best regards.
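The following RouterOS configuration is an added example, not part of the original post, reconstructing the nesting the poster describes (vlan20 is a member of a sub-list, which is included by VLAN, which is included by Clients_DNS) together with the two variants reported to work and the commands that show what each list actually contains. The sub-list name VLAN_sub and the use of vlan20 as the only member are assumptions; the list names VLAN and Clients_DNS and the rule comments FF_15/FF_16 are taken from the post.

```routeros
# Added example (not from the original post). VLAN_sub is an assumed name for
# the sub-list; vlan20, VLAN and Clients_DNS are the names used in the post.
/interface list
add name=VLAN_sub comment="assumed sub-list holding the client VLANs"
add name=VLAN include=VLAN_sub comment="level 2: VLAN includes VLAN_sub"
add name=Clients_DNS include=VLAN comment="level 3: Clients_DNS includes VLAN"
/interface list member
add list=VLAN_sub interface=vlan20

# With vlan20 two include levels below Clients_DNS, the poster reports that
# rules matching in-interface-list=Clients_DNS (FF_15/FF_16, NAT_02/NAT_03)
# do not match traffic from vlan20.

# Inspect the lists: "member print" shows only explicit memberships, so
# vlan20 is listed under VLAN_sub and not under VLAN or Clients_DNS;
# "print detail" shows the include/exclude relationships between lists.
/interface list member print where list=Clients_DNS
/interface list member print where list=VLAN_sub
/interface list print detail where name=Clients_DNS

# Working variant 1 from the post: reference VLAN (one include level above
# the sub-list) in the rules instead of Clients_DNS.
/ip firewall filter set [find comment~"^FF_15"] in-interface-list=VLAN
/ip firewall filter set [find comment~"^FF_16"] in-interface-list=VLAN

# Working variant 2 from the post: make vlan20 a direct member of VLAN, so
# it is only one include level away from Clients_DNS.
/interface list member add list=VLAN interface=vlan20
```

Because the NAT rules NAT_02/NAT_03 also match on in-interface-list=Clients_DNS, the same nesting affects the dst-nat redirect as well as the forward filter, so whichever variant is chosen needs to be applied consistently to both chains; checking the rule counters under /ip firewall filter print stats and /ip firewall nat print stats after a test dig shows whether a rule is matching at all.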