sjoram
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

RB750 - Hotspot & DNS

Sun Sep 08, 2013 4:35 pm

Hi,

I use OpenDNS for DNS but I have a couple of different IP addresses with different filtering categories.

I have different masquerade rules configured for different internal VLANs such that most appear to the outside world on one particular IP address but there is one VLAN that appears on a different IP address to the rest. (My 'guest' VLAN).

This has different (more) categories blocked on my OpenDNS dashboard.

The problem I'm having at the moment is that I'm not seeing any DNS requests from that network on my dashboard (and none of the categories I've selected are being filtered).

I think the masquerade rule is working correctly because using sites like ipchicken.com and whatsmyip.org from a client device on that VLAN gives the correct public IP.

I have a hotspot on that VLAN however and am wondering if this is causing the DNS to do something silly.

Are there any sections of my config I can post in order to get some help troubleshooting?

Note I'm on an earlier version of ROS at the moment and the export compact command isn't available - just let me know what you want me to post and I will!

I should note that DHCP for the VLAN is initially done from a W2K3 server on my LAN but then the hotspot takes over, although as far as I can tell the client device still gets the DNS servers from the option on the W2K3 box.

It was initially:

<LAN IP of RB750>
208.67.222.222
208.67.220.220

I've removed the LAN IP of the RB750 from the list of DNS servers for that VLAN's scope and cleared the DNS cache of the RB750 and the client device to no avail - still no requests seen on OpenDNS and still categories that should be blocked are available.

My other VLANs seem to be getting blocked from restricted categories there without any issue.

Update: Looks like this is related to the NAT rules for the hotspot. No idea how to fix this without breaking the hotspot?
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
RB750 - Draytek Vigor 120v2 ADSL2+ Annex M
RB750Gr3 - Draytek Vigor 130 FTTC (VDSL) & RBD52G-5HacD2HnD
 
sjoram
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: RB750 - Hotspot & DNS

Tue Sep 17, 2013 11:27 am

*bump* Can anyone assist?
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: RB750 - Hotspot & DNS

Tue Sep 17, 2013 1:38 pm

The hotspot redirects all tcp and udp port 53 requests to the hotspot.
[admin@test] /ip firewall nat> print dynamic
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client

 1 I chain=hotspot action=jump jump-target=pre-hotspot

 2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53

 3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53

 4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp
     hotspot=local-dst dst-port=80

 5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp
     hotspot=local-dst dst-port=443
 
sjoram
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: RB750 - Hotspot & DNS

Tue Sep 17, 2013 3:01 pm

Thanks, I spotted that after my original post. Question now is can I remove this without affecting hotspot functionality?
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: RB750 - Hotspot & DNS

Tue Sep 17, 2013 3:28 pm

If you are attempting to limit internet access by domain/ip once the client is logged in, then maybe the hotspot transparent proxy is something you should look into. I don't use it tho, so I wouldn't be much help setting it up.
 
sjoram
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: RB750 - Hotspot & DNS

Tue Sep 17, 2013 3:35 pm

All I need is for DNS requests from hotspot clients to appear from the correct IP address to external DNS resolvers and not use the internal DNS cache.
If I remove/disable the entry for DNS redirection, will clients connecting initially still be redirected to the hotspot login page?
I'll give it a test when I have local access to the relevant LAN to investigate further.

Edit: I'd like to make use of a transparent proxy, but suspect I'd need ROS to be running on a PC-type setup rather than a RouterBOARD for this to work properly.
 
sjoram
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: RB750 - Hotspot & DNS

Sat Sep 21, 2013 5:24 pm

I've tried disabling this rule and it prevents clients from being redirected to the login page; they have to browse to the page manually.
Any suggestions for how I can fix the routing of DNS once clients have authenticated to the hotspot?
 
sjoram
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: RB750 - Hotspot & DNS

Sat Sep 21, 2013 7:04 pm

Managed to find another thread on here that enabled me to add a further filter rule to the pre-hotspot chain to resolve this.
 
sterb
newbie
Posts: 28
Joined: Mon Dec 01, 2008 7:29 pm

Re: RB750 - Hotspot & DNS

Mon Oct 14, 2013 11:48 pm

I've just come across the same problem - what was the fix?
 
sjoram
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: RB750 - Hotspot & DNS

Tue Oct 15, 2013 12:40 am

sterb wrote: I've just come across the same problem - what was the fix?

I'll search out the thread when I have a mo and post link.
 
sjoram
Member Candidate
Topic Author
Posts: 116
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: RB750 - Hotspot & DNS

Tue Dec 24, 2013 8:37 pm

sterb wrote: I've just come across the same problem - what was the fix?
sjoram wrote: I'll search out the thread when I have a mo and post link.

Sorry for delay posting back. Can't find original thread to give context as to how/why this works, but filter rule added as follows (needs to be done from CLI):

    add action=accept chain=pre-hotspot disabled=no hotspot=auth
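
Why the rule in the last post has that effect, as an added example that is not from the thread or from MikroTik: a simplified Python model of the dynamic NAT rules 0-3 printed earlier. It assumes the rule is entered in the NAT table (where the pre-hotspot jump appears), that accept ends NAT processing for the packet, and that hotspot=auth matches only logged-in clients; all function names are hypothetical.

```python
# Simplified model of the hotspot's dstnat handling of a client DNS query.
# Rules come from the "print dynamic" output in the thread; FIX is the rule
# from the last post. Assumed semantics: first match wins, accept stops NAT
# processing, an empty pre-hotspot chain returns to its caller.
DYNAMIC = {
    "dstnat": [{"action": "jump", "target": "hotspot", "hotspot": "from-client"}],
    "hotspot": [
        {"action": "jump", "target": "pre-hotspot"},
        {"action": "redirect", "to_port": 64872, "protocol": "udp", "dst_port": 53},
        {"action": "redirect", "to_port": 64872, "protocol": "tcp", "dst_port": 53},
    ],
    "pre-hotspot": [],
}
FIX = {"action": "accept", "hotspot": "auth"}


def matches(rule, pkt):
    for key in ("protocol", "dst_port"):
        if key in rule and rule[key] != pkt[key]:
            return False
    # Map the rule's hotspot= matcher onto the packet flag it tests.
    flag = {"from-client": "from_client", "auth": "authenticated"}.get(rule.get("hotspot"))
    return flag is None or pkt[flag]


def walk(chains, chain, pkt):
    """Return a verdict string, or None if the chain ends without one."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            verdict = walk(chains, rule["target"], pkt)
            if verdict:
                return verdict
        elif rule["action"] == "accept":
            return "accept: forwarded to original destination"
        elif rule["action"] == "redirect":
            return f"redirect: router port {rule['to_port']}"
    return None


def dns_verdict(authenticated, with_fix):
    chains = dict(DYNAMIC)
    if with_fix:
        chains["pre-hotspot"] = [FIX]
    pkt = {"protocol": "udp", "dst_port": 53, "from_client": True,
           "authenticated": authenticated}
    return walk(chains, "dstnat", pkt) or "no NAT match: forwarded unchanged"
```

In this model, a logged-in client's query is accepted in pre-hotspot before the port 53 redirect is reached, so it goes out to the resolver the client chose and is source-NATed by that VLAN's masquerade rule. Clients that have not logged in are still redirected, which is what keeps the login page redirect working.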
