RB750 - Hotspot & DNS

Posted: Sun Sep 08, 2013 4:35 pm
by sjoram
Hi,

I use OpenDNS for DNS but I have a couple of different IP addresses with different filtering categories.

I have different masquerade rules configured for different internal VLANs such that most appear to the outside world on one particular IP address but there is one VLAN that appears on a different IP address to the rest. (My 'guest' VLAN).

This has different (more) categories blocked on my OpenDNS dashboard.

The problem I'm having at the moment is that I'm not seeing any DNS requests from that network on my dashboard (and none of the categories I've selected are being filtered).

I think the masquerade rule is working correctly because using sites like ipchicken.com and whatsmyip.org from a client device on that VLAN gives the correct public IP.

I have a hotspot on that VLAN however and am wondering if this is causing the DNS to do something silly.

Are there any sections of my config I can post in order to get some help troubleshooting?

Note I'm on an earlier version of ROS at the moment and the export compact command isn't available - just let me know what you want me to post and I will!

I should note that DHCP for the VLAN is initially done from a W2K3 server on my LAN but then the hotspot takes over, although as far as I can tell the client device still gets the DNS servers from the option on the W2K3 box.

It was initially:

<LAN IP of RB750>
208.67.222.222
208.67.220.220

I've removed the LAN IP of the RB750 from the list of DNS servers for that VLAN's scope and cleared the DNS cache of the RB750 and the client device to no avail - still no requests seen on OpenDNS and still categories that should be blocked are available.

My other VLANs seem to be getting blocked from restricted categories there without any issue.

Update: Looks like this is related to the NAT rules for the hotspot. No idea how to fix this without breaking the hotspot?

Re: RB750 - Hotspot & DNS

Posted: Tue Sep 17, 2013 11:27 am
by sjoram
*bump* Can anyone assist?

Re: RB750 - Hotspot & DNS

Posted: Tue Sep 17, 2013 1:38 pm
by SurferTim
The hotspot redirects all tcp and udp port 53 requests to the hotspot:
[admin@test] /ip firewall nat> print dynamic
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
 1 I chain=hotspot action=jump jump-target=pre-hotspot
 2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53
 3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53
 4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80
 5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443

Re: RB750 - Hotspot & DNS

Posted: Tue Sep 17, 2013 3:01 pm
by sjoram
Thanks, I spotted that after my original post. Question now is can I remove this without affecting hotspot functionality?

Re: RB750 - Hotspot & DNS

Posted: Tue Sep 17, 2013 3:28 pm
by SurferTim
If you are attempting to limit internet access by domain/ip once the client is logged in, then maybe the hotspot transparent proxy is something you should look into. I don't use it though, so I wouldn't be much help setting it up.

Re: RB750 - Hotspot & DNS

Posted: Tue Sep 17, 2013 3:35 pm
by sjoram
All I need is for DNS requests from hotspot clients to appear from the correct IP address to external DNS resolvers and not use the internal DNS cache.
If I remove/disable the entry for DNS redirection, will clients connecting initially still be redirected to the hotspot login page?
I'll give it a test when I have local access to the relevant LAN to investigate further.

Edit: I'd like to make use of a transparent proxy, but suspect I'd need ROS to be running on a PC-type setup rather than a RouterBOARD for this to work properly.

Re: RB750 - Hotspot & DNS

Posted: Sat Sep 21, 2013 5:24 pm
by sjoram
I've tried disabling this rule and it prevents clients from being redirected to the login page; they have to browse to the page manually.
Any suggestions for how I can fix the routing of DNS once clients have authenticated to the hotspot?

Re: RB750 - Hotspot & DNS

Posted: Sat Sep 21, 2013 7:04 pm
by sjoram
Managed to find another thread on here that enabled me to add a further filter rule to the pre-hotspot chain to resolve this.

Re: RB750 - Hotspot & DNS

Posted: Mon Oct 14, 2013 11:48 pm
by sterb
I've just come across the same problem - what was the fix?

Re: RB750 - Hotspot & DNS

Posted: Tue Oct 15, 2013 12:40 am
by sjoram
I've just come across the same problem - what was the fix?
I'll search out the thread when I have a mo and post the link.

Re: RB750 - Hotspot & DNS

Posted: Tue Dec 24, 2013 8:37 pm
by sjoram
I've just come across the same problem - what was the fix?
I'll search out the thread when I have a mo and post the link.
Sorry for the delay posting back. I can't find the original thread to give context as to how/why this works, but the filter rule I added is as follows (it needs to be done from the CLI):
/ip firewall nat
add action=accept chain=pre-hotspot disabled=no hotspot=auth
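As an added example (not the thread's own configuration and not MikroTik's), the following puts the rule from the final post together with the dynamic hotspot chain SurferTim printed, so the ordering that makes the fix work is visible. Everything here is an assumption except the OpenDNS addresses already given in the thread: the guest VLAN 192.0.2.0/24 is a placeholder, the rule comments are illustrative, and the optional stricter variant forcing DNS to the filtered resolver is an extension beyond what the thread did.

```routeros
# Added example, not the thread's configuration. Placeholders:
#   192.0.2.0/24 = the guest/hotspot VLAN (assumed)
#
# Dynamic rules the hotspot installs by itself (same shape as SurferTim's
# listing; shown for orientation only, do not add these by hand):
#   dstnat  -> jump hotspot              (hotspot=from-client)
#   hotspot -> jump pre-hotspot          <- user rules go here, evaluated FIRST
#   hotspot -> redirect udp/53 to 64872  (hotspot's own DNS)
#   hotspot -> redirect tcp/53 to 64872
#   hotspot -> redirect tcp/80, tcp/443  (login page)
#
# Because the jump to pre-hotspot comes before the redirects, a terminating
# action in pre-hotspot for authenticated clients (hotspot=auth) stops the
# hotspot chain from rewriting their DNS. Clients that have not logged in do
# not match hotspot=auth, fall through to the redirect, and still land on
# the login page, which is the behaviour the thread found was lost when the
# redirect rule itself was disabled.

/ip firewall nat
# Variant A: the thread's fix, narrowed to DNS only. Authenticated guests'
# port-53 traffic leaves the router untouched by the hotspot and is then
# source-NATed by the existing masquerade rule for the guest VLAN, so the
# queries reach OpenDNS from the guest VLAN's public IP.
add chain=pre-hotspot action=accept hotspot=auth protocol=udp dst-port=53 \
    src-address=192.0.2.0/24 comment="guest DNS bypasses hotspot DNS (udp)"
add chain=pre-hotspot action=accept hotspot=auth protocol=tcp dst-port=53 \
    src-address=192.0.2.0/24 comment="guest DNS bypasses hotspot DNS (tcp)"

# Variant B (stricter; use INSTEAD of A, assumed extension): rewrite every
# authenticated guest DNS query to the filtered resolver, so a client that
# sets its own DNS server by hand cannot step around the OpenDNS category
# filter. dst-nat is also terminating, so the hotspot redirect is skipped.
# add chain=pre-hotspot action=dst-nat to-addresses=208.67.222.222 to-ports=53 \
#     hotspot=auth protocol=udp dst-port=53 src-address=192.0.2.0/24
# add chain=pre-hotspot action=dst-nat to-addresses=208.67.222.222 to-ports=53 \
#     hotspot=auth protocol=tcp dst-port=53 src-address=192.0.2.0/24

# Checks after a guest has logged in:
# 1. The rule sits in pre-hotspot and its counters increase when the client
#    resolves a name:
#    /ip firewall nat print stats where chain=pre-hotspot
# 2. The client's DNS connections go to the external resolver rather than to
#    the router's port 64872:
#    /ip firewall connection print where dst-address~"208.67.222.222"
# 3. The guest DHCP scope hands out the resolver addresses, not the router's
#    LAN IP; otherwise queries still end up in the router's DNS cache.
```

The src-address match is not required (hotspot=auth already limits the rule to logged-in hotspot clients) but keeps the rule from touching any other hotspot you might add later; drop it if the placeholder subnet does not match your VLAN. Variant A reproduces what the thread did, only restricted to port 53; Variant B is the choice if the point of the separate public IP is that guests must be filtered, since an accept rule lets a client with a hand-configured resolver bypass the category filter entirely.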