sunakashi
Posts: 17
Joined: Wed Nov 23, 2022 1:55 pm
Location: CZ

Firewall settings for unbound

Tue Dec 06, 2022 11:14 pm

I'm trying to set up Pi-hole with unbound (on an RPi); however, when I set a custom upstream in Pi-hole pointing at unbound, my internet connection is lost. It's a similar story for Pi-hole with stubby and NextDNS as upstream. If I set one of the default upstreams in Pi-hole, like Quad9 or Google, the internet works fine. The Pi-hole debug log is here.

The test against unbound shows this:

tobias@rpi3B:~ $ dig fail01.dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.16.33-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26949
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fail01.dnssec.works.           IN      A

;; Query time: 3499 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Dec 06 15:18:39 CET 2022
;; MSG SIZE  rcvd: 48

tobias@rpi3B:~ $ dig dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.16.33-Debian <<>> dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56748
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.works.                  IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Dec 06 15:18:39 CET 2022
;; MSG SIZE  rcvd: 41

The first command looks OK (SERVFAIL); the second, however, shows a failure (it should be NOERROR). What could be wrong? Something to do with DNSSEC?

I guess there is a problem with the firewall, because the query log in Pi-hole is being filled (also when using NextDNS as a custom upstream instead of unbound, the log fills up there too). So I guess there is some rule in the firewall that won't let the traffic back. Here are my firewall settings.

# dec/06/2022 22:02:25 by RouterOS 7.6
# software id = 54UW-M61Q
#
# model = RBD53iG-5HacD2HnD
# serial number = ********
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.100.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes src-address=172.17.0.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.88.1 dst-port=\
    888 protocol=tcp to-addresses=172.17.0.2 to-ports=80
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp

Any idea what could be wrong? Thanks. Firewall rules are too complex for me right now.
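Editor's note, added as an example and not part of the post above: the last two rules in the posted `/ip firewall nat` section (`action=redirect ... dst-port=53`) match every TCP and UDP packet with destination port 53 that enters the dstnat chain and hand it to the router's own DNS service. That includes the queries a recursive resolver on the LAN sends to root, TLD and authoritative name servers, so a recursive unbound behind this router never reaches the servers it is asking; a SERVFAIL on a query that must be resolved from the root is consistent with that. The check a practitioner would want is to exempt the resolver host from the redirect and retest. The export below shows one way to scope the rules: the DNS hijack stays in place for ordinary LAN clients, but the resolver is excluded. The address 192.168.88.10 for the Raspberry Pi is an assumption, and the rules assume the default `LAN` interface list already used in the posted config.

```routeros
# Added example (not from the original post). Assumes the Raspberry Pi running
# Pi-hole + unbound is 192.168.88.10 (hypothetical address) and that the "LAN"
# interface list from the posted export exists.
/ip firewall nat
# Force LAN clients to the local DNS, but leave the recursive resolver alone so
# its own port-53 queries to root/TLD/authoritative servers pass untouched.
add action=redirect chain=dstnat comment="force LAN clients to local DNS (UDP)" \
    dst-port=53 in-interface-list=LAN protocol=udp src-address=!192.168.88.10
add action=redirect chain=dstnat comment="force LAN clients to local DNS (TCP)" \
    dst-port=53 in-interface-list=LAN protocol=tcp src-address=!192.168.88.10
```

To confirm whether the original rules were catching the resolver, run a non-recursive query from the Pi straight at a root server before and after the change, for example `dig @198.41.0.4 . SOA +norecurse`: a genuine root-server reply carries the `aa` flag, while an answer without it came from whatever the redirect handed the packet to. After replacing the rules, `/ip firewall nat print stats` shows the new rules' packet counters rising for client traffic, and `dig dnssec.works @127.0.0.1 -p 5335` on the Pi should return NOERROR. The trade-off is that the exempted host is now trusted to validate DNSSEC itself, which is exactly what unbound is there for.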
