I need to set up custom DNS settings for the router itself to use. In mainline OpenWrt I do so by just setting DNS servers on a WAN interface.
I can't find the correct way to do that in the Beryl AX3000 custom UI. I.e. the DNS settings that the router uses are just pulled in from the upstream router via DHCP and cannot be overridden:
But the thing is that whatever changes I make and save there do not survive a reboot - i.e. once the router is rebooted, the changes get reverted and the old settings get restored:
Yes, I know that )
But I don't want it to. I specifically want my router to use DNS that I put in the settings manually. And there is a reason I want it to be different from what the clients of the router will use (the AGH, supplied via option 6 in LAN DHCP settings).
In vanilla OpenWrt this is easy to achieve - I just need to uncheck the checkbox I showed in the screenshot. But when doing that on the Beryl AX3000, my settings get reverted after a reboot. I do not want that. I want it to be the way I set it.
So I'm wondering if there is any way to tell the device to turn off its obnoxious smarts and keep the settings I entered.
I don't even know if it's possible, to be honest.
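As an added example (not code from the thread or from GL.iNet), this is the UCI equivalent of the LuCI checkbox mentioned above on vanilla OpenWrt: disabling `peerdns` on the WAN interface and giving it a static DNS list, plus a check that the peer-advertised servers have not come back after a reboot. The interface name, the server addresses and the resolver file path (`/tmp/resolv.conf.d/resolv.conf.auto`, as written by netifd on 21.02-based builds) are assumptions; adjust them to the real setup.

```shell
#!/bin/sh
# Added example: pin the router's own upstream DNS on a vanilla OpenWrt WAN
# interface via UCI (what unticking "Use DNS servers advertised by peer" in
# LuCI does) and verify afterwards that the peer-provided servers are gone.
# Interface name and server addresses are constructed sample values.

IFACE="${IFACE:-wan}"
DNS_LIST="${DNS_LIST:-8.8.8.8 1.1.1.1}"

# Print the UCI commands that disable peer DNS on an interface and set a static
# list. Printing instead of executing keeps this usable as a dry run and as the
# body of a boot script.
wan_dns_uci_cmds() {
    iface="$1"; shift
    echo "uci set network.$iface.peerdns='0'"
    echo "uci -q delete network.$iface.dns"
    for srv in "$@"; do
        echo "uci add_list network.$iface.dns='$srv'"
    done
    echo "uci commit network"
    echo "/etc/init.d/network reload"
}

# Run the commands on a box that has uci; elsewhere only show them.
apply_wan_dns() {
    if ! command -v uci >/dev/null 2>&1; then
        echo "uci not found, dry run:" >&2
        wan_dns_uci_cmds "$@" >&2
        return 2
    fi
    wan_dns_uci_cmds "$@" | sh -e
}

# Print every nameserver in resolver file $1 that is not in the expected list
# ($2 ...). Returns 1 when any such entry exists, i.e. the peer-advertised
# servers (typically the upstream router's LAN address) are back in use.
stale_nameservers() {
    file="$1"; shift
    stale=0
    while read -r key val _rest; do
        [ "$key" = "nameserver" ] || continue
        ok=0
        for want in "$@"; do
            [ "$val" = "$want" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "$val"
            stale=1
        fi
    done < "$file"
    [ "$stale" -eq 0 ]
}

# Usage on the router (APPLY=1 ./wan-dns.sh): apply, then check the resolver
# file netifd writes for the WAN-side servers (assumed path for 21.02 builds).
if [ -n "${APPLY:-}" ]; then
    # shellcheck disable=SC2086  # DNS_LIST is deliberately word-split
    apply_wan_dns "$IFACE" $DNS_LIST
    if stale_nameservers /tmp/resolv.conf.d/resolv.conf.auto $DNS_LIST; then
        echo "only the configured servers are in use"
    else
        echo "peer DNS still present, the setting did not persist"
    fi
fi
```

Running the check from a boot script (for example `/etc/rc.local`) after a reboot is the quickest way to tell whether the firmware has reverted the interface config, because the resolver file reflects what netifd actually applied rather than what the UI shows.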
Many features were built to be leak-proof - at least in my brain it sounds like your construct would break it, so I am not really sure if there is an option for that.
Since you already transmit AGH via DHCP option 6 - wouldn't it be easier to exclude the AGH filtering for your router?
My issue is not about excluding something from AGH filtering. The reason is that my AX3000 router runs an XRAY tunnel (in client mode). And I route all DNS traffic from the entire network behind the AX3000 to that tunnel. But the tunnel software itself uses DNS (e.g. when starting up, establishing a new connection, etc.) to resolve the XRAY server's name to establish a connection with. For it to work, those DNS requests obviously need to bypass the tunnel (which is just being created)..
The way I do that in vanilla OpenWrt - I set a dedicated DNS server for the router (e.g. 8.8.8.8) and set up special iptables rules not to route it to the tunnel.
But the AX3000 is playing smart with me and keeps reverting custom DNS settings done via LuCI.
Thanks for the suggestion. But in my setup the full chain is DNSMASQ -> AGH -> UPSTREAM_DNS. So AGH in that case sees only one client - dnsmasq (i.e. 127.0.0.1). If I fully switched to AGH only and let it handle the ipsets, it could work I think.
Another option I'm considering is assigning a unique GID to AGH process and modifying my iptables rules a bit to route to the tunnel only DNS traffic coming from a process with that specific GID.
But before taking out big guns like that, I first wanted to explore a simpler option and figure out if there is a way to tell the AX3000 not to be that stubborn.
BTW, I'm already starting to regret spending money on that device.. As good as it sounds to be able to hook up to a public wifi and hide your devices behind this router, the software is still too raw imo.
I just spent several hours today trying to figure out quirks around DNS and XRAY - all my other OpenWrt devices are just working fine both as XRAY servers and as XRAY clients. But with the AX3000 a server just refused certain TLS connections when SNI fragmentation was configured on the client (AX3000)..
At first I was blaming the different OpenWrt version - the AX3000 runs a custom fork of 21.02. And only after hours of poking around I stumbled upon a custom iptables chain named PORTAL_TTL. I don't know what exactly it is for there, but once I un-hooked that chain from POSTROUTING, everything started to work like a charm that same very moment..
Can anyone enlighten me on the following:
What problem(s) is that rule supposed to help with? Use-cases?
Is there any safe way to turn it off? (just dropping it from POSTROUTING on boot does seem more like a hack)
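The GID-based variant floated a few posts up (routing only the DNS traffic of the AGH process into the tunnel and leaving the router's own lookups, including the tunnel client resolving its server name, on the direct path) can be expressed with the iptables `owner` match. This is an added example, not the thread author's rules or anything from GL.iNet: the GID, the local port the tunnel is assumed to expose for redirected DNS, and the use of `REDIRECT` rather than a mark plus policy route are all constructed assumptions.

```shell
#!/bin/sh
# Added example: steer only DNS traffic generated by processes running under a
# dedicated GID (assumed to be AdGuard Home) into the tunnel. The owner match
# only sees locally generated packets, so the rules live in nat OUTPUT.
# GID and tunnel port are constructed assumptions.

AGH_GID="${AGH_GID:-9053}"             # assumed: GID the AGH process runs with
TUN_DNS_PORT="${TUN_DNS_PORT:-12053}"  # assumed: tunnel's local DNS listener

# Print idempotent iptables commands: "-C" tests for the rule first so that
# re-running the script at boot does not duplicate it.
dns_steering_rules() {
    gid="$1"; port="$2"
    for proto in udp tcp; do
        rule="OUTPUT -p $proto --dport 53 -m owner --gid-owner $gid -j REDIRECT --to-ports $port"
        echo "iptables -t nat -C $rule 2>/dev/null || iptables -t nat -A $rule"
    done
}

# Apply on a box with iptables; elsewhere only show the commands.
apply_dns_steering() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables not found, dry run:" >&2
        dns_steering_rules "$@" >&2
        return 2
    fi
    dns_steering_rules "$@" | sh -e
}

# Read an "iptables -t nat -S OUTPUT" listing on stdin and count the rules that
# send DNS from the given GID into the tunnel, so a boot-time check can confirm
# the rules are in place (expect 2: one udp, one tcp).
count_steering_rules() {
    gid="$1"
    grep -c -- "--dport 53 .*--gid-owner $gid .*-j REDIRECT" || true
}

# Usage on the router (APPLY=1 ./dns-steering.sh).
if [ -n "${APPLY:-}" ]; then
    apply_dns_steering "$AGH_GID" "$TUN_DNS_PORT"
    n=$(iptables -t nat -S OUTPUT | count_steering_rules "$AGH_GID")
    echo "$n DNS steering rules present (expected 2)"
fi
```

Everything not running under that GID, the tunnel client included, is untouched by these rules and keeps using whatever DNS the router itself has configured, which is the separation the earlier post was after. Running AGH under a dedicated group is left to its init script and is not shown here.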
The chain PORTAL_TTL is designed for flow control of captive portal traffic based on the TTL value in the packet, and redirects to a portal page before accessing the internet.
@bruce, any plans to have a UI "knob" to set custom WAN/WWAN DNS and have it persisted across reboots? That's the other part of the original problem described in the first posts:
Can you please help me figure out how I can override those settings and have them persisted in a way that would keep them across reboots?
Now that you have enabled AGH and want to configure the custom DNS server, you can set this in AGH.
Because even if the DNS of the WAN/WWAN interface is changed/configured, all the actual client DNS request traffic still goes through AGH and follows the AGH DNS.
Not really. It's not about what clients will use, but the device itself. And since the device uses the DNS servers from WAN/WWAN, I want that setting to be persisted when I change it in LuCI.
Right now whatever changes I make get lost when I reboot the device - it always gets reset to "use upstream DNS". This is quite annoying as I know better what effect I want to achieve and I do not want the add-on "smarts" to be in the way.
Thanks, that'll definitely cut it as a workaround. Still, not sure I understand the reason for this behavior: the GL.iNet UI doesn't have this option plumbed through (WAN/WWAN DNS), and when I make these specific changes in LuCI, they are reverted upon reboot.. Do you happen to know what the purpose is?