DNS resolution thru VPN tunnel fail on MT2500A

I am using a MT2500A for VPN purpose in front of an Omada router. By default Omada uses the MT2500A as gateway and the gateway the ISPs DNS servers for namespace resolution. All fine.

When activating the VPN on the MT2500A i can traceroute and ping any public IP but the DNS resolution fails. The Omada router still uses the MT2500A as gateway and I expect now the VPNs DNS server is used for resolution (pinging/tracerouting the ISPs DNS still works, so seems no caching thing). The change from ISP to VPN provider should not be transparent to the router.

With VPN on any nslookup with any public DNS server i.e. "nslookup google.com 8.8.8.8" works, tracroutes to the DNS servers work, they show going thru VPN. Only the DNS requests fail.

So far, the only way of making DNS resolution work is to

  • manually set the DNS servers in the LAN DHCP configuration of the MT2500A so that the Omada router always uses these instead of the MT2500A gateway IP address. This is what i do not want.
  • Allow Custom DNS to Override VPN DNS set to on, to ensure the specified DNS servers are always used, with or without VPN (not important as VPN usage is the goal) - not sure if this has an impact.
  • Use VPN Policy Based on the Target Domain or IP settings and add the hardcoded DNS servers.
  • If Global proxy is used, there is no DNS resolution. Pinging/tracrouting the DNS servers works with global proxy setting and they go thru the VPN. Only the DNS requests fail.

My (naive?) expectation is that the LAN setting provided by the MT2500A DHCP should not make a difference. The Omada router should forward any requests to its MT2500A gateway which routes then to the DNS servers provided by the ISP or the VPN provider. Why does it only work, when the router (and clients behind the router) "knows" dedicated DNS servers?

Why do i have to exclude the DNS servers from VPN tunneling on the MT2500A? I can still ping and traceroute the DNS servers even all traffic goes thru VPN (Global proxy).

Any advice?

Hi,

The Brume 2 as the (drop-in) gateway and enable VPN client, right?
Please screenshot the drop-in gateway setting of the Brume2.

May can try to capture the DNS package in the PC and Brume LAN and WAN, to see where lose the DNS package?