Flint 2 (GL-MT6000) - bug reports - collective thread

Model: GL.iNet GL-MT6000
Firmware: 4.6.0 beta3
Compile Time: 2024-06-06 14:27:39 (UTC+00:00)

This is a fresh install with settings erased on the upgrade to 4.6.0 Beta 3. I'm running the Flint 2 as a secondary router again (WAN on eth1 behind the upstream router at 192.168.1.1, per the `ip route` output below) for a few devices, so I can tweak and test without disturbing the family.

Bug: DNS queries for domains defined in Policy Based Routing for the VPN Client are not routed over the VPN Client; instead the upstream WAN interface's DNS is used. This is a DNS leak: the names of the policy-routed domains are disclosed to the upstream/ISP resolver even though the subsequent connection is tunnelled. A likely mechanism is visible in the firewall config below: the rule `process_mark_dns` tags all traffic from gid 453 with the 0x8000/0xc000 mark, and `policy_default_rt_vpn` (invert '1') only sends traffic *without* that mark to table 8000 (wgclient) — so if gid 453 is the group the local resolver runs as, its upstream queries are steered to the main table and out the WAN. Worth confirming which user/group the resolver process runs as.

Expected behaviour: DNS queries for domains defined in Policy Based Routing for the VPN Client are sent over the tunnel to the VPN Client's configured DNS server (here `10.2.0.1`, from the peer's `dns` option).

This affects the stable 4.5.8 release as well.

Evidence


The screenshot above (not reproduced in this text capture) shows DNS queries for a domain that is policy-routed over the VPN Client leaving via the upstream WAN DNS instead. A text capture is easier for others to verify than a screenshot: if tcpdump is installed, `tcpdump -ni eth1 udp port 53` on the router while a LAN client resolves one of the listed domains shows the leak, and `tcpdump -ni wgclient udp port 53` shows whether anything takes the expected path.

Configuration information (private/public keys are redacted — good; the MAC addresses, upstream LAN addressing and VPN endpoint are still visible, which is harmless here but can be trimmed). Settings worth keeping in mind while reading: `kill_switch '0'` (presumably nothing fails closed if the tunnel drops), `rebind_protection '0'` in dnsmasq (DNS-rebinding protection off), and `override_vpn '0'` in gl-dns. None of these is the bug itself, but they affect how DNS and leak tests behave.
cat vpnpolicy

# Global VPN-client policy.
# Security note (review): kill_switch is '0', so presumably nothing fails
# closed when wgclient is down -- traffic that misses the table-8000 lookup
# would fall through to the main table and leave via WAN. Confirm before
# relying on this setup for leak testing.
config policy 'global'
        option kill_switch '0'
        option service_policy '1'
        option vpn_server_policy '1'
        option wan_access '1'

config service 'route_policy'
        option proxy_mode '3'

config policy 'vlan'
        option private '1'
        option guest '1'

# Domain-based policy: only the domains listed here are routed via the VPN
# (manual '1', default_policy '0'). The value is a newline-separated list.
# NOTE(review): the router presumably has to resolve these names to act on
# them; which resolver/path it uses for that lookup is the subject of the
# bug report.
config policy 'domain'
        option default_policy '0'
        option manual '1'
        option domain 'browserleaks.com
whatismyipaddress.com'
cat wan-access
config main
    option whitelist 0

#config whitelist
#   option name 'test1'
#   option ipaddr '192.168.1.2'

#config whitelist
#   option name 'test2'
#   option ipaddr '192.168.12.0/24'
cat wireguard

config proxy 'global'
        option global_proxy '1'

config providers 'AzireVPN'
        option auth_type '1'
        option procedure '0'
        option group_id '4'

config providers 'Mullvad'
        option auth_type '2'
        option procedure '1'
        option group_id '2971'

config providers 'FromApp'
        option auth_type '1'
        option procedure '0'
        option group_id '2290'

config groups 'group_4'
        option group_name 'AzireVPN'
        option group_type '1'
        option auth_type '1'
        option procedure '0'

config groups 'group_2971'
        option group_name 'Mullvad'
        option group_type '1'
        option auth_type '2'
        option procedure '1'

config groups 'group_2290'
        option group_name 'FromApp'
        option group_type '3'
        option auth_type '1'
        option procedure '0'

config groups 'group_7542'
        option group_name 'New Provider'
        option group_type '2'
        option auth_type '0'

# WireGuard peer (named as a ProtonVPN server). Keys are redacted -- keep it
# that way; the endpoint and the 10.2.0.x tunnel addresses are not secrets.
# dns '10.2.0.1' is the resolver the reporter expects policy-routed lookups
# to use. allowed_ips '0.0.0.0/0' sends everything via the tunnel and, per
# WireGuard's cryptokey routing, also accepts any IPv4 source address from
# this peer.
config peers 'peer_2001'
        option group_id '7542'
        option name 'ProtonVPN Estonia #20'
        option address_v4 '10.2.0.2/32'
        option address_v6 ''
        option end_point '95.153.31.114:51820'
        option private_key 'REDACTED'
        option public_key 'REDACTED'
        option presharedkey_enable '0'
        option allowed_ips '0.0.0.0/0'
        option dns '10.2.0.1'
        option persistent_keepalive '25'
        option local_access '0'
        option masq '1'
ip route
default via 192.168.1.1 dev eth1 proto static src 192.168.1.184 (UPSTREAM ROUTER) metric 10
192.168.1.0/24 dev eth1 proto static scope link metric 10
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
ip route show table 8000
default dev wgclient scope link
ip route show table local
local 10.2.0.2 dev wgclient proto kernel scope host src 10.2.0.2
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth1 proto kernel scope link src 192.168.1.184
local 192.168.1.184 dev eth1 proto kernel scope host src 192.168.1.184
broadcast 192.168.1.255 dev eth1 proto kernel scope link src 192.168.1.184
broadcast 192.168.8.0 dev br-lan proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev br-lan proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev br-lan proto kernel scope link src 192.168.8.1
cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6c:c1d0:c831::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        option macaddr '94:83:c4:a2:e8:21'

config device
        option name 'lan1'
        option macaddr '94:83:c4:a2:e8:21'

config device
        option name 'lan2'
        option macaddr '94:83:c4:a2:e8:21'

config device
        option name 'lan3'
        option macaddr '94:83:c4:a2:e8:21'

config device
        option name 'lan4'
        option macaddr '94:83:c4:a2:e8:21'

config device
        option name 'lan5'
        option macaddr '94:83:c4:a2:e8:21'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'

config device
        option name 'eth1'
        option macaddr '94:83:c4:a2:e8:1f'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option force_link '0'
        option ipv6 '0'
        option classlessroute '0'
        option metric '10'

config interface 'wan6'
        option proto 'dhcpv6'
        option device '@wan'
        option disabled '1'

config interface 'tethering6'
        option device '@tethering'
        option proto 'dhcpv6'
        option disabled '1'

config interface 'wwan6'
        option device '@wwan'
        option proto 'dhcpv6'
        option disabled '1'

config interface 'guest'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '0'
        option isolate '0'
        option bridge_empty '1'
        option disabled '1'

config interface 'wwan'
        option proto 'dhcp'
        option classlessroute '0'
        option metric '20'

config interface 'secondwan'
        option ipv6 '0'
        option proto 'dhcp'
        option metric '15'
        option force_link '0'
        option classlessroute '0'

config interface 'secondwan6'
        option proto 'dhcpv6'
        option device '@secondwan'
        option disabled '1'
        option metric '15'

config interface 'modem_1_1_2_6'
        option ifname '@modem_1_1_2'
        option proto 'dhcpv6'
        option disabled '1'

# Policy-routing rules (ip rule). Evaluated by priority, lowest first:
# 1099 policy_default_rt_vpn_ts, 1100 policy_direct_rt, 1101 policy_default_rt_vpn.
# 1100: consult main, but suppress_prefixlength '0' ignores main's default
# route, so only the connected/specific routes (LAN, 192.168.1.0/24) match here.
config rule 'policy_direct_rt'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

# 1101, invert '1': packets whose fwmark does NOT match 0x8000/0xc000 are
# looked up in table 8000 (default dev wgclient). So 0x8000 acts as the
# "bypass VPN / go direct" mark; marked packets skip this rule and
# presumably end up in the main table, leaving via WAN.
config rule 'policy_default_rt_vpn'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

# IPv6 counterparts of the two rules above.
config rule6 'policy_direct_rt6'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule6 'policy_default_rt_vpn6'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

# 1099: packets marked 0x80000/0xc0000 go straight to main, ahead of the
# VPN rules. What sets that mark is not shown in this dump.
config rule 'policy_default_rt_vpn_ts'
        option lookup 'main'
        option priority '1099'
        option mark '0x80000/0xc0000'
        option invert '0'

config interface 'wgclient'
        option proto 'wgclient'
        option config 'peer_2001'
        option disabled '0'
cat dhcp

# Main dnsmasq instance. Upstream servers are read from resolvfile
# (/tmp/resolv.conf.d/resolv.conf.auto), presumably populated from the
# WAN DHCP lease, i.e. the upstream router.
# Security note (review): rebind_protection '0' disables dnsmasq's
# stop-dns-rebind, so upstream answers pointing at private addresses are
# accepted; rebind_localhost '1' is presumably moot while protection is off.
# localservice '1' restricts service to local subnets (not an open resolver).
config dnsmasq
        option domainneeded '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option rebind_protection '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra_slaac '1'
        option force '1'
        option dhcpv6 'disabled'
        option ra 'disabled'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option name 'console.gl-inet.com'
        option ip '192.168.8.1'

config domain
        option name 'console.gl-inet.com'
        option ip '::ffff:192.168.8.1'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'disabled'
        option ra 'disabled'

config dhcp 'secondwan'
        option interface 'secondwan'
        option ignore '1'
cat firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'secondwan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option input 'DROP'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

# DNAT: LAN client DNS (tcp/udp 53) is redirected to local port 1653 unless
# the packet already carries the 0x8000/0xc000 "direct" mark.
# NOTE(review): what listens on 1653 is not in this dump -- presumably a
# VPN-side resolver. Check with `ss -lnp` (or netstat) and state which
# process it is in the report, since that is the resolver LAN clients hit.
config redirect 'dns_vpn'
        option name 'dns for vpn'
        option src 'lan'
        option src_dport '53'
        option dest 'lan'
        option dest_port '1653'
        option mark '!0x8000/0xc000'
        list proto 'tcp'
        list proto 'udp'
        option enabled '1'

# Same redirect for the guest zone (the guest interface is disabled in the
# network config, so this is currently inactive).
config redirect 'dns_vpn_guest'
        option name 'dns for vpn guest'
        option src 'guest'
        option src_dport '53'
        option dest 'guest'
        option dest_port '1653'
        option mark '!0x8000/0xc000'
        list proto 'tcp'
        list proto 'udp'
        option enabled '1'

# Owner-based marking of locally generated traffic.
# gid 65533 and gid 453 get 0x8000/0xc000, the "direct" mark, so per
# policy_default_rt_vpn (invert '1') their traffic skips table 8000 and
# leaves via the main table / WAN.
config rule 'process_mark'
        option name 'process_mark'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 65533'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

# NOTE(review): if gid 453 is the group the local resolver (dnsmasq) runs
# as, this rule is why its upstream DNS queries go out over WAN rather than
# the tunnel. Confirm by checking the uid/gid of the resolver process
# (e.g. /proc/<pid>/status) and include that in the report.
config rule 'process_mark_dns'
        option name 'process_mark_dns'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 453'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

# gid 20000: sets only bit 0x20000 and leaves the 0xc000 bits alone. Its
# consumer is not visible in this dump.
config rule 'process_explict_vpn'
        option name 'process_explict_vpn'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 20000'
        option target 'MARK'
        option set_xmark '0x20000/0x20000'

config rule 'wan_in_conn_mark'
        option name 'wan_in_conn_mark'
        option src 'wan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
        option enabled '1'

config rule 'lan_in_conn_mark_restore'
        option name 'lan_in_conn_mark_restore'
        option src 'lan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
        option enabled '1'

config rule 'out_conn_mark_restore'
        option name 'out_conn_mark_restore'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
        option enabled '1'

config include 'swap_wan_in_conn_mark'
        option type 'script'
        option reload '1'
        option path '/etc/firewall.swap_wan_in_conn_mark.sh'
        option enabled '1'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'

config zone
        option name 'guest'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'Allow-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config include 'vpn_server_policy'
        option type 'script'
        option path '/etc/firewall.vpn_server_policy.sh'
        option reload '1'
        option enabled '1'

# Zone for the WireGuard client tunnel: nothing arriving from the tunnel
# may reach the router itself (input DROP) and egress is NATed (masq/masq6).
config zone 'wgclient'
        option name 'wgclient'
        option forward 'DROP'
        option output 'ACCEPT'
        option mtu_fix '1'
        option network 'wgclient'
        option input 'DROP'
        option masq '1'
        option masq6 '1'
        option enabled '1'

# NOTE(review): forwarding from wgclient to wan is enabled, so packets
# arriving from the tunnel can be forwarded out the WAN. With the peer's
# allowed_ips '0.0.0.0/0' any IPv4 source address is accepted from the VPN
# provider, so whether this forwarding is needed for a client-only tunnel
# is worth confirming (unrelated to the DNS bug).
config forwarding 'wgclient2wan'
        option src 'wgclient'
        option dest 'wan'
        option enabled '1'

# LAN and guest clients may send traffic into the tunnel.
config forwarding 'lan2wgclient'
        option src 'lan'
        option dest 'wgclient'
        option enabled '1'

config forwarding 'guest2wgclient'
        option src 'guest'
        option dest 'wgclient'
        option enabled '1'
cat gl-dns

# GL.iNet DNS settings: mode 'auto', override_vpn '0'.
# NOTE(review): whether override_vpn governs which resolver answers
# policy-routed domains is not shown here; stating its value (and the
# result of toggling it) in the report helps the maintainers reproduce.
config dns
        option mode 'auto'
        option override_vpn '0'