Did you try to toggle the switch before pressing Apply?
two above switches cannot be toggled also
I flashed 4.6-op24 (05-31 released) and 4.6-op24 (06-07 released), got the same situation.
Model: GL.iNet GL-MT6000
Firmware: 4.6.0 beta3
Compile Time: 2024-06-06 14:27:39 (UTC+00:00)
This is a fresh install with settings erased upon the upgrade to 4.6.0 Beta 3. I'm running my Flint 2 as a Secondary Router again for a few devices, that way I can tweak and test without disturbing the family.
Bug: DNS queries for domains defined in Policy Based Routing for VPN Client is not routed over the VPN Client, instead upstream WAN inteface DNS is used.
Expected behaviour: DNS queries for domains defined in Policy Based Routing for VPN Client are routed over the VPN Client's configured DNS server.
This also affects stable 4.5.8 aswell.
Evidence
This shows DNS queries going out of the upstream WAN DNS for a domain that is routed over the VPN Client.
Configuration information
cat vpnpolicy
config policy 'global'
option kill_switch '0'
option service_policy '1'
option vpn_server_policy '1'
option wan_access '1'
config service 'route_policy'
option proxy_mode '3'
config policy 'vlan'
option private '1'
option guest '1'
config policy 'domain'
option default_policy '0'
option manual '1'
option domain 'browserleaks.com
whatismyipaddress.com'
cat wan-access
config main
option whitelist 0
#config whitelist
# option name 'test1'
# option ipaddr '192.168.1.2'
#config whitelist
# option name 'test2'
# option ipaddr '192.168.12.0/24'
cat wireguard
config proxy 'global'
option global_proxy '1'
config providers 'AzireVPN'
option auth_type '1'
option procedure '0'
option group_id '4'
config providers 'Mullvad'
option auth_type '2'
option procedure '1'
option group_id '2971'
config providers 'FromApp'
option auth_type '1'
option procedure '0'
option group_id '2290'
config groups 'group_4'
option group_name 'AzireVPN'
option group_type '1'
option auth_type '1'
option procedure '0'
config groups 'group_2971'
option group_name 'Mullvad'
option group_type '1'
option auth_type '2'
option procedure '1'
config groups 'group_2290'
option group_name 'FromApp'
option group_type '3'
option auth_type '1'
option procedure '0'
config groups 'group_7542'
option group_name 'New Provider'
option group_type '2'
option auth_type '0'
config peers 'peer_2001'
option group_id '7542'
option name 'ProtonVPN Estonia #20'
option address_v4 '10.2.0.2/32'
option address_v6 ''
option end_point '95.153.31.114:51820'
option private_key 'REDACTED'
option public_key 'REDACTED'
option presharedkey_enable '0'
option allowed_ips '0.0.0.0/0'
option dns '10.2.0.1'
option persistent_keepalive '25'
option local_access '0'
option masq '1'
ip route
default via 192.168.1.1 dev eth1 proto static src 192.168.1.184 (UPSTREAM ROUTER) metric 10
192.168.1.0/24 dev eth1 proto static scope link metric 10
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
ip route show table 8000
default dev wgclient scope link
ip route show table local
local 10.2.0.2 dev wgclient proto kernel scope host src 10.2.0.2
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth1 proto kernel scope link src 192.168.1.184
local 192.168.1.184 dev eth1 proto kernel scope host src 192.168.1.184
broadcast 192.168.1.255 dev eth1 proto kernel scope link src 192.168.1.184
broadcast 192.168.8.0 dev br-lan proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev br-lan proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev br-lan proto kernel scope link src 192.168.8.1
cat network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd6c:c1d0:c831::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
option macaddr '94:83:c4:a2:e8:21'
config device
option name 'lan1'
option macaddr '94:83:c4:a2:e8:21'
config device
option name 'lan2'
option macaddr '94:83:c4:a2:e8:21'
config device
option name 'lan3'
option macaddr '94:83:c4:a2:e8:21'
config device
option name 'lan4'
option macaddr '94:83:c4:a2:e8:21'
config device
option name 'lan5'
option macaddr '94:83:c4:a2:e8:21'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.8.1'
option netmask '255.255.255.0'
option ip6assign '60'
option isolate '0'
config device
option name 'eth1'
option macaddr '94:83:c4:a2:e8:1f'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option force_link '0'
option ipv6 '0'
option classlessroute '0'
option metric '10'
config interface 'wan6'
option proto 'dhcpv6'
option device '@wan'
option disabled '1'
config interface 'tethering6'
option device '@tethering'
option proto 'dhcpv6'
option disabled '1'
config interface 'wwan6'
option device '@wwan'
option proto 'dhcpv6'
option disabled '1'
config interface 'guest'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.9.1'
option netmask '255.255.255.0'
option ip6assign '60'
option multicast_querier '1'
option igmp_snooping '0'
option isolate '0'
option bridge_empty '1'
option disabled '1'
config interface 'wwan'
option proto 'dhcp'
option classlessroute '0'
option metric '20'
config interface 'secondwan'
option ipv6 '0'
option proto 'dhcp'
option metric '15'
option force_link '0'
option classlessroute '0'
config interface 'secondwan6'
option proto 'dhcpv6'
option device '@secondwan'
option disabled '1'
option metric '15'
config interface 'modem_1_1_2_6'
option ifname '@modem_1_1_2'
option proto 'dhcpv6'
option disabled '1'
config rule 'policy_direct_rt'
option lookup 'main'
option suppress_prefixlength '0'
option priority '1100'
config rule 'policy_default_rt_vpn'
option mark '0x8000/0xc000'
option lookup '8000'
option priority '1101'
option invert '1'
config rule6 'policy_direct_rt6'
option lookup 'main'
option suppress_prefixlength '0'
option priority '1100'
config rule6 'policy_default_rt_vpn6'
option mark '0x8000/0xc000'
option lookup '8000'
option priority '1101'
option invert '1'
config rule 'policy_default_rt_vpn_ts'
option lookup 'main'
option priority '1099'
option mark '0x80000/0xc0000'
option invert '0'
config interface 'wgclient'
option proto 'wgclient'
option config 'peer_2001'
option disabled '0'
cat dhcp
config dnsmasq
option domainneeded '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option rebind_protection '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ra_slaac '1'
option force '1'
option dhcpv6 'disabled'
option ra 'disabled'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config domain
option name 'console.gl-inet.com'
option ip '192.168.8.1'
config domain
option name 'console.gl-inet.com'
option ip '::ffff:192.168.8.1'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'disabled'
option ra 'disabled'
config dhcp 'secondwan'
option interface 'secondwan'
option ignore '1'
cat firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
list network 'wwan'
list network 'secondwan'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option input 'DROP'
option masq '1'
config forwarding
option src 'lan'
option dest 'wan'
option enabled '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config include 'nat6'
option path '/etc/firewall.nat6'
option reload '1'
config redirect 'dns_vpn'
option name 'dns for vpn'
option src 'lan'
option src_dport '53'
option dest 'lan'
option dest_port '1653'
option mark '!0x8000/0xc000'
list proto 'tcp'
list proto 'udp'
option enabled '1'
config redirect 'dns_vpn_guest'
option name 'dns for vpn guest'
option src 'guest'
option src_dport '53'
option dest 'guest'
option dest_port '1653'
option mark '!0x8000/0xc000'
list proto 'tcp'
list proto 'udp'
option enabled '1'
config rule 'process_mark'
option name 'process_mark'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 65533'
option target 'MARK'
option set_xmark '0x8000/0xc000'
config rule 'process_mark_dns'
option name 'process_mark_dns'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 453'
option target 'MARK'
option set_xmark '0x8000/0xc000'
config rule 'process_explict_vpn'
option name 'process_explict_vpn'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 20000'
option target 'MARK'
option set_xmark '0x20000/0x20000'
config rule 'wan_in_conn_mark'
option name 'wan_in_conn_mark'
option src 'wan'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
option enabled '1'
config rule 'lan_in_conn_mark_restore'
option name 'lan_in_conn_mark_restore'
option src 'lan'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
option enabled '1'
config rule 'out_conn_mark_restore'
option name 'out_conn_mark_restore'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
option enabled '1'
config include 'swap_wan_in_conn_mark'
option type 'script'
option reload '1'
option path '/etc/firewall.swap_wan_in_conn_mark.sh'
option enabled '1'
config include 'glblock'
option type 'script'
option path '/usr/bin/gl_block.sh'
option reload '1'
config zone
option name 'guest'
option network 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
config forwarding
option src 'guest'
option dest 'wan'
option enabled '1'
config rule
option name 'Allow-DHCP'
option src 'guest'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule
option name 'Allow-DNS'
option src 'guest'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
config include 'vpn_server_policy'
option type 'script'
option path '/etc/firewall.vpn_server_policy.sh'
option reload '1'
option enabled '1'
config zone 'wgclient'
option name 'wgclient'
option forward 'DROP'
option output 'ACCEPT'
option mtu_fix '1'
option network 'wgclient'
option input 'DROP'
option masq '1'
option masq6 '1'
option enabled '1'
config forwarding 'wgclient2wan'
option src 'wgclient'
option dest 'wan'
option enabled '1'
config forwarding 'lan2wgclient'
option src 'lan'
option dest 'wgclient'
option enabled '1'
config forwarding 'guest2wgclient'
option src 'guest'
option dest 'wgclient'
option enabled '1'
cat gl-dns
config dns
option mode 'auto'
option override_vpn '0'
For me it's working without problems as usual on 4.6-op24...
I tried that too.
Updated firmware without saving current config settings, then just tested with the default 5Ghz network. Same behaviour unfortunately.
I'm updating this post, new test after installing SQM on LuCI, make it persistent to a restart and disabling network acceleration
MT-6000 SQM
Ps. By the way I'm on the last op24 firmware
1 Like
Are you testing with Mullvad or Proton? Pls specific and I will test again.
ProtonVPN. I can test with Mullvad if required.
Model: GL.iNet GL-MT6000
Firmware: 4.6.0 beta3
Compile Time: 2024-06-06 14:27:39 (UTC+00:00)
Tested with Mullvad, same issue.
Configuration Information
cat vpnpolicy
config policy 'global'
option kill_switch '0'
option service_policy '1'
option vpn_server_policy '1'
option wan_access '1'
config service 'route_policy'
option proxy_mode '3'
config policy 'vlan'
option private '1'
option guest '1'
config policy 'domain'
option default_policy '0'
option manual '1'
option domain 'browserleaks.com
whatismyipaddress.com'
cat wan-access
config main
option whitelist 0
#config whitelist
# option name 'test1'
# option ipaddr '192.168.1.2'
#config whitelist
# option name 'test2'
# option ipaddr '192.168.12.0/24'
cat wireguard
config proxy 'global'
option global_proxy '1'
config providers 'AzireVPN'
option auth_type '1'
option procedure '0'
option group_id '4'
config providers 'Mullvad'
option auth_type '2'
option procedure '1'
option group_id '2971'
config providers 'FromApp'
option auth_type '1'
option procedure '0'
option group_id '2290'
config groups 'group_4'
option group_name 'AzireVPN'
option group_type '1'
option auth_type '1'
option procedure '0'
config groups 'group_2971'
option group_name 'Mullvad'
option group_type '1'
option auth_type '2'
option procedure '1'
option username '2857979390954512'
option address '10.69.209.36/32,fc00:bbbb:bbbb:bb01::6:d123/128'
option public_key 'YH4QzbUlvWyOvSA9IisTmnBoKq7iQvHq09EQMJeyag0='
option private_key '+Lkav9tc7oClsMNV/ktn6TiEONA5uo1fmk1tSDNvwkA='
config groups 'group_2290'
option group_name 'FromApp'
option group_type '3'
option auth_type '1'
option procedure '0'
config groups 'group_7542'
option group_name 'New Provider'
option group_type '2'
option auth_type '0'
config peers 'peer_2001'
option group_id '7542'
option name 'ProtonVPN Estonia #20'
option address_v4 '10.2.0.2/32'
option end_point '95.153.31.114:51820'
option private_key 'REDACTED'
option public_key 'REDACTED'
option presharedkey_enable '0'
option allowed_ips '0.0.0.0/0'
option dns '10.2.0.1'
option persistent_keepalive '25'
option local_access '0'
option masq '1'
config peers peer_2002
option group_id '2971'
option name 'Slovenia_si-lju-wg-001'
option location 'Slovenia, Ljubljana'
option address_v4 '10.69.209.36/32'
option address_v6 'fc00:bbbb:bbbb:bb01::6:d123/128'
option private_key 'REDACTED'
option dns '193.138.219.228'
option end_point '93.115.0.3:3248'
option public_key 'REDACTED'
option allowed_ips '0.0.0.0/0,::/0'
option persistent_keepalive '25'
option mtu '1380'
option local_access '0'
option masq '1'
config peers peer_2003
option group_id '2971'
option name 'Slovenia_si-lju-wg-002'
option location 'Slovenia, Ljubljana'
option address_v4 '10.69.209.36/32'
option address_v6 'fc00:bbbb:bbbb:bb01::6:d123/128'
option private_key 'REDACTED'
option dns '193.138.219.228'
option end_point '93.115.0.33:3249'
option public_key 'REDACTED'
option allowed_ips '0.0.0.0/0,::/0'
option persistent_keepalive '25'
option mtu '1380'
option local_access '0'
option masq '1'
cat network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd6c:c1d0:c831::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
option macaddr '94:83:c4:a2:e8:21'
config device
option name 'lan1'
option macaddr '94:83:c4:a2:e8:21'
config device
option name 'lan2'
option macaddr '94:83:c4:a2:e8:21'
config device
option name 'lan3'
option macaddr '94:83:c4:a2:e8:21'
config device
option name 'lan4'
option macaddr '94:83:c4:a2:e8:21'
config device
option name 'lan5'
option macaddr '94:83:c4:a2:e8:21'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.8.1'
option netmask '255.255.255.0'
option ip6assign '60'
option isolate '0'
config device
option name 'eth1'
option macaddr '94:83:c4:a2:e8:1f'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option force_link '0'
option ipv6 '0'
option classlessroute '0'
option metric '10'
config interface 'wan6'
option proto 'dhcpv6'
option device '@wan'
option disabled '1'
config interface 'tethering6'
option device '@tethering'
option proto 'dhcpv6'
option disabled '1'
config interface 'wwan6'
option device '@wwan'
option proto 'dhcpv6'
option disabled '1'
config interface 'guest'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.9.1'
option netmask '255.255.255.0'
option ip6assign '60'
option multicast_querier '1'
option igmp_snooping '0'
option isolate '0'
option bridge_empty '1'
option disabled '1'
config interface 'wwan'
option proto 'dhcp'
option classlessroute '0'
option metric '20'
config interface 'secondwan'
option ipv6 '0'
option proto 'dhcp'
option metric '15'
option force_link '0'
option classlessroute '0'
config interface 'secondwan6'
option proto 'dhcpv6'
option device '@secondwan'
option disabled '1'
option metric '15'
config interface 'modem_1_1_2_6'
option proto 'dhcpv6'
option disabled '1'
option device '@modem_1_1_2'
config rule 'policy_direct_rt'
option lookup 'main'
option suppress_prefixlength '0'
option priority '1100'
config rule 'policy_default_rt_vpn'
option mark '0x8000/0xc000'
option lookup '8000'
option priority '1101'
option invert '1'
config rule6 'policy_direct_rt6'
option lookup 'main'
option suppress_prefixlength '0'
option priority '1100'
config rule6 'policy_default_rt_vpn6'
option mark '0x8000/0xc000'
option lookup '8000'
option priority '1101'
option invert '1'
config rule 'policy_default_rt_vpn_ts'
option lookup 'main'
option priority '1099'
option mark '0x80000/0xc0000'
option invert '0'
config interface 'wgclient'
option proto 'wgclient'
option disabled '0'
option config 'peer_2002'
cat dhcp
config dnsmasq
option domainneeded '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option rebind_protection '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ra_slaac '1'
option force '1'
option dhcpv6 'disabled'
option ra 'disabled'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config domain
option name 'console.gl-inet.com'
option ip '192.168.8.1'
config domain
option name 'console.gl-inet.com'
option ip '::ffff:192.168.8.1'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'disabled'
option ra 'disabled'
config dhcp 'secondwan'
option interface 'secondwan'
option ignore '1'
cat firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
list network 'wwan'
list network 'secondwan'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option input 'DROP'
option masq '1'
config forwarding
option src 'lan'
option dest 'wan'
option enabled '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config include 'nat6'
option path '/etc/firewall.nat6'
option reload '1'
config redirect 'dns_vpn'
option name 'dns for vpn'
option src 'lan'
option src_dport '53'
option dest 'lan'
option dest_port '1653'
option mark '!0x8000/0xc000'
list proto 'tcp'
list proto 'udp'
option enabled '1'
config redirect 'dns_vpn_guest'
option name 'dns for vpn guest'
option src 'guest'
option src_dport '53'
option dest 'guest'
option dest_port '1653'
option mark '!0x8000/0xc000'
list proto 'tcp'
list proto 'udp'
option enabled '1'
config rule 'process_mark'
option name 'process_mark'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 65533'
option target 'MARK'
option set_xmark '0x8000/0xc000'
config rule 'process_mark_dns'
option name 'process_mark_dns'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 453'
option target 'MARK'
option set_xmark '0x8000/0xc000'
config rule 'process_explict_vpn'
option name 'process_explict_vpn'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 20000'
option target 'MARK'
option set_xmark '0x20000/0x20000'
config rule 'wan_in_conn_mark'
option name 'wan_in_conn_mark'
option src 'wan'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
option enabled '1'
config rule 'lan_in_conn_mark_restore'
option name 'lan_in_conn_mark_restore'
option src 'lan'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
option enabled '1'
config rule 'out_conn_mark_restore'
option name 'out_conn_mark_restore'
option dest '*'
option set_xmark '0x8000/0xc000'
option target 'MARK'
option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
option enabled '1'
config include 'swap_wan_in_conn_mark'
option type 'script'
option reload '1'
option path '/etc/firewall.swap_wan_in_conn_mark.sh'
option enabled '1'
config include 'glblock'
option type 'script'
option path '/usr/bin/gl_block.sh'
option reload '1'
config zone
option name 'guest'
option network 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
config forwarding
option src 'guest'
option dest 'wan'
option enabled '1'
config rule
option name 'Allow-DHCP'
option src 'guest'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule
option name 'Allow-DNS'
option src 'guest'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
config include 'vpn_server_policy'
option type 'script'
option path '/etc/firewall.vpn_server_policy.sh'
option reload '1'
option enabled '1'
config zone 'wgclient'
option name 'wgclient'
option forward 'DROP'
option output 'ACCEPT'
option mtu_fix '1'
option network 'wgclient'
option input 'DROP'
option masq '1'
option masq6 '1'
option enabled '1'
config forwarding 'wgclient2wan'
option src 'wgclient'
option dest 'wan'
option enabled '1'
config forwarding 'lan2wgclient'
option src 'lan'
option dest 'wgclient'
option enabled '1'
config forwarding 'guest2wgclient'
option src 'guest'
option dest 'wgclient'
option enabled '1'
config rule 'ping_wan'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option target 'ACCEPT'
cat gl-dns
config dns
option mode 'auto'
option override_vpn '0'
ip route
default via 192.168.1.1 dev eth1 proto static src 192.168.1.184 metric 10
192.168.1.0/24 dev eth1 proto static scope link metric 10
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
ip route show table 8000
default dev wgclient scope link
ip route show table local
local 10.69.209.36 dev wgclient proto kernel scope host src 10.69.209.36
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth1 proto kernel scope link src 192.168.1.184
local 192.168.1.184 dev eth1 proto kernel scope host src 192.168.1.184
broadcast 192.168.1.255 dev eth1 proto kernel scope link src 192.168.1.184
broadcast 192.168.8.0 dev br-lan proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev br-lan proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev br-lan proto kernel scope link src 192.168.8.1
Is AdGuard Home enabled?
In the configuration I provided it's not enabled. However I have tested with it enabled and unfortunately the issue is still present.
Adguard home is quite cool though, and apart from the queries all being reported from localhost I've not had any issues with adguard.
I might try the op24 firmware and see if that has the same DNS leak issue.
Another Coredump, and 5Ghz dont connect until a reboot.
<1>[53456.430022] Unable to handle kernel paging request at virtual address 005390baa327ec65
<1>[53456.437936] Mem abort info:
<1>[53456.440733] ESR = 0x0000000096000004
<1>[53456.444467] EC = 0x25: DABT (current EL), IL = 32 bits
<1>[53456.449767] SET = 0, FnV = 0
<1>[53456.452846] EA = 0, S1PTW = 0
<1>[53456.456012] FSC = 0x04: level 0 translation fault
<1>[53456.460924] Data abort info:
<1>[53456.463800] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
<1>[53456.469271] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
<1>[53456.474343] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
<1>[53456.479645] [005390baa327ec65] address between user and kernel address ranges
<0>[53456.486795] Internal error: Oops: 0000000096000004 [#1] SMP
<7>[53456.492358] Modules linked in: pppoe ppp_async option wireguard usb_wwan rndis_host qmi_wwan pppox ppp_generic nft_fib_inet nf_flow_table_inet mt7915e(O) mt76_connac_lib(O) mt76(O) mac80211(O) libchacha20poly1305 ipt_REJECT huawei_cdc_ncm chacha_neon cfg80211(O) cdc_ncm cdc_ether xt_time xt_tcpudp xt_tcpmss xt_statistic xt_state xt_recent xt_quota xt_pkttype xt_owner xt_nat xt_multiport xt_mark xt_mac xt_limit xt_length xt_hl xt_helper xt_ecn xt_dscp xt_conntrack xt_connmark xt_connlimit xt_connbytes xt_comment xt_cgroup xt_addrtype xt_TCPMSS xt_REDIRECT xt_MASQUERADE xt_LOG xt_HL xt_DSCP xt_CT xt_CLASSIFY usbserial usbnet ts_fsm ts_bm slhc poly1305_neon nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir nft_quota nft_numgen nft_nat nft_masq nft_log nft_limit nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct nft_compat nft_chain_nat nf_tables nf_reject_ipv4 nf_nat_tftp nf_nat_snmp_basic nf_nat_sip nf_nat_pptp nf_nat_irc nf_nat_h323 nf_nat_amanda nf_log_syslog nf_flow_table
<7>[53456.492543] nf_conntrack_tftp nf_conntrack_snmp nf_conntrack_sip nf_conntrack_pptp nf_conntrack_netlink nf_conntrack_irc nf_conntrack_h323 nf_conntrack_broadcast ts_kmp nf_conntrack_amanda nf_conncount mdio_netlink(O) libcurve25519_generic libcrc32c libchacha iptable_nat iptable_mangle iptable_filter ipt_ECN ipheth ip_tables compat(O) cdc_wdm cdc_acm br_netfilter asn1_decoder arptable_filter arpt_mangle arp_tables crypto_safexcel fuse sch_tbf sch_ingress sch_htb sch_hfsc em_u32 cls_u32 cls_route cls_matchall cls_fw cls_flow cls_basic act_skbedit act_mirred act_gact xt_set ip_set_list_set ip_set_hash_netportnet ip_set_hash_netport ip_set_hash_netnet ip_set_hash_netiface ip_set_hash_net ip_set_hash_mac ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_hash_ipport ip_set_hash_ipmark ip_set_hash_ipmac ip_set_hash_ip ip_set_bitmap_port ip_set_bitmap_ipmac ip_set_bitmap_ip ip_set nfnetlink ip6table_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_NPT ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables
<7>[53456.581693] nf_reject_ipv6 ifb ip6_udp_tunnel udp_tunnel tun ntfs nls_utf8 nls_iso8859_1 nls_cp437 sha512_arm64 sha1_ce sha1_generic seqiv md5 geniv des_generic libdes authencesn authenc uas usb_storage leds_gpio xhci_plat_hcd xhci_pci xhci_mtk_hcd xhci_hcd uhci_hcd ohci_platform ohci_hcd fsl_mph_dr_of ehci_platform ehci_fsl kmwan(O) ehci_hcd gpio_button_hotplug(O) gl_sdk4_tertf(O) gl_sdk4_black_white_list(O) vfat fat exfat usbcore usb_common aquantia mii gl_sdk4_hw_info(O)
<7>[53456.713686] CPU: 3 PID: 32714 Comm: kworker/u8:0 Tainted: G O 6.6.32 #0
<7>[53456.721669] Hardware name: GL.iNet GL-MT6000 (DT)
<7>[53456.726355] Workqueue: phy0 mt7915_mac_work [mt7915e]
<7>[53456.731412] pstate: a0400005 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
<7>[53456.738353] pc : kmem_cache_alloc_node+0xb0/0x25c
<7>[53456.743044] lr : kmem_cache_alloc_node+0x3c/0x25c
<7>[53456.747731] sp : ffffffc08906bae0
<7>[53456.751029] x29: ffffffc08906bae0 x28: 0000000000000000 x27: ffffff80058fd130
<7>[53456.758145] x26: 0000000083001000 x25: 0000000000000cc0 x24: 00000000000000e0
<7>[53456.765262] x23: ffffffc080b98000 x22: 00000000ffffffff x21: 0000000000000000
<7>[53456.772377] x20: 0000000000000cc0 x19: ffffff8000037000 x18: 00000000ffffffff
<7>[53456.779494] x17: 0000000000000028 x16: 0000000000000000 x15: ffffff80047588a6
<7>[53456.786609] x14: 0000000000000000 x13: 0000000000000020 x12: 0101010101010101
<7>[53456.793726] x11: 7f7f7f7f7f7f7f7f x10: fefefefefefefeff x9 : 7f7f7f7f7f7f7f7f
<7>[53456.800843] x8 : 0000000000000000 x7 : 0000000000000004 x6 : ffffffc08906bc60
<7>[53456.807959] x5 : 00000000004f6c1d x4 : 00000000004f6c1c x3 : 7cb4a973b8a7c672
<7>[53456.815074] x2 : 0000000000000070 x1 : 65ec27a3ba9053e8 x0 : e85390baa327ebf5
<7>[53456.822191] Call trace:
<7>[53456.824623] kmem_cache_alloc_node+0xb0/0x25c
<7>[53456.828965] __alloc_skb+0x110/0x140
<7>[53456.832528] __mt76_mcu_msg_alloc+0x48/0xd0 [mt76]
<7>[53456.837312] mt76_mcu_send_and_get_msg+0x54/0x8c [mt76]
<7>[53456.842525] mt7915_mcu_get_chan_mib_info+0x98/0x1c4 [mt7915e]
<7>[53456.848346] mt7915_update_channel+0x48/0x1a0 [mt7915e]
<7>[53456.853559] mt76_update_survey+0x2c/0xe4 [mt76]
<7>[53456.858166] mt7915_mac_work+0x2c/0x130 [mt7915e]
<7>[53456.862858] process_one_work+0x154/0x2a0
<7>[53456.866856] worker_thread+0x2a8/0x484
<7>[53456.870590] kthread+0xd8/0xdc
<7>[53456.873630] ret_from_fork+0x10/0x20
<0>[53456.877195] Code: b9402a62 f9405e63 8b020001 dac00c21 (f8626802)
<4>[53456.883268] ---[ end trace 0000000000000000 ]---
Panic#2 Part1
<1>[53456.430022] Unable to handle kernel paging request at virtual address 005390baa327ec65
<1>[53456.437936] Mem abort info:
<1>[53456.440733] ESR = 0x0000000096000004
<1>[53456.444467] EC = 0x25: DABT (current EL), IL = 32 bits
<1>[53456.449767] SET = 0, FnV = 0
<1>[53456.452846] EA = 0, S1PTW = 0
<1>[53456.456012] FSC = 0x04: level 0 translation fault
<1>[53456.460924] Data abort info:
<1>[53456.463800] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
<1>[53456.469271] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
<1>[53456.474343] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
<1>[53456.479645] [005390baa327ec65] address between user and kernel address ranges
<0>[53456.486795] Internal error: Oops: 0000000096000004 [#1] SMP
<7>[53456.492358] Modules linked in: pppoe ppp_async option wireguard usb_wwan rndis_host qmi_wwan pppox ppp_generic nft_fib_inet nf_flow_table_inet mt7915e(O) mt76_connac_lib(O) mt76(O) mac80211(O) libchacha20poly1305 ipt_REJECT huawei_cdc_ncm chacha_neon cfg80211(O) cdc_ncm cdc_ether xt_time xt_tcpudp xt_tcpmss xt_statistic xt_state xt_recent xt_quota xt_pkttype xt_owner xt_nat xt_multiport xt_mark xt_mac xt_limit xt_length xt_hl xt_helper xt_ecn xt_dscp xt_conntrack xt_connmark xt_connlimit xt_connbytes xt_comment xt_cgroup xt_addrtype xt_TCPMSS xt_REDIRECT xt_MASQUERADE xt_LOG xt_HL xt_DSCP xt_CT xt_CLASSIFY usbserial usbnet ts_fsm ts_bm slhc poly1305_neon nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir nft_quota nft_numgen nft_nat nft_masq nft_log nft_limit nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct nft_compat nft_chain_nat nf_tables nf_reject_ipv4 nf_nat_tftp nf_nat_snmp_basic nf_nat_sip nf_nat_pptp nf_nat_irc nf_nat_h323 nf_nat_amanda nf_log_syslog nf_flow_table
<7>[53456.492543] nf_conntrack_tftp nf_conntrack_snmp nf_conntrack_sip nf_conntrack_pptp nf_conntrack_netlink nf_conntrack_irc nf_conntrack_h323 nf_conntrack_broadcast ts_kmp nf_conntrack_amanda nf_conncount mdio_netlink(O) libcurve25519_generic libcrc32c libchacha iptable_nat iptable_mangle iptable_filter ipt_ECN ipheth ip_tables compat(O) cdc_wdm cdc_acm br_netfilter asn1_decoder arptable_filter arpt_mangle arp_tables crypto_safexcel fuse sch_tbf sch_ingress sch_htb sch_hfsc em_u32 cls_u32 cls_route cls_matchall cls_fw cls_flow cls_basic act_skbedit act_mirred act_gact xt_set ip_set_list_set ip_set_hash_netportnet ip_set_hash_netport ip_set_hash_netnet ip_set_hash_netiface ip_set_hash_net ip_set_hash_mac ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_hash_ipport ip_set_hash_ipmark ip_set_hash_ipmac ip_set_hash_ip ip_set_bitmap_port ip_set_bitmap_ipmac ip_set_bitmap_ip ip_set nfnetlink ip6table_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_NPT ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables
<7>[53456.581693] nf_reject_ipv6 ifb ip6_udp_tunnel udp_tunnel tun ntfs nls_utf8 nls_iso8859_1 nls_cp437 sha512_arm64 sha1_ce sha1_generic seqiv md5 geniv des_generic libdes authencesn authenc uas usb_storage leds_gpio xhci_plat_hcd xhci_pci xhci_mtk_hcd xhci_hcd uhci_hcd ohci_platform ohci_hcd fsl_mph_dr_of ehci_platform ehci_fsl kmwan(O) ehci_hcd gpio_button_hotplug(O) gl_sdk4_tertf(O) gl_sdk4_black_white_list(O) vfat fat exfat usbcore usb_common aquantia mii gl_sdk4_hw_info(O)
<7>[53456.713686] CPU: 3 PID: 32714 Comm: kworker/u8:0 Tainted: G O 6.6.32 #0
<7>[53456.721669] Hardware name: GL.iNet GL-MT6000 (DT)
<7>[53456.726355] Workqueue: phy0 mt7915_mac_work [mt7915e]
<7>[53456.731412] pstate: a0400005 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
<7>[53456.738353] pc : kmem_cache_alloc_node+0xb0/0x25c
<7>[53456.743044] lr : kmem_cache_alloc_node+0x3c/0x25c
<7>[53456.747731] sp : ffffffc08906bae0
<7>[53456.751029] x29: ffffffc08906bae0 x28: 0000000000000000 x27: ffffff80058fd130
<7>[53456.758145] x26: 0000000083001000 x25: 0000000000000cc0 x24: 00000000000000e0
<7>[53456.765262] x23: ffffffc080b98000 x22: 00000000ffffffff x21: 0000000000000000
<7>[53456.772377] x20: 0000000000000cc0 x19: ffffff8000037000 x18: 00000000ffffffff
<7>[53456.779494] x17: 0000000000000028 x16: 0000000000000000 x15: ffffff80047588a6
<7>[53456.786609] x14: 0000000000000000 x13: 0000000000000020 x12: 0101010101010101
<7>[53456.793726] x11: 7f7f7f7f7f7f7f7f x10: fefefefefefefeff x9 : 7f7f7f7f7f7f7f7f
<7>[53456.800843] x8 : 0000000000000000 x7 : 0000000000000004 x6 : ffffffc08906bc60
<7>[53456.807959] x5 : 00000000004f6c1d x4 : 00000000004f6c1c x3 : 7cb4a973b8a7c672
<7>[53456.815074] x2 : 0000000000000070 x1 : 65ec27a3ba9053e8 x0 : e85390baa327ebf5
<7>[53456.822191] Call trace:
<7>[53456.824623] kmem_cache_alloc_node+0xb0/0x25c
<7>[53456.828965] __alloc_skb+0x110/0x140
<7>[53456.832528] __mt76_mcu_msg_alloc+0x48/0xd0 [mt76]
<7>[53456.837312] mt76_mcu_send_and_get_msg+0x54/0x8c [mt76]
<7>[53456.842525] mt7915_mcu_get_chan_mib_info+0x98/0x1c4 [mt7915e]
<7>[53456.848346] mt7915_update_channel+0x48/0x1a0 [mt7915e]
<7>[53456.853559] mt76_update_survey+0x2c/0xe4 [mt76]
<7>[53456.858166] mt7915_mac_work+0x2c/0x130 [mt7915e]
<7>[53456.862858] process_one_work+0x154/0x2a0
<7>[53456.866856] worker_thread+0x2a8/0x484
<7>[53456.870590] kthread+0xd8/0xdc
<7>[53456.873630] ret_from_fork+0x10/0x20
<0>[53456.877195] Code: b9402a62 f9405e63 8b020001 dac00c21 (f8626802)
<4>[53456.883268] ---[ end trace 0000000000000000 ]---
<3>[53456.924203] pstore: backend (ramoops) writing error (-28)
<0>[53456.929594] Kernel panic - not syncing: Oops: Fatal exception
<2>[53456.935322] SMP: stopping secondary CPUs
<0>[53456.939230] Kernel Offset: disabled
<0>[53456.942701] CPU features: 0x0,00000000,00000000,1000400b
<0>[53456.947995] Memory Limit: none
I don't have DNS leaking with the OP24 firmware version Model: GL.iNet GL-MT6000
Firmware: 4.6.0 beta3.I am using Torguard as a VPN provider.
It seems to be better on 4.6.0-op24.
Adguard is disabled here with Allow Custom DNS to Override VPN DNS toggled off.
Here's the result with Adguard enabled and with Allow Custom DNS to Override VPN DNS toggled off.
You can see a mix of Wireguard and Adguard DNS.
This was on a fresh install with settings wiped.
Did you add ipv6 resolvers to AG? default it has only ipv4
nope, I only added ipv4 addresses.
Upstream
1.1.1.1
1.0.0.1
9.9.9.9
149.112.112.112
8.8.8.8
8.8.4.4
Fallback
192.168.1.1
45.90.28.242
45.90.30.242
No leaks shown on same test site. Using default settings AdGuard and Mulvad.
Here's the default Adguard config and with a Mullvad Tunnel.
Allow Custom DNS to Override VPN DNS is toggled off. The default Adguard config includes the Google and Quad9 servers you can see.
