Regarding the "custom DNS": if I am correct, this disables peer DNS for both WAN and WWAN and also adds the custom DNS in DHCP and DNS.
However, I do not understand what the "Force all clients to use" option does. I presume it calls the script below (found in Firewall > Custom Rules in LuCI).
Can someone confirm this and explain in layman's terms what it does and why it is needed (as the custom DNS settings look watertight to me)?
```sh
force=$(uci get glconfig.general.force_dns)   # set when "Force all clients to use" is ticked
if [ -n "$force" ]; then
    # LAN IPv4 address, parsed from busybox ifconfig's "inet addr:x.x.x.x  Bcast:" line
    lanip=$(ifconfig br-lan | sed -n 's/.*dr:\(.*\) Bc.*/\1/p')
    # Redirect every DNS query (UDP and TCP port 53), from any source, to the router's own resolver
    iptables -t nat -A PREROUTING -s 0/0 -p udp --dport 53 -j DNAT --to "$lanip"
    iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to "$lanip"
fi
```
Regarding the Kill-Switch (Force VPN), i.e. no internet if the VPN is not connected: this appears to delete the LAN > WAN forward and replace it with LAN > VPN Client, and enable masquerading.
However, when I added the kill-switch on my old router, I ended up also changing the following:
Disabling masquerading on WAN/WWAN and changing Input > accept.
This seems to have the same effect, so I was wondering whether both are as good as each other?
Other observations (what I did before):
Permanently set Input on VPN > reject (just following a tutorial I read).
Permanently enable MSS clamping (MTU Fix) on VPN and WAN/WWAN (is there any downside?).
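As an added example (not the vendor's firewall script and not code from this post), here is a dry-run rewrite of the force_dns snippet in POSIX shell that shows what its two working lines do: pull the router's LAN IPv4 address out of ifconfig output, then emit nat PREROUTING rules that DNAT every UDP and TCP packet to port 53 onto that address. This is the part the DHCP/DNS settings alone cannot cover: a client with a hard-coded resolver (a public DNS server typed into its network settings, or an app that ships its own) ignores the DHCP-advertised one, and only the DNAT rule pulls that query back to the router. The function names, the constructed ifconfig sample, the APPLY environment variable, and the `-i` interface match (which limits the redirect to LAN-side traffic instead of the vendor's `-s 0/0`) are my choices, not the firmware's.

```sh
#!/bin/sh
# Added example: dry-run rewrite of the force_dns snippet. It prints the
# iptables commands it would run and only executes them when APPLY=1 is set.

# Extract the IPv4 address of an interface from ifconfig output read on stdin.
# Handles the old busybox format ("inet addr:192.168.8.1  Bcast:...") that the
# vendor's sed expression targets, and the newer net-tools format
# ("inet 192.168.8.1  netmask ...") where that expression would find nothing.
lan_ip_from_ifconfig() {
    sed -n \
        -e 's/.*inet addr:\([0-9.]*\) .*/\1/p' \
        -e 's/.*inet \([0-9.]*\) .*/\1/p' | head -n 1
}

# Build the nat PREROUTING rules that send every DNS query arriving on the LAN
# interface to the router's own resolver. DNAT without a port keeps the
# original destination port, so the query still lands on port 53 of $lanip.
# mode "print" (default) echoes each rule; mode "apply" runs iptables directly.
# The -i match is my hardening choice; the vendor snippet uses -s 0/0 instead.
force_dns_rules() {
    local lanip="$1" lanif="${2:-br-lan}" mode="${3:-print}" proto
    for proto in udp tcp; do
        set -- iptables -t nat -A PREROUTING -i "$lanif" -p "$proto" \
            --dport 53 -j DNAT --to-destination "$lanip"
        if [ "$mode" = apply ]; then "$@"; else echo "$*"; fi
    done
}

# Constructed busybox-style ifconfig output (not captured from a real device).
SAMPLE_IFCONFIG='br-lan    Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.8.1  Bcast:192.168.8.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Dry run on the sample: returns the rules as text instead of installing them.
force_dns_dry_run() {
    local ip
    ip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | lan_ip_from_ifconfig)
    [ -n "$ip" ] || { echo "could not parse LAN address" >&2; return 1; }
    force_dns_rules "$ip" br-lan print
}

if [ "${APPLY:-0}" = 1 ]; then
    # On the router: honour the same uci flag the vendor snippet checks.
    force=$(uci get glconfig.general.force_dns 2>/dev/null)
    if [ -n "$force" ]; then
        ip=$(ifconfig br-lan | lan_ip_from_ifconfig)
        [ -n "$ip" ] || { echo "br-lan has no IPv4 address" >&2; exit 1; }
        force_dns_rules "$ip" br-lan apply
    fi
else
    force_dns_dry_run
fi
```

Run it as-is on a laptop to see the two rules it would install; on the router, `APPLY=1 sh force_dns.sh` installs them only when the uci flag is set. The check that matters afterwards is from a LAN client: a query sent explicitly to a public resolver must still be answered by the router, which means the rules are catching traffic that the DHCP-advertised DNS setting never touches. On OpenWrt releases that use fw4/nftables rather than iptables, the same redirect has to be written as an nft rule instead.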