MT-3000 upgraded to 4.8 - Wireguard DNS no longer works

I have been running an MT-3000 with V4.7.2 for quite a while. I use Wireguard to tunnel select IP ranges back to a PFSense server. Using Luci I set the default local domain and DNS forwarding to ensure that host names for my private domain are resolved correctly. This has been working great.

I just upgraded to 4.8.1 (after being prompted), working through the configuration issues (none of the Wireguard setup including global proxy, etc. is preserved). So I mapped the IP ranges in the Primary Tunnel config, went into Luci to re-setup the DNS mapping, etc. The tunnel is working flawlessly with all traffic flowing as expected.

Except DNS - I cannot get any port 53 UDP traffic to flow over Wireguard. Under Network→DNS I have no options set (i.e., DNS Rebinding Attack Protection, Override DNS Settings of All Clients, etc.). I have done a bunch of debugging (on a Macbook attached to the MT-3000) including:

  • If I manually nslookup and set the remote server all DNS will time out.
  • I added a NAT rule on my firewall to map port 5353 to 53 on the Wireguard VLAN. Using nslookup on my Macbook I then tested setting port 5353 and all DNS works just fine.

This appears to mean that when Wireguard is active, no UDP port 53 traffic is permitted. I have explicitly set firewall rules to permit AND it always worked in the past under 4.7.2. The problem appears to have been introduced in 4.8.

Looking at MT-3000 firewall rules there is no obvious reason for port 53 to be dropped. Perhaps there was a prior rule to permit? Short of re-installing 4.7.2 I don’t have any direct way of testing this.

I am able to work around this by setting hosts via “Edit Hosts” but that is non-optimal because I have to ensure I keep those addresses up to date.

Any help/suggestions would be appreciated.

-Jeff

Some configuration information:

  • Network Mode: Router
  • Network → DNS: DNS from Primary Tunnel is the correct IP address (port 5353 works, port 53 does not as described above)
  • Other than the Wireguard setup, this is a relatively simple configuration: DHCP setup for the clients (offering 192.168.8.100→254, MT-3000 is 182.168.8.1).
  • VPN mode: Policy
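The port comparison described in the post above (the resolver behind the tunnel answers on the NAT-mapped alternate port but not on UDP/53) can be scripted so the two outcomes are classified consistently rather than read off by eye. The script below is an added example and is not from the thread, from GL.iNet or from the poster; it assumes `dig` is installed (it ships with macOS) and uses placeholder values for the resolver address, the ports and the test hostname, which you replace with your own.

```shell
#!/bin/sh
# Added example (not from the forum thread): probe one DNS resolver on several
# UDP ports with identical queries and classify each result, reproducing the
# "port 5353 works, port 53 times out" comparison from the post in a repeatable way.
# Assumptions (labelled): dig is installed; the server, ports and hostname used
# in the example invocation at the bottom are placeholders.

# Classify the text output of a single dig run. Reads dig's output from stdin
# and prints exactly one word: ok, timeout, refused, nxdomain or unknown.
classify_dig_output() {
  out=$(cat)
  case "$out" in
    *"timed out"*|*"no servers could be reached"*) echo timeout ;;
    *"status: REFUSED"*)  echo refused ;;
    *"status: NXDOMAIN"*) echo nxdomain ;;
    *"status: NOERROR"*)  echo ok ;;
    *)                    echo unknown ;;
  esac
}

# Query NAME (A record) against SERVER on PORT with a 2 s timeout and a single
# try, then classify the outcome. Usage: probe_dns_port SERVER PORT NAME
probe_dns_port() {
  server=$1; port=$2; name=$3
  dig @"$server" -p "$port" +time=2 +tries=1 "$name" A 2>&1 | classify_dig_output
}

# Run the same query against SERVER on every port given, printing one line per
# port. Usage: compare_dns_ports SERVER NAME PORT [PORT...]
compare_dns_ports() {
  server=$1; name=$2
  shift 2
  for port in "$@"; do
    printf '%s:%s %s\n' "$server" "$port" "$(probe_dns_port "$server" "$port" "$name")"
  done
}

# True (exit 0) when the two classifications match the symptom in the post:
# the port-53 query timed out while the alternate-port query succeeded. That
# pattern means the resolver itself answers and something on the path
# (a firewall or policy rule) is dropping port-53 traffic into the tunnel.
# Usage: port53_blocked_pattern RESULT_ON_53 RESULT_ON_ALT_PORT
port53_blocked_pattern() {
  [ "$1" = timeout ] && [ "$2" = ok ]
}

# Example invocation (placeholder values, constructed for this example):
#   sh dnsprobe.sh --run 10.8.0.1 host.example.lan
# runs the comparison against resolver 10.8.0.1 on ports 53 and 5353.
if [ "${1:-}" = "--run" ]; then
  compare_dns_ports "${2:-10.8.0.1}" "${3:-host.example.lan}" 53 5353
fi
```

A `timeout` on 53 next to `ok` on the alternate port points at a drop on the path (router firewall, VPN policy rule, or the upstream firewall), whereas `refused` or `nxdomain` on both ports means the packets are reaching the resolver and the problem is in its configuration, not in the tunnel.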

Hi

Could you draw a detailed network topology and share screenshots of the MT3000's VPN Dashboard & DNS configuration so we can understand your use case?

We tested locally using MT3000 with 4.8.1, and successfully resolved domain with the DNS address of the peer WireGuard interface.