After installing the Dec 697 yesterday everything appeared to work until I found I could not pass DNS queries from one interface. I have as outgoing rules
- LAN any to any - this works
- IoT and Servers - pass anything not to local - appears to work for servers, not for IoT, with a further wrinkle.
- Unbound listens on all ports.
- An override in Unbound allows LAN access to the servers.
- DHCP is Kea.
- Crowdsec is off.
I added a prior rule to IoT to allow port 53 to the firewall, trying by a DNAT rule as advised, and as a direct "pass port 53" which also appeared to allow the traffic to pass but without allowing DNS queries.
Testing Servers to see why it worked but IoT did not with otherwise the same rules, I found something really weird.
I have three computers on the Servers net, all connected to the same unmanaged switch. Using SSH into each and trying
    dig au.archive.ubuntu.com

I found the following results:
- Box 1 answered correctly, from 127.0.0.1
- Box 2 answered correctly from root servers
- Box 3 said servfail from 127.0.0.1
Are the simple rules sound? What sort of configuration might lead to different behaviours or responses? I have "Use system servers" unchecked. The previous router did not use Kea or Unbound but rules are otherwise copied across.
I can try checking what might be configured in the three boxes. Other than that one is MacOS and the other two Ubuntu Linux they should be the same. My query here is firstly to make sure that there is no immediate flaw in the firewall rules model or related configuration that someone is aware might produce this oddity.
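A diagnostic helper for the three-box comparison above, added here as an example and not part of the original post or the poster's configuration. The point it makes explicit: when dig reports `SERVER: 127.0.0.1` (or `127.0.0.53`, systemd-resolved's stub), the answer came from a resolver running on the host itself, so that host's own resolver configuration sits in front of any firewall rule; only a query sent directly at the firewall (`dig @FW_IP`) exercises the rule path alone. The script parses dig's `status:` and `;; SERVER:` lines and labels the answer origin, then (when given the firewall address as `$1`, a hypothetical argument) runs the same name through the host's default resolver and through the firewall directly and prints which upstream the host's stub is configured to use. The dig outputs embedded below are constructed samples, not captured from the poster's machines; `192.0.2.1` is a documentation address standing in for a remote server.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Assumes dig is installed
# on each host and that the firewall's address on this host's VLAN is passed as
# the first argument (hypothetical FW_IP); the second argument is the name to
# look up (defaults to the name used in the post).

# Constructed dig output samples to exercise the parser offline.
SAMPLE_OK_LOOPBACK='; <<>> DiG 9.18.18 <<>> au.archive.ubuntu.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)'
SAMPLE_OK_REMOTE='; <<>> DiG 9.18.18 <<>> au.archive.ubuntu.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; SERVER: 192.0.2.1#53(192.0.2.1) (UDP)'
SAMPLE_SERVFAIL='; <<>> DiG 9.18.18 <<>> au.archive.ubuntu.com
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34567
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)'
SAMPLE_TIMEOUT='; <<>> DiG 9.18.18 <<>> au.archive.ubuntu.com
;; communications error to 192.0.2.1#53: timed out
;; no servers could be reached'

# classify_dig_output: read dig output on stdin and print "<status> <server> <origin>".
# origin is "loopback" when the answering server is on the host itself (127.x / ::1,
# e.g. systemd-resolved at 127.0.0.53 or a local unbound), "remote" when the query
# actually left the box, and "no-answer" when nothing replied (e.g. port 53 dropped).
classify_dig_output() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  server=$(printf '%s\n' "$out" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' | head -n 1)
  [ -n "$status" ] || status=UNKNOWN
  [ -n "$server" ] || server=none
  case "$server" in
    127.*|::1) origin=loopback ;;
    none)      origin=no-answer ;;
    *)         origin=remote ;;
  esac
  printf '%s %s %s\n' "$status" "$server" "$origin"
}

# probe_host: send the same name (1) through the host's default resolver and
# (2) straight at the firewall. If (2) answers and (1) does not, or they differ,
# the host's resolver setup, not the firewall rule, is what differs between boxes.
# +time/+tries keep a dropped packet from hanging the script.
probe_host() {
  fw=$1
  name=${2:-au.archive.ubuntu.com}
  echo "default resolver : $(dig +time=2 +tries=1 "$name" 2>/dev/null | classify_dig_output)"
  echo "firewall @$fw    : $(dig +time=2 +tries=1 @"$fw" "$name" 2>/dev/null | classify_dig_output)"
  # Show which upstream the host's stub is configured to forward to.
  if command -v resolvectl >/dev/null 2>&1; then
    resolvectl status 2>/dev/null | grep -E 'DNS Servers|Current DNS'   # Linux / systemd-resolved
  elif command -v scutil >/dev/null 2>&1; then
    scutil --dns 2>/dev/null | grep nameserver | sort -u                # macOS
  else
    grep '^nameserver' /etc/resolv.conf 2>/dev/null
  fi
  return 0
}

# Live probe only when a firewall address is supplied: sh probe.sh <FW_IP> [name]
if [ -n "${1:-}" ]; then
  probe_host "$1" "${2:-}"
fi
```

Run it on each of the three boxes with the firewall's Servers-VLAN address; a box whose default-resolver line says `loopback` is answering from its own stub or recursive resolver, and what that stub forwards to (or whether it recurses itself, which would explain "answered from root servers") is what to compare next.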