Quote from: utahbmxer on Today at 07:12:58 AM
Really love the WAF

auto lo
iface lo inet loopback
iface nic1 inet manual
auto vmbr0
iface vmbr0 inet static
address XXXX/XX
gateway XXXXXX
bridge-ports nic1
bridge-stp off
bridge-fd 0
bridge_maxwait 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m multiport ! --dport 22,8006 -j DNAT --to 10.0.10.2
post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp -j DNAT --to 10.0.10.2
auto vmbr1
iface vmbr1 inet static
address 10.0.10.1/30
bridge-ports none
bridge-stp off
bridge-fd 0
post-up iptables -t nat -A POSTROUTING -s '10.0.10.0/30' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.0.10.0/30' -o vmbr0 -j MASQUERADE
#Firewall WAN
auto vmbr2
iface vmbr2 inet manual
bridge-ports none
bridge-stp off
bridge-fd 0
#Firewall LAN1

Quote from: DEC670airp414user on December 22, 2025, 06:20:19 PM
screen shot 3. i would turn off DNS within dnsmasq. change listen port to 0. you also do not need dnssec enabled if using quad 9

Important caveat: You will NOT get name resolution for local DHCP clients if the dnsmasq DNS server is turned off, as Unbound will not read the dnsmasq DHCP client list automatically.
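The interfaces snippet quoted above DNATs every TCP port except 22 and 8006, plus all UDP, from the public bridge to the firewall VM at 10.0.10.2, so those two TCP ports still terminate on the Proxmox host itself, and the vmbr0 post-up rules have no post-down counterpart. The following is an added example, not code from this thread or from Proxmox: a small Python linter that parses an ifupdown-style snippet and reports both conditions. The sample config, the 203.0.113.0/24 addresses and the function names are constructed for the example.

```python
"""Lint a Proxmox-style /etc/network/interfaces snippet for NAT hygiene.

Added example (not from the forum thread). It reports:
  (a) TCP ports that a DNAT rule explicitly exempts from forwarding and which
      therefore still reach the hypervisor on the public bridge;
  (b) post-up iptables '-A' rules with no matching post-down '-D' rule, which
      leave stale NAT entries behind when the interface is taken down.
"""
import shlex

# Constructed sample modelled on the quoted config; addresses are placeholders.
SAMPLE = """\
auto vmbr0
iface vmbr0 inet static
    address 203.0.113.10/24
    gateway 203.0.113.1
    bridge-ports nic1
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m multiport ! --dport 22,8006 -j DNAT --to 10.0.10.2
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp -j DNAT --to 10.0.10.2
auto vmbr1
iface vmbr1 inet static
    address 10.0.10.1/30
    bridge-ports none
    post-up iptables -t nat -A POSTROUTING -s '10.0.10.0/30' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.0.10.0/30' -o vmbr0 -j MASQUERADE
"""


def parse_interfaces(text):
    """Return {iface: {"post-up": [...], "post-down": [...]}} per iface stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split(None, 1)
        if words[0] == "iface":
            current = words[1].split()[0]
            stanzas[current] = {"post-up": [], "post-down": []}
        elif words[0] in ("post-up", "post-down") and current and len(words) == 2:
            stanzas[current][words[0]].append(words[1])
    return stanzas


def parse_dnat(cmd):
    """Return (proto, negated, ports, target) for an iptables DNAT command, else None."""
    argv = shlex.split(cmd)
    if "iptables" not in argv[0] or "DNAT" not in argv:
        return None
    proto = argv[argv.index("-p") + 1] if "-p" in argv else "all"
    negated, ports = False, None
    for i, tok in enumerate(argv):
        if tok.startswith("--dport"):           # covers --dport and --dports
            negated = i > 0 and argv[i - 1] == "!"
            ports = {int(p) for p in argv[i + 1].split(",")}
    target = argv[argv.index("--to") + 1]
    return proto, negated, ports, target


def host_exposed_tcp_ports(stanzas, iface):
    """TCP ports a negated DNAT rule exempts on `iface`; they still reach the host."""
    exposed = set()
    for cmd in stanzas[iface]["post-up"]:
        parsed = parse_dnat(cmd)
        if parsed and parsed[0] == "tcp" and parsed[1] and parsed[2]:
            exposed |= parsed[2]
    return exposed


def unmatched_post_up(stanzas):
    """(iface, cmd) for post-up iptables '-A' rules lacking a post-down '-D' twin."""
    missing = []
    for iface, hooks in stanzas.items():
        downs = {c.replace(" -D ", " -A ") for c in hooks["post-down"]}
        for cmd in hooks["post-up"]:
            if "iptables" in cmd and " -A " in cmd and cmd not in downs:
                missing.append((iface, cmd))
    return missing


if __name__ == "__main__":
    cfg = parse_interfaces(SAMPLE)
    print("TCP ports still terminating on the host:", sorted(host_exposed_tcp_ports(cfg, "vmbr0")))
    for iface, cmd in unmatched_post_up(cfg):
        print(f"{iface}: no post-down for: {cmd}")
```

The exempted ports are exactly the host's SSH and Proxmox web UI, so whatever listens there is reachable from the public bridge unless the host's own firewall restricts it; the missing post-down lines mean repeated ifup/ifdown cycles accumulate duplicate PREROUTING entries.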
i use unbound and it works 100% reliable.
i setup dns over tls for quad 9 or similar products though.
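The caveat earlier in the thread is that Unbound does not learn dnsmasq's DHCP clients on its own once dnsmasq's DNS side is disabled. As an added example (not code from the thread, from OPNsense or from Unbound), the following converts a dnsmasq lease file into Unbound local-zone and local-data records. It assumes the standard five-column dnsmasq.leases format (expiry, MAC, IP, hostname or `*`, client-id or `*`), an expiry of 0 meaning an infinite lease, and a local domain of `lan`; the lease lines, MACs and addresses are constructed for the example.

```python
"""Turn a dnsmasq DHCP lease file into Unbound local-data records.

Added example, not part of the thread. Assumptions: five-column
dnsmasq.leases format, expiry 0 = infinite lease, local domain 'lan'.
Leases with no hostname ('*'), invalid DNS labels, bad addresses or an
expiry in the past are skipped rather than published.
"""
import ipaddress
import re
import time

# Constructed sample lease file; MACs, addresses and names are made up.
SAMPLE_LEASES = """\
1767225600 52:54:00:12:34:56 192.168.10.20 laptop-alice 01:52:54:00:12:34:56
1767225600 52:54:00:ab:cd:ef 192.168.10.21 * 01:52:54:00:ab:cd:ef
1767225600 52:54:00:99:88:77 192.168.10.22 nas *
0 52:54:00:de:ad:00 192.168.10.30 printer *
1767225600 52:54:00:00:00:01 192.168.10.31 bad_host! *
1700000000 52:54:00:00:00:02 192.168.10.32 stale-box *
"""

# RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def parse_leases(text, now):
    """Yield (hostname, ip_address) for live leases that carry a usable hostname."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                       # malformed line
        expiry, _mac, ip, name, _cid = fields
        if not expiry.isdigit():
            continue
        if expiry != "0" and int(expiry) < now:
            continue                       # expired lease; 0 means infinite
        if name == "*" or not LABEL_RE.match(name):
            continue                       # no name sent, or not a valid DNS label
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        yield name.lower(), addr


def unbound_local_data(text, domain="lan", now=None):
    """Return unbound.conf lines: a static local-zone plus A/AAAA and PTR data."""
    now = int(time.time()) if now is None else now
    lines = [f'local-zone: "{domain}." static']
    for name, addr in sorted(parse_leases(text, now)):
        rrtype = "AAAA" if addr.version == 6 else "A"
        lines.append(f'local-data: "{name}.{domain}. IN {rrtype} {addr}"')
        lines.append(f'local-data-ptr: "{addr} {name}.{domain}"')
    return lines


if __name__ == "__main__":
    print("\n".join(unbound_local_data(SAMPLE_LEASES)))
```

Regenerating this file from a dnsmasq lease-change hook (or a periodic job) and including it from unbound.conf keeps forward and reverse resolution for DHCP clients working after dnsmasq's listener is moved to port 0; the validation step matters because a client-supplied hostname is untrusted input that would otherwise land verbatim in the resolver's configuration.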