Board,
It seems that when I have PBR set to force the next hop, DNS forwarding stops working. What is strange is that when PBR is enabled, the DNS forwarding process seems to loop lookups back to the LAN address from the WAN address. Please note that I have a global static next hop for when PBR is enabled, which I would expect the DNS proxy to send queries out via.
Thanks in advance,
db
vyos@user-vr:~$ sho version
Version: VyOS 1.3-rolling-202011200217
Release Train: equuleus
tcpdump of external interface without PBR when doing a lookup which works:
vyos@user-vr:~$ tcpdump -i eth1.1703 port 53 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.1703, link-type EN10MB (Ethernet), capture size 262144 bytes
19:16:24.157980 IP 10.83.119.66.25105 > 8.8.4.4.53: 27252+% [1au] A? linux.org. (38)
19:16:24.750165 IP 8.8.4.4.53 > 10.83.119.66.25105: 27252 3/0/1 A 104.27.166.219, A 104.27.167.219, A 172.67.153.210 (86)
tcpdump of external interface with PBR when doing a lookup which does not work:
vyos@user-vr:~$ tcpdump -i eth1.1703 port 53 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.1703, link-type EN10MB (Ethernet), capture size 262144 bytes
19:14:01.067852 IP 10.83.119.66.60744 > 192.168.5.1.53: 15879+ A? linux.org. (27)
19:14:06.072944 IP 10.83.119.66.60744 > 192.168.5.1.53: 15879+ A? linux.org. (27)
19:14:11.075173 IP 10.83.119.66.60744 > 192.168.5.1.53: 15879+ A? linux.org. (27)
Config with PBR disabled on LAN interface (eth2.5):
interfaces {
    ethernet eth1 {
        hw-id 52:55:00:d1:55:02
        vif 1703 {
            address 10.83.119.66/28
        }
    }
    ethernet eth2 {
        hw-id 52:55:00:d1:55:03
        vif 5 {
            address 192.168.5.1/24
        }
    }
}
nat {
    source {
        rule 10 {
            outbound-interface eth1.1703
            source {
                address 192.168.5.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
policy {
    route pbr {
        rule 20 {
            description "Route hs traffic to table 10"
            set {
                table 10
            }
            source {
                address 192.168.5.0/24
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 10.83.119.65 {
            }
        }
        table 10 {
            route 0.0.0.0/0 {
                next-hop 10.83.119.65 {
                }
            }
        }
    }
}
service {
    dns {
        forwarding {
            allow-from 192.168.5.0/24
            listen-address 192.168.5.1
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
}
Config with PBR enabled on LAN interface (eth2.5):
interfaces {
    ethernet eth1 {
        hw-id 52:55:00:d1:55:02
        vif 1703 {
            address 10.83.119.66/28
        }
    }
    ethernet eth2 {
        hw-id 52:55:00:d1:55:03
        vif 5 {
            address 192.168.5.1/24
            policy {
                route pbr
            }
        }
    }
}
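Added example, not part of the original post and not VyOS code: a small Python check that reads tcpdump port-53 lines in the format shown in the two captures above and flags the symptom described (forwarder queries leaving on the WAN capture toward a LAN-side address, and retransmitted transactions that never get a reply). The two sample captures embedded below are constructed copies of the lines in the post; the LAN prefix and forwarder set are assumed from the configuration shown.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample input: the shape of the two WAN-side captures in the post
# (a working lookup, and the looping one seen with PBR enabled).
CAPTURE_WITHOUT_PBR = """\
19:16:24.157980 IP 10.83.119.66.25105 > 8.8.4.4.53: 27252+% [1au] A? linux.org. (38)
19:16:24.750165 IP 8.8.4.4.53 > 10.83.119.66.25105: 27252 3/0/1 A 104.27.166.219, A 104.27.167.219, A 172.67.153.210 (86)
"""

CAPTURE_WITH_PBR = """\
19:14:01.067852 IP 10.83.119.66.60744 > 192.168.5.1.53: 15879+ A? linux.org. (27)
19:14:06.072944 IP 10.83.119.66.60744 > 192.168.5.1.53: 15879+ A? linux.org. (27)
19:14:11.075173 IP 10.83.119.66.60744 > 192.168.5.1.53: 15879+ A? linux.org. (27)
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: <txid><flags>" as tcpdump -nn prints UDP/53 traffic
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+%$|]*)"
)
# A question is printed as "<TYPE>? <name>"; answers carry "ans/auth/add" counts instead.
QUESTION_RE = re.compile(r"\b(?P<qtype>[A-Z]+)\? (?P<qname>\S+)")


def parse_dns_lines(text):
    """Turn tcpdump port-53 lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        q = QUESTION_RE.search(line[m.end():])
        records.append({
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "txid": int(m["txid"]),
            "is_query": q is not None,
            "qname": q["qname"] if q else None,
        })
    return records


def audit_wan_capture(text, lan_networks, expected_forwarders):
    """Findings for a capture taken on the WAN interface.

    lan_networks: prefixes that should never be a DNS destination on the WAN side
    expected_forwarders: the name-servers the forwarder is configured to use
    """
    records = parse_dns_lines(text)
    lan = [ip_network(n) for n in lan_networks]
    queries = [r for r in records if r["is_query"] and r["dport"] == 53]
    findings = []

    # Symptom 1: an outbound query aimed at a LAN-side address (the loop in the post)
    looped = sorted({(r["qname"], r["dst"]) for r in queries
                     if any(ip_address(r["dst"]) in n for n in lan)})
    for qname, dst in looped:
        findings.append(f"loop: query for {qname} sent toward LAN address {dst} on the WAN interface")

    # Symptom 2: a query going to something other than the configured forwarders
    strays = sorted({r["dst"] for r in queries
                     if r["dst"] not in expected_forwarders
                     and not any(ip_address(r["dst"]) in n for n in lan)})
    for dst in strays:
        findings.append(f"unexpected forwarder: queries sent to {dst}")

    # Symptom 3: the same transaction retransmitted with no answer ever seen
    answered = {(r["txid"], r["dst"]) for r in records if not r["is_query"]}
    sent = Counter((r["txid"], r["src"], r["qname"]) for r in queries)
    for (txid, src, qname), n in sent.items():
        if n > 1 and (txid, src) not in answered:
            findings.append(f"unanswered: txid {txid} for {qname} sent {n} times with no reply")
    return findings


if __name__ == "__main__":
    for label, cap in (("without PBR", CAPTURE_WITHOUT_PBR), ("with PBR", CAPTURE_WITH_PBR)):
        print(label, audit_wan_capture(cap, ["192.168.5.0/24"], {"8.8.8.8", "8.8.4.4"}) or ["ok"])
```

Run it against a live capture with `tcpdump -i eth1.1703 port 53 -nn -l | python3 audit.py` style piping after replacing the embedded samples with `sys.stdin.read()`; a clean WAN capture yields no findings, while the PBR-enabled capture from the post reports one loop finding and one unanswered transaction.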