Dns forwarding, with pbr next-hop causes dns queries to fail


Board,

It seems that when I have PBR set to force a next-hop, DNS forwarding stops working. What is strange is that when PBR is enabled, the DNS forwarding process seems to loop lookups back to the LAN address from the WAN address. Please note that I have a global static next-hop for when PBR is enabled, which I would expect the DNS proxy to send queries out via.

Thanks in advance,

db

vyos@user-vr:~$ sho version

Version: VyOS 1.3-rolling-202011200217
Release Train: equuleus

tcpdump of external interface without PBR when doing a lookup which works:
vyos@user-vr:~$ tcpdump -i eth1.1703 port 53 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.1703, link-type EN10MB (Ethernet), capture size 262144 bytes
19:16:24.157980 IP 10.83.119.66.25105 > 8.8.4.4.53: 27252+% [1au] A? linux.org. (38)
19:16:24.750165 IP 8.8.4.4.53 > 10.83.119.66.25105: 27252 3/0/1 A 104.27.166.219, A 104.27.167.219, A 172.67.153.210 (86)

tcpdump of external interface with PBR when doing a lookup which does not work:
vyos@user-vr:~$ tcpdump -i eth1.1703 port 53 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.1703, link-type EN10MB (Ethernet), capture size 262144 bytes
19:14:01.067852 IP 10.83.119.66.60744 > 192.168.5.1.53: 15879+ A? linux.org. (27)
19:14:06.072944 IP 10.83.119.66.60744 > 192.168.5.1.53: 15879+ A? linux.org. (27)
19:14:11.075173 IP 10.83.119.66.60744 > 192.168.5.1.53: 15879+ A? linux.org. (27)

Config with PBR disabled on LAN interface (eth2.5):

interfaces {
    ethernet eth1 {
        hw-id 52:55:00:d1:55:02
        vif 1703 {
            address 10.83.119.66/28
        }
    }
    ethernet eth2 {
        hw-id 52:55:00:d1:55:03
        vif 5 {
            address 192.168.5.1/24
        }
    }
}
nat {
    source {
        rule 10 {
            outbound-interface eth1.1703
            source {
                address 192.168.5.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
policy {
    route pbr {
        rule 20 {
            description "Route hs traffic to table 10"
            set {
                table 10
            }
            source {
                address 192.168.5.0/24
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 10.83.119.65 {
            }
        }
        table 10 {
            route 0.0.0.0/0 {
                next-hop 10.83.119.65 {
                }
            }
        }
    }
}
service {
    dns {
        forwarding {
            allow-from 192.168.5.0/24
            listen-address 192.168.5.1
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
}

Config with PBR enabled on LAN interface (eth2.5):
interfaces {
    ethernet eth1 {
        hw-id 52:55:00:d1:55:02
        vif 1703 {
            address 10.83.119.66/28
        }
    }
    ethernet eth2 {
        hw-id 52:55:00:d1:55:03
        vif 5 {
            address 192.168.5.1/24
            policy {
                route pbr
            }
        }
    }
}
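The two captures above are the whole evidence in this post, so a small checker that reads tcpdump's `port 53` output and reports the two symptoms (a query leaving the WAN interface towards something other than a configured name-server, and a transaction retransmitted with no reply) is a quick way to confirm the failure mode on a router like this. This is an added example, not code from the thread or from VyOS; the capture text is constructed from the lines quoted above, and the upstream list and LAN prefix are taken from the posted configuration.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed from the tcpdump output quoted in the post, not a live capture.
CAPTURE_WITHOUT_PBR = """\
19:16:24.157980 IP 10.83.119.66.25105 > 8.8.4.4.53: 27252+% [1au] A? linux.org. (38)
19:16:24.750165 IP 8.8.4.4.53 > 10.83.119.66.25105: 27252 3/0/1 A 104.27.166.219, A 104.27.167.219, A 172.67.153.210 (86)
"""
CAPTURE_WITH_PBR = """\
19:14:01.067852 IP 10.83.119.66.60744 > 192.168.5.1.53: 15879+ A? linux.org. (27)
19:14:06.072944 IP 10.83.119.66.60744 > 192.168.5.1.53: 15879+ A? linux.org. (27)
19:14:11.075173 IP 10.83.119.66.60744 > 192.168.5.1.53: 15879+ A? linux.org. (27)
"""

# Taken from 'service dns forwarding' and the eth2.5 address in the posted config.
UPSTREAMS = frozenset({ip_address("8.8.8.8"), ip_address("8.8.4.4")})
LAN = ip_network("192.168.5.0/24")

# tcpdump's "timestamp IP src.port > dst.port: id ..." prefix for UDP DNS packets.
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<id>\d+)"
)


@dataclass
class Transaction:
    sent: int = 0                      # how many times the query went out
    answered: bool = False             # whether any reply came back
    destinations: set = field(default_factory=set)


def analyse(capture, upstreams=UPSTREAMS, lan=LAN):
    """Return a list of findings for a 'port 53' capture taken on the WAN side."""
    txns = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["dport"] == "53":          # outbound query: key on (client, port, id)
            t = txns.setdefault((m["src"], m["sport"], m["id"]), Transaction())
            t.sent += 1
            t.destinations.add(ip_address(m["dst"]))
        elif m["sport"] == "53":        # reply: same key, seen from the other side
            t = txns.setdefault((m["dst"], m["dport"], m["id"]), Transaction())
            t.answered = True

    findings = []
    for (_, _, qid), t in txns.items():
        for dst in sorted(t.destinations - upstreams):
            where = ("the router's own LAN side" if dst in lan
                     else "an address that is not a configured name-server")
            findings.append(f"txn {qid}: query sent to {dst} ({where})")
        if t.sent > 1 and not t.answered:
            findings.append(f"txn {qid}: sent {t.sent} times, no reply (retransmit loop)")
    return findings


if __name__ == "__main__":
    for label, cap in (("without PBR", CAPTURE_WITHOUT_PBR), ("with PBR", CAPTURE_WITH_PBR)):
        print(label, analyse(cap) or ["ok: every query went to an upstream and was answered"])
```

Feed it the output of `tcpdump -i <wan-interface> port 53 -nn -l` and it will flag the same two things visible by eye in the second capture: the forwarder's query leaving the WAN interface addressed to 192.168.5.1, and the same transaction ID repeating every five seconds with nothing coming back.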

You don't seem to have any NAT on eth2.5?
How are you expecting traffic egressing that interface to get NAT'd so that it comes back to you?

tjh,

I do have nat configured for eth2.5 range 192.168.5.0/24

What that rule you have configured says is:

If traffic is egressing interface eth1.1703, and it has a source address of 192.168.5.0/24, then re-write the source address of the packets to be the same as the IP address of eth1.1703.

You don't have ANY NAT in the configuration you've posted for traffic leaving interface eth2.5.
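To make the rule semantics in the reply concrete, the following added example (not code from the thread or from VyOS) models the posted configuration as data and walks a packet through table selection, routing and source NAT in that order. Interface addresses, the NAT rule, the PBR rule and the static routes are copied from the posted config; the packet sources and destinations fed in are constructed, and the assumption that PBR is evaluated only for packets arriving on the interface it is attached to reflects how the policy is applied to eth2.5 in the second config.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Addresses, NAT rule, PBR rule and static routes as posted in the thread.
INTERFACES = {
    "eth1.1703": ip_interface("10.83.119.66/28"),   # WAN
    "eth2.5": ip_interface("192.168.5.1/24"),       # LAN, where 'policy route pbr' is attached
}
SNAT_RULES = [  # nat source rule 10
    {"outbound_interface": "eth1.1703", "source": ip_network("192.168.5.0/24"),
     "translation": "masquerade"},
]
PBR_RULES = [  # policy route pbr rule 20
    {"source": ip_network("192.168.5.0/24"), "table": 10},
]
STATIC_ROUTES = {  # protocols static: main table and table 10 share one default next-hop
    "main": [(ip_network("0.0.0.0/0"), ip_address("10.83.119.65"))],
    10: [(ip_network("0.0.0.0/0"), ip_address("10.83.119.65"))],
}


def select_table(src, ingress, pbr_on=("eth2.5",)):
    """Assumption: PBR is evaluated only for packets arriving on an interface it is attached to."""
    if ingress in pbr_on:
        for rule in PBR_RULES:
            if ip_address(src) in rule["source"]:
                return rule["table"]
    return "main"


def route(table, dst):
    """Return (egress interface, next-hop); connected networks win over static routes."""
    dst = ip_address(dst)
    for name, iface in INTERFACES.items():
        if dst in iface.network:
            return name, dst
    for prefix, nh in STATIC_ROUTES[table]:
        if dst in prefix:
            for name, iface in INTERFACES.items():
                if nh in iface.network:
                    return name, nh
    return None, None


def source_nat(src, egress):
    """Apply the source NAT rule the way the reply describes it: match the egress
    interface and the source prefix, then rewrite the source to that interface's address."""
    src = ip_address(src)
    for rule in SNAT_RULES:
        if rule["outbound_interface"] == egress and src in rule["source"]:
            if rule["translation"] == "masquerade":
                return INTERFACES[egress].ip
    return src          # no rule matched: the packet leaves with its original source


def forward(src, dst, ingress, pbr_on=("eth2.5",)):
    """Walk one packet through PBR table selection, routing and source NAT."""
    table = select_table(src, ingress, pbr_on)
    egress, nh = route(table, dst)
    return {"table": table, "egress": egress, "next_hop": nh,
            "src_after_nat": source_nat(src, egress) if egress else None}


if __name__ == "__main__":
    # Constructed packets: a LAN client going to the internet with and without PBR,
    # and a packet leaving eth2.5 with a 192.168.5.0/24 source (no NAT rule matches).
    print(forward("192.168.5.10", "8.8.8.8", "eth2.5"))
    print(forward("192.168.5.10", "8.8.8.8", "eth2.5", pbr_on=()))
    print(forward("192.168.5.1", "192.168.5.20", "local"))
```

The third constructed packet is the reply's point: rule 10 keys on `outbound-interface eth1.1703`, so anything that egresses eth2.5 is returned with its source untouched, whichever table PBR chose for it.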