Help with DNS and Initial Configuration

I’m very new to the world of VyOS. I’m coming from the world of pfsense/opnsense. I downloaded the latest 1.5 rolling image and tried adapting the initial configuration documentation to my setup. I’m hoping it’s something incredibly dumb but none of my machines behind the VyOS router can do any DNS lookups. I’m having a hard time reading show firewall to truly understand if I have any errors in play, or what to edit in an attempt to troubleshoot without making things potentially worse.

xx.xx.55.5 (vyos itself) can ping and do DNS lookups, both using something like 1.1.1.1 or itself (xx.xx.55.5). I have a VM that pulled xx.xx.55.102 and it can ping out to the internet, but cannot do any DNS lookups whether from 1.1.1.1 or xx.xx.55.5. I’m assuming the error is somewhere in the tcp/udp 53 rules but nothing jumps out as an error to me. Any help would be greatly appreciated.

$ show configuration commands | strip-private
set firewall group address-group AMPGS01 address 'xxx.xxx.65.61'
set firewall group address-group BACKUPS address 'xxx.xxx.126.223'
set firewall group address-group BACKUPS address 'xxx.xxx.186.58'
set firewall group address-group BACKUPS address 'xxx.xxx.73.33'
set firewall group address-group BACKUPS include 'GRANDPA'
set firewall group address-group PLACE1 address 'xxx.xxx.197.72'
set firewall group address-group PLACE1 address 'xxx.xxx.197.104'
set firewall group address-group PLACE1 address 'xxx.xxx.197.89'
set firewall group address-group DANNY address 'xxx.xxx.34.169'
set firewall group address-group DANNY address 'xxx.xxx.163.161'
set firewall group address-group DANNY address 'xxx.xxx.163.163'
set firewall group address-group GRANDPA address 'xxx.xxx.93.219'
set firewall group address-group PATRICK-PC address 'xxx.xxx.55.200'
set firewall group address-group PS5 address 'xxx.xxx.55.194'
set firewall group address-group SCPRIME01 address 'xxx.xxx.5.83'
set firewall group address-group SCPRIME02 address 'xxx.xxx.5.60'
set firewall group interface-group LAN-TRUSTED interface 'bond0.55'
set firewall group interface-group LAN-TRUSTED interface 'bond0'
set firewall group interface-group WAN interface 'bond0.2'
set firewall group ipv6-address-group BACKUPS address 'xxxx:xxxx:f1::ce'
set firewall group ipv6-address-group BACKUPS address 'xxxx:xxxx:0:b2d::10'
set firewall group network-group LAN-TRUSTED network 'xxx.xxx.5.0/24'
set firewall group network-group LAN-TRUSTED network 'xxx.xxx.55.0/24'
set firewall group network-group LAN-TRUSTED network 'xxx.xxx.10.0/24'
set firewall group network-group LAN-UNTRUSTED network 'xxx.xxx.5.0/24'
set firewall group network-group NET-INSIDE-v4 include 'LAN-TRUSTED'
set firewall group network-group NET-INSIDE-v4 include 'LAN-UNTRUSTED'
set firewall group port-group GEYSER_PORTS port '19134-19135'
set firewall group port-group GEYSER_PORTS port '25567-25568'
set firewall group port-group HAPROXY_PORTS port '80'
set firewall group port-group HAPROXY_PORTS port '443'
set firewall group port-group REALM_PORTS port '13132-13133'
set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 jump-target 'CONN_FILTER'
set firewall ipv4 forward filter rule 100 action 'jump'
set firewall ipv4 forward filter rule 100 destination group network-group 'NET-INSIDE-v4'
set firewall ipv4 forward filter rule 100 inbound-interface interface-group 'WAN'
set firewall ipv4 forward filter rule 100 jump-target 'OUTSIDE-IN'
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 10 action 'jump'
set firewall ipv4 input filter rule 10 jump-target 'CONN_FILTER'
set firewall ipv4 input filter rule 20 action 'jump'
set firewall ipv4 input filter rule 20 destination port '22'
set firewall ipv4 input filter rule 20 jump-target 'MGMT'
set firewall ipv4 input filter rule 20 protocol 'tcp'
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 icmp type-name 'echo-request'
set firewall ipv4 input filter rule 30 protocol 'icmp'
set firewall ipv4 input filter rule 30 state new 'enable'
set firewall ipv4 input filter rule 40 action 'accept'
set firewall ipv4 input filter rule 40 destination port '53'
set firewall ipv4 input filter rule 40 log 'enable'
set firewall ipv4 input filter rule 40 protocol 'tcp_udp'
set firewall ipv4 input filter rule 40 source group network-group 'LAN-TRUSTED'
set firewall ipv4 input filter rule 50 action 'accept'
set firewall ipv4 input filter rule 50 source address 'xxx.xxx.0.0/8'
set firewall ipv4 name CONN_FILTER default-action 'return'
set firewall ipv4 name CONN_FILTER rule 10 action 'accept'
set firewall ipv4 name CONN_FILTER rule 10 state established 'enable'
set firewall ipv4 name CONN_FILTER rule 10 state related 'enable'
set firewall ipv4 name CONN_FILTER rule 20 action 'drop'
set firewall ipv4 name CONN_FILTER rule 20 state invalid 'enable'
set firewall ipv4 name MGMT default-action 'return'
set firewall ipv4 name MGMT rule 15 action 'accept'
set firewall ipv4 name MGMT rule 15 inbound-interface interface-group 'LAN-TRUSTED'
set firewall ipv4 name MGMT rule 20 action 'drop'
set firewall ipv4 name MGMT rule 20 inbound-interface interface-group 'WAN'
set firewall ipv4 name MGMT rule 20 recent count '4'
set firewall ipv4 name MGMT rule 20 recent time 'minute'
set firewall ipv4 name MGMT rule 20 source group
set firewall ipv4 name MGMT rule 20 state new 'enable'
set firewall ipv4 name MGMT rule 21 action 'accept'
set firewall ipv4 name MGMT rule 21 inbound-interface interface-group 'WAN'
set firewall ipv4 name MGMT rule 21 source group address-group 'PLACE1'
set firewall ipv4 name MGMT rule 21 state new 'enable'
set firewall ipv4 name OUTSIDE-IN default-action 'drop'
set firewall ipv4 name OUTSIDE-IN rule 200 action 'accept'
set firewall ipv4 name OUTSIDE-IN rule 200 destination address 'xxx.xxx.55.20'
set firewall ipv4 name OUTSIDE-IN rule 200 destination port '22'
set firewall ipv4 name OUTSIDE-IN rule 200 protocol 'tcp'
set firewall ipv4 name OUTSIDE-IN rule 200 source group address-group 'BACKUPS'
set firewall ipv4 name OUTSIDE-IN rule 200 state new 'enable'
set firewall ipv4 name OUTSIDE-IN rule 210 action 'accept'
set firewall ipv4 name OUTSIDE-IN rule 210 destination address 'xxx.xxx.55.20'
set firewall ipv4 name OUTSIDE-IN rule 210 destination port '21'
set firewall ipv4 name OUTSIDE-IN rule 210 protocol 'tcp'
set firewall ipv4 name OUTSIDE-IN rule 210 source group address-group 'BACKUPS'
set firewall ipv4 name OUTSIDE-IN rule 210 state new 'enable'
set firewall ipv4 name OUTSIDE-IN rule 220 action 'accept'
set firewall ipv4 name OUTSIDE-IN rule 220 destination address 'xxx.xxx.55.20'
set firewall ipv4 name OUTSIDE-IN rule 220 destination port '60000-60050'
set firewall ipv4 name OUTSIDE-IN rule 220 protocol 'tcp'
set firewall ipv4 name OUTSIDE-IN rule 220 source group address-group 'BACKUPS'
set firewall ipv4 name OUTSIDE-IN rule 220 state new 'enable'
set firewall ipv4 name OUTSIDE-IN rule 230 action 'accept'
set firewall ipv4 name OUTSIDE-IN rule 230 destination address 'xxx.xxx.5.83'
set firewall ipv4 name OUTSIDE-IN rule 230 destination port '4282'
set firewall ipv4 name OUTSIDE-IN rule 230 protocol 'tcp'
set firewall ipv4 name OUTSIDE-IN rule 230 state new 'enable'
set firewall ipv4 name OUTSIDE-IN rule 240 action 'accept'
set firewall ipv4 name OUTSIDE-IN rule 240 destination address 'xxx.xxx.5.60'
set firewall ipv4 name OUTSIDE-IN rule 240 destination port '14282'
set firewall ipv4 name OUTSIDE-IN rule 240 protocol 'tcp'
set firewall ipv4 name OUTSIDE-IN rule 240 state new 'enable'
set firewall ipv4 name OUTSIDE-IN rule 250 action 'accept'
set firewall ipv4 name OUTSIDE-IN rule 250 destination address 'xxx.xxx.65.61'
set firewall ipv4 name OUTSIDE-IN rule 250 destination group port-group 'REALM_PORTS'
set firewall ipv4 name OUTSIDE-IN rule 250 protocol 'udp'
set firewall ipv4 name OUTSIDE-IN rule 250 state new 'enable'
set firewall ipv4 name OUTSIDE-IN rule 260 action 'accept'
set firewall ipv4 name OUTSIDE-IN rule 260 destination address 'xxx.xxx.65.61'
set firewall ipv4 name OUTSIDE-IN rule 260 destination group port-group 'GEYSER_PORTS'
set firewall ipv4 name OUTSIDE-IN rule 260 protocol 'udp'
set firewall ipv4 name OUTSIDE-IN rule 260 state new 'enable'
set firewall ipv4 name OUTSIDE-IN rule 270 action 'accept'
set firewall ipv4 name OUTSIDE-IN rule 270 destination address 'xxx.xxx.65.52'
set firewall ipv4 name OUTSIDE-IN rule 270 destination port '3389'
set firewall ipv4 name OUTSIDE-IN rule 270 protocol 'tcp_udp'
set firewall ipv4 name OUTSIDE-IN rule 270 source group address-group 'DANNY'
set firewall ipv4 name OUTSIDE-IN rule 270 state new 'enable'
set firewall ipv4 name OUTSIDE-IN rule 280 action 'accept'
set firewall ipv4 name OUTSIDE-IN rule 280 destination address 'xxx.xxx.65.52'
set firewall ipv4 name OUTSIDE-IN rule 280 destination port '9600'
set firewall ipv4 name OUTSIDE-IN rule 280 protocol 'tcp'
set firewall ipv4 name OUTSIDE-IN rule 280 source group address-group 'DANNY'
set firewall ipv4 name OUTSIDE-IN rule 280 state new 'enable'
set firewall ipv4 name OUTSIDE-IN rule 290 action 'accept'
set firewall ipv4 name OUTSIDE-IN rule 290 destination address 'xxx.xxx.65.52'
set firewall ipv4 name OUTSIDE-IN rule 290 destination port '9232'
set firewall ipv4 name OUTSIDE-IN rule 290 protocol 'tcp'
set firewall ipv4 name OUTSIDE-IN rule 290 source geoip country-code xxxxxx
set firewall ipv4 name OUTSIDE-IN rule 290 source geoip country-code xxxxxx
set firewall ipv4 name OUTSIDE-IN rule 290 source geoip country-code xxxxxx
set firewall ipv4 name OUTSIDE-IN rule 290 state new 'enable'
set firewall ipv6 input filter default-action 'drop'
set interfaces bonding bond0 address 'xxx.xxx.5.5/24'
set interfaces bonding bond0 dhcpv6-options no-release
set interfaces bonding bond0 member interface 'eth4'
set interfaces bonding bond0 member interface 'eth5'
set interfaces bonding bond0 mode 'active-backup'
set interfaces bonding bond0 primary 'eth4'
set interfaces bonding bond0 vif 2 address 'dhcp'
set interfaces bonding bond0 vif 2 address 'dhcpv6'
set interfaces bonding bond0 vif 2 dhcpv6-options no-release
set interfaces bonding bond0 vif 2 dhcpv6-options pd 0 interface bond0.2
set interfaces bonding bond0 vif 2 dhcpv6-options pd 0 interface bond0.55 address '1'
set interfaces bonding bond0 vif 2 dhcpv6-options pd 0 interface bond0.55 sla-id '55'
set interfaces bonding bond0 vif 2 dhcpv6-options pd 0 length '56'
set interfaces bonding bond0 vif 55 address 'dhcpv6'
set interfaces bonding bond0 vif 55 address 'xxx.xxx.55.5/24'
set interfaces bonding bond0 vif 55 dhcpv6-options no-release
set interfaces bonding bond0 vif 55 dhcpv6-options pd 55 interface bond0.2
set interfaces bonding bond0 vif 55 dhcpv6-options pd 55 length '64'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:18'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:19'
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:1a'
set interfaces ethernet eth3 hw-id 'xx:xx:xx:xx:xx:1b'
set interfaces ethernet eth4 hw-id 'xx:xx:xx:xx:xx:00'
set interfaces ethernet eth5 hw-id 'xx:xx:xx:xx:xx:01'
set interfaces loopback lo
set nat destination rule 100 description 'Port forward 22 to xxx.xxx.55.20'
set nat destination rule 100 destination port '22'
set nat destination rule 100 inbound-interface 'bond0.2'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 source group address-group 'BACKUPS'
set nat destination rule 100 translation address 'xxx.xxx.55.20'
set nat destination rule 110 description 'Port forward 21 to xxx.xxx.55.20'
set nat destination rule 110 destination port '21'
set nat destination rule 110 inbound-interface 'bond0.2'
set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 source group address-group 'BACKUPS'
set nat destination rule 110 translation address 'xxx.xxx.55.20'
set nat destination rule 120 description 'Backups to xxx.xxx.55.20'
set nat destination rule 120 destination port '60000-60050'
set nat destination rule 120 inbound-interface 'bond0.2'
set nat destination rule 120 protocol 'tcp'
set nat destination rule 120 translation address 'xxx.xxx.55.20'
set nat destination rule 130 description 'Geyser redirect to AMPGS01'
set nat destination rule 130 destination group port-group 'GEYSER_PORTS'
set nat destination rule 130 inbound-interface 'bond0.2'
set nat destination rule 130 protocol 'udp'
set nat destination rule 130 translation address 'xxx.xxx.65.61'
set nat destination rule 140 description 'Realm redirect to AMPGS01'
set nat destination rule 140 destination group port-group 'REALM_PORTS'
set nat destination rule 140 inbound-interface 'bond0.2'
set nat destination rule 140 protocol 'udp'
set nat destination rule 140 translation address 'xxx.xxx.65.61'
set nat destination rule 150 description 'scp01'
set nat destination rule 150 destination port '4282'
set nat destination rule 150 inbound-interface 'bond0.2'
set nat destination rule 150 protocol 'tcp_udp'
set nat destination rule 150 translation address 'xxx.xxx.5.83'
set nat destination rule 160 description 'scp02'
set nat destination rule 160 destination port '14282'
set nat destination rule 160 inbound-interface 'bond0.2'
set nat destination rule 160 protocol 'tcp_udp'
set nat destination rule 160 translation address 'xxx.xxx.5.60'
set nat destination rule 170 description 'TS3 file transfer'
set nat destination rule 170 destination port '30033'
set nat destination rule 170 inbound-interface 'bond0.2'
set nat destination rule 170 protocol 'tcp'
set nat destination rule 170 translation address 'xxx.xxx.65.50'
set nat destination rule 180 description 'TS3 voice'
set nat destination rule 180 destination port '9987'
set nat destination rule 180 inbound-interface 'bond0.2'
set nat destination rule 180 protocol 'udp'
set nat destination rule 180 translation address 'xxx.xxx.65.50'
set nat destination rule 190 description 'Danny RDP'
set nat destination rule 190 destination port '4222'
set nat destination rule 190 protocol 'tcp_udp'
set nat destination rule 190 source group address-group 'DANNY'
set nat destination rule 190 translation address 'xxx.xxx.65.52'
set nat destination rule 190 translation port '3389'
set nat destination rule 200 description 'Danny ACC API'
set nat destination rule 200 destination port '9600'
set nat destination rule 200 inbound-interface 'bond0.2'
set nat destination rule 200 protocol 'tcp'
set nat destination rule 200 source group address-group 'DANNY'
set nat destination rule 200 translation address 'xxx.xxx.65.52'
set nat destination rule 210 description 'Danny ACC Server TCP'
set nat destination rule 210 destination port '9232'
set nat destination rule 210 inbound-interface 'bond0.2'
set nat destination rule 210 protocol 'tcp'
set nat destination rule 210 translation address 'xxx.xxx.65.52'
set nat destination rule 220 description 'Danny ACC Server UDP'
set nat destination rule 220 protocol 'udp'
set nat destination rule 220 translation address 'xxx.xxx.65.52'
set nat source rule 100 outbound-interface 'bond0.2'
set nat source rule 100 source address '0.0.0.0/0'
set nat source rule 100 translation address 'masquerade'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.55.0/24 default-router 'xxx.xxx.55.5'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.55.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.55.0/24 lease '86400'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.55.0/24 name-server 'xxx.xxx.55.5'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.55.0/24 range 0 start 'xxx.xxx.55.100'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.55.0/24 range 0 stop 'xxx.xxx.55.245'
set service dns forwarding allow-from 'xxx.xxx.55.0/24'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address 'xxx.xxx.55.5'
set service dns forwarding name-server 1.1.1.1
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/0'
set service ntp allow-client xxxxxx '::/0'
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ssh port '22'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system name-server '1.1.1.1'
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'

Exactly what I thought it was - a very dumb mistake. In an effort to translate my existing rules, dNAT rule 220 was capturing all my udp traffic since no port was specified. Once I added the expected port that I had mistakenly omitted, everything started working as expected. I was originally just watching bond0.55 udp port 53 traffic, but once I switched to watching my WAN interface, I could see it was redirecting everything to xx.xx.65.62 errantly.

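The root cause above is a destination NAT rule that matches on protocol alone: with no destination port, port-group or inbound interface, it rewrites every UDP packet the router sees, including the LAN clients' DNS queries, which is why lookups failed even when aimed at the router itself. A small pre-commit sanity check catches this class of mistake directly from `show configuration commands` output. This is an added example, not VyOS code or anything the poster wrote; the config text it parses is a constructed sample modelled on the post (rule 220 reproduces the mistake, 180 and a hypothetical 230 show the correctly scoped forms), and the addresses are documentation placeholders.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample modelled on the post's `show configuration commands | strip-private`
# output. Rule 220 is the catch-all that hijacked DNS; 180 and 230 are scoped properly.
SAMPLE_CONFIG = """
set nat destination rule 180 description 'TS3 voice'
set nat destination rule 180 destination port '9987'
set nat destination rule 180 inbound-interface 'bond0.2'
set nat destination rule 180 protocol 'udp'
set nat destination rule 180 translation address '192.0.2.50'
set nat destination rule 220 description 'Danny ACC Server UDP'
set nat destination rule 220 protocol 'udp'
set nat destination rule 220 translation address '192.0.2.52'
set nat destination rule 230 description 'hypothetical port-group forward'
set nat destination rule 230 destination group port-group 'GEYSER_PORTS'
set nat destination rule 230 inbound-interface 'bond0.2'
set nat destination rule 230 protocol 'udp'
set nat destination rule 230 translation address '192.0.2.61'
"""

RULE_RE = re.compile(r"^set nat destination rule (\d+) (.+)$")
# Either of these narrows a DNAT rule to specific destination ports.
PORT_MATCH_KEYS = ("destination port", "destination group port-group")


def parse_dnat_rules(config_text):
    """Return {rule_number: {option_path: value}} for every `set nat destination rule` line.

    Forum rendering often turns VyOS's straight quotes into curly ones, so both are
    accepted. A bare option with no value (e.g. a flag) is stored with value None.
    """
    rules = defaultdict(dict)
    for raw in config_text.splitlines():
        line = raw.strip().replace("\u2018", "'").replace("\u2019", "'")
        m = RULE_RE.match(line)
        if not m:
            continue
        number = int(m.group(1))
        tokens = shlex.split(m.group(2))  # honours quoted values with spaces
        if len(tokens) == 1:
            rules[number][tokens[0]] = None
        else:
            # Everything before the final token is the option path, e.g.
            # "destination group port-group"; the final token is its value.
            rules[number][" ".join(tokens[:-1])] = tokens[-1]
    return dict(rules)


def find_catch_all_rules(rules):
    """Flag DNAT rules that translate traffic without any destination-port match.

    Such a rule applies to every packet of its protocol (or every packet at all if
    protocol is unset too), so client traffic such as DNS gets its destination
    rewritten. Returns [(rule_number, [problem, ...]), ...] sorted by rule number.
    """
    findings = []
    for number in sorted(rules):
        opts = rules[number]
        if "translation address" not in opts and "translation port" not in opts:
            continue  # not a translating rule, nothing to hijack
        problems = []
        if not any(key in opts for key in PORT_MATCH_KEYS):
            proto = opts.get("protocol", "all")
            problems.append(f"no destination port/port-group: matches ALL {proto} traffic")
        if not any(key.startswith("inbound-interface") for key in opts):
            problems.append("no inbound-interface: applies on every interface, LAN included")
        # Only the missing port match makes the rule a true catch-all; a missing
        # interface on its own is reported alongside it for context.
        if problems and problems[0].startswith("no destination port"):
            findings.append((number, problems))
    return findings


if __name__ == "__main__":
    parsed = parse_dnat_rules(SAMPLE_CONFIG)
    for number, problems in find_catch_all_rules(parsed):
        desc = parsed[number].get("description", "")
        print(f"rule {number} ({desc}):")
        for problem in problems:
            print(f"  - {problem}")
```

Run it against the real output of `show configuration commands | strip-private` by piping the text into `parse_dnat_rules`; on the post's config it reports rule 220 (no port match, no inbound interface) and nothing else, which is exactly the rule the poster found by watching the WAN interface.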

Your firewall rules look bulletproof, very advanced for a first timer I must say; you have a deep understanding of networking. I am struggling to understand the fw rules for Linux based VyOS …