So I went ahead and adjusted rule 9 as suggested by ginkgo; that alone had not worked, and I think there was another part of my config that was causing the issue:
I had this in my config (also shown in my first post):
protocols {
static {
route 0.0.0.0/0 {
next-hop 10.0.0.1 {
}
I deleted this entry and then pings started working on the LAN. DNS resolution still seems to be an issue from the router or from any LAN client; however, when I manually edit /etc/resolv.conf on the PC/router, I do get DNS resolution.
I was wondering whether there is some simple way to migrate my current config on my EdgeRouter Lite (which is working and which I use) to VyOS 1.5? I googled that a bit, but it does not look like it.
This is my current EdgeRouter config:
show configuration
firewall {
all-ping enable
broadcast-ping disable
ipv6-name WANv6_IN {
default-action drop
description "WAN inbound traffic forwarded to LAN"
enable-default-log
rule 10 {
action accept
description "Allow established/related sessions"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
ipv6-name WANv6_LOCAL {
default-action drop
description "WAN inbound traffic to the router"
enable-default-log
rule 10 {
action accept
description "Allow established/related sessions"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action accept
description "Allow IPv6 icmp"
protocol ipv6-icmp
}
rule 40 {
action accept
description "allow dhcpv6"
destination {
port 546
}
protocol udp
source {
port 547
}
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description SIP
destination {
address 10.0.0.6
port 5060
}
log disable
protocol tcp_udp
}
rule 20 {
action accept
description RTP
destination {
address 10.0.0.6
}
log disable
protocol tcp_udp
}
rule 30 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 40 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description Internet
duplex auto
firewall {
in {
ipv6-name WANv6_IN
name WAN_IN
}
local {
ipv6-name WANv6_LOCAL
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
address 10.0.0.1/24
description Local
duplex auto
speed auto
}
ethernet eth2 {
address 10.133.133.1/24
description "Local 2"
duplex auto
speed auto
}
loopback lo {
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth1
lan-interface eth2
rule 1 {
description serverhh
forward-to {
address 10.0.0.3
port 22
}
original-port 41025
protocol tcp
}
rule 2 {
description servervp1
forward-to {
address 10.0.0.3
port 4444
}
original-port 43221
protocol tcp
}
rule 3 {
description serverrent1
forward-to {
address 10.0.0.3
port 41114-43120
}
original-port 41114-43120
protocol tcp
}
rule 4 {
description serverrent2
forward-to {
address 10.0.0.3
port 50000-51000
}
original-port 50000-51000
protocol tcp_udp
}
rule 5 {
description serverGL
forward-to {
address 10.0.0.3
port 44445
}
original-port 44445
protocol tcp
}
rule 6 {
description servervp2
forward-to {
address 10.0.0.3
port 43220
}
original-port 43220
protocol udp
}
rule 7 {
description serverrent3
forward-to {
address 10.0.0.3
port 43301-48599
}
original-port 43301-48599
protocol tcp
}
rule 8 {
description vpn
forward-to {
address 10.0.0.3
port 45123
}
original-port 45123
protocol udp
}
rule 9 {
description NC1
forward-to {
address 10.0.0.10
port 80
}
original-port 80
protocol tcp_udp
}
rule 10 {
description NC2
forward-to {
address 10.0.0.10
port 443
}
original-port 443
protocol tcp_udp
}
rule 11 {
description turnC
forward-to {
address 10.0.0.10
port 3478
}
original-port 3478
protocol tcp_udp
}
rule 12 {
description pydio
forward-to {
address 10.0.0.10
port 8443
}
original-port 8443
protocol tcp_udp
}
rule 13 {
description 1pbx
forward-to {
address 10.0.0.6
port 5060-5061
}
original-port 5060-5061
protocol tcp_udp
}
rule 14 {
description 2pbx
forward-to {
address 10.0.0.6
port 5000-5001
}
original-port 5000-5001
protocol tcp_udp
}
rule 15 {
description jitsi
forward-to {
address 10.0.0.10
port 443
}
original-port 4443
protocol tcp
}
rule 16 {
description jitsi2
forward-to {
address 10.0.0.10
port 10000
}
original-port 10000
protocol udp
}
rule 17 {
description servervp3
forward-to {
address 10.0.0.3
port 43219
}
original-port 43219
protocol udp
}
rule 18 {
description 3pbx
forward-to {
address 10.0.0.6
port 5090
}
original-port 5090
protocol tcp_udp
}
rule 19 {
description 4pbx
forward-to {
address 10.0.0.6
port 9000-9500
}
original-port 9000-9500
protocol tcp_udp
}
rule 20 {
description ncTEMP
forward-to {
address 10.0.0.233
port 80
}
original-port 81
protocol tcp_udp
}
wan-interface eth0
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN1 {
authoritative enable
subnet 10.0.0.0/24 {
default-router 10.0.0.1
dns-server 10.0.0.1
lease 86400
start 10.0.0.38 {
stop 10.0.0.243
}
}
}
shared-network-name LAN2 {
authoritative enable
subnet 10.133.133.0/24 {
default-router 10.133.133.1
dns-server 10.133.133.1
lease 86400
start 10.133.133.38 {
stop 10.133.133.243
}
}
}
static-arp disable
use-dnsmasq disable
}
dns {
forwarding {
blacklist {
disabled false
dns-redirect-ip 0.0.0.0
domains {
include adk2x.com
include adsrvr.org
include adtechus.net
include advertising.com
include centade.com
include doubleclick.net
include fastplayz.com
include free-counter.co.uk
include hilltopads.net
include intellitxt.com
include kiosked.com
include patoghee.in
include themillionaireinpjs.com
include traktrafficflow.com
include wwwpromoter.com
source NoBitCoin {
description "Blocking Web Browser Bitcoin Mining"
prefix 0.0.0.0
url https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt
}
source OISD {
description "OISD Domains Basic"
url https://dbl.oisd.nl/basic/
}
source simple_tracking {
description "Basic tracking list by Disconnect"
url https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
}
}
exclude 1e100.net
exclude 2o7.net
exclude adjust.com
exclude adobedtm.com
exclude akamai.net
exclude akamaihd.net
exclude amazon.com
exclude amazonaws.com
exclude ampproject.org
exclude android.clients.google.com
exclude apple.com
exclude apresolve.spotify.com
exclude ask.com
exclude avast.com
exclude avira-update.com
exclude bannerbank.com
exclude bazaarvoice.com
exclude bing.com
exclude bit.ly
exclude bitdefender.com
exclude bonsaimirai.us9.list-manage.com
exclude c.s-microsoft.com
exclude cdn.ravenjs.com
exclude cdn.visiblemeasures.com
exclude clientconfig.passport.net
exclude clients2.google.com
exclude clients4.google.com
exclude cloudfront.net
exclude coremetrics.com
exclude dickssportinggoods.com
exclude dl.dropboxusercontent.com
exclude dropbox.com
exclude ebay.com
exclude edgesuite.net
exclude evernote.com
exclude express.co.uk
exclude feedly.com
exclude freedns.afraid.org
exclude github.com
exclude githubusercontent.com
exclude global.ssl.fastly.net
exclude google.com
exclude googleads.g.doubleclick.net
exclude googleadservices.com
exclude googleapis.com
exclude googletagmanager.com
exclude googleusercontent.com
exclude gstatic.com
exclude gvt1.com
exclude gvt1.net
exclude hb.disney.go.com
exclude herokuapp.com
exclude hp.com
exclude hulu.com
exclude i.s-microsoft.com
exclude images-amazon.com
exclude live.com
exclude logmein.com
exclude m.weeklyad.target.com
exclude magnetmail1.net
exclude microsoft.com
exclude microsoftonline.com
exclude msdn.com
exclude msecnd.net
exclude msftncsi.com
exclude mywot.com
exclude nsatc.net
exclude outlook.office365.com
exclude paypal.com
exclude pop.h-cdn.co
exclude products.office.com
exclude quora.com
exclude rackcdn.com
exclude rarlab.com
exclude s.youtube.com
exclude schema.org
exclude shopify.com
exclude skype.com
exclude smacargo.com
exclude sourceforge.net
exclude spclient.wg.spotify.com
exclude spotify.com
exclude spotify.edgekey.net
exclude spotilocal.com
exclude ssl-on9.com
exclude ssl-on9.net
exclude sstatic.net
exclude static.chartbeat.com
exclude storage.googleapis.com
exclude twimg.com
exclude video-stats.l.google.com
exclude viewpoint.com
exclude weeklyad.target.com
exclude weeklyad.target.com.edgesuite.net
exclude windows.net
exclude www.msftncsi.com
exclude xboxlive.com
exclude yimg.com
exclude ytimg.com
hosts {
exclude cfvod.kaltura.com
include ads.feedly.com
include beap.gemini.yahoo.com
source openphish {
description "OpenPhish automatic phishing detection"
prefix http
url https://openphish.com/feed.txt
}
}
}
cache-size 10000
listen-on eth1
listen-on eth2
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5010 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
}
}
system {
analytics-handler {
send-analytics-report false
}
conntrack {
expect-table-size 2048
hash-size 32768
modules {
sip {
disable
}
}
table-size 262144
}
crash-handler {
send-crash-report false
}
host-name EdgeRouter-Lite-3-Port
login {
user ubnt {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
package {
repository blacklist {
components main
description "Britannic blacklist debian stretch repository"
distribution stretch
password ****************
url https://raw.githubusercontent.com/britannic/debian-repo/master/blacklist/public/
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
task-scheduler {
task update_blacklists {
executable {
arguments 10800
path /config/scripts/update-dnsmasq-cronjob.sh
}
interval 1d
}
}
time-zone UTC
traffic-analysis {
dpi enable
export enable
}
}