In this article we will look at how to apply DNS redirection on your Unifi network. Please note this is for IPv4 DNS requests; to catch and redirect IPv6 DNS requests, please check the corresponding article.

The goal is to catch and intercept DNS traffic that is NOT going through my carefully crafted infrastructure and force it to take my designed route. I use 4 VLANs (only 2 are in the diagram) and, except for the Guest VLAN, I direct all DNS requests to my own DNS infrastructure, which consists of Samba-based AD as well as Pi-Hole.

Because my Pi-Hole is very restrictive, I want to “liberate” some of my devices to use my ISP’s DNS services. I want to intercept all traffic that tries to directly access a DNS resolver outside of the list of DNS servers I am allowing and force it to take a “trusted” route.

Most examples of this I found use a DNAT rule that catches traffic NOT going to a single address. But, seeing my infra is redundant, I want a rule to catch traffic NOT going to a GROUP of addresses.

First, create a new firewall group containing the list of allowed DNS entries. Use the “Routing & Firewall” – “Firewall” – “Groups” menu options for this.

My group has 10 entries: 4x USG IP addresses, 1 per VLAN. Then, the two Samba AD servers, the one Pi-Hole server and finally the three ISP-mandated DNS servers.

Save this group and then wait a little, until the USG is provisioned. Then, log in to the SSH shell of the USG and issue:

```
show firewall group
```

You will see that the USG has allocated a system-generated name (and helpfully does not use your invented name) for your newly created group. Remember the first four characters (and the last two, for good measure) so that you can positively identify the group name.

The rule below is for VLAN 10 (interface eth1.10); therefore, I will also number this rule “10”. Please note the use of the ‘!’: it stands for NOT. We want to match packets going to port 53 that are NOT part of the allowed DNS group. In other words, all packets to port 53 except those going to the allowed DNS servers.

To enter the firewall group name, type the first four characters and then press Tab to have it autocomplete. Check the last two characters to be sure you are using the correct group.

```
set service nat rule 10 description 'Catch DNS traffic for eth1:10'
set service nat rule 10 destination group address-group !5c31fd78464df004519aec1b
set service nat rule 10 destination port 53
set service nat rule 10 inbound-interface eth1.10
set service nat rule 10 inside-address address 192.168.10.1
```

Now, it is time to test the configuration. First, confirm the rules are active by issuing:

```
show nat rules
```

which, if all is well, should show our newly created rule 10. To see what traffic got intercepted, issue:

```
show nat statistics
```

Again, if you do not have a “rogue” client (yet), this should not show any translations.
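The rule above is written out for one VLAN, but the post covers four of them and the same rule has to be repeated for each non-guest VLAN with its own interface and gateway address. The shell script below is an added example, not code from the original post: it prints the USG `set` commands for every VLAN in a small constructed inventory, numbering each rule after its VLAN id as the post does, and it scripts the author's first-four/last-two-character check on the system-generated group name. Two keywords in the generated rule are my additions and are not shown in the post: `type destination` and `protocol tcp_udp`, which EdgeOS needs for a DNAT rule that matches a port; the `!` is single-quoted so the shell leaves it alone. The VLAN table is constructed sample data, and the group name 5c31fd78464df004519aec1b is the one from the post; on your own USG read it from `show firewall group`.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the EdgeOS "set"
# commands for the DNS-redirect DNAT rule, one per VLAN, and checks a
# system-generated group name the way the post does by hand.

# Constructed sample inventory, one VLAN per line: "vlan-id interface gateway-ip".
# The guest VLAN is intentionally left out, as in the post.
VLANS="10 eth1.10 192.168.10.1
20 eth1.20 192.168.20.1
30 eth1.30 192.168.30.1"

# dns_redirect_rule RULE IFACE INSIDE_ADDRESS GROUP
# Prints the rule that sends all port-53 traffic NOT destined for the
# allowed-DNS group to the USG's own address on that VLAN.
# 'type destination' and 'protocol tcp_udp' are assumed EdgeOS keywords
# (needed for a DNAT rule with a port match); they are not in the post.
dns_redirect_rule() {
    rule="$1" iface="$2" inside="$3" group="$4"
    cat <<EOF
set service nat rule $rule description 'Catch DNS traffic for $iface'
set service nat rule $rule type destination
set service nat rule $rule inbound-interface $iface
set service nat rule $rule protocol tcp_udp
set service nat rule $rule destination port 53
set service nat rule $rule destination group address-group '!$group'
set service nat rule $rule inside-address address $inside
EOF
}

# dns_redirect_all GROUP: emit the rule for every VLAN in the inventory,
# numbering each rule after its VLAN id (rule 10 for VLAN 10, as in the post).
dns_redirect_all() {
    group="$1"
    printf '%s\n' "$VLANS" | while read -r vid iface gw; do
        [ -n "$vid" ] || continue
        dns_redirect_rule "$vid" "$iface" "$gw" "$group"
    done
}

# group_matches NAME FIRST4 LAST2: the post's manual check, scripted.
# Succeeds only if NAME starts with FIRST4 and ends with LAST2.
group_matches() {
    case "$1" in
        "$2"*"$3") return 0 ;;
        *)         return 1 ;;
    esac
}

# Group name taken from the post; on your USG read it from 'show firewall group'.
GROUP=5c31fd78464df004519aec1b
if group_matches "$GROUP" 5c31 1b; then
    dns_redirect_all "$GROUP"
else
    echo "group name does not match the expected characters" >&2
fi
```

Paste the printed lines into `configure` on the USG and finish with `commit`. Keep in mind that commands entered over SSH on a USG are replaced the next time the controller provisions the device, so a rule you want to keep also has to go into the controller's config.gateway.json. Once it is in place, a rising counter for these rules in `show nat statistics` is your indicator that a client on that VLAN tried to bypass your resolvers.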