Hello
An update on this issue: Going through (long) Asus support channel, they first agreed that this was intentional to make router.asus.com work but did take my request to make that optional. They have issued me a test firmware which so far seems to be working perfectly with no-rewriting rules. Hoping that it doesn't bring any side effects and they eventually put it in their public release after testing. Thanks. On Mon, Nov 2, 2020 at 10:09 PM Anurag Bhatia <m...@anuragbhatia.com> wrote: > Hi Alarig > > > I tried that but somehow DNS traffic still does not work. I tried adding > rules in prerouting as well and still no impact. > > > anurag@RT-AC58U:/tmp/home/root# iptables -t nat -L PREROUTING -v -n > Chain PREROUTING (policy ACCEPT 25 packets, 3147 bytes) > pkts bytes target prot opt in out source > destination > 672 46143 ACCEPT udp -- * * 0.0.0.0/0 > 0.0.0.0/0 udp dpt:53 > 0 0 ACCEPT tcp -- * * 0.0.0.0/0 > 0.0.0.0/0 tcp dpt:53 > anurag@RT-AC58U:/tmp/home/root# iptables -t nat -L -v -n > Chain PREROUTING (policy ACCEPT 63 packets, 10481 bytes) > pkts bytes target prot opt in out source > destination > 993 68310 ACCEPT udp -- * * 0.0.0.0/0 > 0.0.0.0/0 udp dpt:53 > 0 0 ACCEPT tcp -- * * 0.0.0.0/0 > 0.0.0.0/0 tcp dpt:53 > > Chain INPUT (policy ACCEPT 46 packets, 8909 bytes) > pkts bytes target prot opt in out source > destination > > Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) > pkts bytes target prot opt in out source > destination > > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) > pkts bytes target prot opt in out source > destination > 0 0 ACCEPT tcp -- * * 0.0.0.0/0 > 0.0.0.0/0 tcp dpt:53 > 0 0 ACCEPT udp -- * * 0.0.0.0/0 > 0.0.0.0/0 udp dpt:53 > anurag@RT-AC58U:/tmp/home/root# > > > > > > From my client behind Asus Wifi AP: > > dig @1.1.1.1 whoami.akamai.net > > ; <<>> DiG 9.10.6 <<>> @1.1.1.1 whoami.akamai.net > ; (1 server found) > ;; global options: +cmd > ;; connection timed out; no servers could be reached > > > > Whether or not I have these rules, I see no traffic on port 53 when doing > tcpdump on the core router (in the North of Asus wifi AP). So clearly > firewall rules are not working. > Please suggest if you see something wrong here. > > > Also, in meantime, I heard from Asus and their support mentioned that this > re-writing is intentional and is done so that end users can access device > on router.asus.com hostname. I requested them to make this feature > optional so that at least folks like us can disable it. Let's see how that > goes. > > > > Thanks. > > > On Thu, Oct 29, 2020 at 3:13 PM Alarig Le Lay <ala...@swordarmor.fr> > wrote: > >> On Thu 29 Oct 2020 02:10:25 GMT, Anurag Bhatia wrote: >> > I tried deleting the rule and it drops the traffic completely. So DNS >> > resolution stops working and I am unsure why. It's not like default >> drop or >> > anything. I can edit the rule and whatever active port 53 related rule >> is >> > there works. But I want case of no such rule at all. :-) >> >> Did you try to add >> -t nat -A POSTROUTING -p tcp -m tcp --dport 53 -j ACCEPT >> -t nat -A POSTROUTING -p udp -m udp --dport 53 -j ACCEPT >> >> after the deletion? >> >> -- >> Alarig >> > > > -- > Anurag Bhatia > anuragbhatia.com > -- Anurag Bhatia anuragbhatia.com
