
Unable to manually set global DNS address

I recently redid my configuration to accommodate zone-based firewalling; however, I am now unable to have my router provide DNS to the subnets via the assigned name-server.

 

I can ping www.google.com from the console, which I believe counts as the LOCAL zone in zone-based firewalling.

 

I can set the DNS server via DHCP, which works, so I know that my firewall allows DNS from LAN to LOCAL and on to WAN.

 

However, when I point the DHCP dns-server at the default gateway of each subnet, clients cannot resolve names.

 

Portions of the config I think are applicable, in order of appearance:

 

 Portion telling the router not to use the ISP-provided DNS:

 interfaces {
     ethernet eth0 {
         address dhcp
         description WAN
         dhcp-options {
             default-route update
             default-route-distance 210
             name-server no-update
         }

 

Example of a DHCP server scope pointing at the default gateway (DG):

shared-network-name Wired {
             authoritative disable
             subnet 10.80.23.0/24 {
                 default-router 10.80.23.1
                 dns-server 10.80.23.1
                 lease 86400
                 start 10.80.23.11 {
                     stop 10.80.23.250

DNS forwarding info:

     dns {
         forwarding {
             cache-size 150
             listen-on eth1.1
             listen-on eth1.2
             listen-on eth2.1
             name-server 8.8.8.8
             system
         }

Note: I added the dns forwarding name-server 8.8.8.8 as part of my testing; it did not help. (The listen-on entries above name eth1.1, eth1.2 and eth2.1, while the VLAN interfaces defined under interfaces are vif 10 and 11 on eth1 and vif 20 and 21 on eth2, i.e. eth1.10, eth1.11, eth2.20 and eth2.21 — so the forwarder may not be listening on the subnet gateway addresses at all.)

 

Defining the system name-server, which I hoped would be the single place to define DNS:

 system {
     host-name XXXX
     login {
         user XXXX {
             authentication {
                 encrypted-password XXXX
             }
             level admin
         }
     }
     name-server 8.8.8.8

Full config:

firewall {
     all-ping enable
     broadcast-ping disable
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name ALLOW-ALL {
         default-action accept
         rule 1 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
         rule 2 {
             action drop
             log enable
             state {
                 invalid enable
             }
         }
     }
     name ALLOW-GUEST {
         default-action drop
         enable-default-log
         rule 1 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
         rule 2 {
             action drop
             log enable
             state {
                 invalid enable

             }
         }
         rule 100 {
             action accept
             description "Allow HTTP/HTTPS"
             destination {
                 port 80,443
             }
             protocol tcp
         }
         rule 600 {
             action accept
             description "Allow DNS"
             destination {
                 port 53
             }
             protocol tcp_udp
         }
         rule 700 {
             action accept
             description "Allow DHCP"
             destination {
                 port 67,68
             }
             protocol udp
         }
     }
     name ALLOW-VPN {
         default-action drop
         enable-default-log
         rule 1 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
         rule 2 {
             action drop

             log enable
             state {
                 invalid enable
             }
         }
         rule 100 {
             action accept
             description "Allow VPN Connection"
             destination {
                 port 443
             }
             protocol tcp
         }
     }
     name ALLOW-EST-DROP-INV {
         default-action drop
         enable-default-log
         rule 1 {
             action accept
             state {
                 established enable
                 related enable
             }
         }
         rule 2 {
             action drop
             log enable
             state {
                 invalid enable
             }
         }
     }
     name LAN-LOCAL {
         default-action drop
         enable-default-log
         rule 1 {
             action accept
             state {
                 established enable

                 related enable
             }
         }
         rule 2 {
             action drop
             log enable
             state {
                 invalid enable
             }
         }
         rule 100 {
             action accept
             protocol icmp
         }
         rule 200 {
             action accept
             description "Allow HTTP/HTTPS"
             destination {
                 port 80,443
             }
             protocol tcp
         }
         rule 600 {
             action accept
             description "Allow DNS"
             destination {
                 port 53
             }
             protocol tcp_udp
         }
         rule 700 {
             action accept
             description "Allow DHCP"
             destination {
                 port 67,68
             }
             protocol udp
         }
         rule 800 {

             action accept
             description "Allow SSH"
             destination {
                 port 22
             }
             protocol tcp
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address dhcp
         description WAN
         dhcp-options {
             default-route update
             default-route-distance 210
             name-server no-update
         }
         duplex auto
         speed auto
     }
     ethernet eth1 {
         description "Wired and guest networks"
         duplex auto
         speed auto
         vif 10 {
             address 10.80.23.1/24
             description "Wired VLAN"
         }
         vif 11 {
             address 172.16.0.1/24
             description "Guest VLAN"
         }
     }
     ethernet eth2 {
         description "Wireless and camera networks"
         duplex auto
         speed auto
         vif 20 {
             address 10.80.211.1/24
             description "Wireless VLAN"
         }
         vif 21 {
             address 10.30.6.1/24
             description "Security Cameras"
         }
     }
     loopback lo {
     }
 }
 service {
     dhcp-server {
         disabled false
         hostfile-update disable
         shared-network-name Guest {
             authoritative disable
             subnet 172.16.0.0/24 {
                 default-router 172.16.0.1
                 dns-server 172.16.0.1
                 lease 86400
                 start 172.16.0.11 {
                     stop 172.16.0.250
                 }
             }
         }
         shared-network-name Wired {
             authoritative disable
             subnet 10.80.23.0/24 {
                 default-router 10.80.23.1
                 dns-server 10.80.23.1
                 lease 86400
                 start 10.80.23.11 {
                     stop 10.80.23.250
                 }
             }
         }
         shared-network-name Wireless {
             authoritative disable
             subnet 10.80.211.0/24 {
                 default-router 10.80.211.1
                 dns-server 10.80.211.1
                 lease 86400
                 start 10.80.211.11 {
                     stop 10.80.211.250
                 }
             }
         }
         use-dnsmasq disable
     }
     dns {
         forwarding {
             cache-size 150
             listen-on eth1.1
             listen-on eth1.2
             listen-on eth2.1
             name-server 8.8.8.8
             system
         }
     }
     gui {
         http-port 80
         https-port 8443
         older-ciphers enable
     }
     nat {
         rule 5010 {
             description "Masquerade for WAN"
             outbound-interface eth0
             type masquerade
         }

     }
     ssh {
         port 22
         protocol-version v2
     }
 }
 system {
     host-name XXXX
     login {
         user XXXX {
             authentication {
                 encrypted-password XXXX
             }
             level admin
         }
     }
     name-server 8.8.8.8
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
}

Thanks!

 

 

 

