Control-D-Inc / ctrld

A highly configurable, multi-protocol DNS forwarding proxy
MIT License

Asus Merlin network upstreams #46

Closed mebezac closed 1 year ago

mebezac commented 1 year ago

I've installed ctrld using the script sh -c 'sh -c "$(curl -sL https://api.controld.com/dl)" -s MYCONFIGID forced' on an Asus XT8 running merlin. It works just fine, but I'm trying to figure out how to do the following:

# AUTO-GENERATED VIA CD FLAG - DO NOT MODIFY

[listener]
  [listener.0]
    ip = '127.0.0.1'
    port = 53

    [listener.0.policy]
      name = 'My Policy'
      networks = [
        {'network.0' = ['upstream.0']},
        {'network.1' = ['upstream.1']}
      ]

[network]
  [network.0]
    name = 'DHCP'
    cidrs = ['10.25.30.128/25']

  [network.1]
    cidrs = ['10.25.30.0/25']
    name = 'Blocks'

[upstream]
  [upstream.0]
    type = 'doh'
    name = 'Control D Default'
    endpoint = 'https://dns.controld.com/CONFIG1'
    timeout = 5000

  [upstream.1]
    type = 'doh'
    name = 'Control D Blocks'
    endpoint = 'https://dns.controld.com/CONFIG2'
    timeout = 5000

[service]
  log_level = 'debug'
  log_path = '/jffs/ctrld_log.txt'

However, all the requests in the logs say there's no policy, no network, no rule:

{"level":"debug","time":"2023-05-27T14:40:54-04:00","time":"2023-05-27T14:40:54-04:00","message":"[aa9fc6] 127.0.0.1:39930 -> listener.0: 127.0.0.1:53: received query: A calendar.google.com"}
{"level":"info","time":"2023-05-27T14:40:54-04:00","time":"2023-05-27T14:40:54-04:00","message":"[aa9fc6] no policy, no network, no rule -> [upstream.0]"}
{"level":"debug","time":"2023-05-27T14:40:54-04:00","time":"2023-05-27T14:40:54-04:00","message":"[aa9fc6] sending query to upstream.0: Control D Default"}

Is there a way to achieve what I'm after without having to add each device manually? Thanks!

yegors commented 1 year ago

Hi,

This is a known limitation (right now) when running on a router. As dnsmasq is still in use, ctrld doesn't see the true source IP addresses when traffic comes from multiple subnets. A manual solution is to stop + disable dnsmasq and have ctrld be the direct DNS listener on 127.0.0.1:53. This will allow it to see source IPs directly.

However we're investigating how we can streamline this better.

mebezac commented 1 year ago

Thanks for the response! Just wanted to make sure I wasn't missing anything 👍

Looks like you can make dnsmasq forward along source ip with add-subnet=32 and then that's available in EDNS(0) https://discourse.pi-hole.net/t/forwarding-dns-request-with-source-ip/51898/2. Is that what you're thinking of using?

agneevX commented 1 year ago

This is a known limitation (right now) when running on a router.

This is the same for me. Neither am I running on a router nor do I use dnsmasq.

[service]
    log_level = "debug"
    log_path = " "
    cache_enable = true

[listener.0]
    port = 53

[network.0]
    cidrs = ["0.0.0.0/0"]

[upstream.0]
    endpoint = "8.8.8.8"
    name = "GDNS"
    timeout = 3000
    type = "doh3"

cuonglm commented 1 year ago

This is a known limitation (right now) when running on a router.

This is the same for me. Neither am I running on a router nor do I use dnsmasq.

[service]
    log_level = "debug"
    log_path = " "
    cache_enable = true

[listener.0]
    port = 53

[network.0]
    cidrs = ["0.0.0.0/0"]

[upstream.0]
    endpoint = "8.8.8.8"
    name = "GDNS"
    timeout = 3000
    type = "doh3"

Could you elaborate? I don't see your config has anything to do with the policy.

yegors commented 1 year ago

Indeed, the above config has no policy for it to match, so everything will be forwarded to upstream.0. Also, the log_path is set to a blank space. Finally, 8.8.8.8 is not a DOH3 endpoint.

agneevX commented 1 year ago

Yes, I see the limitation here. 8.8.8.8 does support DoH3 though.

I was able to sort this out.

yegors commented 1 year ago

8.8.8.8 is a UDP/TCP legacy DNS IP. You're looking for: https://developers.google.com/speed/public-dns/docs/doh

agneevX commented 1 year ago

Ehh not really. https://8.8.8.8/dns-query or h3://8.8.8.8/dns-query work well without the need for domain lookups.

cuonglm commented 1 year ago

This should be fixed with v1.2.1 release.

mebezac commented 1 year ago

It's still not working for me, just installed 1.2.1 and it's not spoofing the IP address, the logs still show all requests coming from 127.0.0.1:XXXXX, not from the actual client IP. And because of that, it's never sure which upstream to route to.

cuonglm commented 1 year ago

It's still not working for me, just installed 1.2.1 and it's not spoofing the IP address, the logs still show all requests coming from 127.0.0.1:XXXXX, not from the actual client IP. And because of that, it's never sure which upstream to route to.

Did you use controld.com upstream?

mebezac commented 1 year ago

It's still not working for me, just installed 1.2.1 and it's not spoofing the IP address, the logs still show all requests coming from 127.0.0.1:XXXXX, not from the actual client IP. And because of that, it's never sure which upstream to route to.

Did you use controld.com upstream?

Yes, I'm using the config I pasted when I opened this issue:

# AUTO-GENERATED VIA CD FLAG - DO NOT MODIFY

[listener]
  [listener.0]
    ip = '127.0.0.1'
    port = 53

    [listener.0.policy]
      name = 'My Policy'
      networks = [
        {'network.0' = ['upstream.0']},
        {'network.1' = ['upstream.1']}
      ]

[network]
  [network.0]
    name = 'DHCP'
    cidrs = ['10.25.30.128/25']

  [network.1]
    cidrs = ['10.25.30.0/25']
    name = 'Blocks'

[upstream]
  [upstream.0]
    type = 'doh'
    name = 'Control D Default'
    endpoint = 'https://dns.controld.com/CONFIG1'
    timeout = 5000

  [upstream.1]
    type = 'doh'
    name = 'Control D Blocks'
    endpoint = 'https://dns.controld.com/CONFIG2'
    timeout = 5000

[service]
  log_level = 'debug'
  log_path = '/jffs/ctrld_log.txt'

Also, my log is full of these messages:

no policy, no network, no rule -> [upstream.0]"}

so it doesn't look like it knows the requests are coming from a certain IP address.

cuonglm commented 1 year ago

@mebezac How did you restart ctrld after editing configuration?

If you want to use that new config, you must do:

ctrld setup auto --config=/jffs/controld/ctrld.toml

If you do:

ctrld setup auto --cd=<uid>

Then the configuration file will always be overwritten. Also, do you use custom dnsmasq lease file?

mebezac commented 1 year ago

@mebezac How did you restart ctrld after editing configuration?

If you want to use that new config, you must do:

ctrld setup auto --config=/jffs/controld/ctrld.toml

If you do:

ctrld setup auto --cd=<uid>

Then the configuration file will always be overwritten.

Yeah, I made that mistake at first 😅 , but even after restarting correctly it's still not working correctly. I'm sure it's using the new config since the debug log is present and being updated (which is not part of the overwritten config)

cuonglm commented 1 year ago

@mebezac Do you use custom dnsmasq lease file?

Could you please send me the full log to cuong@controld.com, thank you.

mebezac commented 1 year ago

@mebezac Do you use custom dnsmasq lease file?

Could you please send me the full log to cuong@controld.com, thank you.

Just emailed it

cuonglm commented 1 year ago

@mebezac Do you use custom dnsmasq lease file? Could you please send me the full log to cuong@controld.com, thank you.

Just emailed it

Sorry for not being clear, what I mean:

  • What's the path of your dnsmasq lease file on Merlin router?
  • Could you please send me the full log of ctrld after you run with new configuration.

Thank you.

mebezac commented 1 year ago

Sorry for not being clear, what I mean:

  • What's the path of your dnsmasq lease file on Merlin router?
  • Could you please send me the full log of ctrld after you run with new configuration.

Thank you.

The path is /var/lib/misc/dnsmasq.leases and I realized you asked for the log after the first email and sent it in a 2nd one 🤦

mebezac commented 1 year ago

Oh man, sorry @cuonglm I've been dumb! I was just poking around in my custom configs on that router. My dnsmasq.conf.add had add-subnet=32 from when I was playing around to see if I could get the local IP address into controld. I removed that and everything works perfectly now!

Thanks for looking into this one, even though it ended up just my own mistake 😅

cuonglm commented 1 year ago

@mebezac Thanks for figuring it out :pray: