I'm using a Unifi UDM Pro as a gateway for 2 VLANs:

- Main LAN (interface: `br0`, subnet: 192.168.1.1/24)
- IoT Devices VLAN (interface: `br3`, subnet: 192.168.3.1/24)

Each has its own local DNS (Adguard Home) server (192.168.1.52 and 192.168.3.52 respectively). For each subnet, I want to prevent clients from bypassing the local DNS server assigned via DHCP. In order to do this, I SSH into the UDM Pro and execute these commands:
```
iptables -t nat -A PREROUTING -i br0 ! -s 192.168.1.52 ! -d 192.168.1.52 -p tcp --dport 53 -j DNAT --to 192.168.1.52
iptables -t nat -A PREROUTING -i br0 ! -s 192.168.1.52 ! -d 192.168.1.52 -p udp --dport 53 -j DNAT --to 192.168.1.52
iptables -t nat -A PREROUTING -i br3 ! -s 192.168.3.52 ! -d 192.168.3.52 -p tcp --dport 53 -j DNAT --to 192.168.3.52
iptables -t nat -A PREROUTING -i br3 ! -s 192.168.3.52 ! -d 192.168.3.52 -p udp --dport 53 -j DNAT --to 192.168.3.52
iptables -t nat -A POSTROUTING -p tcp --dport 53 -j MASQUERADE
iptables -t nat -A POSTROUTING -p udp --dport 53 -j MASQUERADE
```
I test these using two main methods: `dig` and via WLAN devices (e.g. iPad).

Using the `dig` method, I test first a direct DNS query and then one to a Google DNS server. I run both commands on the physical host for my DNS server (which is a member of every VLAN via the Debian `vlan` package):

```
dig linux.org '@192.168.3.52' -b '192.168.3.52'
dig linux.org '@8.8.8.8' -b '192.168.3.52'
```

The first command above works fine. The second one times out. I expect the second one to still work, except to be routed through 192.168.3.52.

If I run the same `dig` commands above but on the main LAN, both work fine and I can see both queries on my local DNS server.
I'm not sure why VLAN 3 doesn't work in the redirect case, but my main LAN does. Can someone help me understand why this isn't working and show me a working solution?
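As an added example (not part of the question or of any answer to it), the following POSIX shell script expresses the question's per-VLAN redirect rules as data, models the rule's match conditions so they can be checked offline without iptables, and installs them idempotently on the gateway. The function names and the `iptables -C` check-before-append helper are my own; the interface names and addresses are the ones in the question. One thing the model makes visible is that the `! -s SERVER` clause excludes any packet whose source is the resolver's own address, which is exactly what `dig -b 192.168.3.52` sends, so that test traffic never matches the DNAT rule.

```shell
#!/bin/sh
# Added example, not from the original question. Models the DNS-redirect rules
# from the question: one pair of DNAT rules per VLAN (tcp and udp to port 53),
# excluding traffic from or to the local resolver itself.

# dns_rules IFACE SERVER
# Prints the two PREROUTING DNAT commands for one VLAN, in the form used in
# the question. "! -s SERVER" keeps the resolver's own upstream lookups out of
# the redirect; "! -d SERVER" leaves queries already aimed at it untouched.
dns_rules() {
    iface=$1; server=$2
    for proto in tcp udp; do
        printf 'iptables -t nat -A PREROUTING -i %s ! -s %s ! -d %s -p %s --dport 53 -j DNAT --to %s\n' \
            "$iface" "$server" "$server" "$proto" "$server"
    done
}

# redirected IFACE SERVER IN_IFACE SRC DST PROTO DPORT
# Returns 0 when the rule printed by dns_rules for IFACE/SERVER would match a
# packet arriving on IN_IFACE from SRC to DST:DPORT over PROTO, else 1.
# Each condition mirrors one match of the rule.
redirected() {
    iface=$1; server=$2; in_iface=$3; src=$4; dst=$5; proto=$6; dport=$7
    [ "$in_iface" = "$iface" ] || return 1              # -i IFACE
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac   # -p tcp / -p udp
    [ "$dport" = 53 ] || return 1                      # --dport 53
    [ "$src" != "$server" ] || return 1                # ! -s SERVER
    [ "$dst" != "$server" ] || return 1                # ! -d SERVER
    return 0
}

# apply_rules: install the rules for both VLANs idempotently, checking each
# with "iptables -C" before appending. Does nothing where iptables is absent
# (e.g. when run off the gateway). Needs root on the UDM Pro.
apply_rules() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found, nothing applied" >&2; return 0; }
    { dns_rules br0 192.168.1.52; dns_rules br3 192.168.3.52; } |
    while IFS= read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
        $check 2>/dev/null || $cmd
    done
}

# Print the generated rules for both VLANs (nothing is applied here).
dns_rules br0 192.168.1.52
dns_rules br3 192.168.3.52
```

Call `apply_rules` on the gateway to install the rules; the POSTROUTING MASQUERADE rules from the question are not generated by this script and would be added as in the question. `redirected br3 192.168.3.52 br3 192.168.3.52 8.8.8.8 udp 53` returns 1, which is the `dig -b 192.168.3.52` case, while the same query from any other VLAN 3 client (for example 192.168.3.10) returns 0.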