How to use ipset with knot or remove it

Hi, I want to redirect all packets with a specific URL destination to the VPN interface.
For that I plan to use ipset. I tried to configure /etc/config/dhcp but I discovered that Turris doesn't use dnsmasq.

So my question is: how do I use ipset with knot, or disable it properly and replace it with dnsmasq?

So… I assume the plan is that specific sub-trees of DNS should get forwarded to the ipset-dns daemon – which will be pointed to your VPN’s DNS server (and additionally modify the firewall dynamically).

Here’s how to add custom config for Knot Resolver on Turris: https://wiki.turris.cz/doc/en/public/dns_knot_misc#adding_custom_configuration
and there you want something like:

vpnTrees = {'first.example.net', 'example.org'}
policy.add(policy.suffix(policy.STUB({'address@portNum'}), policy.todnames(vpnTrees)))

(details: upstream documentation)

If I guessed your intention etc. right, I expect this should be enough, given that you also follow the parts that didn’t concern dnsmasq.

OK, so just to be clear on the packet flow:

my computer dns request -> kresd (port 53) -> ipset-dns(port 1919) ->tor dns (port 9053):wink:
---------------------------------------------------------------^ ipset v
my computer tcp request -> match ipset firewall mangle mark (0x33) ->routing rule -> vpn

So the config files should be:
FOR THE DNS FLOW

/etc/config/resolver at section config resolver 'kresd'

config resolver 'kresd'
     ...
     option include_config '/etc/kresd/custom.conf'
     ...

/etc/kresd/custom.conf, where ipset_address should be 127.0.0.1 and ipset_portNum the port I should specify when running ipset-dns

...
FRTVService = {'france.tv', 'ftv.akamaihd.tld'}
policy.add(policy.suffix(policy.STUB({'ipset_address@ipset_portNum'}), policy.todnames(FRTVService)))
...

I should run ipset-dns for each redirection, where my_ipv4_set and my_ipv6_set are the ipset names for my firewall match rules (frfbx4, frfbx6),
ipset-dns_portNum is the port specified in kresd/custom.conf, and
dns_forward_ip is in my case 127.0.0.1:9053 (tor dns port)

$ ipset-dns my_ipv4_set my_ipv6_set ipset-dns_portNum dns_forward_ip

in my case

$ ipset-dns frfbx4 frfbx6 1919 127.0.0.1:9053

FOR THE TCP FLOW

  • Firewalling

/etc/firewall.users

# the sets are hash:ip (one dimension), so a single dst flag matches the destination address
iptables -t mangle -A PREROUTING -i br-myi_lan -m set --match-set frfbx4 dst -j MARK --set-mark 0x33
ip6tables -t mangle -A PREROUTING -i br-myi_lan -m set --match-set frfbx6 dst -j MARK --set-mark 0x33

/etc/config/firewall

config ipset
    option enabled '1'
    option name 'frfbx4'
    option match 'ip'
    option storage 'hash'
    option family 'inet'

config ipset
    option enabled '1'
    option name 'frfbx6'
    option match 'ip'
    option storage 'hash'
    option family 'inet6'

  • Routing rules and tables

/etc/iproute2/rt_tables: add a table, in my case:

...
200 vpn_wan
...

/etc/openvpn/tun.up: a script run on VPN startup

/sbin/ip rule add fwmark 0x33 lookup vpn_wan
/sbin/ip route add default dev tunf table vpn_wan
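
A check for the fwmark-based setup in the post above, as an added example that is not part of the original thread: it confirms that the `0x33` rule exists, that each address a name resolves to is in `frfbx4`, and that marked traffic to it leaves via `tunf`. The helper names, the `--live` switch and the use of `dig` against 127.0.0.1 are assumptions; only IPv4 is covered.

```shell
#!/bin/sh
# Added example. Values taken from the post: mark 0x33, table vpn_wan,
# device tunf, set frfbx4. Helper names and the use of dig are assumptions.

# has_fwmark_rule RULES MARK TABLE: does "ip rule show" text send MARK to TABLE?
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq "fwmark $2(/0x[0-9a-f]+)? lookup $3( |\$)"
}

# set_has_member LISTING IP: is IP listed under "Members:" in "ipset list" text?
set_has_member() {
    printf '%s\n' "$1" |
        awk -v ip="$2" 'm && $1 == ip { f = 1 } /^Members:/ { m = 1 } END { exit !f }'
}

# route_dev TEXT: egress device named in "ip route get" output
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# audit NAME: run on the router as root. Resolves NAME through the local
# resolver, then checks every A record against the set and the routing decision.
audit() {
    mark=${MARK:-0x33}; table=${TABLE:-vpn_wan}; dev=${VPN_DEV:-tunf}; set4=${SET4:-frfbx4}
    has_fwmark_rule "$(ip rule show)" "$mark" "$table" ||
        { echo "FAIL: no ip rule for fwmark $mark -> $table"; return 1; }
    ips=$(dig +short A "$1" @127.0.0.1 | grep -E '^[0-9.]+$')
    listing=$(ipset list "$set4") || return 1
    rc=0
    for ip in $ips; do
        set_has_member "$listing" "$ip" || { echo "FAIL: $ip not in $set4"; rc=1; }
        out=$(route_dev "$(ip route get "$ip" mark "$mark")")
        [ "$out" = "$dev" ] ||
            { echo "FAIL: marked traffic to $ip leaves via ${out:-?}, not $dev"; rc=1; }
    done
    [ -n "$ips" ] || { echo "FAIL: $1 did not resolve"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then audit "$2"; fi
```

Run it with `--live <name>` on the router; a device other than `tunf` in the last check means marked traffic to that address is taking the normal WAN route.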

The kresd parts sound OK; I don’t have much knowledge about the other parts, and I’ve never done an ipset setup or similar.

OK thanks for your part :wink:

And :point_right: someone else, because I can't get it working with tor DNS :confused:
I discovered that my problem is redirecting from ipset-dns to tor; I tried with

ipset-dns frfbx4 frfbx6 1919 8.8.8.8

and it seems to work.

vcunat,

when I use dnsmasq I can specify something like ".fr" and ipset-dns is "notified" for every "*.fr" subdomain.

It doesn't seem to work like that in knot-resolver.
Is it possible to specify something like a regex or "*.fr", so as not to list every subdomain of a domain or part of a domain? (I didn't see it in the documentation :wink: )

Why do you think so? The example I wrote redirects whole subtrees, like what you write about *.fr. The docs also show policy.pattern, policy.custom_filter, etc.

OK, my problem was about mwan3. I rethought the whole process and finally succeeded.
The routing is based on ipset rules.

So the config is finally:
FOR THE DNS FLOW

  • Routing rules

/etc/openvpn/tun.up

...
# Script run on VPN startup: if it does not exist yet,
# create an ipset-dns daemon on localhost on IPSET-LISTENING_PORT,
# which sends the request to VPN_DEFAULT_GATEWAY
# and adds the answered IPs to IPSET_LIST_IPv4 or IPSET_LIST_IPv6
if [ $(/bin/ps auxf | grep ipset-dns\ fbxfr | wc -l) -gt 1 ] ; then
       echo "[EXIST] ipset-dns fbxfr"
else
       echo "[CREAT] ipset-dns fbxfr"
       /usr/sbin/ipset-dns IPSET_LIST_IPv4 IPSET_LIST_IPv6 IPSET-LISTENING_PORT VPN_DEFAULT_GATEWAY
fi
...

/etc/config/resolver at section config resolver 'kresd'

config resolver 'kresd'
     ...
     option include_config '/etc/kresd/custom.conf'
     ...

/etc/kresd/custom.conf where IPSET-DNS_ADDR should be 127.0.0.1 and IPSET-DNS_PORT the port specified in /etc/openvpn/tun.up

...
FRTVService = {'france.tv', 'ftv.akamaihd.tld', ...}
policy.add(policy.suffix(policy.STUB({'IPSET-DNS_ADDR@IPSET-DNS_PORT'}), policy.todnames(FRTVService)))
...

FOR THE TCP FLOW

  • Firewalling
    /etc/config/firewall
# create the 2 ip-set, ipv4 and ipv6
config ipset
    option enabled '1'
    option name 'frfbx4'
    option match 'ip'
    option storage 'hash'
    option family 'inet'

config ipset
    option enabled '1'
    option name 'frfbx6'
    option match 'ip'
    option storage 'hash'
    option family 'inet6'

  • Mwan3
    /etc/config/mwan3
# create the 2 mwan3 ip redirecting rules based on ip-set
config rule 'frmark_rule'
        option proto 'all'
        option sticky '0'
        option ipset 'frfbx4'
        option use_policy 'vpn_fbx_policy'

config rule 'frmark_rule6'
        option proto 'all'
        option sticky '0'
        option ipset 'frfbx6'
        option use_policy 'vpn_fbx6_policy'

/etc/firewall.users

# Additionally add IPs to the ipset list based on geoip, except for the combo VPN_ip:port
# Note: iptables accepts --destination-port only together with -p tcp or -p udp.
iptables -t mangle -I PREROUTING -i br-myi_lan ! -d <VPN_IPV4> --destination-port <VPN_PORT> -m geoip --dst-cc FR -j SET --add-set frfbx4 dst
ip6tables -t mangle -I PREROUTING -i br-myi_lan ! -d <VPN_IPV6> --destination-port <VPN_PORT> -m geoip --dst-cc FR -j SET --add-set frfbx6 dst

Sometimes the configuration just doesn't work, but I have to investigate.
I'll come back with more information.