SSH into Balance Two Router

I need to SSH into my Balance Two router so that I can force all devices on my network, or on a particular LAN, to use a specific DNS by running iptables.

Please note I do not want to use the WEB CLI. I am asking about locally accessing the router

My doubts / help:

  1. I am not sure what to configure to SSH into my router and how to do it.
  2. I am not sure how to configure iptables.

If I can get these two things clarified with guidance that would be much appreciated.

If anyone knows, please let me know if I can issue AT commands to the modems. The only thing I’m not fond of: when I need extreme tweaking, I have to pull the modems out.

So I managed to SSH into my router.
But I am unable to run iptables command as illustrated here
Spaces / Blank characters are not being accepted.
@MartinLangmaid I was referred to you by a Peplink employee as they said you could assist here

https://scotthelme.co.uk/catching-and-dealing-with-naughty-devices-on-my-home-network-v2/

I want to force all DNS connections and that’s why I need to use iptables.

Morning!
You don’t need the CLI for this.
Navigate to Network > Service Forwarding.
Turn on DNS forwarding and then add a custom rule for DNS over UDP underneath setting the server IP to your pi hole or to the LAN of the Peplink if you don’t have pihole…

Then all standard DNS queries will be forced via the Peplink (which acts as a DNS proxy) and then you can decide where you forward them from there.


That’s because it’s not going to give you the ability to do what you want; the CLI on the Peplinks is pretty limited to some basic debug commands and some show commands to give you a bit of system info and PepVPN info.

It makes no difference if you access it via SSH or the WebCLI function of IC2, it’s the same interface you are dropped into.

Nothing in that article you linked has anything to do with configuring a Peplink… all it’s doing, however, is configuring the router to intercept DNS traffic and send it to a specific server.

Peplink has a feature for this.

Under Network > Service Forwarding look at the DNS forwarding option.

This will effectively have the Peplink intercept all outgoing DNS from clients that are using standard UDP/TCP 53 for DNS and send the queries to the internal DNS proxy and you can then decide where to forward them onto.

If you want to be sure that things are not using other DNS servers then I’d suggest you put a firewall rule in to drop traffic going outbound to TCP/UDP 53 and enable logging so you can see if anything hits it.

Some devices these days will also start to try DoT / DoH. The former you could probably drop using just the well-known destination port (TCP 853); however, blocking DoH is quite a lot harder for obvious reasons - you could drop traffic towards well-known public DoH server IPs, I suppose, and hope that is enough.
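The interception described above is, on a plain Linux router, two iptables pieces: a DNAT in PREROUTING that rewrites 53/udp and 53/tcp to the resolver, and a source rewrite so the resolver's replies come back through the router rather than straight to the client. The following is an added example for a generic Linux router, not code from the thread or from Peplink (the Peplink CLI cannot run it, as noted above); the interface name eth1, the subnet 10.0.1.0/24, the resolver 10.0.1.5 and the chain names DNS_REDIRECT / DNS_ENFORCE are assumed values. The functions print the rules rather than applying them, so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from this thread or from Peplink: the iptables equivalent
# of "Service Forwarding > DNS forwarding" on a Linux router, written as
# functions that print the rules so they can be reviewed before being applied.
# Assumed (hypothetical) values: LAN interface eth1, LAN subnet 10.0.1.0/24,
# resolver 10.0.1.5; override them via environment variables.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.1.0/24}"
RESOLVER="${RESOLVER:-10.0.1.5}"

# NAT table: rewrite every client query on 53/udp and 53/tcp to the resolver.
nat_rules() {
    printf 'iptables -t nat -N DNS_REDIRECT\n'
    # The resolver's own upstream queries must not be redirected back to it.
    printf 'iptables -t nat -A DNS_REDIRECT -s %s -j RETURN\n' "$RESOLVER"
    for proto in udp tcp; do
        printf 'iptables -t nat -A DNS_REDIRECT -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
            "$proto" "$RESOLVER"
    done
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -j DNS_REDIRECT\n' "$LAN_IF" "$LAN_NET"
    # Hairpin case: client and resolver share the LAN. Without source NAT the
    # resolver would answer the client directly from 10.0.1.5, and the client,
    # which asked 8.8.8.8, would discard the reply. Masquerading only DNATed
    # flows (--ctstate DNAT) means bypass attempts show up in the resolver's
    # log with the router's address, while clients that use the resolver
    # voluntarily keep their real source IP.
    printf 'iptables -t nat -A POSTROUTING -o %s -d %s -m conntrack --ctstate DNAT -j MASQUERADE\n' \
        "$LAN_IF" "$RESOLVER"
}

# Filter table: log and drop what the redirect cannot catch. Plain DNS from the
# LAN only reaches this chain on port 53 if something slipped past the DNAT
# above, so a quiet log here is the expected result, not a broken rule.
filter_rules() {
    printf 'iptables -N DNS_ENFORCE\n'
    printf 'iptables -A DNS_ENFORCE -s %s -j RETURN\n' "$RESOLVER"
    printf 'iptables -A DNS_ENFORCE -d %s -j RETURN\n' "$RESOLVER"
    for proto in udp tcp; do
        printf 'iptables -A DNS_ENFORCE -p %s --dport 53 -m limit --limit 6/min -j LOG --log-prefix "DNS-BYPASS: "\n' "$proto"
        printf 'iptables -A DNS_ENFORCE -p %s --dport 53 -j DROP\n' "$proto"
    done
    # DoT (853/tcp) is identifiable by port. REJECT with a TCP reset rather
    # than DROP so clients fail fast and fall back instead of hanging.
    printf 'iptables -A DNS_ENFORCE -p tcp --dport 853 -m limit --limit 6/min -j LOG --log-prefix "DOT-BLOCK: "\n'
    printf 'iptables -A DNS_ENFORCE -p tcp --dport 853 -j REJECT --reject-with tcp-reset\n'
    # DoH on 443 cannot be told apart by port; this only catches server IPs
    # you list in DOH_SERVERS (space separated), which is all port filtering can do.
    for doh_ip in ${DOH_SERVERS:-}; do
        printf 'iptables -A DNS_ENFORCE -d %s -p tcp --dport 443 -j REJECT --reject-with tcp-reset\n' "$doh_ip"
    done
    printf 'iptables -A FORWARD -i %s -s %s -j DNS_ENFORCE\n' "$LAN_IF" "$LAN_NET"
}

all_rules() { nat_rules; filter_rules; }

# "sh dns-enforce.sh" prints the rules; "sh dns-enforce.sh apply" runs them.
case "${1:-show}" in
    apply) all_rules | sh -e ;;
    *)     all_rules ;;
esac
```

Because the NAT redirect runs before the filter table sees the packet, the DNS-BYPASS log entries only appear for queries the redirect did not rewrite; the hits you will actually see are on 853 and on any listed DoH addresses.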

@MartinLangmaid
So I did that and I did a test by manually changing the DNS on my iPhone to Google’s DNS.
The internet did not work at all.

Let me give you some more details regarding my setup.
I have a Raspberry Pi running Adguard on 10.0.1.5
I have pointed the DNS server in Untagged Lan to it.

I enabled the above as you said,

But as I said above, when I manually changed the DNS on my iPhone it did not work. I would think that even if the user changes the DNS the internet would still work but be forced through the specified DNS, right? (that’s what iptables was for, right?)

Also sharing a screenshot of the other part in the Network Settings, I have left this unconfigured.

And FYI: The Adguard is doing DoH/DoT with unbound, and the DoH on Peplink is disabled as I do not want that.

I’d add a service forwarding entry for TCP:53 too, it’s not the 1990s… TCP:53 is very frequently used by DNS these days due to some very large query responses from certain sites.

That does not however explain your issue, more just a good practice.

So does that mean your AdGuard is not going to respond to standard DNS over UDP/TCP:53 at all?

From a regular computer are you able to NSLOOKUP / DIG / DRILL whatever to both say 8.8.8.8 and the internal 10.1.0.5 IPs and get responses from either?

Just tested this very basically, all traffic from my vlan200 range out on TCP/UDP:53 forwarded to Cisco Umbrella.

To test this I run the following query directly to Quad9 with the forwarding disabled, this is a query that Quad9 will answer with the actual backend resource that is serving your responses:

dig @9.9.9.9 CH TXT id.server

; <<>> DiG 9.10.6 <<>> @9.9.9.9 CH TXT id.server
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29962
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;id.server. CH TXT

;; ANSWER SECTION:
id.server. 0 CH TXT "res100.gva.rrdns.pch.net"

;; Query time: 71 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Fri May 20 10:51:42 CEST 2022
;; MSG SIZE rcvd: 75

Now if I enable the rules and run the same query again, in theory directly to Quad9, notice the different response; this is evidence to me that the service forwarding is working, as Umbrella does not answer for id.server in this fashion and actually refuses it.

dig @9.9.9.9 CH TXT id.server

; <<>> DiG 9.10.6 <<>> @9.9.9.9 CH TXT id.server
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28849
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;id.server. CH TXT

;; Query time: 61 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Fri May 20 10:53:16 CEST 2022
;; MSG SIZE rcvd: 27
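The before/after comparison above can be reduced to a small script: capture a baseline with forwarding off, then repeat the query and compare status and answer. The following is an added example, not code from the post; the two transcripts are constructed from the dig outputs shown above, trimmed to the header, question and answer sections, and the live_check function assumes dig is installed and the network is reachable.

```shell
#!/bin/sh
# Added example, not from the thread: automate the id.server check.
# Quad9 answers "CH TXT id.server" with the name of the resolver that served
# the query; when the router intercepts the query something else answers (or
# refuses), so the status or the TXT answer changes. The two dig transcripts
# below are constructed from the outputs in the post, not captured here.

BASELINE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29962
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;id.server. CH TXT

;; ANSWER SECTION:
id.server. 0 CH TXT "res100.gva.rrdns.pch.net"

;; SERVER: 9.9.9.9#53(9.9.9.9)
EOF
)

FORWARDED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28849
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;id.server. CH TXT

;; SERVER: 9.9.9.9#53(9.9.9.9)
EOF
)

# Response status (NOERROR, REFUSED, ...) from a dig transcript on stdin.
dig_status() { sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }

# Records in the ANSWER SECTION (empty if there is none).
dig_answer() { awk 'f && /^$/ {exit} f {print} /^;; ANSWER SECTION:/ {f=1}'; }

# Exit 0 when the transcript taken with forwarding enabled differs from the
# baseline in status or answer, i.e. the query did not reach the server it
# was addressed to.
dns_intercepted() {
    base="$1"; fwd="$2"
    [ "$(printf '%s\n' "$base" | dig_status)" != "$(printf '%s\n' "$fwd" | dig_status)" ] ||
    [ "$(printf '%s\n' "$base" | dig_answer)" != "$(printf '%s\n' "$fwd" | dig_answer)" ]
}

# Live version (needs dig and network): pass a baseline captured with
# forwarding off as $1 and, optionally, the server to query as $2.
live_check() {
    now=$(dig @"${2:-9.9.9.9}" CH TXT id.server)
    if dns_intercepted "$1" "$now"; then
        echo "intercepted: query did not reach ${2:-9.9.9.9}"
    else
        echo "not intercepted: ${2:-9.9.9.9} answered directly"
    fi
}
```

Run the query once from a client with forwarding disabled, keep that transcript as the baseline, then call live_check after enabling the rule; a change from NOERROR with a pch.net TXT record to REFUSED, or to a different resolver name, is the same evidence shown above.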

So let me clarify what I am testing on.

I am using my iPhone X, setting the DNS to Manual and removing my DNS server 10.0.1.5 and setting to 8.8.8.8 to simulate if a person is changing it.

I have set the Custom Forwarding like shown

But I am unable to load google.com or 1.1.1.1/help or any site for that matter.

It says “No internet connection” in the Wifi Settings


Oddly though apps like Instagram and Facebook do work and refresh content, but not all apps.

FYI: Also unbound is listening on port 53

You have iCloud private relay enabled - that means that iPhone will be using Apple’s proxy servers (which I believe are a combination of DoT and DoH plus some other bits) for certain apps which may explain the inconsistent testing.

Can you disable iCloud relay and try again with the phone, or use a proper computer and run DIG commands or NSLOOKUP to prove that the Adguard is actually answering?

dig @10.0.1.5 - does it actually answer?

Edit - your unbound is also only listening on localhost, that seems probably wrong?

You need to enable DNS proxy - that’s where the requests are being redirected to

Ok so that warning was appearing because Limit IP address tracking was enabled not iCloud Private Relay. I have that off. Nevertheless I turned off Limit IP address tracking.

I also did the test on my MacBook Air and I couldn’t load google.com or any site.
I did the dig command and here is the result.

I added this entry as well with no other settings and that seemed to do the trick.

And I can verify if I manually override the DNS on my iPhone or Mac it doesn’t work which is great.

Now I have another Mac with a system level configuration for DNS.
Would that be overridden? Because when I do the test via 1.1.1.1/help I see Cisco DNS, which is the managed DNS.

This is the dig on the managed device along with the 1.1.1.1/help screenshot

vs dig on my non configured device along with the 1.1.1.1/help screenshot

Another point looking at the logs from the managed device on Adguard Query log, I see this

I want to force the device to circumnavigate this and be forced to use my specified resolvers i.e. 10.0.1.5

I know of 1 way by downloading a config profile from Adguard home and installing it on the system. But can I do it on the router side? so that if there are any other folks that try this I can force the connection regardless of the config profiles installed?

@MartinLangmaid
I also see this behavior,
If the device has a changed DNS, the device will be forced to be rerouted to the specified DNS but on the Adguard side it appears that the requests are coming from my router 10.0.1.1 instead of 10.0.1.11 or some other IP. Is there a way to get the actual IP?
Also
It seems that this has no impact on the routing.
If this is to solve my question above, it is not working.

It will be appearing from the router as you are essentially performing NAT to intercept the traffic and redirect it, the source address is therefore being rewritten to that of the router as part of the NAT process.

@WillJones
As I mentioned the “Custom Service Forwarding Setup” rules do not seem to have any impact.
So I’m not sure what that is doing?

Also is there a way to just pass the IP address so that the Adguard Home Server can see the clients?

@WillJones
So I tried blocking the TCP / UDP on port 53 as you said and I did not see any hits on the Event log.
I tried Port 80 just to see and I saw some hits but no impact to the browsing experience, so I’m a bit confused.
Attaching screenshots of the same.


You can not run AT commands no.

No there isn’t. the router is sat between the end device and Adguard redirecting dns requests that are trying to bypass it back to adguard. The traffic is being translated by the Peplink acting as the DNS proxy so you’re seeing its IP.

DNS changes would have no impact on routing.

Not sure which question you are asking now.

Nope. The device is requesting a response from another DNS server entirely - it isn’t talking to Adguard directly. The only way this works is because the Peplink is responding to the DNS queries being sent via it as the network gateway. So Adguard isn’t seeing the source IP of the originating LAN device, because the LAN device is not talking to it.

Did you put the firewall rules in the Outbound Firewall Rules section?