Trouble with Local DNS Records

I’m using T-Mobile Home Internet and their gateways are configured to only use the subnet and they cannot be changed. I currently have three plugged into my Balance 710 and ensure that they get assigned different IP addresses. I’m trying to set up Local DNS records for each one with the same gateway IP:

router1 -
router2 -
router3 -

I then set up the following outbound rules:

enforced - domain “router1” - wan1
enforced - domain “router2” - wan2
enforced - domain “router3” - wan3

Unfortunately, no matter what I do, it always goes out the last one on the list. If I go to http://router1, http://router2 or http://router3 I get router3. If I disable router3, I then get router2. Oddly, if I re-enable router3 it still routes me to router2 and doesn’t resume the previous route.

I’m not sure exactly what’s going on but I can’t make heads or tails of this behavior.

Any thoughts would be greatly appreciated.

Just one more data point, though I’m not sure if it is useful. I’m not clear if this is an issue with Local DNS or Outbound Policy or both, as when I change the IP addresses for router1, 2 and 3 to be unique and do an nslookup the correct value is returned (obviously not helpful for my end case but just for debugging purposes).

So now I’m not sure if the issue is related to having the same IP in the Local DNS, or having a Local DNS entry in an Outbound Policy (it does seem to resolve but doesn’t route me down the right wan port).

I’m not above a hack here if anyone has any ideas. I tried to but the binary value for into router2 just to test but the router will only take octets. I can put another device in front of these guys and proxy through that but I’d hate to put another link in the chain and perhaps have another NAT layer.

Thanks in advance for any thoughts.

What’s the purpose in having three? They are likely connecting to the same tower/radio that is using the same backhaul. There is a good chance they will be fighting with one another for bandwidth.

@chris24b domain rules work behind the scenes by recording which IP is associated with that domain name lookup using the local DNS server… So the plan here won’t work. The rules are based on IP address… even when you think you are basing them on the domain name. The rule essentially says whatever IP that domain last resolved to is how it’s applied. Since in this case they all resolve to the same IP address your rules won’t work as you expect. Can you elaborate on the overall goal a little more and maybe we can think up a solution. What are you trying to accomplish? Is the goal to be able to get to the web management of each T-Mobile router from a single computer?

This is never going to work trying to match just on a destination IP given it is the same in all three instances.

I think the only valid solution is that you will need to make an outbound policy to match by source IP then pass that traffic to a specific WAN interface for each T-Mobile router. The source IPs will need to be unique so you have something specific to match against.

For example, if you had a LAN side network within you could make three rules matching traffic sourced from destination would be the T-Mobile management IP and enforced via each specific WAN. You’d then have to change the IP on whatever device you wanted to access the T-Mobile boxes from manually each time, so this solution may not work practically for you.

That’s the only way I think you can do this, as even introducing another layer of NAT between the T-Mobile routers and the Balance won’t help as the destination IP is always the same, unless you are able to change the IP of the T-Mobile router itself (you say you cannot change the subnet but can you change the router from being .1 to .2 or something else?).

I won’t have three in the long term, one is from my workshop which is not physically connected to the house but I brought it over while I was testing.

I have two because these are notoriously unreliable and they have to be rebooted frequently. I intend to let the balancer deal with the drop off and then I have a script that is going to monitor each one via the router1 and router2 urls and reboot them if they lose connection to the tower. That’s the goal of this exercise. I have a machine in my network where I do all of my system monitoring so I was trying to center it on that machine and use the routes to get the traffic where I needed it.

If I have to do it, I can connect a pi to these and monitor and reboot them but I would have to do a lot of work to get the visibility I get through the monitoring system.

You don’t mention what you are using for the monitoring but if you are able to add extra IPs to the machine running it are you also able to source traffic specifically from those IPs or write your monitoring scripts in such a way that they would do that?

If so then I think what I suggested above may be viable for you, but requires some work to make your monitoring system able to send traffic from a specific address that the Peplink could match to decide which WAN to forward it to.

I see, and setting a 1 second ttl doesn’t help the cause here either because it’s on the client side. I didn’t see a way to set max-cache-ttl to zero or flush the cache via the APIs either.

Just some background, I live in a rural community and we don’t have any viable internet options and so when tmo home internet came out it was a godsend especially when they rolled out their 5G service. The only issue is that the devices have a tendency to disconnect at times or lock on a suboptimal band. A quick reboot can fix that and I have a script that monitors for that but I need to be able to look at each router.

Some of the hardware fixes like wifi rebooters won’t work because it isn’t that the wifi goes down or that the internet is inaccessible, it’s just that it slows to a crawl.

I’ll have to noodle on it a bit more…

I have it running on a Synology box but it only has a single 10G NIC. I started down the path hoping I could have it run from anywhere and just use the domain to route it to the proper WAN so that I could also do management from my laptop wherever I am (I could still do this just by connecting to wifi on different VLANs but it’s clunky).

I bought a 4-NIC NUC (say that 5 times fast) and installed Linux Mint on it thinking I’d just plug in and monitor directly as there’s a second port on the routers, but so many software packages that I used either had bugs related to multiple NICs (speedtest-cli) or just ignored the fact that there were multiple adapters. I didn’t want to have to rewrite everything but it sounds like I might need to go that route.

I wonder if there’s not some hybrid where I keep all of my stuff on the synology, then put a separate little device per router out on the network that just runs a squid-proxy (or whatever the kids are using these days) and use your IP based routing technique? I could set the routes to the proxy servers in the synology (router1->router1_proxy, router2->router2_proxy) then setup routes to the IP based outbound policies in the peplink.

That way I could keep all of my monitoring on the Synology and still have access to the individual routers

Hmm… trying to think of creative solutions… how often do they crash? Is it a similar uptime or time of day or week? If so, perhaps having a device automatically power cycle would prevent the issue? You’d be without internet for a moment while the power is cut and it reboots, but if you can do that say at 3am once a day or once a week, you might be OK?

Another option might be to consider Starlink? Have both Starlink and T-mobile running?

You could run a bunch of Docker processes each with their own LAN IP. Basically LAN IP is the only way to differentiate the outbound policy… you get destination IP, destination port, and source IP/network. Source IP is the only one you can control.

You can add additional IP addresses as virtual interfaces such as ovs_eth0:1 with custom scripts, then your monitoring code would have to bind manually to the required interface.


It really depends. Sometimes they can be stable for a good long while and you don’t have any dropouts. Other times it can happen multiple times a day and in bad cases it can continuously happen where the router just won’t reconnect and you have to contact support. Sometimes they can help, sometimes they need to ship out a new router. The only thing I know for sure is it usually happens when I am about to get on a Zoom or when someone in the house is fighting something called an enderdragon.

Thanks Paul, I agree, I think Will Jones’ suggestion of using source IP policies is the way to go and your idea of running a script in separate docker containers may simplify things. I’m so dreadful and rusty with Docker I just worry I’ll set the building on fire in the process but nothing ventured nothing gained.

I do wish there were the ability to have a little more power in the outbound policy rules like a lua scripting engine or something. I understand why you wouldn’t want to open pandora’s box but this just feels like something I should be able to do.

Oh you want router1? That’s on wan port 1, let me just resolve that name for ya… got it… and off we go.

Yes, but that isn’t how it works… you have to think IP level… the actual “name” of the URL isn’t part of the HTTP/HTTPS request until after the TCP session is established. All you have at the IP level is source IP, destination IP and destination port. The DNS lookup and HTTP/HTTPS session are separate things.

Now, you could monitor the status via API… and when one of the WANs goes down (as told to the API) then you tell the Outbound policy (via API), set to WAN X… and then reset/reboot that particular unit.

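Added here as a worked illustration of the source-IP approach Will Jones and Paul describe above (it is not code from anyone in this thread, and it does not use any Peplink API): the monitoring host gets one alias address per T-Mobile gateway, each probe binds its socket to the alias for the gateway it is checking, and the Balance’s outbound policy matches on that source address. The `flow_key` helper shows why the original domain rules could not work: for two names that resolve to the same gateway IP, the only fields the router can match on are identical, and the name itself only appears later, inside the HTTP Host header. The gateway address, the alias addresses, the `probe`/`check_all` functions and the loopback test server are all constructed for this example.

```python
import socket
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder for the (identical) management address that every
# T-Mobile gateway uses; replace with the real one.
GATEWAY_IP = "192.0.2.1"
GATEWAY_PORT = 80

# One alias address per gateway on the monitoring host, e.g. added with
# `ip addr add 198.51.100.11/24 dev ovs_eth0 label ovs_eth0:1` as Paul
# suggests. Addresses are constructed placeholders inside your LAN subnet.
PROBE_SOURCES = {
    "router1": "198.51.100.11",
    "router2": "198.51.100.12",
}


@dataclass(frozen=True)
class FlowKey:
    """The fields an outbound policy can match on for one TCP connection."""
    src_ip: str
    dst_ip: str
    dst_port: int


def flow_key(resolved_ip: str, source_ip: str, port: int = GATEWAY_PORT) -> FlowKey:
    """What the Balance sees for a connection to a name: only the address the
    name resolved to, never the name. Two names resolving to the same IP are
    indistinguishable unless the *source* address differs."""
    return FlowKey(source_ip, resolved_ip, port)


def http_request(hostname: str, path: str = "/") -> bytes:
    """The only place the name survives is the Host header, which is sent
    after the TCP handshake, i.e. after routing has already been decided."""
    return (f"GET {path} HTTP/1.1\r\nHost: {hostname}\r\n"
            f"Connection: close\r\n\r\n").encode()


def probe(source_ip: str, dest_ip: str, hostname: str,
          port: int = GATEWAY_PORT, timeout: float = 5.0):
    """Connect from a fixed source address, send a GET, and return the HTTP
    status code; None means the gateway refused or did not answer in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.bind((source_ip, 0))          # fixed source address, ephemeral port
        try:
            s.connect((dest_ip, port))
            s.sendall(http_request(hostname))
            status_line = s.recv(4096).split(b"\r\n", 1)[0]
        except OSError:                 # refused, unreachable, or timed out
            return None
    parts = status_line.split()
    return int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None


def check_all(sources=PROBE_SOURCES, dest_ip=GATEWAY_IP):
    """Probe every gateway through its own alias; None marks a reboot candidate."""
    return {name: probe(src, dest_ip, name) for name, src in sources.items()}


def start_loopback_server():
    """Constructed test helper: a throwaway HTTP server on 127.0.0.1 that
    answers 200 and records the Host header each request carried."""
    seen = []

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            seen.append(self.headers.get("Host"))
            self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):   # keep the demo quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1], seen


if __name__ == "__main__":
    for name, status in check_all().items():
        print(name, "OK" if status is not None else "no answer, reboot candidate")
```

With this in place the Balance rules become three source-IP rules (198.51.100.11 enforced to WAN1, 198.51.100.12 to WAN2, and so on) instead of domain rules, which is exactly the matching Will Jones describes; the alias addresses must actually exist on the monitoring host (or each probe must run in its own container with its own LAN IP) or the `bind` call fails.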

Excellent point, that certainly clarifies why it’s done the way it is in the router.

When you say monitor status via API and the outbound policy via API it’s not clear to me which parts we’re talking about. Is the monitor API the one I wrote or are we talking about the Peplink APIs?

Is there a Peplink API for managing the outbound policies or the local dns settings? I read through the docs but I didn’t see anything like that… certainly doesn’t mean I didn’t miss it.

But you are right, I don’t see the outbound policies in that API… it must be there, since the GUI uses an API, but it isn’t published. Looks like you need the virtual IP or docker solution.