DNS IP issue about wag HOT 9 CLOSED

Adding 192.168.5.5/32 with the list of services resolves the issue.

    "Acls": {
        "Policies": {
            "*": {
                "Mfa": [
                    "192.168.5.5/32 icmp 22/tcp",
                    "192.168.5.0/24"
                ],
                "Allow": [
                ]
            }
        }

However, to be frank, I'd prefer to have access to all ports without enumerating them. Is that possible?

from wag.

Hi there.

This happens because a rule for 192.168.5.5/32 is inserted into the ebpf firewall.

Due to the kernel data structure I have to use to match up addresses (longest prefix trie) the most specific route is what ends up controlling data flow.

I.e the rules defined in a /32 override rules defined in a /24

Unfortunately it's a bit of a limitation give datastructutes we've got to use.

In your case. A Dns entry is added to the /32 that is your dns ip address.

You should be able to just add 192.168.5.5 instead of having to define a port and that will append an allow any/any rule to the /32 for your dns server allowing all ports.

from wag.

I am having a lot of troubles making a local/internal DNS work into WAG.

Can you please give some advice on how to do it ?

I just need a simple dnsmasq for the internal wireguard network, that reads IPs from hosts file.

If I just build a "simple/classic" wireguard "star" network it works fine, but into WAG always gets blocked by its internal firewall.

The DNS IP the you put into "general" setting always gets blocked on port 53 even if It's rules into WAG say otherwise.

Very confused about the issue, tried everything, but I am unable to make it work.

Maybe I'm missing something about the logic of it ?

from wag.

I think this is a seperate issue to the original please open your own issue to discuss that there.

from wag.

You should be able to just add 192.168.5.5 instead of having to define a port and that will append an allow any/any rule to the /32 for your dns server allowing all ports.

Adding 192.168.5.5/32 to the MFA block makes DNS (192.168.5.5/32, port 53) inaccessible in non-authorized mode.

from wag.

Have you tried adding it to the public block instead

from wag.

I did, didn't help (both too) and to boot I need it only in the mfa block.

from wag.

Yeah so Mfa rules take precedence over public rules so you can't accidentally set something public when you have a conflicting Mfa rule.

What's happening here is that the any/any Mfa rule matches the 53/udp of dns and thus blocks it.

So you need to have the Mfa directive be specific to a port/port range instead of any/any

from wag.

right, thanks for the explanation, closing

from wag.