Can't resolve names after blocking rfc1918



  • So I just finished setting up a new box. Pretty much just default 2.4.4 firewall rules except for OpenVPN.
    Our old ISP used private addresses so I wasn't blocking them on the WAN. Our new ISP is a straight public address, so after I got it running with the new IPs, I went through and did a check for any settings that I could tweak and the only thing I did was block the private addresses on the WAN port.
    Now things are really screwed up. Clients say name resolution error on any webpage, but I can dig www.google.com from the console just fine. Can't ping google or anything other than 8.8.8.8.
    Are there any known bugs that would cause this?
    Can't post details now, but I will.
    And I did try to unblock the private addresses on the WAN with no change.
    I'm thinking something just got hosed in the OS itself but I don't know what.
    Any ideas?



  • Here are a few things I tried.

    "/etc/resolv.conf"
    nameserver 8.8.8.8
    nameserver 8.8.4.4
    search localdomain

    traceroute -nI 8.8.8.8
    traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 48 byte packets
    1 144.121.52.201 1.568 ms 1.450 ms 1.443 ms
    2 104.207.214.233 11.748 ms 8.506 ms 9.067 ms
    3 144.121.35.31 8.654 ms 8.679 ms 8.402 ms
    4 144.121.35.39 8.379 ms 8.459 ms 8.325 ms
    5 4.30.132.253 8.882 ms 8.857 ms 8.858 ms
    6 * * *
    7 72.14.213.34 8.776 ms 8.718 ms 8.712 ms
    8 108.170.248.97 8.706 ms 8.686 ms 8.733 ms
    9 209.85.245.195 8.813 ms 8.819 ms 8.813 ms
    10 8.8.8.8 9.320 ms 9.315 ms 9.329 ms

    ping www.google.com
    PING www.google.com (172.217.10.68): 56 data bytes
    ping: sendto: No route to host
    ping: sendto: No route to host
    ping: sendto: No route to host
    ping: sendto: No route to host
    ping: sendto: No route to host
    ping: sendto: No route to host

    Starting to wonder if it's my ISP.



  • I can also VPN into the box but I keep getting disconnected.



  • Block rfc1918 only applies to unsolicited inbound traffic, not replies to your outbound traffic. Are your clients dynamic or static? From your client, if you try to resolve manually, does it work? For example:

    kom@kimono:~$ nslookup
    > server 10.10.4.1
    Default server: 10.10.4.1
    Address: 10.10.4.1#53
    > www.google.com
    Server:         10.10.4.1
    Address:        10.10.4.1#53
    
    Non-authoritative answer:
    Name:   www.google.com
    Address: 172.217.2.164
    Name:   www.google.com
    Address: 2607:f8b0:400b:80d::2004
    

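Added example, not part of kom's post or anything taken from the thread's firewall: a small Python script that models the two points above. First, a toy stateful WAN filter shows why a "block RFC 1918" rule cannot touch replies to outbound traffic (state is checked before the block rule), while an unsolicited inbound packet from a private source is dropped. Second, a triage helper runs over the resolv.conf and ping output quoted earlier in the thread and separates "the name did not resolve" from "the name resolved but there is no route", which is the distinction the console output actually shows. The WAN address 203.0.113.10, the private next hop 10.200.0.1 and the ping sample are constructed or copied from the thread for illustration; the state-table logic is a simplification of what a real firewall does.

```python
import ipaddress
import re

# RFC 1918 private IPv4 ranges, the ones a "block private networks" WAN rule matches.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is an IPv4 address inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


class StatefulWanFilter:
    """Toy model of a stateful WAN filter with a 'block RFC 1918 sources' rule.

    Outbound packets create state. Inbound packets that match existing state are
    replies and pass before any block rule is evaluated, so the rule only ever
    affects unsolicited inbound traffic. This is a simplification, not pf itself.
    """

    def __init__(self):
        self.states = set()  # (our address, remote address) pairs we initiated

    def outbound(self, src, dst):
        self.states.add((src, dst))
        return "pass"

    def inbound(self, src, dst):
        if (dst, src) in self.states:
            return "pass-reply"        # matched state: reply to our own traffic
        if is_rfc1918(src):
            return "block-rfc1918"     # unsolicited packet from a private source
        return "pass-new"              # would go on to the normal WAN ruleset


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf content, in order."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def classify_ping(output):
    """Separate 'name did not resolve' from 'name resolved but no route'.

    Returns one of: 'dns-failed', 'resolved-no-route', 'reachable', 'unknown'.
    """
    if re.search(r"cannot resolve|Unknown host|Name or service not known", output, re.I):
        return "dns-failed"
    resolved = re.search(r"^PING \S+ \((\d+\.\d+\.\d+\.\d+)\)", output, re.M)
    if resolved and "No route to host" in output:
        return "resolved-no-route"
    if resolved and "bytes from" in output:
        return "reachable"
    return "unknown"


def triage(resolv_conf, ping_output):
    """Combine the checks into a verdict plus a list of human-readable findings."""
    findings = []
    for ns in parse_resolv_conf(resolv_conf):
        if is_rfc1918(ns):
            findings.append(f"nameserver {ns} is RFC 1918 (LAN-side resolver expected)")
        else:
            findings.append(f"nameserver {ns} is a public address")
    verdict = classify_ping(ping_output)
    if verdict == "resolved-no-route":
        findings.append("DNS works on this host; the failure is routing, not name resolution")
    elif verdict == "dns-failed":
        findings.append("name resolution itself failed; check the resolver path first")
    return verdict, findings


# Constructed sample input, copied from the outputs quoted earlier in the thread.
SAMPLE_RESOLV_CONF = "nameserver 8.8.8.8\nnameserver 8.8.4.4\nsearch localdomain\n"
SAMPLE_PING = (
    "PING www.google.com (172.217.10.68): 56 data bytes\n"
    "ping: sendto: No route to host\n"
    "ping: sendto: No route to host\n"
)

if __name__ == "__main__":
    fw = StatefulWanFilter()
    # Hypothetical WAN address talking to a private next hop, as with the old ISP.
    print(fw.outbound("203.0.113.10", "10.200.0.1"))   # pass
    print(fw.inbound("10.200.0.1", "203.0.113.10"))    # pass-reply
    print(fw.inbound("10.200.0.2", "203.0.113.10"))    # block-rfc1918
    verdict, findings = triage(SAMPLE_RESOLV_CONF, SAMPLE_PING)
    print(verdict)
    for line in findings:
        print(" -", line)
```

Run it as-is to see the filter decisions and the verdict for the quoted output; swap in your own resolv.conf and ping capture to triage another box. The useful output is the contrast between the two categories: a "dns-failed" verdict points at the resolver path, while "resolved-no-route" means DNS already worked and the route table or interface is what to inspect next.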

  • @kom said in Can't resolve names after blocking rfc1918:

    Block rfc1918 only applies to unsolicited inbound traffic, not replies to your outbound traffic.

    Yes, I know, that's why I don't understand why making that one change caused this.
    Clients are both, can't resolve anything from any of them.
    I've since replaced the router with a spare I had and everything is working again.
    Something got screwed up in the config, kinda wish I could figure out what it is but I'll probably just reset it and see if it works again.