On Thu, Oct 29, 2020 at 1:54 AM Ryan Hamel <ryan@rkhtech.org> wrote:
I'm curious to know why they would add such a thing,
No idea 
and how you got the iptables rules from the device. Do these Asus routers provide SSH directly into the shell?
Yes, it does. 
The input/output/forward chains are empty, as one would expect, but looking at PREROUTING:

anurag@RT-AC58U:/tmp/home/root# iptables -t nat  -L PREROUTING -v -n
Chain PREROUTING (policy ACCEPT 751K packets, 133M bytes)
 pkts bytes target     prot opt in     out     source               destination
 361K   25M DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:172.16.0.6:53
anurag@RT-AC58U:/tmp/home/root#

Note: 172.16.0.6 is the management IP of the Asus AP.
Ryan
On Oct 28 2020, at 11:33 am, Anurag Bhatia <me@anuragbhatia.com> wrote:
Hello, 

Wondering if anyone from Asus is here, or anyone who could connect me to the developers there?

Using an Asus RT-AC58U in Access Point (AP) mode, I expect it to simply bridge wired with wireless, but it seems like it's rewriting the DNS packets' source as well as the destination.

  1. For DNS port 53 traffic going out, the source is rewritten with the management IP of the AP on the LAN. So virtually all DNS traffic hits the router from the (management) IP of the Asus AP instead of from the real clients.

  2. If I define DNS as x.x.x.x on DHCP, the Asus AP picks that up and rewrites the destination to x.x.x.x, and hence even if a client uses y.y.y.y, the packets are simply rewritten.

I see the rule in iptables on the Asus AP. All these issues suggest that someone created AP mode (besides the regular routing mode) and forgot to disable the DNS-related NATing features in AP mode. So far my discussions with their support have been going quite slowly, and I would greatly appreciate it if someone could connect me to the right folks there so they can release a firmware fix for it.
Thanks. 

--
Anurag Bhatia
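
As an added check, not part of the thread or of Asus firmware, here is a Python parser that takes the output of `iptables -t nat -L -v -n` from the AP and flags NAT rules that hijack or re-source DNS in the way points 1 and 2 describe. The PREROUTING chain in the sample is the one shown above; the POSTROUTING SNAT line is constructed to illustrate point 1 and was not shown on the device.

```python
import re
from dataclasses import dataclass

# Constructed sample: PREROUTING as pasted in the thread, INPUT empty, and a
# constructed POSTROUTING chain with an SNAT rule of the kind that would explain
# the source rewrite described in point 1 (not captured from the device).
SAMPLE_NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT 751K packets, 133M bytes)
 pkts bytes target     prot opt in     out     source               destination
 361K   25M DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:172.16.0.6:53

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  12K  800K SNAT       all  --  *      br0     0.0.0.0/0            0.0.0.0/0            to:172.16.0.6
"""


@dataclass
class Finding:
    chain: str
    target: str
    detail: str


def find_dns_rewrite_rules(table_dump: str) -> list[Finding]:
    """Return one Finding per NAT rule that forces port-53 traffic to a fixed
    resolver for every destination (DNAT/REDIRECT), or that rewrites the source
    of traffic leaving the box (SNAT/MASQUERADE). On a device that is supposed to
    bridge in AP mode, any hit is unexpected."""
    findings: list[Finding] = []
    chain = None
    for line in table_dump.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        cols = line.split()
        # Skip blank lines and the column header row ("pkts bytes target ...").
        if len(cols) < 9 or cols[0] == "pkts":
            continue
        target, proto, out_if, src, dst = cols[2], cols[3], cols[6], cols[7], cols[8]
        extra = " ".join(cols[9:])  # match options and the NAT target, e.g. "udp dpt:53 to:..."
        if target in ("DNAT", "REDIRECT") and "dpt:53" in extra and dst == "0.0.0.0/0":
            m = re.search(r"to:(\S+)", extra)
            where = m.group(1) if m else "a local port"
            findings.append(Finding(chain, target, f"{proto} port 53 from {src} forced to {where}"))
        elif target in ("SNAT", "MASQUERADE"):
            findings.append(Finding(chain, target, f"source of {proto} traffic out {out_if} rewritten {extra}".rstrip()))
    return findings
```

Feed it the dump of the whole nat table rather than a single chain, so the POSTROUTING side of the rewrite is checked as well.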