Archer C5400X V1 - Blocking outbound port 53 except from specified IP?
Quick questions, but I have little hope it'll be possible.
Firstly: On the C5400X V1, how can I drop all traffic from the interior of the network to port 53 any protocol any destination *except* for certain specified IPs inside? I do not want any DNS traffic to any outside server unless it goes through my pi-hole.
Secondly: How can I force the C5400X V1 to use an internal IP as its DNS server - such that any dns query it hears gets redirected to an IP on the internal network? I do not see anything remotely reaching this capability that works within the web interface.
I have specific and good reasons for doing this - I want to ensure that *every* device on the network uses my Pi-hole DNS server.
For the first one I could write the iptables entries without a problem, but how could I put that or the equivalent on the device? Is there a root console I can use?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Refer to this thread and see how to set Pi-Hole IP address as a DNS server for your LAN devices.
- Copy Link
- Report Inappropriate Content
Thanks for the link, but it doesn't do anything at all to resolve either of my questions.
I cannot use the TP-Link as the DHCP server as I'm limited by the undocumented 32 device limit the Archer device has (and I have not seen that yet documented at all, not good from TP-Link tbh.)
Setting the Pi as the DHCP-set DNS server in the TP-Link web gui.is just not possible, because the Archer is under-capable for the described job.
I do in fact have the Pi-hole set as the DHCP-set DNS server by the Pi-hole DHCP server which isn't being respected or seen by the Archer device, and this setup is working fine for everything else on my network.
I can not set the Pi-hole as the DNS server for the "internet" section within the Advanced section - that's a failure of TP-Link's setup. Of course because the web-gui is misconfigured and cut and paste direct from the page to easily show you the message doesn't work - another bug.
As for the error itself, it's certainly not impossible to have the DNS server and the IP address in the same subnet, it's just TP-Link's software that has that limitation.
Honestly, it's looking more and more likely the more I try to use the Archer device that I will have to get a mini-PC with two GigE ports and Pfsense, as it's fairly clear at this point that the TP-Link Archer is only useful as an Access Point, and very much not useful at all for my use case. I'm *really* disappointed with the software onboard the device, it's substandard, and had I known beforehand about the limitations of the software, I'd have saved myself many hours of work and bought something that can actually work as a good home router. The Archer device does not work as a good home router.
- Copy Link
- Report Inappropriate Content
I assume you're referring the Address Reservation limitation of 32 entries only.
For the DNS setup - that's by TP-Link's design - refer this thread for more details.
Here's the official guide for setting Pi-Hole as a DNS server with TP-Link routers.
If you want more flexibility, as you already guessed, you can use a pfSense box with the Archer in AP mode.
- Copy Link
- Report Inappropriate Content
I have upgraded to a pfSense box, as the design decisions that went into the router/firewall portion of the device firmware made it effectively unusable for my purposes. I'm very unimpressed with the software on the TP-Link device really, I had expected much much better than what is running on it. Asus do a far better job on their routers, and the majority of those can be upgraded with a Merlin-developed firmware. TP-Link would do well to take many leaves from the book of Asus. The design decisions taken make little-to-no sense for an attempt at a top-tier home device.
Please make sure to update the manual and the product description to clarify the hard limit present where the onboard DHCP server on the TP-Link device can only manage to give 32 defined IP addresses, and that it is not possible to allocate specific IPs to devices when there are more than that in the list. Having this hard limit undocumented *anywhere* is a serious FAIL on the part of the manufacturer, and on the QA people for not raising this as an issue.
I've still got the TP-Link device on the network, exclusively as an access point, and performing absolutely no other funciton. The WiFi radio at least appears to be good enough for the stated purpose, unlike the GUI and firewall/router functionality, which really isn't good enough for the purpose.
Would I buy the TP-Link device again? For the stated purpose of a premium home router, it's not good enough for sure to be "premium", so that's a hard no from me, and I can only half-recommend it as an AP - for which there are definitely better performing devices that do AP-only functionality for the same or lower cost. I would expect that I will never purchase (nor recommend for others to purchase) a TP-Link device in the future.
Thank you all for your time in looking at the many, many issues I've noted in the device, hopefully some far-future version of the onboard OS and interface might eventually address those. Until then, I'll be having as little as possible to do with the company and its products again.
Yes, I'm a dissatisfied customer, and not afraid to be vocal about it amongst my peers and those that I give advice to.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 611
Replies: 4
Voters 0
No one has voted for it yet.