Binding on 0.0.0.0 causing asymmetric routing on multihomed hosts
Prerequisites
- [x] I have checked the Wiki and Discussions and found no answer
- [x] I have searched other issues and found no duplicates
- [x] I want to report a bug and not ask a question or ask for help
- [x] I have set up AdGuard Home correctly and configured clients to use it. (Use the Discussions for help with installing and configuring clients.)
Platform (OS and CPU architecture)
FreeBSD, AMD64 (aka x86_64)
Installation
Custom package (OpenWrt, HomeAssistant, etc; please mention in the description)
Setup
On one machine
AdGuard Home version
v0.107.69
Action
On an OPNsense router:
- Configured LAN 192.168.0.1 on igc0.
- Created VLAN30 as vlan0.30 and terminated it with IP 192.168.30.1.
- Allowed any traffic in the firewall for VLAN30.
- AdGuard bound on 0.0.0.0.
On an UNRAID NAS:
- Configured eth0 with IP 192.168.0.2.
- Configured OPNsense router as DNS, 192.168.0.1.
- Configured eth0.30 with IP 192.168.30.2.
- Created a macvlan docker network with parent eth0.30.
- Created a container in the macvlan network and assigned IP 192.168.30.3.
On a managed switch:
- Tagged the ports for OPNsense and UNRAID with VLAN ID 30 and kept them untagged on the default VLAN.
On the container created in the UNRAID NAS:
- `nslookup google.com`
Expected result
The expected result would be a successful query.
Actual result
Query timed out.
Additional information and/or screenshots
The DNS is running on 192.168.0.1 and is reachable from 192.168.30.3. The issue is related to asymmetric routing.
With `tcpdump -i vlan0.30 -nn port 53` on OPNsense, we can see that the query packet arrives from 192.168.30.3 to 192.168.0.1, but when it leaves OPNsense, its source is modified from 192.168.0.1 to 192.168.30.1.
This is probably due to some specific behavior of the FreeBSD kernel. The workaround is to bind to specific interfaces. I think something could be done to fix this, considering that Unbound works well in this very same setup.
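The behaviour described in the report is the general UDP rule on multihomed hosts: a socket bound to 0.0.0.0 does not remember which local address a datagram was addressed to, so the reply's source is whatever the routing table prefers for the path back to the client, and a stub resolver (which connects its UDP socket to the server address) discards a reply that comes from any other address. The script below is an added example, not code from AdGuard Home or from the reporter. It reproduces the problem on a single Linux host using the loopback block (127.0.0.2 stands in for 192.168.0.1, the address the query was sent to; 127.0.0.1 stands in for 192.168.30.1, the address the kernel picks for the reply) and shows the server-side fix: enable IP_PKTINFO to learn the destination of each query and send the answer with its source pinned to that address. The IP_PKTINFO option and the `in_pktinfo` layout are Linux-specific; on FreeBSD the equivalent socket options are IP_RECVDSTADDR for receiving and IP_SENDSRCADDR for sending. Function names, the 127.0.0.2 address and the `b"query"` payload are assumptions of this example.

```python
import socket
import struct
import threading

# Linux value of IP_PKTINFO; not every Python build exports the constant.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# Linux struct in_pktinfo: int ipi_ifindex; in_addr ipi_spec_dst; in_addr ipi_addr
PKTINFO_FMT = "i4s4s"


def parse_pktinfo(ancdata):
    """Return (ifindex, destination IP) from the IP_PKTINFO control message
    attached to a received datagram, or None if there is none."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            ifindex, _spec_dst, addr = struct.unpack(PKTINFO_FMT, data[:12])
            return ifindex, socket.inet_ntoa(addr)
    return None


def build_pktinfo(src_ip):
    """Control message that pins the source address of an outgoing datagram
    to src_ip (ipi_spec_dst). ifindex 0 and ipi_addr 0.0.0.0 leave the
    route choice to the kernel."""
    data = struct.pack(PKTINFO_FMT, 0, socket.inet_aton(src_ip), b"\0\0\0\0")
    return [(socket.IPPROTO_IP, IP_PKTINFO, data)]


def serve_one(sock, pin_source):
    """Answer one datagram on a socket bound to 0.0.0.0. With pin_source
    False the kernel picks the reply source from its routing table (the
    behaviour in the report); with True the reply leaves from the address
    the query was addressed to. Returns that destination address."""
    payload, ancdata, _flags, peer = sock.recvmsg(512, socket.CMSG_SPACE(12))
    info = parse_pktinfo(ancdata)
    dst = info[1] if info else None
    anc = build_pktinfo(dst) if pin_source and dst else []
    sock.sendmsg([payload], anc, 0, peer)
    return dst


def query(server_ip, port, payload=b"query", timeout=0.5):
    """Connected UDP client, which is how a stub resolver behaves: the kernel
    only delivers replies whose source matches the address it sent to.
    Returns the reply bytes, or None if no acceptable reply arrived."""
    c = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    c.settimeout(timeout)
    try:
        c.connect((server_ip, port))
        c.send(payload)
        return c.recv(512)
    except socket.timeout:
        return None
    finally:
        c.close()


def demo(server_ip="127.0.0.2", pin_source=False):
    """Reproduce the report on one host. Assumes Linux, where all of 127/8
    is local: 127.0.0.2 is a second address of the host (the address the
    client queries) while the routing table prefers 127.0.0.1 as the source
    for the reply, exactly the mismatch seen on the OPNsense box."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    s.bind(("0.0.0.0", 0))
    port = s.getsockname()[1]
    t = threading.Thread(target=serve_one, args=(s, pin_source), daemon=True)
    t.start()
    reply = query(server_ip, port)
    t.join(1)
    s.close()
    return reply


if __name__ == "__main__":
    print("kernel-chosen reply source:", demo(pin_source=False))
    print("reply source pinned to query destination:", demo(pin_source=True))
```

Run on a Linux host, the first `demo()` call times out and returns `None` (the reply came from 127.0.0.1 and the connected client dropped it), while the second returns the echoed payload because the server answered from 127.0.0.2. The two choices a listener has are therefore the reporter's workaround, one socket per address so the kernel has only one source to pick, or a single wildcard socket that records the destination of each query and sets the reply source explicitly, which is what a resolver that answers correctly on a multihomed router has to do.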