DNS/NAT issue on Hotspot
Posted: Thu Nov 22, 2012 4:28 pm
Hi,
I am pretty new to MT and have the following problem:

MT is a Hotspot. Clients get addresses from the address space 192.168.100.0/24. The MT outside address is 172.20.21.251 (lab setup). The client gets one DNS server via DHCP (also the MT). As long as the client is not authenticated, I assume DNS requests are treated by a NAT rule in such a way that dst port 53 is mapped to dst port 64872, and the DNS queries are obviously answered by the Hotspot service itself on the MT. For this reason the MT does the DNS query with its own IP address (172.20.21.251). If the user is authenticated, the client's IP address is masqueraded, also with 172.20.21.251.

Because of these smart DNS tunneling apps (e.g. wi-free) which allow unauthenticated users to surf the internet, we established a workaround which prohibits the DNS tunneling. For this reason I need a different source NAT for the DNS queries done by the non-authenticated users than the masquerading done for the authenticated users.

If I establish a pre-hotspot rule with a src-nat for DNS queries, MT does not allow it, with "Couldn't change NAT rule <53> - dsntat chain can not contain masquerade/snat actions".

Any idea how I can have two different IPs for DNS queries for authenticated and non-authenticated users?

Thx in advance

regards Richard