<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<font face="Carlito">Hi,<br>
<br>
I'm setting up my openwrt modem as an internet gateway for remote
guests.<br>
The modem is running openvpn and dnsmasq.<br>
The guests arrive at their own interface (tun1 = openvpn) </font><font
face="Carlito"><font face="Carlito">with a different subnet. </font>Guest
> LAN forwarding is disabled in the firewall for security
reasons.<br>
However, once the guests have connected, dnsmasq will resolve the
LAN for them. Although guests won't be able to connect to anything
on the LAN (forwarding is off) they are still able to go on a
fishing expedition thanks to DNS. I don't want to turn off DNS
completely. So </font><code>--except-interface=tun1</code><font
face="Carlito"> is not an option. <br>
So, for anything connecting to tun1, how can I enable DNS
resolving the internet space, while preventing resolving my LAN?<br>
<br>
Thanks!<br>
Koos<br>
<br>
</font><code></code>
</body>
</html>