Controllerless Networks


DSTNAT on IAP, 1 port - 2 destinations

  • 1.  DSTNAT on IAP, 1 port - 2 destinations

    Posted Feb 13, 2014 01:14 PM

    Basically, I'm trying to set an access rule on an IAP105 in order to redirect DNS traffic from port 53 to 54. Apparently it works when I set one rule with destination NAT to my first DNS server (10.1.1.1). See the config below:

    [attachment: dstnat1.JPG]

     

    Now, when I add a second rule to redirect to the same port 54 but to a second DNS server (10.1.1.2), since I have two DNS servers listening on the same port, and click OK, the IAP keeps only the last added rule.

    [attachment: dstnat2.JPG]

     

    IAP is running on 6.2.1.0-3.4.0.2_39953

    Went through other posts, couldn't find an answer. Any help much appreciated. Thanks.

     



  • 2.  RE: DSTNAT on IAP, 1 port - 2 destinations

    Posted Feb 13, 2014 02:27 PM

     

    Have you tried from the CLI? If that doesn't work either, you should consider opening a TAC case; it might be something related to the IAP code you are on.



  • 3.  RE: DSTNAT on IAP, 1 port - 2 destinations

    Posted Feb 13, 2014 04:38 PM

    1. Tried from CLI. commit/apply and I get the same result:

    wlan access-rule dns_prof2
     index 3
     rule any any match udp 53 53 dst-nat ip 10.1.1.2 54
     rule any any match any any any permit

     

    The second rule overwrites the first.

     

    2. Upgraded the AP to the latest available 6.3.1.1-4.0.0.1_41049, with the same result: it gets overwritten by the second rule.

     

    So, the issue is not related to old firmware.



  • 4.  RE: DSTNAT on IAP, 1 port - 2 destinations

    Posted Feb 13, 2014 04:58 PM

    @Andrei,

    Please see my previous post; the behavior is by design. You are creating two policies that are redundant, and thus the 2nd will always overwrite the 1st. If you had both, the 2nd would never get hit, as the 1st rule would catch it (all DNS queries in this case).



  • 5.  RE: DSTNAT on IAP, 1 port - 2 destinations

    Posted Feb 13, 2014 05:05 PM

    I understand the logic here, but I definitely cannot have load balancing for DNS, so I have to find a workaround.

     

    I wish it were a TAC case, as Victor suggested.

     

     

    Thanks.

     



  • 6.  RE: DSTNAT on IAP, 1 port - 2 destinations
    Best Answer

    Posted Feb 13, 2014 05:23 PM

    You can open a TAC case if you like, but what you are looking to do is not possible. Are you looking to route DNS requests to two different DNS servers, or just to have a second one in the event one fails?

     

    Are you giving out the proper DNS servers via DHCP? If so, you just want to redirect it to UDP 54 instead of UDP 53?

     

    Try the following. It has two entries, one for each of your DNS servers. This will only work if you are giving these IPs as DNS servers. If the clients choose to use their own, it will not get redirected; but you could at least cover that with an additional line that will capture all other DNS requests and direct them to one of the two servers.

    [attachment: iap-dns-nat.png]



  • 7.  RE: DSTNAT on IAP, 1 port - 2 destinations

    Posted Feb 14, 2014 09:51 AM

    Brilliant, it seems it took the settings this time:

    [attachment: dstnat3.JPG]

     

    I just have to test and make sure that I'm hitting the DNS servers on 54.

     

    As you said, my goal is just to have a second server in the event one fails. DNS servers are assigned by DHCP.

     

    I knew we were going to find a solution. So far, I'll accept this as the resolution to my case, until testing proves otherwise.

     

    Thank you a lot, clembo and Victor, for your input.

     



  • 8.  RE: DSTNAT on IAP, 1 port - 2 destinations

    Posted Feb 13, 2014 03:18 PM

    I would imagine this is expected behavior. Rules are processed top down. In your setup, you are putting in redundant rules with different actions. They are both DST-NAT, but to different destination IPs. Upon application, only the first rule would ever get hit, so the second one is considered repetitive (since they have the same source and destination). Thus, when you click OK, you overwrite the first ACL.

     

    The only way to do this would be to DST-NAT to some sort of load balancer with the two DNS servers behind it.
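
The following is an added example, not code from the thread or from Aruba. It models the top-down, first-match rule processing described in reply 8 and reconstructs, from the description in reply 6 (whose screenshot is not in the page), what the per-server workaround looks like in the CLI grammar of the lines posted in reply 3 (`rule <dest> <mask> match <proto> <start-port> <end-port> <action>`). Both configs are constructed for this example; the `/32` destination rules and the trailing catch-all are assumptions about the intended config, not the original poster's verified settings, and the implicit deny at the end of the rule list is an assumption too.

```python
"""Model of top-down, first-match evaluation of Aruba Instant access rules.

Rule grammar as seen in the CLI lines posted in the thread:
    rule <dest-ip|any> <mask|any> match <proto|any> <start|any> <end|any> <action...>

ORIGINAL_RULES is the configuration the poster tried (both rules match every
UDP/53 packet).  WORKAROUND_RULES is a constructed reconstruction of the
per-server approach from the best answer; it is an assumption, not the
poster's final config.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ORIGINAL_RULES = """\
wlan access-rule dns_prof2
 index 3
 rule any any match udp 53 53 dst-nat ip 10.1.1.1 54
 rule any any match udp 53 53 dst-nat ip 10.1.1.2 54
 rule any any match any any any permit
"""

WORKAROUND_RULES = """\
wlan access-rule dns_prof2
 index 3
 rule 10.1.1.1 255.255.255.255 match udp 53 53 dst-nat ip 10.1.1.1 54
 rule 10.1.1.2 255.255.255.255 match udp 53 53 dst-nat ip 10.1.1.2 54
 rule any any match udp 53 53 dst-nat ip 10.1.1.1 54
 rule any any match any any any permit
"""


@dataclass(frozen=True)
class Rule:
    dest: Optional[ipaddress.IPv4Network]  # None means "any"
    proto: Optional[str]                   # None means "any"
    ports: Optional[Tuple[int, int]]       # inclusive destination-port range; None means "any"
    action: str                            # e.g. "dst-nat ip 10.1.1.1 54" or "permit"

    def matches(self, dst_ip: str, proto: str, dport: int) -> bool:
        if self.dest is not None and ipaddress.IPv4Address(dst_ip) not in self.dest:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.ports is not None and not (self.ports[0] <= dport <= self.ports[1]):
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` matches is also matched by self."""
        dest_ok = self.dest is None or (other.dest is not None and other.dest.subnet_of(self.dest))
        proto_ok = self.proto is None or self.proto == other.proto
        ports_ok = self.ports is None or (
            other.ports is not None
            and self.ports[0] <= other.ports[0]
            and other.ports[1] <= self.ports[1]
        )
        return dest_ok and proto_ok and ports_ok


def parse_rules(config: str):
    """Extract the 'rule ...' lines of an access-rule block, skipping the header lines."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "rule" or tok[3] != "match":
            continue  # 'wlan access-rule ...', 'index N', blank lines
        dest = None if tok[1] == "any" else ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}", strict=False)
        proto = None if tok[4] == "any" else tok[4]
        ports = None if tok[5] == "any" else (int(tok[5]), int(tok[6]))
        rules.append(Rule(dest, proto, ports, " ".join(tok[7:])))
    return rules


def evaluate(rules, dst_ip: str, proto: str, dport: int):
    """First matching rule wins (top-down). Returns (index, action); the
    trailing 'deny' for no match is an assumed implicit deny."""
    for i, r in enumerate(rules):
        if r.matches(dst_ip, proto, dport):
            return i, r.action
    return None, "deny"


def shadowed(rules):
    """Indices of rules that can never be hit because an earlier rule covers all their traffic."""
    return [j for j, r in enumerate(rules) if any(rules[i].covers(r) for i in range(j))]


def summarize(config: str) -> dict:
    rules = parse_rules(config)
    return {
        "shadowed": shadowed(rules),
        "udp53_to_10.1.1.2": evaluate(rules, "10.1.1.2", "udp", 53)[1],
        "udp53_to_other": evaluate(rules, "8.8.8.8", "udp", 53)[1],
        # DNS over TCP (large answers, zone transfers) is not touched by udp-only rules
        "tcp53_to_10.1.1.2": evaluate(rules, "10.1.1.2", "tcp", 53)[1],
    }


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_RULES), ("workaround", WORKAROUND_RULES)):
        print(name, summarize(cfg))
```

With the original config the second `any any match udp 53 53` rule is reported as shadowed (index 1) and a query to 10.1.1.2 is still redirected to 10.1.1.1:54, which is why the two rules are redundant. With the per-server rules nothing is shadowed, queries to each DNS server are redirected to that server's port 54, and the catch-all sends other UDP/53 traffic to the first server. Note the caveat the model also shows: a client that falls back to DNS over TCP hits the final `permit` and is never redirected, so if the redirect is meant as a control rather than a convenience, add a matching TCP rule or a deny for TCP/53.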