DNS assignments - AT&T BGW320 gateway and TPLink Deco

Riptide

Regular Contributor
BGW320 AT&T fiber access point, IP Passthrough Mode
TP-Link Deco BE65Pro Mesh, Router Mode (not access point)

On the Deco app I have set up Cloudflare DNS, under Advanced->DHCP Server. Primary and secondary. An ipconfig on my PC shows the Cloudflare DNS assigned to my ethernet adapter on the PC. I assume then, that the setting on the TP-Link app serves to push those DNS servers down to client devices and that is the expected operation.

If I check the main Deco device via web interface, the DNS entry that shows up there corresponds to the address of the BGW320 gateway.
The BGW320 gateway does not have the cloudflare DNS addresses present. It has what looks like the ISP DNS.

So, being a novice at best here, am seeking to understand what's going on.
1. Why does the Deco have a different DNS entry of its own, vs. what I see and configure under DHCP server in the app? It doesn't seem possible to change this.
2. If I change the DNS settings on the BGW320 gateway, assuming that's possible in IP Passthrough mode, will that ensure that the ISP DNS is completely out of the picture?

Thanks

EDIT: This may be the issue I'm having. I forgot to change the MAC passthrough on the gateway.
 
If I check the main Deco device via web interface, the DNS entry that shows up there corresponds to the address of the BGW320 gateway.
Got a picture to explain this? Be clear on what gateway address you are referring to.

Your router is doing the DNS queries. You can use a DNS leak website to verify.

If your network is small/simple and want to be for sure for sure, you can configure DNS servers on the devices.
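A client-side check of which resolvers DHCP actually handed out, as an added example that is not part of the thread: it parses `ipconfig /all` text and labels each DNS server as the expected Cloudflare resolver, a local forwarder (router or gateway), or another public resolver. The sample output is constructed, English-language `ipconfig` output is assumed, and the function names are hypothetical.

```python
import ipaddress
import re
# Cloudflare's public resolvers (the provider named in the thread).
EXPECTED = {"1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"}

# Constructed `ipconfig /all` excerpt; adapters and addresses are illustrative.
SAMPLE = """\
Ethernet adapter Ethernet:

   Default Gateway . . . . . . . . . : 192.168.68.1
   DNS Servers . . . . . . . . . . . : 1.1.1.1
                                       1.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Default Gateway . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.1.254
"""

def parse_dns_servers(text):
    """Return {adapter: [DNS servers]} parsed from `ipconfig /all` text."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, in_dns = line.rstrip()[:-1], False  # new adapter section
            result[adapter] = []
            continue
        if adapter is None or not line.strip():
            continue
        m = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            result[adapter].append(m.group(1))
            in_dns = True
        elif in_dns and " : " not in line and not line.rstrip().endswith(":"):
            result[adapter].append(line.strip())  # continuation line: one more server
        else:
            in_dns = False
    return result

def classify(server):
    """Label a resolver: expected, local-forwarder (router/gateway), or other-public."""
    addr = ipaddress.ip_address(server.split("%")[0])  # drop any IPv6 zone id
    if str(addr) in EXPECTED:
        return "expected"
    return "local-forwarder" if addr.is_private or addr.is_link_local else "other-public"

def audit(text):  # map each adapter to [(server, label)]
    return {a: [(s, classify(s)) for s in srv] for a, srv in parse_dns_servers(text).items()}
```

A `local-forwarder` result means the client sends queries to the router or gateway, which then uses its own upstream; this client-side check cannot see which upstream that is.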
 
Got a picture to explain this?

Their ISP provided Gateway was configured as a Router sending whatever was configured there for DNS (default ISP DNS servers most likely with own LAN IP address as DNS Proxy) to its clients. The Deco behind it is a client to the ISP Gateway. The final result is the same - Deco clients get Cloudflare DNS with or without double NAT situation before the Deco. The ISP still can track activity by IP address, they don't need DNS queries.
 
Their ISP provided Gateway was configured as a Router
But he is using it in passthru mode, so the Deco is not a normal client device, even if it does get a LAN IP address. Anyway, yep, same result.
I'm not clear on what IP addresses he's referring to.
 
To have the AT&T BGW-329-500 in passthrough, you need to connect your Deco to one of its LAN ports. When configuring it, select the MAC address from the list on the pull down. Assuming it's the only thing plugged in to LAN ports of the BGW, only the MAC address of the Deco will show up on the list. Once selected, the BGW will (DHCP) provide a Public IP (IPv4 and IPv6) to the Deco. You are then free to configure the Deco to use the DNS of your choice.

DHCP on the BGW will provide a Public IP address to the selected MAC address.
In my case, the MAC address is of the AX88u, and I use Cloudflare for DNS/DNSSEC with it. The AX88u provides all the IP addresses for all the devices of the LAN out of the configured pool. Then for all practical purposes, BGW320 does not get in the way of that.

Make sure that the MAC address of your Deco is listed in the red box, the rest should look like this. Any issues you have with the Deco getting a Public IP Address on reboot/restart, feel free to adjust the Passthrough DHCP Lease time, lower.

1746667954036.png


Extra Bonus, part 2: Make sure that the LAN subnet you configure the Deco with, the IP addresses that are provided to your clients (192.x.x.x), does not overlap or otherwise conflict with the LAN subnet configured on the BGW320, typically 192.168.1.x (I changed mine to .10. as .1. for myself). Leave the DHCP Server Enable, On. That's how it provides the Public IP address to the Deco when configured for Passthrough.

1746668475297.png


Why? So you'll be able to get to the BGW320-500 configuration page from the LAN side of the Deco. Additionally, you might want to disable WiFi (both radios) on the BGW320 if your Deco provides it (minimizes conflicts / interference).
 
@aex.perez

The Deco is plugged in via ethernet to the BGW.
Tonight, I fixed the issue with the MAC address pulldown menu 'passthrough fixed MAC address' in your screenshot. I had that set to the old router and had completely spaced needing to go back in and fix that. I also did another scan to remove the previous router from the BGW's tables so that it no longer showed up in that drop-down.

Now, after rebooting the BGW, the Deco is grabbing the public/forward facing IP address correctly. So that seems to be resolved! However, I did notice that when I went to reboot the Deco after resolving this issue it then reverted back to the previous IP of the BGW. Evidently, I need to adjust the lease time lower per your recommendation.

Regarding LAN subnet configuration. The BGW is set for default 192.168.1.64 start and 192.168.1.253 end. DHCP server is enabled. The Deco and all the other LAN devices are reachable at 192.168.68.x. While I am as ignorant about networking as you can get, that seems to imply (to me) that I don't have any conflicts there.

Now, when I check the Deco app under More->Internet Connection, the correct public IP shows for IP address. It is also showing me a similar IP address for default gateway. However, the Primary DNS entry shown is still the address of the BGW gateway. So, do I still have a problem here?

Worth note, the app under More->Advanced->DHCP Server allows me to specify primary and secondary DNS. I have input Cloudflare there, and devices that are receiving DHCP configuration on the LAN are getting Cloudflare per my expectation. But like I noted just above here, in the Internet Connection dialogue on the app Deco still shows the BGW for Primary DNS.

WIFI on the BGW is disabled.

Thanks much.
 
Attached a couple photos here regarding my question above. Do I have a problem here?

The DNS entry showing up if I check the TP-Link webUI corresponds to the BGW gateway. There seems to be no way to edit this, though in the TP-Link app I do have cloudflare DNS entered under Advanced->DHCP Server and clients do assign cloudflare for their DNS.

So it seems the app's settings for DNS are being pushed to clients, which is fine, but there is the matter of what I see in the TP-Link webUI page. Seems odd.
 

Not sure of the TP-Link UI, as I don't have a TP-Link device. But on my Asus and its GUI, and I can only guess/assume that TP-Link has something similar, under WAN settings and then Internet Connection under the Web GUI, I can override the ISP setting and use a DNS of my choosing. Note: it's for the Router (in your case TP-Link Deco) WAN; on the LAN side / the clients it's configured as you have, under the DHCP settings, which is the protocol used to hand out network settings to the clients of the Router. 🤷‍♂️

In lieu of overriding that in the GUI for the WAN side, then yes the AT&T BGW320 will be the DNS for the Router, and AT&T's DNS for the BGW320 (Not configurable), but it only impacts the Router as you have the clients using Cloudflare.
 
Unfortunately, there seems to be no way for me to change the value on the router side. It's not an option I can find in the app and the webUI on tp-link devices is basically read-only.

In the grand scheme, it's of minor consequence since the LAN devices are getting cloudflare per the settings in the app. I knew going to a deco mesh system ahead of time there would be some limitations and this is evidently one of them minor as it is. A slightly more annoying thing is the lack of DNS over TLS support. Not much I can do about that right now except complain to the manufacturer.
 
Well I did find a TP-Link GUI Emulator, but not the exact Router model or region from your original post, I took a guess and picked the RE650 v2.

1746719496415.png

From that, and poking around a bit, I didn't see a way to override the WAN DNS without overriding the WAN IP coming from the BGW320 as well, unfortunately.

But at some risk, if you want to take it, and if you configured to BGW320 Passthrough and if you configure it to use "DHCP-S fixed", then you MIGHT be able to select "Use the following IP address". Picking your own DNS, overriding the DNS handed out by the BGW320. Selecting the WAN IP the router currently has for IP address, though not sure what to use for Default Gateway but it could be the IP Address you shared in the previous screen shot...
1746720247399.png


The risk, of course, is that it's a manual setting vs. automatic, and you're depending on the BGW320's DHCP to work reliably, and AT&T to hand out the same IP address to the BGW320 and subsequently the Router for it to work. But again this would only be used by the router, so it might be worth leaving it alone if your goal was fixing the clients and you seem to have that figured already 🤷‍♂️

On second thought 🤔 It could be that if you left the Address, Mask and Gateway fields blank and just provided the Primary and Secondary DNS, it might just override the DNS settings, and continue using DHCP for populating the three address fields received from the BGW320. You'll need to read the manual or reach out to support for that, and try it 🤷‍♂️
 
Yah at this point I think I'm leaving it alone. Unfortunately, the webUI on the deco model I have is extremely limited. Much moreso than what you see in that emulator. And there is no way to make any edits. It's strictly read only.

Thank you for your assistance.
 
Yah at this point I think I'm leaving it alone. Unfortunately, the webUI on the deco model I have is extremely limited. Much moreso than what you see in that emulator. And there is no way to make any edits. It's strictly read only.

Thank you for your assistance.
I was just a little curious as I've been looking where to go next as I figure out what to do going forward. But after some quick Google searches, I did find this. See if this might help 🤷‍♂️
TP-Link FAQ unfortunately, the only thing I found for DNSSEC together with DoH (DNS over HTTPS) or DoT (DNS over TLS) doesn't look promising 🤷‍♂️
 
Affirm, at this stage DNSSEC and DNS over TLS are basically feature requests. Requests have been made and seemingly been ignored by tp-link.

It may be the non-mesh systems like the BE900 routers might be more feature rich, I haven't checked. I have a BE800 sitting in a box right now but honestly after installing the mesh system I don't see myself even using it. It'll be sold, gifted, or sent back. Haven't decided yet.
 
Thanks. The updates shown there for WiFi7 are for the archer series, like the BE900 I mentioned earlier.

Running the latest firmware on my BE65 Pro and there is no support for DNS over TLS. Not holding my breath there either, but who knows. Maybe by the time WiFi8 comes out and I'm ready to upgrade again? lol
 
Affirm, at this stage DNSSEC and DNS over TLS are basically feature requests. Requests have been made and seemingly been ignored by tp-link.

It may be the non-mesh systems like the BE900 routers might be more feature rich, I haven't checked. I have a BE800 sitting in a box right now but honestly after installing the mesh system I don't see myself even using it. It'll be sold, gifted, or sent back. Haven't decided yet.
One option to consider is to keep the BE800 since it works with EasyMesh, and use the BE65 Pro's as nodes? Reading its manual, it appears to be much more capable and looks like it can do what you want on the WAN side with DNS (minus DNSSEC) 🤷‍♂️

1746727330417.png
 
