Unbound + Pi-hole warnings and communications error

  • DietPi version
    G_DIETPI_VERSION_CORE=8
    G_DIETPI_VERSION_SUB=25
    G_DIETPI_VERSION_RC=1
    G_GITBRANCH=‘master’
    G_GITOWNER=‘MichaIng’

  • Distro version
    bookworm 0

  • Kernel version
    Linux dietpi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux

  • Architecture
    arm64

  • SBC model
    RPi 4 Model B (aarch64)

  • Software title
    Unbound

  • Was the software title installed freshly or updated/migrated?
    Fresh from dietpi-software, pi-hole was already installed from dietpi-software too

  • Can this issue be replicated on a fresh installation of DietPi?
    Haven’t tried

I am trying to make Unbound work on my Pi-hole home setup, but something is not working properly and I have no internet connection.
Unbound is successfully installed from dietpi-software and is properly adjusting the settings in Pi-hole.

Here are some logs:

root@dietpi:~# systemctl status unbound
● unbound.service - Unbound DNS server
     Loaded: loaded (/lib/systemd/system/unbound.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/unbound.service.d
             └─dietpi.conf
     Active: active (running) since Fri 2024-01-19 14:24:34 EET; 1min 3s ago
       Docs: man:unbound(8)
    Process: 420 ExecStartPre=/usr/libexec/unbound-helper chroot_setup (code=exited, status=0/SUCCESS)
    Process: 480 ExecStartPre=/usr/libexec/unbound-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
   Main PID: 482 (unbound)
      Tasks: 1 (limit: 2197)
        CPU: 355ms
     CGroup: /system.slice/unbound.service
             └─482 /usr/sbin/unbound -d -p

Jan 19 14:24:33 dietpi systemd[1]: Starting unbound.service - Unbound DNS server...
Jan 19 14:24:34 dietpi unbound[482]: [482:0] warning: subnetcache: serve-expired is set but not working for data originating from the subnet module cache.
Jan 19 14:24:34 dietpi unbound[482]: [482:0] warning: subnetcache: prefetch is set but not working for data originating from the subnet module cache.
Jan 19 14:24:34 dietpi unbound[482]: [482:0] info: start of service (unbound 1.17.1).
Jan 19 14:24:34 dietpi systemd[1]: Started unbound.service - Unbound DNS server.
root@dietpi:~# journalctl -u unbound
Jan 19 14:24:33 dietpi systemd[1]: Starting unbound.service - Unbound DNS server...
Jan 19 14:24:34 dietpi unbound[482]: [482:0] warning: subnetcache: serve-expired is set but not working for data originating from the subnet module cache.
Jan 19 14:24:34 dietpi unbound[482]: [482:0] warning: subnetcache: prefetch is set but not working for data originating from the subnet module cache.
Jan 19 14:24:34 dietpi unbound[482]: [482:0] info: start of service (unbound 1.17.1).
Jan 19 14:24:34 dietpi systemd[1]: Started unbound.service - Unbound DNS server.
root@dietpi:~# ss -tulpn | grep LISTEN
tcp   LISTEN 0      5          127.0.0.1:4711       0.0.0.0:*    users:(("pihole-FTL",pid=444,fd=10))
tcp   LISTEN 0      1024         0.0.0.0:443        0.0.0.0:*    users:(("lighttpd",pid=648,fd=5))
tcp   LISTEN 0      511        127.0.0.1:6379       0.0.0.0:*    users:(("redis-server",pid=412,fd=7))
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*    users:(("mariadbd",pid=479,fd=20))
tcp   LISTEN 0      256        127.0.0.1:5335       0.0.0.0:*    users:(("unbound",pid=482,fd=4))
tcp   LISTEN 0      1000         0.0.0.0:22         0.0.0.0:*    users:(("dropbear",pid=400,fd=3))
tcp   LISTEN 0      32           0.0.0.0:53         0.0.0.0:*    users:(("pihole-FTL",pid=444,fd=5))
tcp   LISTEN 0      1024         0.0.0.0:80         0.0.0.0:*    users:(("lighttpd",pid=648,fd=7))
tcp   LISTEN 0      1024            [::]:443           [::]:*    users:(("lighttpd",pid=648,fd=6))
tcp   LISTEN 0      1000            [::]:22            [::]:*    users:(("dropbear",pid=400,fd=4))
tcp   LISTEN 0      32              [::]:53            [::]:*    users:(("pihole-FTL",pid=444,fd=7))
tcp   LISTEN 0      1024            [::]:80            [::]:*    users:(("lighttpd",pid=648,fd=4))
root@dietpi:~# dig @127.0.0.1 -p 5335 google.com
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @127.0.0.1 -p 5335 google.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached
root@dietpi:~# cat /etc/resolv.conf
nameserver 192.168.1.1

192.168.1.1 is the IP of my OpenWrt router, which is running stubby for DoT, with DNS forwarding to 127.0.0.1#5453 and both “DNSSEC” and “DNSSEC check unsigned” enabled; this is what I was using as upstream DNS in Pi-hole before trying Unbound.

The router gives a static IP to my DietPi, and that IP is used on my home devices for DNS ad-blocking through Pi-hole. The DHCP server of Pi-hole is not running.

Any help appreciated, really want to test Unbound.

Hmm, looks like Unbound is not working correctly, even if the service is up. Did you already try to reboot?

Actually, it doesn’t make sense to adjust something within PiHole as long as Unbound has issues. The following needs to be working first.

dig @127.0.0.1 -p 5335 google.com

Yeah, I have rebooted multiple times, and uninstalled, rebooted and reinstalled Unbound multiple times as well.

Didn’t adjust anything; I just checked within Pi-hole that the Custom IPv4 was correctly set to 127.0.0.1#5335.

For the time being, you would need to switch back PiHole to a different upstream DNS.

In addition, it would be helpful to install tcpdump. With it we could try to fetch the communication with Unbound.

Thank you for your time,

Pi-hole set to a different working upstream and tcpdump installed.

The subnetcache warnings from journalctl are irrelevant, correct?

I do have the same. Should be irrelevant.

root@DietPiProd:~# journalctl -u unbound.service
Jan 06 22:13:56 DietPiProd systemd[1]: Starting unbound.service - Unbound DNS server...
Jan 06 22:13:57 DietPiProd unbound[495]: [495:0] warning: subnetcache: serve-expired is set but not working for data originating from the subnet module cache.
Jan 06 22:13:57 DietPiProd unbound[495]: [495:0] warning: subnetcache: prefetch is set but not working for data originating from the subnet module cache.
Jan 06 22:13:57 DietPiProd unbound[495]: [495:0] info: start of service (unbound 1.17.1).
Jan 06 22:13:57 DietPiProd systemd[1]: Started unbound.service - Unbound DNS server.
root@DietPiProd:~#

To check network traffic, open 2 SSH sessions in parallel.

On #1 run tcpdump to capture traffic

tcpdump -i any -c500 -nn port 53 or 5335

On #2 run dig command

dig @127.0.0.1 -p 5335 google.com

Let’s hope that there is not that much “noise” from PiHole :smiley:

Once captured, you can cancel tcpdump on #1

#1

root@dietpi:~# tcpdump -i any -c500 -nn port 53 or 5335
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
17:05:03.063920 lo    In  IP 127.0.0.1.55255 > 127.0.0.1.5335: UDP, length 51
17:05:03.064310 eth0  Out IP 192.168.1.228.16743 > 170.247.170.2.53: 42300% [1au] NS? . (28)
17:05:03.441110 eth0  Out IP 192.168.1.228.7956 > 170.247.170.2.53: 25216% [1au] NS? . (28)
17:05:03.818133 eth0  Out IP 192.168.1.228.33468 > 199.7.91.13.53: 2532% [1au] NS? . (28)
17:05:04.194877 eth0  Out IP 192.168.1.228.18156 > 199.7.91.13.53: 65186% [1au] NS? . (28)
17:05:04.571919 eth0  Out IP 192.168.1.228.58798 > 192.112.36.4.53: 31260% [1au] NS? . (28)
17:05:04.948651 eth0  Out IP 192.168.1.228.20760 > 192.112.36.4.53: 60517% [1au] NS? . (28)
17:05:05.325689 eth0  Out IP 192.168.1.228.46421 > 192.58.128.30.53: 12409% [1au] NS? . (28)
17:05:05.702436 eth0  Out IP 192.168.1.228.14214 > 192.58.128.30.53: 10385% [1au] NS? . (28)
17:05:06.079507 eth0  Out IP 192.168.1.228.25688 > 199.7.91.13.53: 5115% [1au] NS? . (28)
17:05:06.836717 eth0  Out IP 192.168.1.228.25262 > 199.7.91.13.53: 4224% [1au] NS? . (28)
17:05:07.590190 eth0  Out IP 192.168.1.228.36280 > 198.97.190.53.53: 27498% [1au] NS? . (28)
17:05:07.966919 eth0  Out IP 192.168.1.228.4872 > 198.97.190.53.53: 57009% [1au] NS? . (28)
17:05:08.069818 lo    In  IP 127.0.0.1.44665 > 127.0.0.1.5335: UDP, length 51
17:05:08.342903 eth0  Out IP 192.168.1.228.43624 > 193.0.14.129.53: 28612% [1au] NS? . (28)
17:05:08.719631 eth0  Out IP 192.168.1.228.11899 > 193.0.14.129.53: 974% [1au] NS? . (28)
17:05:09.096655 eth0  Out IP 192.168.1.228.41918 > 192.5.5.241.53: 32614% [1au] NS? . (28)
17:05:09.473368 eth0  Out IP 192.168.1.228.4974 > 192.5.5.241.53: 18252% [1au] NS? . (28)
17:05:09.850366 eth0  Out IP 192.168.1.228.34935 > 192.33.4.12.53: 24709% [1au] NS? . (28)
17:05:10.227092 eth0  Out IP 192.168.1.228.59469 > 192.33.4.12.53: 13618% [1au] NS? . (28)
17:05:10.604113 eth0  Out IP 192.168.1.228.39331 > 192.58.128.30.53: 36338% [1au] NS? . (28)
17:05:11.357234 eth0  Out IP 192.168.1.228.12443 > 192.58.128.30.53: 62216% [1au] NS? . (28)
17:05:12.110628 eth0  Out IP 192.168.1.228.58444 > 192.112.36.4.53: 7385% [1au] NS? . (28)
17:05:12.863751 eth0  Out IP 192.168.1.228.27018 > 192.112.36.4.53: 45169% [1au] NS? . (28)
17:05:13.074752 lo    In  IP 127.0.0.1.50400 > 127.0.0.1.5335: UDP, length 51
17:05:13.616100 eth0  Out IP 192.168.1.228.18261 > 198.41.0.4.53: 12447% [1au] NS? . (28)
17:05:13.992872 eth0  Out IP 192.168.1.228.58675 > 198.41.0.4.53: 23734% [1au] NS? . (28)
17:05:14.369899 eth0  Out IP 192.168.1.228.41249 > 170.247.170.2.53: 21119% [1au] NS? . (28)
17:05:15.123026 eth0  Out IP 192.168.1.228.11572 > 170.247.170.2.53: 28515% [1au] NS? . (28)
17:05:15.876434 eth0  Out IP 192.168.1.228.19015 > 192.203.230.10.53: 10798% [1au] NS? . (28)
17:05:16.253166 eth0  Out IP 192.168.1.228.13385 > 192.203.230.10.53: 1490% [1au] NS? . (28)
17:05:16.630201 eth0  Out IP 192.168.1.228.55176 > 192.36.148.17.53: 13796% [1au] NS? . (28)
17:05:17.006926 eth0  Out IP 192.168.1.228.54153 > 192.36.148.17.53: 42427% [1au] NS? . (28)
17:05:17.383941 eth0  Out IP 192.168.1.228.17727 > 198.97.190.53.53: 26673% [1au] NS? . (28)
17:05:18.137108 eth0  Out IP 192.168.1.228.15097 > 198.97.190.53.53: 15930% [1au] NS? . (28)
17:05:18.890522 eth0  Out IP 192.168.1.228.48035 > 202.12.27.33.53: 44212% [1au] NS? . (28)
17:05:19.267255 eth0  Out IP 192.168.1.228.18115 > 202.12.27.33.53: 17068% [1au] NS? . (28)
17:05:19.644251 eth0  Out IP 192.168.1.228.59008 > 192.5.5.241.53: 39627% [1au] NS? . (28)
17:05:20.397356 eth0  Out IP 192.168.1.228.9412 > 192.5.5.241.53: 756% [1au] NS? . (28)
17:05:21.150780 eth0  Out IP 192.168.1.228.36555 > 202.12.27.33.53: 31609% [1au] NS? . (28)
17:05:21.903898 eth0  Out IP 192.168.1.228.50775 > 202.12.27.33.53: 18722% [1au] NS? . (28)
17:05:22.657297 eth0  Out IP 192.168.1.228.17127 > 192.203.230.10.53: 46860% [1au] NS? . (28)
17:05:23.410418 eth0  Out IP 192.168.1.228.9308 > 192.203.230.10.53: 55402% [1au] NS? . (28)
17:05:24.163832 eth0  Out IP 192.168.1.228.40055 > 199.7.83.42.53: 44011% [1au] NS? . (28)
17:05:24.540559 eth0  Out IP 192.168.1.228.50832 > 199.7.83.42.53: 26232% [1au] NS? . (28)
17:05:24.917563 eth0  Out IP 192.168.1.228.44926 > 192.33.4.12.53: 61615% [1au] NS? . (28)
17:05:25.670676 eth0  Out IP 192.168.1.228.32513 > 192.33.4.12.53: 53223% [1au] NS? . (28)
17:05:26.424078 eth0  Out IP 192.168.1.228.20275 > 193.0.14.129.53: 21283% [1au] NS? . (28)
17:05:27.177198 eth0  Out IP 192.168.1.228.12651 > 193.0.14.129.53: 5435% [1au] NS? . (28)
17:05:27.930595 eth0  Out IP 192.168.1.228.37498 > 192.36.148.17.53: 39024% [1au] NS? . (28)
17:05:28.683704 eth0  Out IP 192.168.1.228.17351 > 192.36.148.17.53: 8821% [1au] NS? . (28)
17:05:29.437152 eth0  Out IP 192.168.1.228.49735 > 199.7.83.42.53: 40902% [1au] NS? . (28)
17:05:30.190266 eth0  Out IP 192.168.1.228.57810 > 199.7.83.42.53: 19430% [1au] NS? . (28)
17:05:30.943656 eth0  Out IP 192.168.1.228.47276 > 198.41.0.4.53: 40723% [1au] NS? . (28)
17:05:31.696796 eth0  Out IP 192.168.1.228.6114 > 198.41.0.4.53: 6124% [1au] NS? . (28)
17:05:32.450218 eth0  Out IP 192.168.1.228.10994 > 198.97.190.53.53: 14135% [1au] NS? . (28)
17:05:33.956077 eth0  Out IP 192.168.1.228.21677 > 198.97.190.53.53: 20653% [1au] NS? . (28)
17:05:35.462251 eth0  Out IP 192.168.1.228.47397 > 192.36.148.17.53: 58018% [1au] NS? . (28)
17:05:36.968124 eth0  Out IP 192.168.1.228.15064 > 192.36.148.17.53: 37050% [1au] NS? . (28)
17:05:38.474272 eth0  Out IP 192.168.1.228.37535 > 198.41.0.4.53: 61967% [1au] NS? . (28)
17:05:39.980143 eth0  Out IP 192.168.1.228.47439 > 198.41.0.4.53: 45376% [1au] NS? . (28)
17:05:41.486289 eth0  Out IP 192.168.1.228.12482 > 192.112.36.4.53: 34108% [1au] NS? . (28)
17:05:42.992145 eth0  Out IP 192.168.1.228.64332 > 192.112.36.4.53: 22384% [1au] NS? . (28)
17:05:44.498274 eth0  Out IP 192.168.1.228.13996 > 199.7.83.42.53: 54090% [1au] NS? . (28)
17:05:46.004148 eth0  Out IP 192.168.1.228.25750 > 199.7.83.42.53: 9226% [1au] NS? . (28)
17:05:47.510288 eth0  Out IP 192.168.1.228.12067 > 170.247.170.2.53: 11250% [1au] NS? . (28)
^C
66 packets captured
70 packets received by filter
0 packets dropped by kernel

#2

root@dietpi:~# dig @127.0.0.1 -p 5335 google.com
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @127.0.0.1 -p 5335 google.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

Hmm, it looks like Unbound is not able to connect to the upstream root DNS servers. You see requests going out, but they never come back. Could there be a component on your network blocking outgoing DNS traffic?
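As an added example (not code from the thread), a small script that does the pairing described in this post automatically: it parses tcpdump lines in the format captured above and reports, per upstream server, how many queries went out and how many replies came back, matching by server address and DNS transaction ID. The sample capture is a few of the lines from the thread plus one constructed reply, so the output shows both a server that answered and one that never did.

```python
"""Pair outbound DNS queries with their replies in a tcpdump text capture.

Added example, not code from the thread. It parses lines as printed by
`tcpdump -i any -nn port 53 or 5335` (LINUX_SLL2 style, with an interface
and an In/Out column) and matches each outbound query to an inbound reply by
server address and DNS transaction ID. A server with queries out and no
replies back is the pattern seen in the thread: Unbound's root-server
priming (`NS? .`) leaves eth0 and nothing ever returns.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

# Constructed sample: five lines taken from the thread's capture plus one
# constructed reply (the last line) that did NOT occur in the poster's capture.
SAMPLE_CAPTURE = """\
17:05:03.063920 lo    In  IP 127.0.0.1.55255 > 127.0.0.1.5335: UDP, length 51
17:05:03.064310 eth0  Out IP 192.168.1.228.16743 > 170.247.170.2.53: 42300% [1au] NS? . (28)
17:05:03.441110 eth0  Out IP 192.168.1.228.7956 > 170.247.170.2.53: 25216% [1au] NS? . (28)
17:05:03.818133 eth0  Out IP 192.168.1.228.33468 > 199.7.91.13.53: 2532% [1au] NS? . (28)
17:05:04.194877 eth0  Out IP 192.168.1.228.18156 > 199.7.91.13.53: 65186% [1au] NS? . (28)
17:05:08.069818 lo    In  IP 127.0.0.1.44665 > 127.0.0.1.5335: UDP, length 51
17:05:04.201000 eth0  In  IP 170.247.170.2.53 > 192.168.1.228.7956: 25216 13/0/27 NS a.root-servers.net., NS b.root-servers.net. (811)
""".splitlines()

def parse_line(line):
    """Return the parsed fields of one tcpdump line, or None if it is not a DNS/UDP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    idm = re.match(r"(\d+)", pkt["rest"])  # leading number is the DNS transaction ID
    pkt["txid"] = int(idm.group(1)) if idm else None
    return pkt

def summarize(lines, port=53):
    """Per upstream server: queries sent to `port`, and replies matched by (server, txid)."""
    stats = defaultdict(lambda: {"queries": 0, "replies": 0})
    pending = set()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["txid"] is None:   # undecoded UDP (e.g. local client -> 5335)
            continue
        if pkt["dir"] == "Out" and pkt["dport"] == str(port):
            stats[pkt["dst"]]["queries"] += 1
            pending.add((pkt["dst"], pkt["txid"]))
        elif pkt["dir"] == "In" and pkt["sport"] == str(port):
            key = (pkt["src"], pkt["txid"])
            if key in pending:                    # only count replies to queries we saw
                pending.discard(key)
                stats[pkt["src"]]["replies"] += 1
    return dict(stats)

def unanswered_servers(stats):
    """Servers that were queried but never sent a matching reply."""
    return sorted(ip for ip, s in stats.items() if s["queries"] and not s["replies"])

def local_client_queries(lines, port=5335):
    """Queries from the local client (dig) to the resolver port, i.e. dig's retries."""
    return sum(1 for l in lines if (p := parse_line(l)) and p["dir"] == "In" and p["dport"] == str(port))
```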

I don’t see anything blocking it but also nothing allowing it at the same time. Maybe something has to be done on my OpenWRT Firewall Traffic Rules settings?

I don’t use OpenWRT, so not sure. Which upstream DNS server do you use in PiHole?

As I wrote in my first post, I use stubby on my OpenWRT router to encrypt my DNS traffic through DoT. The current upstream DNS servers I am using are these:

config resolver
       option address '185.95.218.42'
       option tls_auth_name 'dns.digitale-gesellschaft.ch'

config resolver
       option address '185.95.218.43'
       option tls_auth_name 'dns.digitale-gesellschaft.ch'

config resolver
       option address '5.9.164.112'
       option tls_auth_name 'dns3.digitalcourage.de'

My Pi-hole currently is set to use those above simply with the custom IPv4 setting to my OpenWRT address of 192.168.1.1

Probably you would need to allow traffic on port 53 from and to the device hosting Unbound.

Those 2 entries in Port Forwards are giving me some progress, as you suggested. I am allowing UDP and TCP protocols; I don’t know if TCP is needed.

root@dietpi:~# dig @127.0.0.1 -p 5335 google.com

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @127.0.0.1 -p 5335 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19469
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 24 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Sat Jan 20 00:46:25 EET 2024
;; MSG SIZE  rcvd: 39

Repeat the tcpdump steps to check what is missing. Actually, I’m not sure if port forwarding is the correct way, as it would allow access to your DNS server from outside.

@trendy do you have any knowledge on OpenWRT?

I do use OpenWrt as well. By default there is no need for any additional rule or port forwarding in OpenWrt to allow lan->wan traffic. @them
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Since you use Pi-hole/Unbound, the OpenWRT DNS/stubby is unused, isn’t it? Probably there is some automatic firewall entry used in case you use stubby, to prevent plain DNS from the LAN (port 53) and hence assure that all DNS requests are going through the router. On the other hand, Pi-hole without Unbound is working with an upstream DNS?

Uh, what? Those are port forwarding rules to allow anyone from the Internet using your Pi-hole, which can be terribly misused for cyber attacks. Remove those ASAP. What we are looking for is firewall rules for outbound traffic, not port forwarding!

By default only UDP is used and needed, but the DNS standard itself supports TCP as well. Just in case, it’s best to allow both (in the firewall for outbound traffic on port 53, not port forwarding).
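An added example (not from the thread or from OpenWrt) that checks a `uci export firewall` dump for the three points raised in the last posts: port forwards that hand wan-side port 53 to a LAN host, rules that block lan-to-wan port 53, and whether a lan-to-wan forwarding exists at all. The sample export is the poster's zones and forwarding plus one constructed `config redirect` so that the check has something to flag.

```python
"""Audit an OpenWrt `uci export firewall` dump for what this thread hinges on.

Added example, not code from the thread or from OpenWrt. It reports
(1) `config redirect` entries that DNAT port 53 from the wan zone (the port
forwards that would expose the Pi-hole/Unbound host as an open resolver),
(2) `config rule` entries that REJECT/DROP lan -> wan traffic on port 53, and
(3) whether a lan -> wan `config forwarding` exists, which outbound DNS needs.
"""
from collections import defaultdict

# Constructed sample: the poster's zones and forwarding, plus ONE redirect
# that does not appear in the poster's export, added to show what gets flagged.
SAMPLE_FIREWALL = """\
package firewall

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config redirect
        option name 'DNS-to-pihole'
        option src 'wan'
        option src_dport '53'
        option dest 'lan'
        option dest_ip '192.168.1.228'
        option proto 'tcp udp'
        option target 'DNAT'
"""

def parse_uci(text):
    """Parse UCI export text into [{"type", "name", "options": {key: [values]}}]."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().replace("'", "").split(None, 2)
        if not parts or parts[0] == "package" or parts[0].startswith("#"):
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                             "options": defaultdict(list)})
        elif parts[0] in ("option", "list") and sections and len(parts) > 1:
            sections[-1]["options"][parts[1]].append(parts[2] if len(parts) > 2 else "")
    return sections

def first(sec, key, default=None):
    vals = sec["options"].get(key)
    return vals[0] if vals else default

def exposed_dns_redirects(sections):
    """Port forwards that hand wan-side port 53 to a LAN host (open-resolver exposure)."""
    return [{"name": first(s, "name", "<unnamed>"), "dest_ip": first(s, "dest_ip")}
            for s in sections
            if s["type"] == "redirect" and first(s, "src") == "wan"
            and first(s, "target", "DNAT") == "DNAT"            # DNAT is the UCI default
            and "53" in (first(s, "src_dport"), first(s, "dest_port"))]

def blocking_dns_rules(sections):
    """Names of rules that REJECT/DROP lan -> wan traffic to port 53."""
    return [first(s, "name", "<unnamed>") for s in sections
            if s["type"] == "rule" and first(s, "src") == "lan" and first(s, "dest") == "wan"
            and first(s, "dest_port") == "53" and first(s, "target") in ("REJECT", "DROP")]

def lan_to_wan_forwarding(sections):
    """True when a `config forwarding` from lan to wan is present."""
    return any(s["type"] == "forwarding" and first(s, "src") == "lan" and first(s, "dest") == "wan"
               for s in sections)
```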

Yeah, not feeling confident doing that; also, when I have those two enabled they break my currently working DNS setup.

The following commands should be run on OpenWRT, correct?

That’s right.

{
        "kernel": "5.15.137",
        "hostname": "",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "AVM FRITZ!Box 4040",
        "board_name": "avm,fritzbox-4040",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username ''
        option password ''
        option ipv6 '0'
        option peerdns '0'
        option dns '127.0.0.1'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'none'
        option reqprefix 'no'
        option peerdns '0'
        option dns '0::1'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option noresolv '1'
        option dnssec '1'
        list server '127.0.0.1#5453'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name ''
        option dns '1'
        option mac ''
        option ip '192.168.1.104'

config host
        option name 'dietpi'
        option dns '1'
        option mac ''
        option ip '192.168.1.228'

package firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
13: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    inet PUBLICIP peer GATEWAY scope global pppoe-wan
       valid_lft forever preferred_lft forever
default via GATEWAY dev pppoe-wan
GATEWAY dev pppoe-wan scope link  src PUBLICIP
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
local PUBLICIP dev pppoe-wan table local scope host  src PUBLICIP
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Nov 14 15:38 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx    1 root     root            35 Dec  8 14:50 /tmp/resolv.conf -> /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root            37 Dec  8 14:51 /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root            50 Dec  8 14:51 /tmp/resolv.conf.ppp

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            37 Dec  8 14:51 resolv.conf.auto
==> /etc/resolv.conf <==
# Interface wan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
# Interface wan
nameserver 127.0.0.1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.ppp <==
nameserver ISP
nameserver ISP

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 127.0.0.1

I hope I did it correctly.