About a year ago I purchased myself an OpenWRT router to use on the plane and in hotels.

And so far I really like both the device and the Hong Kong based brand (launching new and updated products, and releasing relatively regular updates for older products). Pick a device that fits your needs (USB powered? LTE? Small form factor?).

The GL-AR750S aka Slate is fully customizable but runs a few nice things out of the box: WireGuard (with a physical button to turn it on or off), OpenVPN, shell access, Tor (requires the latest firmware), IPv6, DoH (Cloudflare only for now), multiple SSIDs (i.e. Guest WiFi), and more.

Oh and I specifically picked this version (compared to other or cheaper ones) because it had both 2.4Ghz and 5Ghz, as well as 3 Gbit ports (1x WAN, 2x LAN).

I use the device on flights, where I connect to the network once in the air, purchase WiFi or use iPass "for one device" and then connect to the interwebs behind my NAT-router from my iPad, phone(s), laptop(s), and even Shan's devices if she is travelling with me.

In hotels, I either connect it to the wired ethernet, if still available (tends to be more stable), or connect it to the guest WiFi and then connect my devices to the router: saves me from connecting to a new network and typing the room number and login/password/family name on every device. And once again hides the true number of connected devices; quite handy trick for those pesky hotels providing free access only to two devices.

Sure it takes a bit of setup every time: find a working USB port, sign in to the web interface, search for new networks if this is a new hotel or I haven't travelled on this airline, connect to said network, sign in with iPass, and optionally enable VPN)...

And once in a while some fiddling with VPN or DNS that's borking up or being blocked by overzealous firewalls.

Also, some in-flight entertainment USB ports don't provide enough power (and/or are often broken -- looking at you Lufthansa in economy) so be sure to carry a couple of these (US-plug works best) -- I've already forgotten one on my last flight from MUC-SIN on LH, but luckily I have pretty easy access to these.

If you travel a lot it's totally worth the money.

The culprit is how EdgeOS deals with its hosts file. Basically it just keeps all the old hosts added and just adds a new line at the end of the file.

NextDNS searches for the first valid entry in that file, which is always going to be an older record.

So the simplest solution I found was the turn off hostfile-update every so often. This clears the hosts file.

So ssh into the device, run configure, and then run these commands:

set service dhcp-server hostfile-update disable
commit
set service dhcp-server hostfile-update enable
commit
save

Update 22 Jun '23:

Be sure to restart NextDNS, or it won't actually publish the up-to-date client hostnames.

sudo /config/nextdns/nextdns restart

Couple of weeks ago I started to play with NextDNS -- and I really recommend anyone that's something privacy minded and cares about the stuff happening on their network.

I've set up several configs (home, parents, FlatTurtle TurtleBox (the NUCs controlling the screens)) and Servers. Once it's out of beta and better supported on Unifi and Ubiquiti hardware I might deploy it to our public WiFi (well, most access points don't look like that -- but you get the point) networks too.

Looking at the logs was an eye-opener seeing what goes through your network. You can play around and block (or whitelist) certain domains.

I figured out my Devialet does an insane amount of requests to cache.radioline.fr for example. This domain has a 30s TTL. It shows that the majority of my DNS requests are actually automated pings and not in any way human traffic.

Anyhow -- I've since installed the NextDNS CLI straight on my EdgeRouter Lite acting as a caching DNS server and forwarding using DoH.

I've turned off dnsmasq (/etc/default/dnsmasq => DNSMASQ_OPTS="-p0") and have NextDNS listen to :53 directly.

Note that every EdgeOS update seems to wipe out the NextDNS installation, and requires a fresh install... Pain in the ass and doesn't seem like that's fixable.

This is my ERL NextDNS config (/etc/nextdns.conf)

hardened-privacy false
bogus-priv true
log-queries false
cache-size 10MB
cache-max-age 0s
report-client-info true
timeout 5s
listen :53
use-hosts true
setup-router false
auto-activate true
config 34xyz8
detect-captive-portals false
max-ttl 0s

The explanation of every flag is explain on their Github page and they are very responsive via issues or through their chat on my.nextdns.io.

All right -- next thing I've noticed is that my Google Home devices are not sending any DNS requests -- which means the devices use hard coded DNS servers.

I have a separate vlan (eth1.90) for Google Home (includes my Android TV, OSMC, Nest Home Hub and all other GHome and Chromecast devices). For this vlan I set up a deflector to be able to cast and ping/ssh from my "main" network/vlan to GHome vlan.

Using this guide I redirected all external DNS traffic to the ERL so I can monitor what's happening. The important part was the following:

yeri@sg-erl# show service nat rule 4053
destination {
port 53
}
inbound-interface eth1.90
inside-address {
address 10.3.34.1
port 53
}
protocol tcp_udp
type destination

This allows to "catch" all UDP and TCP connections to :53 and redirect them the ERL DNS server (10.3.34.1). The GHome devices were acting a bit weird after committing the change, but a reboot of the device fixed it.

Note that you need to set this up per vlan. If you want to catch DNS requests for your Guest or IoT vlan, you'll need to do the same.

Running Wireshark I found that only about 5ish packets got transferred, and all other data to that website abruptly stopped.

I’m using ADSL (EDPnet), which has an MTU of 1492, however, I was able to access all websites from the router (using lynx, for example), but not from any other PC within the network.

# ifconfig ppp0
ppp0      Link encap:Point-to-Point Protocol
inet addr:85.234.196.57  P-t-P:85.234.196.1  Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492 Metric:1
RX packets:38804442 errors:0 dropped:0 overruns:0 frame:0
TX packets:28930886 errors:0 dropped:5020 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:45941523311 (42.7 GiB)  TX bytes:2887926670 (2.6 GiB)

Thinking it might have been a firewall issue, I flushed all my iptables rules, and started over from scratch. However, this too didn’t solve my issue.

When I VPN’ed or used my Macbook Pro directly as PPPoE device (by-passing the Gentoo router) I was able to access all the websites as well.

After being close to giving up, I found the following iptables rule:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -t mangle

And try again.

This did solve my issue. :)

This is because the default 100mbit MTU is 1500, instead of 1492 for PPPoE.