Mikrotik,pihole & unbound.

shafiqrahman · May 21, 2021, 5:45am

Issue solved thank you @2frogs.
If someone needed:
Mikrotik new subnet

/interface bridge port remove [find interface="ether5"]
/interface list member add interface=ether5 list=LAN
/ip address 
add address=192.168.188.1/24 comment=pinet interface=ether5 network=192.168.188.0
/ip pool
add name=pinet ranges=192.168.188.20-192.168.188.40
/ip dhcp-server
add address-pool=pinet disabled=no interface=ether5 name=pinetDHCP
/ip dhcp-server network
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
add address=192.168.188.25/32 comment=route dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
/ip firewall address-list
add address=192.168.188.20-192.168.188.40 list=allowed_to_router

Nat rules credit goes to @2frogs

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.188.28 dst-port=53 protocol=tcp to-address=192.168.88.1 comment=pihole_bypass disabled=yes
add action=dst-nat chain=dstnat dst-address=192.168.188.28 dst-port=53 protocol=udp to-address=192.168.88.1 comment=pihole_bypass disabled=yes

This portions credit goes to @anav

/ip firewall filter
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24

Credits goes to @rextended

/ip upnp interfaces
add interface=ether5 type=internal

Script credit @hollerauer http://forum.mikrotik.com/t/script-automatically-change-dns-if-pi-hole-is-no-longer-working/140040/1

:local piholeDown [/ip firewall nat print count-only where comment~"pihole_bypass" && disabled]
:local piholeDNS "192.168.188.25"
:local testDomain "www.google.com"

:if ($piholeDown > 0 ) do={
    :do {
        :resolve $testDomain server $piholeDNS
    } on-error={
        /ip firewall nat enable [find comment=pihole_bypass];
    }
} else={
    :do {
        :resolve $testDomain server $piholeDNS
        /ip firewall nat disable [find comment=pihole_bypass];
    } on-error={}
}

In case Mikrotik fails to establish DoH after reboot, credit @DarkNate

/ip dns
set allow-remote-requests=yes query-server-timeout=100ms query-total-timeout=5s
add servers=1.1.1.1,1.0.0.1
set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=104.16.248.249 gateway=pppoe-out1 scope=10
add dst-address=104.16.249.249 gateway=pppoe-out1 scope=10
add distance=1 gateway=104.16.248.249 routing-mark=to_ISP1 check-gateway=ping
add distance=2 gateway=104.16.249.249 routing-mark=to_ISP1 check-gateway=ping

Useful link:http://forum.mikrotik.com/t/how-do-i-connect-two-subnet-in-a-single-router/149158/21