The service works, but I have many errors (traffic from the MikroTik DNS server to the PC):
End output rules output: in:(unknown 0) out:LAN-bridge, proto UDP, 192.168.66.1:53->192.168.66.6:51496, len 60
Rule:
;;; established related chain=output action=accept connection-state=established,related log=no
does not accept traffic.
/ip firewall filter chain=output is only for connections initiated by the router itself. If the DNS service is running on the router itself (192.168.66.1), then you need rules in chain=input … usually that would be two rules:
The second one should be made more specific (e.g. by adding in-interface or src-address or some other property) in order to avoid creating an open relay DNS server accessible from the internet.
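As an added example, not mkx's own rules and not taken from this thread, here is one way to write such input-chain rules in RouterOS syntax. It assumes LAN-bridge (from the log line above) is the LAN interface and a hypothetical ether1 is the WAN interface.

```routeros
# Added example; LAN-bridge is taken from the log line in the thread,
# ether1 as the WAN interface is an assumption.

# This is the setting that makes the router answer DNS queries at all.
/ip dns
set allow-remote-requests=yes

/ip firewall filter
# Replies to connections the router itself initiated (e.g. upstream DNS
# responses) and further packets of connections already accepted.
add chain=input action=accept connection-state=established,related \
    comment="established,related"
# DNS queries, but only from the LAN side. Without in-interface (or a
# src-address restriction) this rule would also accept queries arriving
# on the WAN and make the router an open resolver.
add chain=input action=accept protocol=udp dst-port=53 in-interface=LAN-bridge \
    comment="DNS from LAN"
add chain=input action=accept protocol=tcp dst-port=53 in-interface=LAN-bridge \
    comment="DNS from LAN (TCP)"
# Explicitly drop DNS arriving on the WAN interface (assumed: ether1).
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether1 \
    comment="no DNS from WAN"
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether1 \
    comment="no DNS from WAN (TCP)"

# The packet/byte counters show which rule the queries actually hit.
/ip firewall filter print stats where chain=input
```

A final catch-all drop on chain=input is the usual way to close everything else; it is left out here so the example stays limited to the DNS rules under discussion.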
@mkx, I'm afraid that what the OP is trying to illustrate is the fact that the rule doesn't count, but it may be a confusion of cause and consequence. If that rule is alone in the output chain, it should match (and thus count) on each DNS response sent by the router, as such a packet definitely matches on connection-state=established. So I'd expect the answer not to actually be sent, rather than the rule missing it.
@LurkerBeta, can you elaborate on what actually happens? Packets are handled by /ip firewall filter rules after they have been routed, so if there is a routing issue of any kind (mangle rules, routing rules, arp responses missing, ethernet interface flapping), this may be a reason why there is no packet the rule could match.
Is that the only rule in chain output of /ip firewall filter?
I figured out the problem; all firewall rules are correct.
The client makes a DNS request via UDP to the router. The router makes a DNS request to a DNS server on the Internet. If the router does not receive a response, then the router responds to the client after the UDP connection timeout expires.
Question: how long does it take for the router to respond to the client if the router cannot contact the Internet DNS server?