The problem is that it blocks the requested website for all my DHCP clients. I've searched a lot but haven't found a way to either whitelist certain DHCP clients or to blacklist others.
The only way I've found was to manually enter an external DNS server on the computers that weren't included in the DNSBlacklist address-list, but this has to be done by hand and I'd like to avoid manual config on the computers.
OK, but will the two VLANs with different DHCP servers be able to talk to each other (which I need)? Also, do I need managed switches to do that? I like to keep things simple.
Since they are different subnets they will have to go through the router to talk to each other, so just block it in the firewall. You CANNOT, however, just stick them both onto a single unmanaged switch. You can do it with a managed switch, or with two unmanaged switches (one for each VLAN) if the ports on the device aren't enough.
If you can determine the MAC addresses of the clients which are not to be blocked, you can have DHCP provide a static IP to those clients and then adjust the rules to not block that sub-range.
By isolating the two groups into specific IP ranges you can either:
A) Use DST NAT rules to drive certain clients to either the internal or external DNS server, or
B) Allocate different DNS servers to different clients using those different IP ranges.
As regards B): say you have a subnet 192.168.1.0/24 and you would normally have a DHCP Server "network" entry for 192.168.1.0/24. Instead, have two entries, one for 192.168.1.0/25 and one for 192.168.1.128/25. Have each entry allocate a different DNS server while keeping the mask and gateway the same for both. Now DHCP clients being allocated an IP number in the lower half of the 192.168.1.0/24 range will receive one DNS server, while those being allocated an IP number in the upper half of 192.168.1.0/24 will be allocated a different DNS server.
This automates the manual process that the OP is currently using to allocate external DNS servers to certain clients.
Can you give me the specific NAT rules I need to implement to get the clients (I would use an address-list) to use the external DNS (like 8.8.8.8 and 8.8.4.4)?
Will using external DNS cause problems for those clients in terms of name resolving on the local network (like \server.local, for example)?
Create an address list of clients who are to be 'whitelisted':
/ip firewall address-list add list=dns_whitelist address=192.168.88.5
/ip firewall address-list add list=dns_whitelist address=192.168.88.6
/ip firewall address-list add list=dns_whitelist address=192.168.88.7
Change the IPs to the ones you require.
Next, set up a NAT rule:
/ip firewall nat add action=netmap chain=dstnat dst-address= dst-port=53 protocol=udp src-address-list=dns_whitelist to-addresses= to-ports=53
Then any DNS requests from those listed under dns_whitelist will go via the external DNS.
Things such as \servername.local etc. will only stop working if you have statically set this DNS in the MikroTik. If you haven't, and they are working automatically, then they will continue to do so. (They transmit themselves on an L2-level protocol, I believe.)
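A complete version of option A, written as an added example for this thread (it is not the reply author's own config). Assumptions, which you should change to match your network: the router's LAN address is 192.168.88.1 and is the DNS server your DHCP hands out, the LAN bridge is called "bridge", the WAN port is ether1, and whitelisted clients should be sent to 8.8.8.8. It also goes one step beyond the reply above: a second rule forces every non-whitelisted client through the router's DNS, so a PC with a manually configured external resolver can no longer bypass the blacklist.

```routeros
# Added example, not from the original post. Assumed values are marked.
# Assumed: router LAN IP 192.168.88.1, LAN interface "bridge", WAN ether1.

/ip firewall address-list
add list=dns_whitelist address=192.168.88.5 comment="assumed host allowed to bypass blacklist"
add list=dns_whitelist address=192.168.88.6 comment="assumed host allowed to bypass blacklist"

# Rule 1: whitelisted clients that ask the router (192.168.88.1:53) for DNS are
# rewritten to 8.8.8.8:53 instead. dstnat runs before routing, so the packet
# leaves via the WAN. UDP and TCP both, since large answers retry over TCP.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=udp dst-address=192.168.88.1 dst-port=53 \
    src-address-list=dns_whitelist to-addresses=8.8.8.8 to-ports=53 \
    comment="dns_whitelist: send DNS to external resolver (udp)"
add chain=dstnat action=dst-nat protocol=tcp dst-address=192.168.88.1 dst-port=53 \
    src-address-list=dns_whitelist to-addresses=8.8.8.8 to-ports=53 \
    comment="dns_whitelist: send DNS to external resolver (tcp)"

# Rule 2 (beyond the reply above): everyone else on the LAN who sends DNS
# anywhere, including a hand-configured 8.8.8.8, is redirected to the router's
# own resolver, where the DNSBlacklist static entries apply. Must come AFTER
# rule 1 so whitelisted hosts are not caught. Needs the router's DNS to accept
# LAN queries: /ip dns set allow-remote-requests=yes
add chain=dstnat action=redirect protocol=udp dst-port=53 in-interface=bridge \
    src-address-list=!dns_whitelist to-ports=53 \
    comment="force non-whitelisted clients to router DNS (udp)"
add chain=dstnat action=redirect protocol=tcp dst-port=53 in-interface=bridge \
    src-address-list=!dns_whitelist to-ports=53 \
    comment="force non-whitelisted clients to router DNS (tcp)"

# The rewritten packets need the usual WAN masquerade (present in the default
# MikroTik config; shown here so the example is complete on a blank router).
add chain=srcnat action=masquerade out-interface=ether1 comment="WAN masquerade"
```

Two caveats worth checking after applying this: `/ip firewall nat print stats` should show rule 1 counters climbing only when a whitelisted host resolves a name, and `to-addresses` takes a single resolver, so if 8.8.8.8 is unreachable you edit the rule rather than relying on a secondary (the address-list rules only tell the router which LAN hosts to treat differently; they do nothing about the resolver itself). Redirecting port 53 does not cover DNS over HTTPS or DNS over TLS on port 853, which a determined client can still use to bypass the blacklist.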
Look at my original description of the DHCP network entries. Rather than have one network entry for a /24 have 2 each covering a /25. Then allocate the IPs into the bottom and top halves of the original /24.
In option A, you can't really select a secondary. You could possibly have an external script monitor DNS for primary and secondary and change the rule as needed via the API, but it would be rare for 8.8.8.8 to be down.
If it is, just a quick rule change to any other public DNS and you are set, so there is only a small chance of problems.
OK, if I understand correctly, /25 would give 2 x 128-IP ranges. Now how do I allocate users to each range? By static lease, and just put the IP in the upper or lower range? And how can I choose the default range?
You can have the DHCP server only allocate dynamic numbers in (say) the lower range but add static allocations for certain hosts and place those in (say) the upper range.
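Option B, the two-network-entry layout described earlier in this thread together with the dynamic-lower / static-upper split in the reply just above, as one added example (not the reply author's config). It assumes the 192.168.1.0/24 subnet used in the earlier reply, the router at 192.168.1.1 on an interface called "bridge", and two made-up MAC addresses for the hosts that should bypass the blacklist.

```routeros
# Added example, not from the original thread. Assumed: subnet 192.168.1.0/24,
# router 192.168.1.1 on interface "bridge", MAC addresses below are invented.

# Dynamic clients only ever get lower-half addresses. Nothing in the upper half
# is handed out automatically; it is reserved for static leases.
/ip pool
add name=dhcp_lower ranges=192.168.1.10-192.168.1.126

/ip dhcp-server
add name=lan interface=bridge address-pool=dhcp_lower lease-time=1h disabled=no

# Two network entries instead of one /24. netmask=24 is the important detail:
# without it, a client in the 192.168.1.128/25 entry would be told its mask is
# /25 and could no longer reach the lower half directly. Gateway is the same
# for both; only dns-server differs.
/ip dhcp-server network
add address=192.168.1.0/25 gateway=192.168.1.1 netmask=24 dns-server=192.168.1.1 \
    comment="default clients: router DNS, DNSBlacklist applies"
add address=192.168.1.128/25 gateway=192.168.1.1 netmask=24 dns-server=8.8.8.8,8.8.4.4 \
    comment="whitelisted clients: external DNS, blacklist bypassed"

# Static leases pin chosen MACs into the upper half. RouterOS matches the lease
# by MAC first, then picks the network entry that contains the leased address,
# so these hosts receive the external DNS servers and everyone else the router.
/ip dhcp-server lease
add address=192.168.1.130 mac-address=AA:BB:CC:00:00:01 server=lan comment="assumed: laptop"
add address=192.168.1.131 mac-address=AA:BB:CC:00:00:02 server=lan comment="assumed: desktop"
```

To verify, renew a lease on one of the pinned hosts and check `/ip dhcp-server lease print` shows the upper-half address, then confirm the host's resolver is 8.8.8.8 (`ipconfig /all` on Windows, `resolvectl status` on systemd Linux). Note that option B only changes what DHCP offers: a client that sets its own IP in the upper half, or its own DNS server, is not stopped by it. If the blacklist must hold against uncooperative users, pair it with a dstnat redirect of port 53 for sources outside 192.168.1.128/25, the same enforcement idea as option A.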