Block Pihole webgui

aW50ZXJuZXQ · May 8, 2022, 10:37am

Hello!

I have an IoT-VLAN that I want to isolate from all my another VLANs but not internet. It works well except for Pihhole gui (10.10.30.2) which is also the dns. How should I write the rule to block even the http. Tried tcp port 80 both forward and input.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Isolate IoT-vlan" dst-address-list=lan-without-iot-vlan src-address-list=\
    iot-vlan
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="Isolate IoT-vlan" dst-address-list=lan-without-iot-vlan src-address-list=\
    iot-vlan
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    disabled=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

erlinden · May 8, 2022, 11:12am

Input is for access to the router, forward is for access all other devices.

I prefer to block everything (as last rule in both input and forward chains) and from there add accept rules for everything you want to allow access to. This way you are complete aware of what your are allowing on your network. But be aware that by this approach you could loose access to the router.

I assume that IoT only should have access to port 53 (TCP& UDP) on the PiHole?

aW50ZXJuZXQ · May 8, 2022, 3:07pm

Thanks!

It does not seem to work with just dns. mikrotik gui 10.10.30.1 gets blocked but not 10.10.30.2

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Accept mikrotik-gui from admin-vlan" dst-address=10.10.60.1 src-address=\
    10.10.60.0/24
add action=accept chain=input dst-address=10.10.30.2 dst-port=53 protocol=udp src-address=10.10.30.0/24
add action=accept chain=input dst-address=10.10.30.2 dst-port=53 protocol=tcp src-address=10.10.30.0/24
add action=drop chain=input
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    disabled=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN