Different DNS Servers for Different Ports

I would like to configure routerOS to require WLAN1 users to use only a specific pair of DNS servers, and require all other users to use only a different pair of DNS servers. I configure the WLAN users to get their DNS server assignment via the DHCP configuration and everyone else via the IP/DNS configuration. The problem seems to be that when WLAN users cannot get DNS info because their server is blocking it, they are given access to the DNS servers configured in IP/DNS.
Can someone suggest a solution or a document describing the decision tree for DNS? Thanks.

Do all need access to the same subnet, or is this a guest WLAN configuration? Can you use 2 DHCP servers on 2 separate subnets? Why such a demand…


I prefer not to use DHCP on the wired subnet, just on the guest WLAN.

There are several subnets connected to the router. One subnet uses DHCP. That subnet must use only a web filtering DNS server. The other subnets use non web filtering DNS servers.

When the router is configured to use the web filtering DNS server in the DHCP configuration AND the IP/DNS configuration, then the specified subnet is actually web filtered.

But when the router is configured to use the web filtering DNS server only in the DHCP configuration, while the IP/DNS configuration uses a non web filtered DNS server, then the specified subnet is not web filtered.

This suggests that when a client on the specified subnet cannot access a site because the web filtered DNS server will not provide DNS info for it, the client is automatically shunted to the DNS server configured in IP/DNS and then is able to access the site which should be inaccessible. Is this a bug or a feature?

How do I stop only the DHCP subnet from using the DNS servers specified in IP/DNS?

DNS decision tree:
ask the DNS server configured on the host
if request fails, then use secondary server configured on the host.
If request fails, then fail to resolve IP.
if request succeeds, use the IP that was received in the reply.

In other words, there’s no “use the server in IP>DNS if the one I got from DHCP fails”.
The client doesn’t know or care what servers the router happens to be using for its own DNS queries.

Now - if you assign the ROUTER as a DNS resolver, then of course the answer is going to come from whatever server the router is using.

You can specify DNS servers in the DHCP scope - and clients will use that information to configure their DNS resolvers.

If you want to force things, then you can use the dstnat table:
/ip firewall nat
add chain=dstnat in-interface=wlan1 protocol=udp dst-port=53 action=dst-nat to-addresses=x.x.x.x

This will map all dns requests arriving from wlan1 to go to host x.x.x.x instead of whatever IP they were trying to use.

I would say that on your static-configured LANs, use the Mikrotik as the DNS server, and set the IP>DNS to point to the non-filtered servers, and assign the filtering DNS servers in your DHCP scope for the wlan, and also use the above NAT rule to force the issue even more in case a user decides to manually input 8.8.8.8 as their DNS server (a very well-known DNS server).
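A fuller version of the dst-nat enforcement described in the post above, as an added example that is not part of ZeroByte's reply. It assumes the filtered resolver is 203.0.113.53, the router's own address on wlan1 is 192.168.80.1 and the WLAN clients live in 192.168.80.0/24 (all placeholders); it rewrites both UDP and TCP port 53, leaves queries to the router itself alone so hotspot and static names keep resolving, and logs queries that were aimed at any other resolver so bypass attempts show up in the log.

```routeros
# Added example, not from the thread. Placeholders:
#   203.0.113.53   -> assumed filtered resolver (TEST-NET-3 range)
#   192.168.80.1   -> assumed router address on wlan1
#   wlan1          -> the interface the guest WLAN clients arrive on

# Resolvers that wlan1 clients are allowed to reach directly: the router
# itself (hotspot login page, /ip dns static names) and the filtered service.
/ip firewall address-list
add list=allowed-dns address=192.168.80.1 comment="router (hotspot / static names)"
add list=allowed-dns address=203.0.113.53 comment="filtered resolver"

# Detection first: log any port-53 query from wlan1 aimed at a resolver that is
# not on the allowed list (e.g. a client that manually set 8.8.8.8). action=log
# does not stop the packet; the NAT rules below still rewrite it.
/ip firewall mangle
add chain=prerouting in-interface=wlan1 protocol=udp dst-port=53 \
    dst-address-list=!allowed-dns action=log log-prefix="dns-bypass-udp"
add chain=prerouting in-interface=wlan1 protocol=tcp dst-port=53 \
    dst-address-list=!allowed-dns action=log log-prefix="dns-bypass-tcp"

# Enforcement: rewrite the destination of every other DNS query to the filtered
# resolver. Conntrack reverses the translation on the reply, so the client still
# sees the answer arrive from the server it asked. TCP is covered as well,
# because resolvers retry over TCP when a UDP answer is truncated.
/ip firewall nat
add chain=dstnat in-interface=wlan1 protocol=udp dst-port=53 \
    dst-address-list=!allowed-dns action=dst-nat \
    to-addresses=203.0.113.53 to-ports=53 \
    comment="wlan1: force DNS to filtered resolver (udp)"
add chain=dstnat in-interface=wlan1 protocol=tcp dst-port=53 \
    dst-address-list=!allowed-dns action=dst-nat \
    to-addresses=203.0.113.53 to-ports=53 \
    comment="wlan1: force DNS to filtered resolver (tcp)"
```

To check that the rules are actually seeing traffic, watch the counters with `/ip firewall nat print stats` while a wlan1 client queries a resolver that is not on the list; the client should receive the filtered service's answer even though it asked somewhere else. Note the limitation the rest of the thread runs into: on an interface that carries a Hotspot, the hotspot's own dynamic DNS redirect sits ahead of user rules in dstnat, so this enforcement applies to plain WLAN clients, not to hotspot-authenticated ones.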

Thanks ZeroByte. Your comments are helpful. But it appears your sentence about clients using the DNS server specified in the scope is not true here and I am trying to determine why.

As I have looked at this since my last post I find I have misunderstood much.

The issue, as I would describe it now, is that all hotspot users, using the hotspot configured through the Hotspot Setup in IP/Hotspot, use the DNS server configured at IP/DNS. This is regardless of how the DHCP scope is configured. Even if the DNS servers are manually configured at the client. I wonder if this behavior is resulting from the Hotspot Setup configuration somehow but I have not looked at that yet.

I have not yet tried your NAT recommendation but I’ll give it a try.

What does work is to configure the filtered DNS server at IP/DNS, then manually configure the DNS for the non-filtering clients, or to use DHCP for the non-filtering clients and configure the scope to use a non-filtering DNS server. Then the hotspot users are forced to the filtering DNS server.

I see that your comments should be correct but it’s not what I am seeing here and I’m still working on why.

Thanks ZeroByte.

I think Hotspot redirects all DNS packets to the Mikrotik, which then will of course use its configured IP/DNS server.
This is the NAT destination method I mentioned before.

Look in the hs-auth chain of the nat table of the firewall - you will probably find a rule with action=redirect (or dst-nat) and protocol udp, port 53.

ZeroByte, you have me on the right track.

But now I find I am unable to disable the redirect in NAT. I have put a dummy redirect in front of it which points to a random port which certainly stops wifi users from using the router’s DNS, but also stops the wifi from getting any DNS service at all.

Would you suggest that I create a new service configured with the DNS servers the wifi users should get, or remove the hotspot configured via the “Hotspot Setup” wizard and create my own from scratch, or some other course?

I cannot find documentation for either course of action. Can you recommend a location on the wiki? The wiki describes how to setup a hotspot using the wizard, but not manually. Similar confusion regarding hotspot services.

Thanks ZeroByte.

Why not make that “dummy redirect” point to the filtered DNS servers you want the Hotspot to use?

Why not make that “dummy redirect” point to the filtered DNS servers you want the Hotspot to use?


It appears to be ineffective. If I delete the redirect and put in its place a new nat rule, the changes are rolled back when the router reboots. It looks like any changes I make to the NAT rules applied by the Hotspot Setup wizard are removed when the router is rebooted. This is a very persistent area.

Other ideas?

Now that I think about it, the hotspot wants to be able to intercept DNS so that the hotspot name (for instance) can be resolved by clients.

Is there anything in the filtered DNS service that would prevent the Mikrotik from doing its job as a router?
Probably not - so why not use the filtered DNS service as the Mikrotik’s DNS configuration, and then assign normal DNS servers in the DHCP scope for the LAN segment?
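The arrangement suggested just above, written out as an added example that is not part of ZeroByte's reply or of any MikroTik documentation. It assumes the filtered resolvers are 203.0.113.53/54, the unfiltered ones 198.51.100.53/54, the hotspot network 192.168.88.0/24 on bridge1 and the wired LAN 192.168.80.0/24 (all placeholders). The router's own resolver becomes the filtered service, so everything the hotspot intercepts and answers through the router is filtered, while the wired scope hands out the unfiltered servers directly; an input rule keeps the router's resolver from being reachable from the WAN side once remote requests are allowed.

```routeros
# Added example, not from the thread. Placeholders:
#   203.0.113.53, 203.0.113.54   -> assumed filtered (web-filtering) resolvers
#   198.51.100.53, 198.51.100.54 -> assumed unfiltered resolvers
#   192.168.80.0/24              -> assumed wired LAN, served by a DHCP network entry
#   wan1, wan2                   -> assumed WAN-facing interfaces

# 1. The router's own resolver points at the filtered service. The Hotspot
#    redirects client port-53 traffic to the router, so hotspot users get
#    filtered answers no matter what resolver they configured themselves.
/ip dns
set servers=203.0.113.53,203.0.113.54 allow-remote-requests=yes

# 2. Clients on the wired scope are told to use the unfiltered resolvers
#    directly; the hotspot network gets no dns-server entry because the
#    hotspot's own redirect makes the router answer for it anyway.
/ip dhcp-server network
set [ find address=192.168.80.0/24 ] dns-server=198.51.100.53,198.51.100.54

# 3. allow-remote-requests=yes turns the router into a resolver for anyone who
#    can reach it, so refuse DNS on the WAN interfaces to avoid running an
#    open resolver. Place these ahead of any generic accept in the input chain.
/ip firewall filter
add chain=input in-interface=wan1 protocol=udp dst-port=53 action=drop \
    comment="no DNS from WAN"
add chain=input in-interface=wan1 protocol=tcp dst-port=53 action=drop \
    comment="no DNS from WAN"
add chain=input in-interface=wan2 protocol=udp dst-port=53 action=drop \
    comment="no DNS from WAN"
add chain=input in-interface=wan2 protocol=tcp dst-port=53 action=drop \
    comment="no DNS from WAN"
```

Wired hosts that are configured statically rather than by DHCP need the unfiltered servers entered on the host itself, which is what the thread ends up doing. To confirm the split, resolve a site the filtering service blocks from a hotspot client and from a wired client: the first should fail or return the filter's block page, the second should resolve normally.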

I had thought this behavior was to limit wifi users from using an unauthorized DNS server, but your thought sounds about right.

And the solution I have been using is to give the wired users the unfiltered server and configure the filtered server in IP/DNS. That is working, but I thought there would be a way to configure the hotspot directly with a DNS server of choice.

Thanks so much for the help ZeroByte.

Hi friend.

Maybe I have the same problem.

I have two routers, an RB2011 to merge 2 DSL links, and an RB1100 for sharing internet, and I have a problem: laptops connect to the network but there is no service (no internet), and the browser shows this error ("DNS_PROBE_NO_INTERNET"), and there is no problem with mobile, but I sometimes feel slow browsing on mobile. I don’t know if that is caused by a wrong DNS setting between the two routers or by a wrong connection?

Can you help me please?

and this is the configuration for RB2011

/interface bridge
add name=bridge
/interface ethernet

set [ find default-name=ether6 ] speed=1Gbps


set [ find default-name=ether1 ] comment=ether1 name=wan1
set [ find default-name=ether4 ] comment=ether4 name=wan2

/ip neighbor discovery

set ether6 discover=no


set wan1 comment=ether1 discover=no
set wan2 comment=ether4 discover=no

set bridge discover=no

/ip pool
add name=dhcp_pool1 ranges=192.168.80.25-192.168.80.254

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge lease-time=50m name=\
    dhcp1


/interface bridge port
add bridge=bridge interface=ether6

/interface bridge settings
set use-ip-firewall-for-vlan=yes

/ip address
add address=192.168.1.2/24 interface=wan1 network=192.168.1.0
add address=192.168.0.2/24 interface=wan2 network=192.168.0.0
add address=192.168.80.1/24 interface=bridge network=192.168.80.0

/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid interface=wan2

/ip dhcp-server network
add address=192.168.80.0/24 gateway=192.168.80.1

/ip dns
set max-udp-packet-size=512 servers=8.8.8.8,8.8.4.4

/ip firewall mangle
add action=mark-connection chain=input in-interface=wan1 new-connection-mark=\
    wan1_conn
add action=mark-connection chain=input in-interface=wan2 new-connection-mark=\
    wan2_conn
add action=mark-routing chain=output connection-mark=wan1_conn hotspot=auth \
    new-routing-mark=wan1
add action=mark-routing chain=output connection-mark=wan2_conn hotspot=auth \
    new-routing-mark=wan2
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge new-connection-mark=wan1_conn \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge new-connection-mark=wan2_conn \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
    in-interface=bridge new-routing-mark=wan2
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
    in-interface=bridge new-routing-mark=wan1
add chain=prerouting dst-address=192.168.1.0/24 in-interface=bridge
add chain=prerouting dst-address=192.168.0.0/24 in-interface=bridge

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=wan1
add action=masquerade chain=srcnat out-interface=wan2



/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=wan1
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=wan2
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.0.1


/system ntp client
set enabled=yes primary-ntp=41.204.120.137 secondary-ntp=8.8.8.8

and this is the configuration for RB1100

# may/23/2016 19:47:11 by RouterOS 6.35.2
# software id = 0Q7Z-F6FF
#
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] arp=reply-only
set [ find default-name=ether6 ] arp=reply-only
set [ find default-name=ether7 ] arp=reply-only

/ip neighbor discovery
set ether1 discover=no

set ether6 discover=no
set ether7 discover=no

/interface vlan
add interface=ether6 name=vlan100 vlan-id=100
add interface=ether6 name=vlan101 vlan-id=101
add interface=ether6 name=vlan102 vlan-id=102
add interface=ether6 name=vlan104 vlan-id=104
add interface=ether7 name=vlan106 vlan-id=106
add interface=ether7 name=vlan107 vlan-id=107
add interface=ether7 name=vlan108 vlan-id=108
add interface=ether7 name=vlan110 vlan-id=110
add interface=ether7 name=vlan111 vlan-id=111


/ip neighbor discovery
set vlan100 discover=no
set vlan101 discover=no
set vlan102 discover=no
set vlan104 discover=no
set vlan106 discover=no
set vlan107 discover=no
set vlan108 discover=no
set vlan110 discover=no
set vlan111 discover=no
set vlan112 discover=no

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip hotspot profile
add dns-name=www.sert.com hotspot-address=192.168.88.1 html-directory=\
    hotspot name=hsprof1 use-radius=yes
   
/ip hotspot
add disabled=no idle-timeout=5h interface=bridge1 login-timeout=10m name=\
    hotspot1 profile=hsprof1
   

/ip pool
add name=pool1 ranges=192.168.88.25-192.168.88.254

/ip dhcp-server
add add-arp=yes address-pool=pool1 disabled=no interface=bridge1 lease-time=\
    30m name=dhcp1
   

/interface bridge filter
add action=drop chain=forward mac-protocol=ip

/interface bridge port
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=vlan100
add bridge=bridge1 interface=vlan101
add bridge=bridge1 interface=vlan104
add bridge=bridge1 interface=vlan102
add bridge=bridge1 interface=vlan106
add bridge=bridge1 interface=vlan107
add bridge=bridge1 interface=vlan108
add bridge=bridge1 interface=vlan110
add bridge=bridge1 interface=vlan111



/interface bridge settings
set use-ip-firewall-for-vlan=yes

/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=192.168.80.253/24 interface=ether1 network=192.168.80.0

/ip arp
add address=192.168.80.1 interface=ether1 mac-address=xxxxxxxxxx
add address=192.168.88.12 interface=bridge1 mac-address=xxxxxxxxxxxx
add address=192.168.88.13 interface=bridge1 mac-address=xxxxxxxxxxxxxxxx
add address=192.168.88.17 interface=bridge1 mac-address=xxxxxxxxxxxxxxxx
add address=192.168.88.15 interface=bridge1 mac-address=xxxxxxxxxxxxxxxx
add address=192.168.88.11 interface=bridge1 mac-address=xxxxxxxxxxxxx
add address=192.168.88.22 interface=bridge1 mac-address=xxxxxxxxxxxxxxx
add address=192.168.88.23 interface=bridge1 mac-address=xxxxxxxxxxxxxx


/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid interface=ether1

/ip dhcp-server network
add address=192.168.88.0/24 comment="hotspot network" gateway=192.168.88.1

/ip dns
set cache-max-ttl=1h cache-size=8192KiB max-udp-packet-size=8192 servers=\
    208.67.222.222,208.67.220.220
   

/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
/ip firewall mangle
add action=mark-packet chain=prerouting disabled=yes in-interface=ether1 \
    new-packet-mark=client_upload
add action=mark-packet chain=prerouting disabled=yes in-interface=bridge1 \
    new-packet-mark=client_download
add action=mark-connection chain=forward disabled=yes new-connection-mark=\
    users-con src-address=192.168.88.0/24
add action=mark-packet chain=forward connection-mark=users-con disabled=yes \
    new-packet-mark=users
   
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.88.0/24
   
/ip hotspot ip-binding
    "-------------IP&MAC ACCESS POINT------------"   
add address=192.168.88.16 disabled=yes mac-address=xxxxxxxxxx type=\
    bypassed
add address=192.168.88.19 disabled=yes mac-address=xxxxxxxxxxxxx type=\
    bypassed
add address=192.168.88.18 disabled=yes mac-address=xxxxxxxxxx type=\
    bypassed
add address=192.168.88.20 disabled=yes mac-address=xxxxxxxxxxxxx type=\
    bypassed
add address=192.168.88.21 disabled=yes mac-address=xxxxxxxxxxxxxxxx type=\
    bypassed

add address=192.168.88.1 comment=\
    "---------------SERVER ---------------------" mac-address=\
    xxxxxxxxxxxxxxxxx server=hotspot1 to-address=192.168.88.1 type=blocked
   
/ip hotspot service-port
set ftp disabled=yes


/ip route
add distance=1 gateway=192.168.80.1

/ip service
set ftp disabled=yes

/radius
add address=127.0.0.1 secret=123321 service=hotspot

/radius incoming
set accept=yes