Different DNS servers for different MAC addresses

I have one LAN that shares a number of peripherals and internet connection. I want to route my known devices to do DNS lookups from one specific DNS server on the LAN. I want visitors to be given the default DNS via the GW, which is a Mikrotik device. I can do this with fixed IPs, but I want to have the Mikrotik doing the DHCP Server for the LAN.

Any suggestions on how to achieve this?

Since your devices are already known, you could create static leases for those.
Let the DHCP server add each lease to an address list and use this list for your rules.

-Chris

# Static leases: each known device (matched by MAC address) always receives the same IP.
/ip dhcp-server lease
add address=10.0.0.1 mac-address=XX:XX:XX:XX:XX:XX
...

# The same addresses are entered in a firewall address list; the NAT rules below match on it.
/ip firewall address-list
add address=10.0.0.1 list="my known devices"
...

# Rewrite the destination of DNS queries (port 53, UDP and TCP) from listed sources to 1.1.1.1.
# This is a transparent redirect: the client is still handed whatever DNS server address DHCP
# advertises, and only the delivery of its port-53 queries changes.
# NOTE(review): only plain DNS on port 53 is matched; a client that resolves over
# DNS-over-HTTPS or DNS-over-TLS is not affected by these two rules.
# NOTE(review): matching is by source IP, so a device that ends up with an address outside the
# list (for example because it presents a different MAC than the one in its lease) is not redirected.
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address-list="my known devices" to-addresses=1.1.1.1
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address-list="my known devices" to-addresses=1.1.1.1

Create static leases and add them to the “my known devices” firewall address list.
Replace 1.1.1.1 with the DNS server you want “my known devices” to use.

Or reserve separate address ranges for known devices and for unknown devices (guests), and define a different DHCP network configuration for each range, where you can specify a different DNS server.

(similar but simpler)

Hi,
I use these settings, but the devices in the list don’t receive the DNS IP I want.

Any suggestions please?

See below config exported.

# Layer-2/Layer-3 base setup from the posted export. Values shown as YYY were presumably
# redacted by the poster.
/interface bridge
add admin-mac=YYY auto-mac=no comment=defconf name=bridge
# PPPoE session runs over ether1 and installs the default route.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=YYY user=YYY
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
# Interface lists referenced by the firewall rules and management settings.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Dynamic pool 192.168.1.100-254. The static leases in this export (192.168.1.71-76) sit
# below this range, so any device without a matching static lease lands in 100-254.
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
# One DHCP server for the whole bridge; known and guest devices share it.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=24m name=dhcp1
# ether2-ether10 and sfp-sfpplus1 are bridged together into a single LAN segment.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# LAN = bridge, WAN = pppoe-out1. ether1 itself is in neither list.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
# NOTE(review): a DHCP client also runs on ether1, the port that carries the PPPoE session.
# Because ether1 is not a member of the WAN list, rules that match on in-interface-list=WAN
# or out-interface-list=WAN do not apply to traffic on ether1 directly - confirm this client
# is still needed.
/ip dhcp-client
add comment=defconf interface=ether1
# Static leases for the devices to be filtered: 192.168.1.71-76, all on server dhcp1.
# NOTE(review): each lease is keyed on a MAC address (some also on client-id). A device that
# presents a different MAC than the one recorded here (phones and tablets can use a
# per-network randomized Wi-Fi MAC) does not match its lease and gets an address from the
# 192.168.1.100-254 pool, which is outside HOME_SHIELD - verify the recorded MACs against
# what each device actually uses on this network.
/ip dhcp-server lease
add address=192.168.1.74 comment="Notebook Lenovo ThinkPad T450 LAN" \
    mac-address=YYY server=dhcp1
add address=192.168.1.75 comment="Notebook Lenovo ThinkPad T450 WIFI" \
    mac-address=YYY server=dhcp1
add address=192.168.1.71 client-id=YYY comment=\
    "Xiaomi Mi 9T Pro" mac-address=YYY server=dhcp1
add address=192.168.1.72 client-id=YYY comment=\
    "Samsung Galaxy Tab S6" mac-address=YYY server=dhcp1
add address=192.168.1.73 client-id=YYY comment=\
    "Lenovo T490 WIFI" mac-address=YYY server=dhcp1
add address=192.168.1.76 client-id=YYY comment=\
    "Samsung Galaxy Watch 3" mac-address=YYY server=dhcp1
# A single DHCP network definition covers every client on 192.168.1.0/24.
# NOTE(review): no dns-server= is set here, so nothing in this export hands the leased
# devices a different DNS server address than the guests; the DNS address a client displays
# will not be the OpenDNS one. The redirect is done by the dst-nat rules in /ip firewall nat,
# which does not change what the client was told by DHCP.
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
# Upstream resolvers used by the router itself.
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
# HOME_SHIELD is the source list matched by the DNS dst-nat rules: 192.168.1.71-89 plus
# 192.168.1.2. The static leases above (71-76) fall inside the range.
# NOTE(review): membership is by IP only. Filtering a few addresses and leaving the rest of
# the subnet unfiltered means any address outside the list bypasses the redirect; inverting
# the policy (redirect everything except an explicit list of exempt devices) would fail
# closed instead - consider whether that fits the goal.
/ip firewall address-list
add address=192.168.1.71-192.168.1.89 list=HOME_SHIELD
add address=192.168.1.2 list=HOME_SHIELD
# Filter rules: the defconf set followed by three custom "blacklist" drops.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Everything addressed to the router that does not arrive via the LAN list is dropped here,
# so input rules placed after this one only ever see LAN-side traffic.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Custom rules: drop traffic whose destination is in the "blacklist" address list.
# NOTE(review): the /ip firewall address-list section of this export defines only
# HOME_SHIELD; no "blacklist" entries are shown, so as exported these three rules match
# nothing unless the list is filled elsewhere - confirm.
# NOTE(review): they sit after the accept-established rules, so they are evaluated for new
# connections only; connections already established when an address is added keep flowing.
add action=drop chain=input comment=\
    "drop Input custom Address List: blacklist" dst-address-list=blacklist
add action=drop chain=forward comment=\
    "drop Forward custom Address List: blacklist" dst-address-list=blacklist
add action=drop chain=output comment=\
    "drop Output custom Address List: blacklist" dst-address-list=blacklist
# NAT rules: three source-NAT (masquerade) rules, then the DNS redirect for HOME_SHIELD.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): this rule has no out-interface, so it masquerades anything sourced from
# 192.168.1.0/24 on whatever interface it leaves by. It is broader than the defconf rule
# above and already covers everything the next rule matches - confirm both extras are needed.
add action=masquerade chain=srcnat comment="masq. LAN traffic" src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat comment="masq. LAN traffic" \
    out-interface-list=WAN src-address=192.168.1.0/24
# Redirect port-53 queries (UDP, then TCP) from HOME_SHIELD sources to 208.67.222.222.
# The redirect is transparent: clients keep the DNS address they were given by DHCP, so the
# way to verify it is the rules' packet counters or the connection table on the router, not
# the DNS setting shown on the client.
# NOTE(review): only plain DNS on port 53 is matched. Resolvers reached over
# DNS-over-HTTPS (443) or DNS-over-TLS (853) are not covered by these rules.
# NOTE(review): these are IPv4 rules and no IPv6 sections appear in this export; if IPv6 is
# in use on the LAN, DNS over IPv6 is untouched - confirm.
add action=dst-nat chain=dstnat comment="HOME_SHIELD / OPENDNS rules" \
    dst-port=53 protocol=udp src-address-list=HOME_SHIELD to-addresses=\
    208.67.222.222
add action=dst-nat chain=dstnat comment="HOME_SHIELD / OPENDNS rules" \
    dst-port=53 protocol=tcp src-address-list=HOME_SHIELD to-addresses=\
    208.67.222.222
# Management services. telnet, ftp, api and api-ssl are disabled; www, ssh, www-ssl and
# winbox accept connections only from 192.168.1.0/24.
# NOTE(review): guests and the filtered devices are in that same /24, so the address
# restriction does not separate them from the management plane. A narrower source (for
# example only the administrator's static-lease addresses) would - confirm what is intended.
# NOTE(review): www is plain HTTP and is not marked disabled here; whether www-ssl is
# actually enabled cannot be told from this line - verify on the router.
/ip service
set telnet disabled=yes port=YYY
set ftp disabled=yes port=YYY
set www address=192.168.1.0/24 port=YYY
set ssh address=192.168.1.0/24 port=YYY
set www-ssl address=192.168.1.0/24 port=YYY
set api address=192.168.1.0/24 disabled=yes port=YYY
set winbox address=192.168.1.0/24 port=YYY
set api-ssl address=192.168.1.0/24 disabled=yes port=YYY
/ip smb
set allow-guests=no domain=HOMENT interfaces=bridge
/ip ssh
set strong-crypto=yes
# UPnP interface roles: bridge is internal, the PPPoE uplink is external.
# NOTE(review): this export does not show whether UPnP itself is enabled. If it is, hosts on
# the bridge can request inbound port mappings on pppoe-out1 - confirm that is wanted.
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/system identity
set name="MikroTik RB4011"
/system routerboard settings
set silent-boot=yes
# Two weekly jobs, 30 minutes apart: a package update, then a RouterBOARD firmware upgrade.
# NOTE(review): both jobs carry the full policy list (ftp, password, sniff, sensitive, romon,
# ...). That looks broader than these commands need; trimming it to the policies the
# on-event text actually uses limits what the job could do if its script were ever altered -
# confirm the minimal set on a test run.
/system scheduler
# Runs "system package update install" every week starting may/16/2020 at 00:30.
add interval=1w name=01_UPGRADE_FIRMWARE_PACKAGE on-event=\
    "system package update install" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/16/2020 start-time=00:30:00
# Reads the installed system package version into Var1 and the current RouterBOARD firmware
# into Var2; when they differ it runs the routerboard upgrade and reboots.
add interval=1w name=02_UPGRADE_FIRMWARE on-event=":global Var1\r\
    \n:global Var2\r\
    \n:set Var1 \"\$[/system package get system version]\"\r\
    \n:set Var2 \"\$[/system routerboard get current-firmware]\"\r\
    \n:if (\$Var1!=\$Var2) do={/system routerboard upgrade;\r\
    \n/system reboot;\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/16/2020 start-time=01:00:00
/tool bandwidth-server
set enabled=no
# MAC-Telnet is closed on every interface.
/tool mac-server
set allowed-interface-list=none
# NOTE(review): MAC-Winbox stays open on the LAN list, i.e. the bridge, so any device on
# the bridge (guests included) can reach the layer-2 Winbox login - confirm that is intended.
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

It is very important to me to filter my son’s traffic through OpenDNS.

Thanks