DNS glitch

Hi guys.
I set up a hairpin rule to make a web server accessible from the LAN, and somehow, if any of the clients connecting to the router from inside the network try to use
10.0.0.1 as the DNS server, they do not have access to the internet.
Under IP>DNS I see 10.0.0.1 is enabled. And 8.8.8.8 is being used on some clients I had to set up manually to make them work.

I guess I need to add 8.8.8.8, but the question is where? I see so many places it can be set up. Should I do it in the DHCP IP pool?
Sorry for the noob question, I just do not want to break anything, as it took me a long time to figure out how to make the hairpin work for the Nextcloud server.

Here is my config:
Thanks a lot.

# aug/23/2022 15:29:50 by RouterOS 6.49.6
# software id = W0PA-KWSM
#
# model = CRS109-8G-1S-2HnD
# serial number = D5XXXXXXXA
/interface bridge
add arp=proxy-arp name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge \
    ssid=CCStudio wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,3des
add enc-algorithm=aes-256 name=profile1
/ip ipsec peer
# This entry is unreachable
add name=peer1 passive=yes profile=profile1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms="ae\
    s-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-\
    128-ctr,aes-128-gcm" lifetime=0s pfs-group=none
/ip pool
add name=dhcp ranges=10.0.0.2-10.0.0.244
add name=l2tppool1 ranges=10.0.0.245-10.0.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=10.0.0.1 name=\
    vpn-prof remote-address=l2tppool1 use-upnp=no
set *FFFFFFFE change-tcp-mss=default dns-server=8.8.8.8 local-address=\
    10.0.0.1 remote-address=l2tppool1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 fast-leave=yes interface=*D
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 default-profile=vpn-prof enabled=yes \
    one-session-per-host=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 require-client-certificate=yes
/interface sstp-server server
set authentication=mschap2 certificate=SERVER enabled=yes force-aes=yes pfs=\
    yes port=4430
/ip address
add address=10.0.0.1/8 interface=bridge1 network=10.0.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10h10m
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=10.0.0.15 client-id=1:fc:aa:17:28:e2:4b mac-address=\
    fc:aa:17:28:e2:4b server=dhcp1
add address=10.0.0.13 mac-address=40:F5:26:40:53:09 server=dhcp1
/ip dhcp-server network
add address=10.0.0.0/8 gateway=10.0.0.1 netmask=8
/ip dns
set servers=10.0.0.1
/ip firewall address-list
add address=10.0.0.0/8 list=LAN
add address=d54e0xxxxxxx.sn.mynetname.net list=WAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="Nextcloud 80" disabled=yes \
    dst-address=10.0.0.15 dst-port=80 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="Nextcloud 443" disabled=yes \
    dst-address=10.0.0.15 dst-port=443 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=\
    tcp
add action=accept chain=input comment="SSTP server joe 4430" dst-port=4430 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=1701,500,4500 in-interface-list=WAN \
    protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="RDP red devil" dst-address=10.0.0.15 \
    dst-port=5700 protocol=tcp src-port=5700
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward disabled=yes in-interface-list=WAN \
    src-address-list=CountryIPBlocks
add action=accept chain=input disabled=yes dst-port=443 in-interface-list=WAN \
    protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=WAN \
    new-connection-mark=Hairpin_NAT src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    Hairpin_NAT
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=80 protocol=tcp \
    to-addresses=10.0.0.15 to-ports=80
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=443 protocol=\
    tcp to-addresses=10.0.0.15 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=3478 protocol=\
    tcp to-addresses=10.0.0.15 to-ports=3478
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=8443 protocol=\
    tcp to-addresses=10.0.0.15 to-ports=8443
add action=dst-nat chain=dstnat comment="RDP Red devil" dst-port=5700 \
    protocol=tcp src-address-list=WAN to-addresses=10.0.0.15 to-ports=5700
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=3478 protocol=\
    udp to-addresses=10.0.0.15 to-ports=3478
add action=dst-nat chain=dstnat comment=WEB disabled=yes dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.0.10 to-ports=80
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ppp secret
add local-address=10.0.0.1 name=joejoevpn profile=vpn-prof remote-address=\
    10.0.0.252 service=l2tp
add name=joetest profile=vpn-prof service=l2tp
add local-address=10.0.0.1 name=joetunel remote-address=10.0.0.2 routes=\
    "192.168.88.0/24 10.0.0.2 1" service=sstp
add local-address=10.0.0.1 name=nctuneljoe remote-address=10.0.0.3 routes=\
    "192.168.90.0/24 10.0.0.3 1" service=sstp
/system clock
set time-zone-name=America/New_York
/system identity
set name=CCStudio
/system ntp client
set enabled=yes primary-ntp=129.6.15.28 secondary-ntp=129.6.15.29

10.0.0.1 is your router’s address. If a client wants to use it as a DNS resolver (that’s fine), then the router itself uses the DNS resolvers defined in “/ip dns”. And that definitely can’t be its own address, so you can remove it. You should have either dynamic ones added by the DHCP client, or if not, then you’d need to add some manually (e.g. public ones like 8.8.8.8, 1.1.1.1, …).

So you can choose. Either you can have the router as a DNS cache (external servers in “/ip dns”, router as DNS server in “/ip dhcp-server network”) or clients talking to external servers directly (external servers in “/ip dhcp-server network”). There’s not much difference; the former will save you a few milliseconds for cached queries, but you probably won’t notice. It also lets you override some records (in “/ip dns static”), but you shouldn’t need that anyway (not for hairpin NAT; the point of that is to avoid the need to do anything special with DNS).

Thank you so much, Sob!!

So I added the DNS manually under IP>DHCP Server>Networks like this:

But now I realize the issue is the actual DHCP server, or maybe something in the firewall?
I am testing with a VM client, rebooting from scratch every time to avoid any caching.
If the client is automatic, it gets the IP and DNS from the router, but it is not able to ping it (10.0.0.1), nor any other domain, as shown here:

But if I set up the client manually, with an IP and the DNS, it works.

I have most of this network set manually with static IPs and the clients are working,
but I need the DHCP server to work for some visitor Wi-Fi clients and a smart TV set to get an IP automatically.
What am I missing?
Thank you for the help.

Your address pool for DHCP (10.0.0.2-10.0.0.244) overlaps with addresses used for VPN clients (10.0.0.2, 10.0.0.3), so if 10.0.0.2 is active there, it won’t work in the LAN. Other than that, I don’t see anything wrong.

Man, I scratched my head for the last 2 days and did all kinds of experiments trying to find the issue. It was right in front of my nose.
THANK YOU A MILLION TIMES!!!

I changed the DHCP pool to 10.0.0.100-10.0.0.244 and now I’ve got the DHCP clients connected.
I can’t rant about RouterOS not realizing the IP was already in use by the VPN client; I guess it is the equivalent of having a static IP set up on the client side,
but the DHCP server should check first if the IP is already in use and not assign it to the first DHCP client… a clunkiness example, but now I see the obviousness of my fault in setting up the configuration.

Good luck

RouterOS uses a low-level approach, which means, in short, that you need to be careful. It checks some things (e.g. I think that used addresses from a pool should be checked even when the pool is used in different places), but it would be difficult to check everything (like in your case, when you had 10.0.0.2 as a static config for a VPN user, i.e. without using a pool). The system is too configurable. As a result, there are too many possibilities for how you can create conflicts. Checking for all that would either have to be very clever, or it would require limiting what can be done to make it simpler, but that would be bad.

I guess that @axotik meant that the DHCP server should check whether the IP address about to be offered in a lease is indeed unused at that moment.

Actually the DHCP server does that, but it assumes the address is supposed to be used in the served L2 domain, so it only checks there. If the VPN uses overlapping address space, the DHCP server doesn’t check it over VPN interfaces … also, the checks likely wouldn’t apply there, as they use ARP who-has queries while VPN interfaces are often L3 interfaces not supporting ARP procedures.
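As an added example (not from this thread or from MikroTik), a small Python check over a RouterOS export for the two mistakes the replies above identify: "/ip dns" pointing at the router's own address, and a static ppp secret remote-address sitting inside a pool the DHCP server hands out, which the DHCP server's ARP-based conflict check cannot see over a VPN interface. SAMPLE_EXPORT is a constructed subset of the poster's config, and pool ranges are assumed to be a single lo-hi range as in that export.

```python
import ipaddress
import shlex

# Constructed excerpt modelled on the thread's export; not the poster's full config.
SAMPLE_EXPORT = r"""
/ip pool
add name=dhcp ranges=10.0.0.2-10.0.0.244
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ip address
add address=10.0.0.1/8 interface=bridge1 network=10.0.0.0
/ip dns
set servers=10.0.0.1
/ppp secret
add local-address=10.0.0.1 name=joetunel remote-address=10.0.0.2 routes=\
    "192.168.88.0/24 10.0.0.2 1" service=sstp
"""

def parse_export(text):
    # Returns (section, verb, {key: value}) per command; the export wraps long
    # commands with a trailing backslash, so those pieces are joined first.
    items, section, buf = [], None, ""
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line
        else:
            verb, *tokens = shlex.split(line)  # shlex strips the quotes around values
            items.append((section, verb, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return items

def check_config(items):
    # Finding 1: /ip dns pointing at one of the router's own addresses.
    own = {ipaddress.ip_interface(kv["address"]).ip for s, _, kv in items if s == "/ip address"}
    dns = [x for s, _, kv in items if s == "/ip dns" for x in kv.get("servers", "").split(",") if x]
    findings = [f"/ip dns server {x} is the router itself" for x in dns if ipaddress.ip_address(x) in own]
    # Finding 2: a static ppp secret remote-address inside a pool a DHCP server hands out.
    dhcp_pools = {kv["address-pool"] for s, _, kv in items if s == "/ip dhcp-server" and "address-pool" in kv}
    ranges = {kv["name"]: tuple(map(ipaddress.ip_address, kv["ranges"].split("-")))
              for s, _, kv in items if s == "/ip pool" and kv["name"] in dhcp_pools}
    for s, _, kv in items:
        if s == "/ppp secret" and "remote-address" in kv:
            addr = ipaddress.ip_address(kv["remote-address"])
            findings += [f"ppp secret {kv['name']} uses {addr}, inside DHCP pool {n}"
                         for n, (lo, hi) in ranges.items() if lo <= addr <= hi]
    return findings
```

Running check_config(parse_export(SAMPLE_EXPORT)) reports both findings; on the poster's fixed pool (10.0.0.100-10.0.0.244) the second one disappears.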