DNS redirect: action redirect VS dst-nat

Hi everyone,

In order to force my LAN’s users to use a specified DNS server, on my Mikrotik router I use these NAT rules:

add action=dst-nat chain=dstnat comment="Make Mikrotik preferred dns server UDP" dst-port=53 protocol=udp to-addresses=192.168.3.1 to-ports=53
add action=dst-nat chain=dstnat comment="Make Mikrotik preferred dns server TCP" dst-port=53 protocol=tcp to-addresses=192.168.3.1 to-ports=53

However, I saw many using the redirect action as well:

something like:

/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=local protocol=udp to-ports=53

Why? Is there any real difference between the two action rules?
Thank you

redirect - replaces destination port of an IP packet to one specified by to-ports parameter and destination address to one of the router’s local addresses

As long as you are redirecting to a local address you can use redirect, and if it is outside then you need to use dst-nat.

local - if dst-address is assigned to one of router’s interfaces

If I got it right, using either redirect or dst action doesn’t make any difference as long as the action is meant for one’s own LAN?
Correct?
Thanks

I think you are incorrect but I can’t find any documentation on it right now.

Local are the addresses in /ip address. Redirect carries your packets to the local port of the router with that address, and leaves them there. If there is no pick-up service then your packets get lost.

Pickup service is gateway.

Mur, the redirect rule is doing what you state as a requirement in your first post! It forces all LAN requests from PCs (regardless of destination intention of the PC setup or PC user) to the settings you have set up in the router.

Here it is stated the same for the dst NAT rule:

https://wiki.mikrotik.com/wiki/Force_users_to_use_specified_DNS_server

It isn’t clear enough to me yet.
Thanks

I think the key here is any misconception you may have about dstnat. It does not care where the traffic is coming from, so this is applied to ANY traffic attempting to hit port 53 be it incoming traffic from the internet or from the LAN.
The redirect rule ONLY applies to local traffic behind the router that is seeking to hit port 53.

I think that you’re right. I have always said that I am kind of a newbie when it comes to networking and Mikrotik. So, thank you for the explanations and patience... sincerely.
However, I was trying to understand why the two actions have the same effect. I have set up the two NAT rules you see in my first post and they work well, meaning they do what they are expected to do.
Thanks

From wiki:

dst-nat - replaces destination address and/or port of an IP packet to values specified by to-addresses and to-ports parameters

redirect - replaces destination port of an IP packet to one specified by to-ports parameter and destination address to one of the router’s local addresses

It seems to me that the difference between the two is that with dst-nat you can specify the new destination address dst-address (and can be any address, either internet or LAN or (not sure about this) router’s own), while redirect always sends packet to router itself.

The rest of the properties of the NAT rule seem to be the same for both variants.
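
The difference discussed in this thread, written out as an added RouterOS example that is not from any of the posters: the same DNS interception expressed with redirect and with dst-nat, each limited to the LAN side with in-interface. It assumes the LAN interface is named "local" (as in the redirect rule quoted in the first post) and that 192.168.3.1 is the router's LAN address; 203.0.113.53 is a documentation placeholder.

```routeros
# Added example (not from the thread). Assumptions: the LAN interface is
# named "local" and 192.168.3.1 is the router's LAN address.

# Redirected queries are only answered if the router's resolver accepts
# requests from clients. With this enabled, port 53 from the WAN side should
# be dropped in the input chain so the router is not an open resolver.
/ip dns set allow-remote-requests=yes

/ip firewall nat
# Variant A, redirect: the destination becomes one of the router's own
# addresses, so no to-addresses is given. in-interface restricts the match
# to packets arriving from LAN clients.
add chain=dstnat action=redirect in-interface=local protocol=udp dst-port=53 to-ports=53 comment="LAN DNS to router (UDP)"
add chain=dstnat action=redirect in-interface=local protocol=tcp dst-port=53 to-ports=53 comment="LAN DNS to router (TCP)"

# Variant B, dst-nat to the router's own address: same result as variant A
# for LAN clients. Use one variant, not both.
# add chain=dstnat action=dst-nat in-interface=local protocol=udp dst-port=53 to-addresses=192.168.3.1 to-ports=53
# add chain=dstnat action=dst-nat in-interface=local protocol=tcp dst-port=53 to-addresses=192.168.3.1 to-ports=53

# Variant C, dst-nat to a resolver that is not the router: redirect cannot
# express this, because redirect always targets the router itself.
# add chain=dstnat action=dst-nat in-interface=local protocol=udp dst-port=53 to-addresses=203.0.113.53 to-ports=53
# add chain=dstnat action=dst-nat in-interface=local protocol=tcp dst-port=53 to-addresses=203.0.113.53 to-ports=53

# Per-rule packet and byte counters show whether the rules are being hit.
/ip firewall nat print stats
```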