DNS redirect using NAT adding VLAN issue

Hi folks,

I’ve had a working setup for a while now on a single default VLAN 1 with everything talking nicely. I’ve wanted to segment the network with VLANs and I have run into my first issue.

I have a Raspberry Pi running PiHole for DNS and I have the MikroTik set up to redirect any DNS request to the PiHole, just in case some sneaky manufacturer hard-codes DNS into their appliance.

Using this in my config to achieve the redirect.

add action=dst-nat chain=dstnat comment="DNS Rerouting" dst-address=\
    !192.168.88.3 dst-port=53 log=yes log-prefix=redirect-gdns-udp protocol=\
    udp src-address=!192.168.88.3 to-addresses=192.168.88.3 to-ports=53
add action=dst-nat chain=dstnat dst-address=!192.168.88.3 dst-port=53 log=yes \
    log-prefix=redirect-gdns-tcp protocol=tcp src-address=!192.168.88.3 \
    to-addresses=192.168.88.3 to-ports=53
add action=masquerade chain=srcnat dst-address=192.168.88.3 dst-port=53 \
    log-prefix=masq protocol=udp src-address=192.168.88.0/24
add action=masquerade chain=srcnat dst-address=192.168.88.3 dst-port=53 \
    log-prefix=masq protocol=tcp src-address=192.168.88.0/24

PiHole is on 192.168.88.3

This all works just fine. Now today I have added a VLAN, and in its DHCP server I specified 8.8.8.8 as the DNS server, which should be fine as it should be redirected, but it doesn’t respond. If I disable the NAT rule it works fine. I’m failing to see my mistake here, and ideally I’d like to be able to not redirect to PiHole, perhaps for a Guest VLAN that can do whatever it wants.

It might be the way I have implemented the VLAN, so I include that here:

/interface vlan
add interface=bridge name="VL666 Cisco" vlan-id=666

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_vlan666 ranges=192.168.66.2-192.168.66.254

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=LANDHCP
add address-pool=dhcp_vlan666 disabled=no interface="VL666 Cisco" name=Cisco

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=sfp1
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether5

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=666

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.66.1/24 interface="VL666 Cisco" network=192.168.66.0

/ip dhcp-server network
add address=192.168.66.0/24 dns-server=8.8.8.8 gateway=192.168.66.1
add address=192.168.88.0/24 dns-server=192.168.88.3 gateway=192.168.88.1

Please excuse the VLAN name, it started out as a way to put a single device on a VLAN, a Cisco box that acts as a mobile (cell) phone in my house.

I have started a diagram, which I’ve attached (HomeLAN.png).

Nice diagram by the way.
I am getting my Pi 3B+ this week so I plan on something similar.
All my subnets running PCs will have to go through the Pi for DNS resolving and ad blocking.
For my smart devices, media devices, game devices, I don’t think it really matters unless someone has a compelling reason.

I should then be able to be of more assistance.
In the meantime, for your VLAN setup this is the best reference.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Oh wow, that thread is great. Thanks!

OK so my VLAN setup wasn’t bad. I was however setting the VLAN tag on each wlan interface and adding it as a tagged interface instead of using PVID and then putting it untagged, so I swapped those over. Working fine.

I think I have a fix for my PiHole conundrum.

So I only want my main LAN using the PiHole for now, and any Guest or other VLANs using a.n.other DNS provider.

So I did this:

/ip firewall address-list
add address=192.168.88.3 list=PiHole

Then updated the DNS Rerouting NAT entries to this:

add action=dst-nat chain=dstnat comment="DNS Rerouting" dst-address=\
    !192.168.88.3 dst-port=53 log=yes log-prefix=redirect-gdns-udp protocol=\
    udp src-address=192.168.88.0/24 src-address-list=!PiHole to-addresses=\
    192.168.88.3 to-ports=53
add action=dst-nat chain=dstnat dst-address=!192.168.88.3 dst-port=53 log=yes \
    log-prefix=redirect-gdns-tcp protocol=tcp src-address=192.168.88.0/24 \
    src-address-list=!PiHole to-addresses=192.168.88.3 to-ports=53
add action=masquerade chain=srcnat dst-address=192.168.88.3 dst-port=53 \
    log-prefix=masq protocol=udp src-address=192.168.88.0/24
add action=masquerade chain=srcnat dst-address=192.168.88.3 dst-port=53 \
    log-prefix=masq protocol=tcp src-address=192.168.88.0/24

I’m not sure if this is the correct way to achieve the result but it does work. I’m always concerned about hacking something in when there is a more efficient way of doing it.
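The same enforcement written out as an added example, not the poster’s own configuration: the segments whose DNS is forced to the Pi-hole live in one address list (so a guest VLAN is excluded simply by leaving it out), the Pi-hole’s own upstream lookups are exempted with an accept rule instead of per-rule negations, and the masquerade is kept only for the case that actually needs it, clients on the Pi-hole’s own subnet. Addresses are the thread’s (Pi-hole 192.168.88.3, LAN 192.168.88.0/24, VLAN 666 192.168.66.0/24); the list name dns-forced and the log prefixes are assumptions. A port-53 rewrite only catches plain DNS; clients that speak DNS over HTTPS or TLS (443/853) are untouched by it.

```routeros
# Added example, not the poster's configuration. Assumed: address list name
# dns-forced and the log prefixes; addresses are the ones used in the thread.

/ip firewall address-list
add list=dns-forced address=192.168.88.0/24 comment="main LAN: DNS forced to Pi-hole"
add list=dns-forced address=192.168.66.0/24 comment="VLAN 666: also forced; leave a guest segment out of this list"

/ip firewall nat
# The Pi-hole's own upstream lookups must pass untouched, otherwise they would
# be rewritten back to the Pi-hole. accept in the dstnat chain means "no NAT".
add chain=dstnat action=accept src-address=192.168.88.3 protocol=udp dst-port=53 \
    comment="Pi-hole upstream lookups, udp"
add chain=dstnat action=accept src-address=192.168.88.3 protocol=tcp dst-port=53 \
    comment="Pi-hole upstream lookups, tcp"
# Port-53 traffic from a forced segment that is not already addressed to the
# Pi-hole (a hard-coded 8.8.8.8, for instance) is rewritten to the Pi-hole.
# The log prefix makes such devices easy to spot in /log.
add chain=dstnat action=dst-nat to-addresses=192.168.88.3 to-ports=53 \
    src-address-list=dns-forced dst-address=!192.168.88.3 protocol=udp dst-port=53 \
    log=yes log-prefix=dns-forced-udp comment="hard-coded DNS -> Pi-hole"
add chain=dstnat action=dst-nat to-addresses=192.168.88.3 to-ports=53 \
    src-address-list=dns-forced dst-address=!192.168.88.3 protocol=tcp dst-port=53 \
    log=yes log-prefix=dns-forced-tcp
# Hairpin case only: a client on the Pi-hole's own subnet would otherwise get
# the answer straight from 192.168.88.3 rather than from the address it asked,
# and discard it. Masquerading makes the Pi-hole reply via the router, which
# undoes the dst-nat. Routed segments such as 192.168.66.0/24 reply through
# the router anyway and need no masquerade. Cost: queries matched here show up
# in the Pi-hole log as coming from the router, not from the client.
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.3 \
    protocol=udp dst-port=53 comment="hairpin for clients on the Pi-hole's subnet"
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.3 \
    protocol=tcp dst-port=53
```

The accept rules have to sit above the dst-nat rules, since the first matching NAT rule wins. Adding a segment to dns-forced is the only change needed to enforce it; a segment absent from the list keeps whatever DNS its DHCP network hands out.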

Good questions…
I see what you are doing w.r.t. the redirect!! Except you need to use action=redirect.
Perhaps we can simplify those rules.

add action=redirect chain=dstnat dst-port=53 log=yes log-prefix=redirect-gdns-udp \
    protocol=udp

add action=redirect chain=dstnat dst-port=53 log=yes log-prefix=redirect-gdns-tcp \
    protocol=tcp

In IP DNS settings, you allow remote requests.
You can put a few servers in there, 8.8.8.8 and 8.8.4.4 for example.
For each subnet’s network configuration, under DNS SERVER you put:
192.168.88.3 (for all those you want to force to pi-hole)
192.168.X.1 (same as the subnet’s gateway setting; this is for subnets which don’t require redirection)

As far as masquerade rules go, don’t confuse them with DNS redirect etc…
It’s normally for source NAT use cases, typically for NAT translation out to the internet and back.

add action=masquerade chain=srcnat out-interface=ether1
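The redirect variant spelled out as an added example, not the poster’s rules: port-53 traffic from the segments that should be filtered is sent to the router’s own resolver, and that resolver is pointed at the Pi-hole, so a hard-coded 8.8.8.8 still ends up filtered; queries already addressed to the Pi-hole and the Pi-hole’s own upstream lookups are left alone. LAN and WAN are RouterOS’s default interface lists; the list name dns-unforced, and treating VLAN 666 (192.168.66.0/24) as the unforced guest segment, are assumptions. Because allow-remote-requests=yes makes the router answer DNS on every interface, the input chain has to refuse port 53 from the WAN side, otherwise the router becomes an open resolver.

```routeros
# Added example, not the poster's configuration. Assumed: the router resolves
# through the Pi-hole at 192.168.88.3; list name dns-unforced; VLAN 666 is the
# guest segment that keeps its own DNS.

/ip dns
# The router answers LAN clients and forwards to the Pi-hole. The Pi-hole must
# use an external upstream itself, never the router, or lookups loop.
set allow-remote-requests=yes servers=192.168.88.3

/ip firewall address-list
add list=dns-unforced address=192.168.66.0/24 comment="guest VLAN: not redirected"

/ip firewall nat
# Pi-hole upstream lookups and queries already aimed at the Pi-hole pass as-is.
add chain=dstnat action=accept src-address=192.168.88.3 protocol=udp dst-port=53
add chain=dstnat action=accept src-address=192.168.88.3 protocol=tcp dst-port=53
add chain=dstnat action=accept dst-address=192.168.88.3 protocol=udp dst-port=53
add chain=dstnat action=accept dst-address=192.168.88.3 protocol=tcp dst-port=53
# Every other port-53 packet arriving on a LAN interface, except from the
# unforced segment, goes to the router's resolver (and from there to Pi-hole).
add chain=dstnat action=redirect to-ports=53 in-interface-list=LAN \
    src-address-list=!dns-unforced protocol=udp dst-port=53 \
    log=yes log-prefix=redirect-dns-udp comment="hard-coded DNS -> router resolver"
add chain=dstnat action=redirect to-ports=53 in-interface-list=LAN \
    src-address-list=!dns-unforced protocol=tcp dst-port=53 \
    log=yes log-prefix=redirect-dns-tcp

/ip firewall filter
# The resolver now listens on all interfaces; only LAN may talk to it.
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 \
    comment="DNS to the router from LAN only"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=drop in-interface-list=WAN protocol=udp dst-port=53 \
    comment="never answer DNS from the internet"
add chain=input action=drop in-interface-list=WAN protocol=tcp dst-port=53
```

Two things to keep in mind with this layout: the redirected queries reach the Pi-hole from the router’s address, so its per-client log only attributes the queries that were sent to 192.168.88.3 directly; and the input rules must be placed above any generic accept rule in the chain, since RouterOS evaluates filter rules top down.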

Cheers. I will give that a go and report back.

Just remember that I am no IT networking guru and won’t have my Pi device to confirm until later this week.

I work in IT but I’m servers and storage not networking. This is a new world to me.

NATting will work for redirecting, naturally, but maybe cleaner / simpler: define a different DNS server depending on network segment?

So, ex:

/ip dhcp-server network
add address=192.168.88.0/26 dns-server=192.168.88.1 domain=local gateway=192.168.88.1 ntp-server=192.168.88.1
add address=192.168.88.64/26 dns-server=8.8.8.8 domain=guest.local gateway=192.168.88.1 ntp-server=192.168.88.1

Oh yeah I have the PiHole specified as the DNS server given out by DHCP but I have found some devices cough Google Android cough ignore those if it pleases them and do direct calls out to 8.8.8.8 and 8.8.4.4.

This dst-nat rule will capture any outgoing connections on udp53 and re-direct them to the PiHole.

If you don’t have the dst-nat rule then certain apps on Android will still show adverts, as they bypass local DNS lookup. Doing the dst-nat they are all disabled and blocked by PiHole.

Works great! :slight_smile:

dnat is a sure way to force your way

Okay, I am ready to deploy my Raspberry Pi with Pi-hole ad blocking but I have a dilemma.
The question is how to implement it in a multi-VLAN universe.
I have two options (I will be using an available port on the router, as I thought the closer to the source the better).
Option A. Create a pi-hole VLAN for this purpose, let’s say vlan15
Option B. Put the pi-hole on the main house VLAN (vlan11)

The issue I have is that if the pi-hole is on a port on the router and I assign it to my home VLAN, it will be an access port??? (or to vlan15 for that matter)
So how do I get multiple VLANs to talk to the pi-hole? How do I get the pi-hole to respond to non-vlan11 traffic?
How do I ensure that non-vlan11 traffic doesn’t get stripped when ingressing the port?
As you can see, either way I am stumped on how to handle all traffic going to port 53 on this address.
Will firewall rules do the trick, is that all that is needed? But VLAN filtering doesn’t care about fw rules…

The best bet would be to make the ethernet connection on the Raspberry Pi a trunk port, but I’m not sure that is possible as it assumes the port it will connect to is capable of being a hybrid port.
For example untagged for vlan11 on eth0 and then tagged for the rest of the VLANs… (RouterOS does not do hybrid ports).
Stumped for now.

I hope I’m understanding your issue right. The Rasp Pi can support as many VLANs as you need, right? Setup in /etc/dhcpcd.conf. I have 2 on mine with separate DHCP on each, but expect to go to 4 soon. Doesn’t seem to cause any issue for the Pi-Hole app. It just shows the appropriate originating IP.

You don’t have to use untagged on the RPi (Linux). It’s perfectly fine to make the RPi-connecting port a trunk and configure the network on the RPi as tagged-only. @cifzo already hinted at how it’s done. Network configuration is likely in /etc/network/interfaces … if it’s not, tell us and I’ll enlighten you further :wink:

# automatically start a few network interfaces
auto lo eth0.11 eth0.15

# VLAN 11
iface eth0.11 inet static
    address 192.168.11.13     # set a VLAN11 address here
    netmask 255.255.255.0     # adjust netmask if this network is not /24
    network 192.168.11.0      # set network address
    broadcast 192.168.11.255  # set correct broadcast address
    gateway 192.168.11.1      # enter router's VLAN11 IP address here

# VLAN 15
iface eth0.15 inet static
    address 192.168.15.42     # set a VLAN15 address here
    netmask 255.255.255.0     # adjust netmask if this network is not /24
    network 192.168.15.0      # set network address
    broadcast 192.168.15.255  # set correct broadcast address
    gateway 192.168.15.1      # enter router's VLAN15 IP address here
    
# add some configuration for the MGMT VLAN as well.
# After that, you should set up a firewall on the rpi.
# Study iptables ... essentially the logic behind iptables is the same
# as the logic behind /ip firewall filter ... the latter being a CLI for iptables ;-)

You should adjust the base network interface name … in the code above it’s eth0, but it might be something else (such as eno1 or enp0s3). You can get it either from the current setup or by issuing the command ip address.

OMG, I am getting ill, I am going to have to program another box, this time in snotty linus code… Egads, I am really stooping low here. Where is my spoon, it’s feeding time. :wink:
Okay so put vlan11 on the eth0 port with a fixed static LAN IP. That part seems okay.
Next, are you saying I have to add EVERY OTHER FRICKEN VLAN setup (same as for vlan11), assign a static IP for each VLAN and use a different eth port???

Hmmm, I guess then I just tag eth4 with all the VLANs…
Also I could create a VLAN just for the Pi but that means one more VLAN to set up LOL…

What about firewall rules…
Pi to router?? (I don’t think so, and can I get rid of my input chain LAN-to-router port 53 rules?? but still keep my allow remote IP DNS)
Pi to internet on port 53, udp and tcp (most likely)
All VLANs to Pi address on port 53, udp and tcp (most likely) BUT NOT the reverse, right!!! (return packets allowed, thus no need for a Pi-to-VLANs rule)

++++++++++++++++++++++
Wait, what if for the VLANs I want, let’s say vlan11,100,200,69,66, I use the gateway IP of the associated subnet as the DNS server (AS I DO NOW).
Then since it’s really the router I am pointing them at… I tell the router to send all my DNS requests to the pi-hole.
Is that possible?? Some sort of redirect function. Thus I don’t have to do anything too funky.
(If so, would it be best to put the pi-hole on ether4, not on a bridge but on its own LANX for example).
(I would only need one LANX static IP for the pi-hole and I assume some VLAN-to-LANX fw filter rules).
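The router side of the trunk-port approach, plus the filter rules the post above asks about, as an added example rather than anyone’s posted configuration. It assumes a bridge named bridge with vlan-filtering already on, VLAN interfaces vlan11 and vlan15 on that bridge, the Pi cabled to ether4, and the default WAN interface list; the interface list VLAN and the address list pihole are assumptions, and the Pi-hole addresses are the two used earlier in the thread (192.168.11.13 on VLAN 11, 192.168.15.42 on VLAN 15). The point of the forward rules is the one the post guesses at: only client-to-Pi-hole DNS and Pi-hole-to-internet DNS are opened, and replies ride on connection tracking, so there is no Pi-to-VLANs rule at all.

```routeros
# Added example, not a poster's configuration. Assumed: bridge "bridge" with
# vlan-filtering=yes, VLAN interfaces vlan11/vlan15, Pi-hole on ether4,
# interface list VLAN and address list pihole.

# 1. ether4 as a trunk: both VLANs leave tagged, untagged frames are refused,
#    so the Pi sees exactly the eth0.11 / eth0.15 sub-interfaces it configures.
/interface bridge port
add bridge=bridge interface=ether4 frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
# If entries for 11 and 15 already exist, append ether4 to their tagged list instead.
add bridge=bridge vlan-ids=11 tagged=bridge,ether4
add bridge=bridge vlan-ids=15 tagged=bridge,ether4

# 2. Group the client VLANs so the filter can refer to them as one list.
/interface list
add name=VLAN
/interface list member
add list=VLAN interface=vlan11
add list=VLAN interface=vlan15

/ip firewall address-list
add list=pihole address=192.168.11.13 comment="Pi-hole leg on VLAN 11"
add list=pihole address=192.168.15.42 comment="Pi-hole leg on VLAN 15"

# 3. Forward chain. Order matters: place these above any generic drop rule.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="replies to already permitted connections"
add chain=forward action=accept in-interface-list=VLAN dst-address-list=pihole \
    protocol=udp dst-port=53 comment="clients -> Pi-hole, udp"
add chain=forward action=accept in-interface-list=VLAN dst-address-list=pihole \
    protocol=tcp dst-port=53 comment="clients -> Pi-hole, tcp"
add chain=forward action=accept src-address-list=pihole out-interface-list=WAN \
    protocol=udp dst-port=53 comment="Pi-hole -> upstream resolvers, udp"
add chain=forward action=accept src-address-list=pihole out-interface-list=WAN \
    protocol=tcp dst-port=53 comment="Pi-hole -> upstream resolvers, tcp"
add chain=forward action=drop src-address-list=pihole out-interface-list=VLAN \
    comment="Pi-hole never initiates toward clients"
add chain=forward action=drop in-interface-list=VLAN out-interface-list=VLAN \
    comment="no other inter-VLAN traffic"
```

Clients on VLAN 11 reach 192.168.11.13 at layer 2 and never touch the forward chain; the clients-to-Pi-hole rules only matter for a VLAN that has no Pi-hole leg of its own. Handing each VLAN the Pi-hole address that sits on that VLAN, as a later post in this thread does, keeps DNS off the router entirely. The Pi-hole’s other outbound needs (package updates, blocklist downloads over HTTPS) are not covered here and need their own rules toward WAN.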

As you know, it’s best if I stay away from VLAN questions. :slight_smile: I have my RPI on x.x.x.4 on each subnet. Then I specify that IP as the primary DNS in the DHCP server. Unfortunately, that does put the DNS traffic outside the router. But that’s fine in my scenario.

Can you elaborate? Is the RPI connected to the router on its own LAN? Not sure what you mean by .4 on each subnet? Diagram?
How is your RPI configured?

Just using MKX’s rpi configuration… It’s got the rpi on 192.168.11.13 as a static IP on VLAN 11, and on 192.168.15.42 as a static IP on VLAN 15.

So on the router…
/ip dhcp-server network
add address=192.168.11.0/24 dns-server=\
    192.168.11.13,208.67.222.222,208.67.220.220 gateway=192.168.11.1
add address=192.168.15.0/24 dns-server=\
    192.168.15.42,208.67.222.222,208.67.220.220 gateway=192.168.15.1

So you configured the RPI itself with multiple VLAN subnets??

The best source I’ve found on Rpi VLANs is:
https://www.sbprojects.net/projects/raspberrypi/vlan.php (unfortunately, Raspbian changed how it does things, so anything over a year old isn’t completely correct)

If you do the VLANs first, and then install pihole, you get prompted for which interface to use. Choose whichever you plan to administer the pihole through. By the way, the pihole install has you set up a static IP, so no need to mess with that in advance.

After the VLANs are up and the pihole is running, go to pihole web interface. Under Settings, go to the DNS tab. There, you need to check ‘Listen on all interfaces’.

Assuming you’ve got active clients on your VLAN, you should be able to check the pihole, and see those IPs come through.

There may well be a way to do this in the router. I’m just slightly better at Linux than I am at MikroTik. :slight_smile: