dns redirect

Need some help.
I need to redirect all DNS requests to our DNS server.
No NAT; the MikroTik is used as a BGP border and all traffic passes through it. Users have real IPs and can set any DNS server in their connection properties.
I want to block users from using any other DNS server, like Google etc., and collect all DNS requests on our DNS servers.

So you’ll need to NAT. Redirect all tcp/53 and udp/53 to the router itself.

The DNS server is not on the MikroTik. Can you help with the rule?

Ah. That’s simple destination NAT then. It’s hard to give you an exact rule without knowing your infrastructure. Assuming clients are behind an interface named LAN and the DNS server you’re trying to force has an IP of 1.1.1.1:

/ip firewall nat
add chain=dstnat in-interface=LAN protocol=tcp dst-port=53 action=dst-nat to-addresses=1.1.1.1
add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=dst-nat to-addresses=1.1.1.1

Consider reading the wiki manual on NAT. This is literally the simplest use case and well covered in the available documentation.

5   chain=dstnat action=dst-nat to-addresses=10.50.0.5 to-ports=53 
     protocol=tcp in-interface=10.50.0.3 dst-port=53 

 6   chain=dstnat action=dst-nat to-addresses=10.50.0.5 to-ports=53
     protocol=udp in-interface=10.50.0.3 dst-port=53

Didn’t see any statistics on these rules.

Do you really have an interface called 10.50.0.3?

Yep, it is the LAN interface.

It literally has a name of “10.50.0.3”, which is the IP address of your DNS server? That would be odd. You need to substitute the NAME of the LAN interface.

Post the output of “/ip route print detail” and “/interface print detail”, wrapping it in code tags.

It’s working, I see some stats after recreating the rules, but now I have the next problem.

root@dhcp:/etc/dhcp3# dig @8.8.8.8 wowmens.ru

; <<>> DiG 9.6.1-P2 <<>> @8.8.8.8 wowmens.ru
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
root@dhcp:/etc/dhcp3# ifconfig vlan5
vlan5     Link encap:Ethernet  HWaddr 00:19:66:2b:ac:e1
          inet addr:10.50.0.5  Bcast:10.50.0.255  Mask:255.255.255.0
          inet6 addr: fe80::219:66ff:fe2b:ace1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:74238 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1854 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6213003 (6.2 MB)  TX bytes:382987 (382.9 KB)

root@dhcp:/etc/dhcp3#

Can you please start by posting the information I requested, together with everything else in my signature, and “/ip dns export”?

I hate guessing games. They waste everyone’s time.

[Gunner@MikroTik] /ip route> print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=178.23.147.53 
        gateway-status=178.23.147.53 reachable Megaphon check-gateway=ping 
        distance=1 scope=1 target-scope=10 

 1   S  dst-address=0.0.0.0/0 gateway=10.50.2.1 
        gateway-status=10.50.2.1 unreachable check-gateway=ping distance=30 
        scope=1 target-scope=10 

 2 A S  dst-address=10.10.128.0/24 gateway=10.50.0.2 
        gateway-status=10.50.0.2 reachable 10.50.0.3 distance=1 scope=30 
        target-scope=10 

 3 ADC  dst-address=10.50.0.0/24 pref-src=10.50.0.3 gateway=10.50.0.3 
        gateway-status=10.50.0.3 reachable distance=0 scope=10 

 4 ADC  dst-address=10.50.2.0/24 pref-src=10.50.2.2 gateway=Telekey 
        gateway-status=Telekey reachable distance=0 scope=10 

 5 A S  dst-address=101.0.0.0/24 gateway=10.50.0.2 
        gateway-status=10.50.0.2 reachable 10.50.0.3 distance=1 scope=30



[Gunner@MikroTik] /ip route> /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  ;;; Telekey
       name="Telekey" type="ether" mtu=1500 l2mtu=1600 

 1  R  ;;; TI
       name="10.50.0.3" type="ether" mtu=1500 

 2  R  ;;; Megaphon
       name="Megaphon" type="ether" mtu=1500 l2mtu=1600



[Gunner@MikroTik] /ip route> /ip dns export
# oct/13/2011 13:15:32 by RouterOS 4.2
# software id = 
#
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 primary-dns=10.50.0.5 secondary-dns=10.50.0.5
/ip dns static
add address=10.50.0.3 disabled=no name=local ttl=1d

Wait.

The DNS server you’re trying to redirect to is using the router itself as a gateway, and is behind the interface you’re redirecting DNS traffic on? Is that right?

You have a very odd network. It would be better to separate infrastructure such as DNS servers from customers. I wish I had asked for a network diagram to start with.

Add “src-address=!10.50.0.5” to those DNS destination NAT rules. Consider separating infrastructure and customers.

Scheme

  
              bgp              vlan5
  internet---------mikrotick---------biling--------clients
              x.x.x.x  10.50.0.3  | 10.50.0.2
                                  |
                                 dns 
                                10.50.0.5



 5 X chain=dstnat action=dst-nat to-addresses=10.50.0.5 to-ports=53 
     protocol=udp src-address=!10.50.0.5 dst-port=53 

 6 X chain=dstnat action=dst-nat to-addresses=10.50.0.5 to-ports=53 
     protocol=tcp dst-port=53

I’m using only the UDP rule; I don’t see any TCP packets in Torch.

I think that should be “src-address=!10.50.0.3” not “src-address=!10.50.0.5”…

But yes, this network topology is not ideal…

Rgds,

Wazza

I think that should be “src-address=!10.50.0.3” not “src-address=!10.50.0.5”…

Nothing changes.

The latest export you’re showing has the UDP rule disabled.

But anyway. Let’s go for a complete current picture as stuff’s been changing throughout this thread. Is the network diagram still the same?

Please post the output of “/ip address print detail”, “/ip route print detail”, “/interface print detail”, “/ip firewall export”, and “/ip dns export” as it is right now.

[Gunner@MikroTik] > /ip address print detai
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=194.190.72.254/30 network=194.190.72.252 broadcast=194.190.72.255 
     interface=Megaphon actual-interface=Megaphon 

 1   address=10.50.0.3/24 network=10.50.0.0 broadcast=10.50.0.255 
     interface=10.50.0.3 actual-interface=10.50.0.3 

 2   address=10.50.2.2/24 network=10.50.2.0 broadcast=10.50.2.255 
     interface=Telekey actual-interface=Telekey 

 3   address=178.23.147.54/30 network=178.23.147.52 broadcast=178.23.147.55 
     interface=Megaphon actual-interface=Megaphon



[Gunner@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=178.23.147.53 
        gateway-status=178.23.147.53 reachable Megaphon check-gateway=ping 
        distance=1 scope=1 target-scope=10 

 1   S  dst-address=0.0.0.0/0 gateway=10.50.2.1 
        gateway-status=10.50.2.1 unreachable check-gateway=ping distance=30 
        scope=1 target-scope=10 

 2 A S  dst-address=10.10.128.0/24 gateway=10.50.0.2 
        gateway-status=10.50.0.2 reachable 10.50.0.3 distance=1 scope=30 
        target-scope=10 

 3 ADC  dst-address=10.50.0.0/24 pref-src=10.50.0.3 gateway=10.50.0.3 
        gateway-status=10.50.0.3 reachable distance=0 scope=10 

 4 ADC  dst-address=10.50.2.0/24 pref-src=10.50.2.2 gateway=Telekey 
        gateway-status=Telekey reachable distance=0 scope=10 

 5 A S  dst-address=101.0.0.0/24 gateway=10.50.0.2 
        gateway-status=10.50.0.2 reachable 10.50.0.3 distance=1 scope=30 
        target-scope=10 

 6 ADC  dst-address=178.23.147.52/30 pref-src=178.23.147.54 gateway=Megaphon 
        gateway-status=Megaphon reachable distance=0 scope=10 

 7 A S  dst-address=192.168.251.0/24 gateway=10.50.0.2 
        gateway-status=10.50.0.2 reachable 10.50.0.3 distance=1 scope=30 
        target-scope=10 

 8 A S  dst-address=194.190.72.0/25 gateway=10.50.0.2 
        gateway-status=10.50.0.2 reachable 10.50.0.3 distance=1 scope=30 
        target-scope=10 

 9 A S  dst-address=194.190.72.128/26 gateway=10.50.0.2 
        gateway-status=10.50.0.2 reachable 10.50.0.3 distance=1 scope=30 
        target-scope=10 

10 A S  dst-address=194.190.72.192/26 gateway=10.50.0.2 
        gateway-status=10.50.0.2 reachable 10.50.0.3 distance=1 scope=30 
        target-scope=10 

11 ADC  dst-address=194.190.72.252/30 pref-src=194.190.72.254 gateway=Megaphon 
        gateway-status=Megaphon reachable distance=0 scope=10 

12 A S  dst-address=194.190.73.0/24 gateway=10.50.0.2 
        gateway-status=10.50.0.2 reachable 10.50.0.3 distance=1 scope=30 
        target-scope=10 

13 A S  dst-address=194.190.74.0/24 gateway=10.50.0.2 
        gateway-status=10.50.0.2 reachable 10.50.0.3 distance=1 scope=30 
        target-scope=10 

14 A S  dst-address=194.190.75.0/24 gateway=10.50.0.2 
        gateway-status=10.50.0.2 reachable 10.50.0.3 distance=1 scope=30 
        target-scope=10



[Gunner@MikroTik] >   /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  ;;; Telekey
       name="Telekey" type="ether" mtu=1500 l2mtu=1600 

 1  R  ;;; TI
       name="10.50.0.3" type="ether" mtu=1500 

 2  R  ;;; Megaphon
       name="Megaphon" type="ether" mtu=1500 l2mtu=1600



[Gunner@MikroTik] > /ip firewall export
# oct/13/2011 23:08:11 by RouterOS 4.2
# software id = 
#
/ip firewall layer7-protocol
add comment="" name="\B5TP" regexp="\\x7F\\xFF\\xFF\\xFF\\xAB"
add comment="" name=wow regexp="\\x06\\xEC\\x01"
add comment="" name="\B5TP2" regexp=0000000000380000
/ip firewall address-list
add address=194.190.72.0/22 comment="" disabled=no list=Real
add address=194.190.72.224 comment="" disabled=no list="virus active"
add address=194.190.72.0/28 comment="" disabled=no list=25ignore
add address=115.85.18.35 comment="" disabled=no list=blocked
add address=189.111.223.125 comment="" disabled=no list=blocked
add address=94.73.241.76 comment="" disabled=no list=blocked
add address=87.242.113.165 comment="" disabled=no list=blocked
add address=194.105.17.167 comment="" disabled=no list=blocked
add address=218.108.230.103 comment="" disabled=no list=blocked
add address=184.105.219.136 comment="" disabled=no list=blocked
add address=118.175.23.90 comment="" disabled=no list=blocked
add address=115.85.18.35 comment="" disabled=no list=blocked
add address=213.108.41.190 comment="" disabled=no list=blocked
add address=194.190.72.122 comment="" disabled=no list=spammer
add address=190.145.17.187 comment="" disabled=no list=blocked
add address=65.54.188.72 comment="" disabled=no list=blocked
add address=87.240.128.0/18 comment="" disabled=no list=vkontakt
add address=93.186.224.0/21 comment="" disabled=no list=vkontakt
add address=194.190.72.101 comment="" disabled=no list=mm
add address=217.20.144.0/20 comment="" disabled=no list=vkontakt
add address=66.212.21.135 comment="" disabled=no list=blocked
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=yes \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward comment="uTP uTorrent " disabled=no \
    layer7-protocol="\B5TP" packet-mark="\B5TP"
add action=drop chain=input comment="" disabled=yes protocol=tcp src-port=445
add action=drop chain=forward comment="" disabled=yes dst-address-list=\
    blocked protocol=icmp
add action=drop chain=input comment="" disabled=yes dst-port=1723 \
    in-interface=Telekey protocol=tcp
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
    2d chain=forward comment="SPAM detector" connection-limit=5,32 disabled=\
    no dst-port=25 protocol=tcp src-address-list=!25ignore
add action=drop chain=forward comment="drop spamers" disabled=no dst-port=25 \
    protocol=tcp src-address-list=spammer
add action=drop chain=forward comment=hackerz disabled=no src-address-list=\
    blocked
add action=drop chain=forward comment="virus active" disabled=no dst-port=445 \
    protocol=tcp src-address-list="virus active"
add action=drop chain=forward comment="" disabled=yes protocol=tcp \
    src-address=194.190.72.2 src-port=25
add action=drop chain=forward comment="" connection-mark=vkotakt disabled=no \
    dst-address-list=mm
/ip firewall mangle
add action=mark-connection chain=prerouting comment="mark p2p connection" \
    disabled=yes new-connection-mark=p2p-connection p2p=all-p2p passthrough=\
    yes
add action=mark-packet chain=prerouting comment="mark p2p packets" \
    connection-mark=p2p-connection disabled=yes new-packet-mark=p2p-packet \
    passthrough=yes
add action=mark-packet chain=prerouting comment="mark non p2p packets" \
    connection-mark=!p2p-connection disabled=yes dst-port=!80 \
    new-packet-mark=non-p2p passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment="mark mtorrent connction" \
    connection-state=new disabled=no layer7-protocol="\B5TP2" \
    new-connection-mark="\B5TP" passthrough=yes protocol=udp
add action=mark-packet chain=forward comment="mark mtorrent packets" \
    connection-mark="\B5TP" disabled=yes new-packet-mark="\B5TP" passthrough=\
    yes
add action=mark-connection chain=prerouting comment="mark wow connection" \
    disabled=yes new-connection-mark=wow passthrough=yes src-address-list=wow
add action=mark-connection chain=prerouting comment="" disabled=yes \
    dst-address-list=wow new-connection-mark=wow passthrough=yes
add action=mark-packet chain=prerouting comment="mark wow packet" \
    connection-mark=wow disabled=yes new-packet-mark=wow-packet passthrough=\
    yes
add action=mark-connection chain=prerouting comment="http connection" \
    disabled=no dst-port=80 new-connection-mark=http passthrough=yes \
    protocol=tcp
add action=mark-packet chain=prerouting comment="http packet" \
    connection-mark=http disabled=no new-packet-mark=http-packet passthrough=\
    yes
add action=mark-connection chain=prerouting comment="" disabled=no \
    new-connection-mark=vkotakt passthrough=yes src-address-list=vkontakt
/ip firewall nat
add action=src-nat chain=srcnat comment="" disabled=no dst-address-list=!Real \
    ipv4-options=none src-address=192.168.251.0/24 src-address-list=!Real \
    src-address-type="" to-addresses=194.190.72.254
add action=src-nat chain=srcnat comment="" disabled=no dst-address-list=!Real \
    src-address=10.10.128.0/24 src-address-list=!Real to-addresses=\
    194.190.72.254
add action=src-nat chain=srcnat comment="" disabled=no src-address=\
    101.0.0.0/24 to-addresses=194.190.72.254
add action=dst-nat chain=dstnat comment="\D3\E4\E0\EB\E5\ED\EA\E0 \F1 \E2\ED\
    \E5\F8\EA\E8 \EB\FE\E1\EE\E9 \ED\E0 TI" disabled=yes dst-port=3389 \
    protocol=tcp to-addresses=192.168.251.1
add action=src-nat chain=srcnat comment="" disabled=yes src-address=\
    10.50.2.0/25 to-addresses=194.190.72.254
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=53 protocol=\
    udp src-address=!10.50.0.3 to-addresses=10.50.0.5 to-ports=53
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=53 protocol=\
    tcp to-addresses=10.50.0.5 to-ports=53
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no



[Gunner@MikroTik] > /ip dns export
# oct/13/2011 23:14:16 by RouterOS 4.2
# software id = 
#
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 primary-dns=10.50.0.5 secondary-dns=10.50.0.5
/ip dns static
add address=10.50.0.3 disabled=yes name=local ttl=1d
add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=53 protocol=\
    udp src-address=!10.50.0.3 to-addresses=10.50.0.5 to-ports=53

That rule has to be enabled for any of this to work. The src-address should be ‘!10.50.0.5’ so that the DNS server itself doesn’t get redirected to itself, leading to a resolution loop.

If that doesn’t do it I have no idea.
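Added example, not posted by anyone in this thread: a small Python model of how RouterOS walks the dstnat chain, used to show why the exclusion on the DNS redirect has to be the resolver’s address (!10.50.0.5) and not the router’s (!10.50.0.3). It models only the matchers the thread’s rules use (protocol, dst-port, in-interface, src-address with “!” negation, action=dst-nat to-addresses/to-ports) with first-match-wins semantics. The addresses are the thread’s (LAN interface named “10.50.0.3”, DNS server 10.50.0.5); the client 194.190.72.10 and the upstream resolver 8.8.8.8 are constructed inputs.

```python
# Added example, not from the thread: models RouterOS dstnat rule matching
# to show why the DNS redirect must exclude the resolver's own source address.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_interface: str
    protocol: str      # "udp" or "tcp"
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class DstNatRule:
    """One chain=dstnat action=dst-nat rule with the matchers used in the thread."""
    protocol: str
    dst_port: int
    to_address: str
    to_port: int = 53
    in_interface: Optional[str] = None
    src_address: Optional[str] = None   # "a.b.c.d", "a.b.c.d/n", or "!..." to negate

    def matches(self, p: Packet) -> bool:
        if p.protocol != self.protocol or p.dst_port != self.dst_port:
            return False
        if self.in_interface is not None and p.in_interface != self.in_interface:
            return False
        if self.src_address is not None:
            negate = self.src_address.startswith("!")
            net = ip_network(self.src_address.lstrip("!"), strict=False)
            in_net = ip_address(p.src) in net
            if in_net == negate:        # a negated matcher only matches when NOT in net
                return False
        return True


def apply_dstnat(rules, p: Packet) -> Packet:
    """Return the packet as it leaves the dstnat chain (first matching rule wins)."""
    for r in rules:
        if r.matches(p):
            return replace(p, dst=r.to_address, dst_port=r.to_port)
    return p


LAN_IF = "10.50.0.3"        # the LAN interface is literally named this in the export
DNS_SERVER = "10.50.0.5"
CLIENT = "194.190.72.10"    # constructed: a host inside the "Real" 194.190.72.0/22 list
UPSTREAM = "8.8.8.8"        # constructed: the public resolver a user configured by hand


def redirect_rules(exclude_src: Optional[str]):
    """The udp/53 + tcp/53 dst-nat pair, optionally with src-address=!exclude_src."""
    src = None if exclude_src is None else "!" + exclude_src
    return [DstNatRule(proto, 53, DNS_SERVER, in_interface=LAN_IF, src_address=src)
            for proto in ("udp", "tcp")]


def destination_after_nat(rules, src: str, proto: str = "udp") -> str:
    """Where a DNS query from `src` addressed to the upstream resolver really goes."""
    return apply_dstnat(rules, Packet(LAN_IF, proto, src, UPSTREAM, 53)).dst


def resolver_loops(rules) -> bool:
    """True if the DNS server's own upstream queries are bounced back to itself."""
    return destination_after_nat(rules, DNS_SERVER) == DNS_SERVER


if __name__ == "__main__":
    for label, rules in (("no exclusion", redirect_rules(None)),
                         ("!10.50.0.3 (router)", redirect_rules("10.50.0.3")),
                         ("!10.50.0.5 (resolver)", redirect_rules(DNS_SERVER))):
        print(f"{label:24} client -> {destination_after_nat(rules, CLIENT):10} "
              f"resolver -> {destination_after_nat(rules, DNS_SERVER):10} "
              f"loop={resolver_loops(rules)}")
```

With no exclusion, or with !10.50.0.3, the resolver’s own queries to 8.8.8.8 are rewritten to 10.50.0.5 and it can never reach an upstream, which is the loop described in the reply; only !10.50.0.5 lets the resolver out while still catching the client. The model covers rule matching only, not the return path, which is what the remarks about the topology in this thread are about.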

If it’s enabled, no DNS server resolves at all. It’s not a test machine, it’s a working border.

Quote:
I think that should be “src-address=!10.50.0.3” not “src-address=!10.50.0.5”…

nothing changes

I just disabled it.

I’ll try to capture the packets in VLAN 5 with Wireshark tomorrow.