Dual WAN - DNS does not resolve

Hi all. I need your help to solve a problem with DNS resolving. I have 2 ISPs (MTS-limited, GTS-unlimited) and I want to divide traffic for my address lists (MY and SMALL) across the different ISPs. But when I enabled the Mangle rules on the MT, DNS resolving stopped working. Therefore I also can't turn on WebProxy. I did it following this article:
http://wiki.mikrotik.com/wiki/Load_Balancing_over_Multiple_Gateways

I use a static DNS record (MT) on my PC.



/ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting action=mark-routing new-routing-mark=GTS passthrough=no src-address-list=my 

 1   chain=prerouting action=mark-routing new-routing-mark=MTS passthrough=no src-address-list=small



/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          87.0.0.169                             1                    (ROutingMark = GTS)
 1 A S  0.0.0.0/0                          89.0.0.41                             1                     (RoutingMark = MTS)
 2 ADC  87.0.0.168/29  87.0.0.172  ether1                    0
 3 ADC  89.0.0.40/29    89.0.0.43    ether2                    0
 4 ADC  192.168.1.0/24     192.168.1.151   ether6                    0



/ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                
 0   ;;; default configuration
     87.0.0.172/29  87.0.0.168  ether1                                                                                                                   
 1   89.0.0.43/29    89.0.0.40    ether2                                                                                                                  
 2   192.168.1.151/24   192.168.1.0     ether6



/ip firewall nat print

Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade src-address-list=my out-interface=ether1 

 1   chain=srcnat action=masquerade src-address-list=small out-interface=ether2

What should I append to the mangle chains for properly working DNS?
PS: sorry for my language.

Try adding a static DNS.

Put some public DNS servers on the MikroTik and/or on your PCs.

I have a static DNS record on my MT (8.8.8.8). When I try to send an nslookup request to the MT, it doesn't resolve any records. The DNS records on my PC should be Domain Controller records (AD). DNS on the DC redirects requests to the MT, but it doesn't work :(

Just as a test, set the output and input chains in the firewall to allow.

These are my filter rules. I think this allows everything, doesn't it?


/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=input action=accept connection-state=established 

 1   chain=forward action=accept connection-state=established 

 2   chain=input action=accept protocol=tcp dst-address=87.XX.XX.XX in-interface=ether1 dst-port=8291 

 3   chain=forward action=accept src-address=192.168.1.0/24 in-interface=ether6

Apparently my MT itself doesn't know a default route, because when I try Tools-Ping google.com (74.125.143.101) it responds NO route to HOST. But when I manually set the route in Routing Table (Tools-Ping-Routing Table) it pings successfully… Still NEED your advice!!!

Hi,

In your routing table you have two default routes; each route is the default route for packets that have a routing mark (my and small). When you are pinging from the MikroTik, that ping packet doesn't have a routing mark because it is not defined in the mangle (the MikroTik address is not in your src address list, I assume).

But when you add a default route 0.0.0.0/0 without a routing mark, then your MikroTik has a route to the internet.
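The route lookup described in the reply above, modelled as an added example that is not part of the original thread. It assumes a simplified lookup (the mark's table first, then the main table), constructed members for the `my` and `small` address lists, and that the router's own traffic never passes the prerouting mangle rules.

```python
import ipaddress

# Routes from the thread's "/ip route print": (destination, gateway, routing mark).
# mark=None is the main table, the only one unmarked packets are looked up in.
ROUTES = [
    ("0.0.0.0/0", "87.0.0.169", "GTS"),
    ("0.0.0.0/0", "89.0.0.41", "MTS"),
    ("87.0.0.168/29", "ether1", None),
    ("89.0.0.40/29", "ether2", None),
    ("192.168.1.0/24", "ether6", None),
]

# Mangle prerouting rules from the thread: source address list -> routing mark.
# List members are constructed; the thread never shows what "my" and "small" hold.
ADDRESS_LISTS = {"my": ["192.168.1.10"], "small": ["192.168.1.20"]}
MANGLE = [("my", "GTS"), ("small", "MTS")]


def routing_mark(src, from_router=False):
    """Mark set in prerouting; the router's own output never passes that chain."""
    if from_router:
        return None
    for list_name, mark in MANGLE:
        if src in ADDRESS_LISTS[list_name]:
            return mark
    return None


def lookup(dst, mark, routes=ROUTES):
    """Longest-prefix match in the mark's table, then in the main table."""
    addr = ipaddress.ip_address(dst)
    for table in ([mark, None] if mark else [None]):
        hits = [(ipaddress.ip_network(d), gw) for d, gw, m in routes
                if m == table and addr in ipaddress.ip_network(d)]
        if hits:
            return max(hits, key=lambda h: h[0].prefixlen)[1]
    return None  # what the router reports as "no route to host"


def router_own_route(dst, routes=ROUTES):
    """Route used by traffic the router itself originates (ping, upstream DNS)."""
    return lookup(dst, routing_mark("192.168.1.151", from_router=True), routes)
```

With the thread's table, `router_own_route("8.8.8.8")` returns `None`; it returns a gateway only once a default route without a routing mark is appended to `ROUTES`.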

Yes, I don't have a mangle chain for the MT. My problem is not pinging addresses, but resolving DNS records (UDP). Adding a default gateway 0.0.0.0/0 through either of the two gateways, as you advised, doesn't help me, and neither does adding the MT to the mangle prerouting chain. Internet still works with a static DNS record, except the MT's IP.

Sorry for the necro, I'm having the same problem. Dual WAN, everything works besides DNS.

Your config appears to be similar to mine and I think I did it.
I will assume that you have a primary domain controller (192.168.1.2), an ADC (192.168.1.3) and a MikroTik (192.168.1.1) all serving as DNS servers, and that you have 2 ISPs and 2 ranges in the same subnet, let's say (192.168.1.0/25 for isp10) and (192.168.1.128/26 for isp2).

1- MikroTik: set DNS servers to (192.168.1.2,192.168.1.1,208.67.220.220)
2- DC1: set DNS servers to 192.168.1.3,192.168.1.1,127.0.0.1
3- DC2: set DNS servers to 192.168.1.2,192.168.1.1

4- (Try this last) Back on the MikroTik, set firewall rules to force source address 192.168.1.0/25 to (redirect) to your MikroTik and force source address 192.168.1.0/25 to (dst-nat) to 8.8.8.8.

Please let me know if this works for you.

4- (Try this last) Back on the MikroTik, set firewall rules to force source address 192.168.1.0/25 to (redirect) to your MikroTik and force source address 192.168.1.128/26 to (dst-nat) to 8.8.8.8.