Easiest way to point specific devices to other DNS?

What's the easiest way to point specific clients to use OpenDNS rather than the default one in the DHCP server?

I know I can use dst-nat to point specific IP/MAC addresses, but that means maintenance when new clients join the wireless network.

I run CAPsMAN with 2 SSIDs, one for 2.4 GHz and one for 5 GHz. Can I create 2 new SSIDs using a different DNS server?

Create additional network(s) in DHCP Server → Networks just for those addresses, with another DNS server setting.

Now I have a quite standard config with subnet 172.32.100.0/25 set as the address on the bridge and then a DHCP server running.

Can I create 2 new VLANs on the bridge, point the first subnet to this new VLAN bridge, and then add another subnet (for example 172.33.100.0/25) to the other VLAN and set up its own DHCP server with different DNS settings etc.?

And then use the CAPsMAN config to create 2 additional SSIDs using this “OpenDNS bridge” instead, by setting VLAN mode/ID under the datapath config?

Well, you can certainly do that.
But your initial post was about DNS only, and about the easiest way to do it.
And so was my answer.

@xvo, you proposed something which not everybody thinks is possible.

@sirlindquist: To illustrate:

/ip address add interface=LAN address=172.32.100.x/25
/ip dhcp-server network
add address=172.32.100.0/25 comment="ordinary settings" dns-server=172.32.100.y gateway=172.32.100.z netmask=25
add address=172.32.100.64/28 comment="some clients with different settings" dns-server=8.8.8.8 gateway=172.32.100.z netmask=25

Then you need to take care (in the leases part) to assign IP addresses from the address range with the special settings (172.32.100.64-172.32.100.79) to the special clients.

Note that personally I didn’t test it, so perhaps the entries in /ip dhcp-server network have to be ordered differently - more specific higher on the list. Or the addresses (including mask) may not overlap. Or something else. The point is that the “dhcp server network address” mask doesn’t have to be the same as the served IP network mask.

OK, thanks, I’ll start by explaining how the setup looks now with one subnet and what I want to do.

Router is an RB3011. Bridge configured with 172.32.100.0/25. WAN on SFP1, and Ethernet ports 1-10 attached to the main bridge.
Running an IPsec tunnel, that’s why I use netmask 25; the target has the other half of that C-net.
Running CAPsMAN on the router with 2 wAP ac connected, serving one 2.4 GHz SSID and one 5 GHz.
Running DHCP server with standard settings to serve the clients with IP addresses.

Now I want one additional SSID for wifi clients only that will be used by kids and their friends. That’s why I want another DHCP server for this, as new clients are brought into the net and therefore I can’t target them all with dst-nat rules on either MAC or IP address.

And here is where I’m unsure how to do this. I get that I need to use the slave configuration under CAPsMAN to provision an additional SSID for this. One SSID is enough, I can run both the 2.4/5 GHz channels on the same SSID and let the client choose. The new DHCP server will then serve OpenDNS as DNS (or Pi-hole if I get time to set this up), anyway, another DNS than the regular one.

Dunno if I will need a new subnet for this or, as suggested above, 172.32.100.64/28? Is there any difference? Will the IPsec tunnel work properly with this? I don’t want any port on the router to be assigned to any other bridge than the default one. I don’t get how I can get this to work without an additional bridge?

Wow... if your intention was never to separate your networks, but (quoted from the opening post) “to point specific clients” to another DNS server:

# DHCP option 6 (domain name servers) carrying the two OpenDNS resolvers
/ip dhcp-server option
add code=6 name="opendns" value="'208.67.222.222''208.67.220.220'"

# static leases for the specific clients; each one is handed the OpenDNS option
/ip dhcp-server lease
add address=172.32.100.65 dhcp-option="opendns" mac-address=aa:bb:cc:dd:ee:dd server=default
add address=172.32.100.66 dhcp-option="opendns" mac-address=aa:bb:cc:dd:ee:ee server=default
add address=172.32.100.67 dhcp-option="opendns" mac-address=aa:bb:cc:dd:ee:ff server=default

Yes, then separate subnets: add IP, bridge, DHCP server, DHCP network, IP pool, CAPsMAN configuration for the guest network, update the provisioning rule with the new guest network and check your firewall rules.

You could reverse the logic: set static entries with their own DNS for known devices and set OpenDNS in the DHCP network config for all other/unknown devices.

And it doesn’t have to be VLAN etc.? I’m not familiar with using VLANs.

Can I just add another bridge like 172.33.100.0/25 and then a new DHCP server with the settings I want, and run that DHCP server on that new bridge? Then new datapaths etc. under CAPsMAN where I specify which bridge to actually use, and then slave configs for the new SSID?

The easiest way is to use CAPsMAN forwarding mode: by defining the bridge in the CAPsMAN datapath configuration and not enabling local forwarding, traffic for the new SSID will be sent to the bridge without VLANs.

Why not local forwarding? I have that now on the main config.

By not enabling local forwarding, the traffic will be forwarded to the CAPsMAN manager, effectively creating a new data path and separating the traffic from your home network.
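The guest-network procedure listed earlier (separate subnet, bridge, pool, DHCP server and network, CAPsMAN datapath without local forwarding, provisioning rule, firewall) as one worked RouterOS configuration; this is an added example, not configuration posted in the thread. Names such as bridge-guest, pool-guest, dhcp-guest, dp-guest, cfg-guest, sec-guest and the SSID are assumed; the 172.33.100.0/25 subnet, the 172.32.100.0/24 home/IPsec range and the OpenDNS resolvers are the values used in the thread, and an existing masquerade rule matching the WAN out-interface is assumed to NAT the guest subnet too.

```routeros
# Added example: guest SSID with its own subnet and OpenDNS, isolated from the home LAN.
# Assumed object names: bridge-guest, pool-guest, dhcp-guest, dp-guest, cfg-guest, sec-guest.

# 1. Separate L2 segment: a bridge with no physical ports. With local forwarding off,
#    the CAPs tunnel the guest frames to the manager, which places them on this bridge.
/interface bridge add name=bridge-guest comment="guest wifi, CAPsMAN forwarding"
/ip address add interface=bridge-guest address=172.33.100.1/25

# 2. DHCP for the guest subnet, handing out OpenDNS instead of the router's resolver.
/ip pool add name=pool-guest ranges=172.33.100.10-172.33.100.126
/ip dhcp-server add name=dhcp-guest interface=bridge-guest address-pool=pool-guest disabled=no
/ip dhcp-server network add address=172.33.100.0/25 gateway=172.33.100.1 \
    dns-server=208.67.222.222,208.67.220.220 comment="guest: OpenDNS"

# 3. CAPsMAN: datapath into the guest bridge (no local forwarding, no client-to-client),
#    a WPA2 profile, a configuration for the new SSID, and the slave-configuration
#    reference on the existing provisioning rule(s). Passphrase is a placeholder.
/caps-man datapath add name=dp-guest bridge=bridge-guest local-forwarding=no \
    client-to-client-forwarding=no
/caps-man security add name=sec-guest authentication-types=wpa2-psk encryption=aes-ccm \
    passphrase=CHANGE-ME-GUEST-PASSPHRASE
/caps-man configuration add name=cfg-guest ssid=GuestWifi datapath=dp-guest security=sec-guest
/caps-man provisioning set [find] slave-configurations=cfg-guest

# 4. Firewall: guests may reach the internet only. Drop traffic into the home half and the
#    IPsec peer's half of 172.32.100.0/24, and into the router itself except for DHCP.
#    These rules are appended at the end of the chains; move them above any broad
#    accept rule in the existing ruleset so they are actually evaluated.
/ip firewall filter
add chain=forward in-interface=bridge-guest dst-address=172.32.100.0/24 action=drop \
    comment="guest -> home LAN / IPsec remote subnet"
add chain=input in-interface=bridge-guest protocol=udp dst-port=67 action=accept \
    comment="guest DHCP to router"
add chain=input in-interface=bridge-guest action=drop comment="guest -> router services"
```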

OK, but the main SSID/wifi on the 172.32 network should have local forwarding enabled?

Works exactly as expected! Thank you.

But OpenDNS ain’t blocking a shit in this state, like sex sites etc. Guess I need a Pi-hole and then configure OpenDNS inside there with an account.

Do you mind a PM?

Afaik OpenDNS has configurable options, so better check that out. Pi-hole is targeted towards ads, but maybe you can find porn-based block lists.

If you don’t mind slowing your throughput to a crawl… Go right ahead and do this.