Force clients to use Pi-hole as DNS server / ad blocker

Hi,

Finally got an RB952ui at home. Plugged a USB modem into the RB.
Started learning ROS.

I have installed Pi-hole on a Raspberry Pi running Raspbian.
I want all clients connected to the router to use Pi-hole as DNS server and ad blocker.

I just tried all the guides on the wiki with hairpin NAT, still no luck; clients are still using Google DNS.
Hope you can enlighten me.
Thanks.


rpi=10.8.0.19
rb=10.8.0.1

NAT

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ppp-out1
add action=masquerade chain=srcnat dst-address=10.8.0.19 dst-port=80 \
    out-interface=bridge1-local protocol=tcp src-address=10.8.0.0/24
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp to-addresses=\
    10.8.0.19 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=\
    10.8.0.19 to-ports=53

Bridge

/interface bridge port
add bridge=bridge1-local interface=ether2-master-local
add bridge=bridge1-local interface=wlan1-ap

Interface

#     NAME                                TYPE       ACTUAL-MTU L2MTU
 0  X  ap-master                           ether            1500  1598
 1  X  ether1-gateway                      ether            1500  1598
 2  RS ether2-master-local                 ether            1500  1598
 3  XS ether3-slave-local                  ether            1500  1598
 4  XS ether4-slave-local                  ether            1500  1598
 5  RS wlan1-ap                            wlan             1500  1600
 6  X  wlan2                               wlan             1500  1600
 7  R  bridge1-local                       bridge           1500  1598
 8  R  ppp-out1                            ppp-out          1500

ip route

 #      DST-ADDRESS        PREF-SRC        GATEWAY          DISTANCE
 0 ADS  0.0.0.0/0                          10.112.112.127          0
 1 ADC  10.8.0.0/24        10.8.0.1        bridge1-local           0
 2 ADC  xx.xxx.xxx.xxx/32  xx.xxx.xxx.xx   ppp-out1                0

ip address, dhcp server

/ip address
add address=10.8.0.1/24 interface=bridge1-local network=10.8.0.0

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1-local name=\
    dhcp_server1
/ip dhcp-server network
# second resolver belongs in dns-server, not in domain
add address=10.8.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.8.0.1

I'd just give 10.8.0.19 as the DNS resolver to clients (in the DHCP server settings). But if you want NAT (e.g. because you may have some clients with a hardcoded DNS resolver), then you want the same masquerade rules for port 53 (both TCP and UDP) as you have for TCP 80 (or remove protocol and port from the current one and it will work for everything).

Hi sob, thanks for the reply.

I have tried changing the NAT like you said, without luck.
I reset and then reconfigured; clients still won't resolve using my DNS server.

Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       
 0     ether1                              ether      
 1     ether2                              ether      
 2  RS ether3-LAN                          ether      
 3     ether4                              ether      
 4     ether5                              ether      
 5  RS wlan1                               wlan       
 6  X  wlan2                               wlan             
 7  R  XL-4G                               ppp-out          
 8  R  bridge-LAN                          bridge

/ip firewall nat
add action=masquerade chain=srcnat out-interface=XL-4G
add action=masquerade chain=srcnat dst-address=192.168.20.8 dst-port=80 out-interface=bridge-LAN protocol=tcp src-address=192.168.20.0/24
add action=masquerade chain=srcnat dst-address=192.168.20.8 dst-port=80 out-interface=bridge-LAN protocol=udp src-address=192.168.20.0/24
add action=masquerade chain=srcnat dst-address=192.168.20.8 dst-port=53 out-interface=bridge-LAN protocol=tcp src-address=192.168.20.0/24
add action=masquerade chain=srcnat dst-address=192.168.20.8 dst-port=53 out-interface=bridge-LAN protocol=udp src-address=192.168.20.0/24

Right now I am running with my DNS set in the DHCP server network and in IP DNS;
it directs DNS requests to my Raspberry Pi.

/ip address
add address=192.168.20.1/24 interface=bridge-LAN network=192.168.20.0

/ip dns
set allow-remote-requests=yes servers=192.168.20.8

/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.8 gateway=192.168.20.1 netmask=24

And you also kept the dstnat rules for port 53, right?

/ip firewall nat
add action=masquerade chain=srcnat out-interface=XL-4G
add action=masquerade chain=srcnat dst-address=192.168.20.8 dst-port=53 out-interface=bridge-LAN protocol=tcp \
    src-address=192.168.20.0/24
add action=masquerade chain=srcnat dst-address=192.168.20.8 dst-port=53 out-interface=bridge-LAN protocol=udp \
    src-address=192.168.20.0/24
add action=masquerade chain=srcnat dst-address=192.168.20.8 dst-port=80 out-interface=bridge-LAN protocol=udp \
    src-address=192.168.20.0/24
add action=masquerade chain=srcnat dst-address=192.168.20.8 dst-port=80 out-interface=bridge-LAN protocol=tcp \
    src-address=192.168.20.0/24
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp to-addresses=192.168.20.8 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=192.168.20.8 to-ports=53

You mean like this? Yes, but I can't browse, so I removed it.
With the above config I can browse, and Pi-hole seems to be working, blocking and caching DNS,
but there are no packet and byte counts on the NAT screen; I don't know if this is normal or not.

This is very frustrating :smiley:

You have to redirect all LAN requests to your local DNS (Pi-hole/RPi) BUT you MUST NOT redirect the DNS server's own requests, because that way you are going to create a loop.
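Putting sob's hairpin advice and the loop warning above together, here is a complete RouterOS NAT configuration as an added example; it is not taken from any post in this thread. It assumes the addresses the second config uses: Pi-hole at 192.168.20.8, LAN 192.168.20.0/24 on bridge-LAN, router 192.168.20.1, WAN interface XL-4G.

```routeros
# Added example, not from the thread. Assumed addresses: Pi-hole 192.168.20.8,
# LAN 192.168.20.0/24 on bridge-LAN, router 192.168.20.1, WAN interface XL-4G.

/ip firewall nat
# 1. Redirect every LAN DNS query (TCP and UDP) to the Pi-hole, but exclude the
#    Pi-hole itself: its upstream queries must leave untouched. A rule without
#    src-address=! would send them straight back to the Pi-hole (the loop).
add chain=dstnat in-interface=bridge-LAN src-address=!192.168.20.8 \
    protocol=udp dst-port=53 action=dst-nat to-addresses=192.168.20.8 \
    to-ports=53 comment="LAN DNS -> Pi-hole (udp)"
add chain=dstnat in-interface=bridge-LAN src-address=!192.168.20.8 \
    protocol=tcp dst-port=53 action=dst-nat to-addresses=192.168.20.8 \
    to-ports=53 comment="LAN DNS -> Pi-hole (tcp)"

# 2. Hairpin: the Pi-hole is on the same subnet as the clients. Without this
#    rule it answers a redirected query directly, and the client discards the
#    reply because it came from 192.168.20.8 instead of the resolver it asked
#    (e.g. 8.8.8.8). Masquerading makes the reply return through the router,
#    which reverses the dst-nat on the way back.
add chain=srcnat out-interface=bridge-LAN src-address=192.168.20.0/24 \
    dst-address=192.168.20.8 protocol=udp dst-port=53 action=masquerade \
    comment="hairpin DNS (udp)"
add chain=srcnat out-interface=bridge-LAN src-address=192.168.20.0/24 \
    dst-address=192.168.20.8 protocol=tcp dst-port=53 action=masquerade \
    comment="hairpin DNS (tcp)"

# 3. Ordinary internet masquerade, as in the thread.
add chain=srcnat out-interface=XL-4G action=masquerade

# Hand the Pi-hole out via DHCP so well-behaved clients never hit the redirect
# at all; the NAT rules only catch clients with a hardcoded resolver.
/ip dhcp-server network
set [find address=192.168.20.0/24] dns-server=192.168.20.8 gateway=192.168.20.1

# Check: the packet/byte counters on the two dstnat rules should climb only
# when a client queries some resolver other than 192.168.20.8 (for instance
# "nslookup example.com 8.8.8.8" from a LAN host), and that name should then
# appear in the Pi-hole query log.
/ip firewall nat print stats
```

Two points worth knowing when you run this. First, the router's own lookups (the `/ip dns` servers setting) never pass through the dstnat chain, so they do not need an exclusion; only the Pi-hole's upstream traffic does. Second, the hairpin masquerade rewrites the source of every matching query to 192.168.20.1, so the Pi-hole log attributes those queries to the router rather than to the individual client; if you want to keep per-client visibility for clients that use the Pi-hole directly, add the matcher `connection-nat-state=dstnat` to the two hairpin rules so only redirected flows are masqueraded.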