Force DNS request

I have an AdGuard container on MikroTik. It works perfectly. I wanted to make a rule so that if someone changes the DNS in the network card, all traffic is directed to AdGuard. I created this rule:

/ip firewall nat add chain=dstnat src-address-list=!pi-hole protocoll=udp dst-port=53 action=dst-nat to-address=10.1.1.2

where 10.1.1.2 is the DNS server. Is that all, or am I missing something?

  1. Ensure all users requiring AdGuard have a forward chain allow rule to reach 10.1.1.2

  2. You need two dstnat rules (one for UDP and one for TCP), and protocol has to be spelled correctly

So:
/ip firewall nat
add chain=dstnat src-address-list=!pi-hole protocol=udp dst-port=53 action=dst-nat to-address=10.1.1.2
add chain=dstnat src-address-list=!pi-hole protocol=tcp dst-port=53 action=dst-nat to-address=10.1.1.2

Assuming the source address list at a minimum includes 10.1.1.2 and perhaps any other devices not being pushed to AdGuard.
Also note, in the DHCP server network for AdGuard, be careful that you don't loop AdGuard to itself there either…

For example assuming 3 subnets, you should be doing this:
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=10.1.1.2 gateway=192.168.1.1
add address=192.168.2.0/24 comment=defconf dns-server=10.1.1.2 gateway=192.168.2.1
add address=10.1.1.0/24 comment=defconf dns-server=10.1.1.1 gateway=10.1.1.1

  1. If LAN clients are on the same subnet as the pi-hole, then you need to implement the SRC NAT part of hairpin NAT
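Pulling the two replies above together, as an added example that is not from either poster: the exemption address list, the two dstnat rules, the forward allow from the first reply, and the srcnat (hairpin) part from the second reply, which only applies when clients share a subnet with the resolver. The topology is the one described in this thread (AdGuard at 10.1.1.2, router at 10.1.1.1, clients in 192.168.1.0/24 and 192.168.2.0/24); the comments, the list membership and the rule placement are my assumptions, not the original configuration.

```routeros
# Added example, not from the original posts. Force every plain-DNS client
# through the AdGuard container at 10.1.1.2 on RouterOS.
#
# Assumed topology (from the thread, not verified against the poster's box):
#   AdGuard container  10.1.1.2 on a veth, router side 10.1.1.1
#   client subnets     192.168.1.0/24 and 192.168.2.0/24

# Hosts allowed to talk to arbitrary resolvers. The resolver itself must be
# here, otherwise its upstream queries are redirected back to itself (a loop).
/ip firewall address-list
add list=pi-hole address=10.1.1.2 comment="AdGuard container, exempt from redirect"
add list=pi-hole address=10.1.1.1 comment="router veth address, exempt from redirect"

# One dst-nat rule matches one protocol, so UDP and TCP each need a rule.
# TCP 53 is used for truncated answers and large records; redirecting UDP only
# lets a client bypass AdGuard with a TCP query. to-addresses is the full
# parameter name; RouterOS also accepts the abbreviation to-address.
/ip firewall nat
add chain=dstnat src-address-list=!pi-hole protocol=udp dst-port=53 \
    action=dst-nat to-addresses=10.1.1.2 comment="force UDP DNS to AdGuard"
add chain=dstnat src-address-list=!pi-hole protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=10.1.1.2 comment="force TCP DNS to AdGuard"

# Hairpin srcnat: only needed when a client sits in 10.1.1.0/24 next to the
# resolver. Without it AdGuard answers the client directly, the client sees a
# reply from 10.1.1.2 to a query it sent to 8.8.8.8, and drops it. Caveat:
# with this rule AdGuard logs the router, not the client, as the source.
add chain=srcnat src-address=10.1.1.0/24 dst-address=10.1.1.2 \
    action=masquerade comment="hairpin for same-subnet DNS clients"

# The redirected packets arrive in the forward chain with dst 10.1.1.2, so
# they need to be accepted there. Place this above any drop rule in forward
# (for example before the default "drop all not coming from LAN" rule).
/ip firewall filter
add chain=forward src-address-list=!pi-hole dst-address=10.1.1.2 \
    protocol=udp dst-port=53 action=accept comment="allow redirected UDP DNS"
add chain=forward src-address-list=!pi-hole dst-address=10.1.1.2 \
    protocol=tcp dst-port=53 action=accept comment="allow redirected TCP DNS"
```

To check that the redirect is working, run a query from a client against a resolver it should not be able to reach directly (for example `dig @8.8.8.8 example.com`) and confirm in the AdGuard query log that the request appears there; if the client gets an answer and AdGuard shows nothing, either the client is in the exemption list or the forward rule is below a drop.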

AdGuard is in a container in the MikroTik itself, so it has a veth /30. The clients are on multiple VLANs with different subnets from the server.

I think the problem is DoH. If I do a torch I see requests towards 8.8.8.8:443, so AdGuard is skipped. How do I manage these requests so that everything is processed by AdGuard?

You don’t manage DoH requests, you live with it.

Could this solve it?
https://github.com/ncravino/mikrotik_enforce_dns_block_doh#redirecting-all-tcpudp-dns-requests-to-your-router

Yes, this would help … but you’d have to constantly update the list of DoH servers … so it’s a moving target.

I solved it by implementing a DoH list and a list update script.
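For reference, the shape such a setup takes, as an added example that is not the poster's script and not the linked repository's code: DoH is HTTPS to a resolver, so the port-53 redirect never sees it and it has to be matched by destination. RouterOS re-resolves hostnames placed in an address list, which removes some of the "moving target" work; the hostnames listed are a starting set chosen by me, not a complete inventory, and the SNI rule is an optional extra that depends on the RouterOS version.

```routeros
# Added example, not from the original posts. Block the DoH endpoints that the
# port-53 redirect cannot catch, so clients fall back to plain DNS and land on
# AdGuard. Hostnames in an address list are periodically re-resolved by the
# router (RouterOS 6.36 and later), so these entries track IP changes without
# a script. The list below is an assumed starting set and will be incomplete;
# the thread's point about a moving target still applies.
/ip firewall address-list
add list=doh address=dns.google comment="Google DoH"
add list=doh address=8.8.8.8 comment="Google, seen directly by IP in torch"
add list=doh address=8.8.4.4 comment="Google"
add list=doh address=cloudflare-dns.com comment="Cloudflare DoH"
add list=doh address=one.one.one.one comment="Cloudflare DoH"
add list=doh address=dns.quad9.net comment="Quad9 DoH"

/ip firewall filter
# Reject rather than drop for TCP: a reset makes the browser fail over to the
# system resolver immediately instead of waiting out a timeout. The pi-hole
# list is exempt so AdGuard itself can still use encrypted upstreams.
add chain=forward src-address-list=!pi-hole dst-address-list=doh \
    protocol=tcp dst-port=443 action=reject reject-with=tcp-reset \
    comment="block DoH to listed resolvers"
# HTTP/3 (QUIC) to the same hosts runs over UDP 443.
add chain=forward src-address-list=!pi-hole dst-address-list=doh \
    protocol=udp dst-port=443 action=drop comment="block DoH over QUIC"
# DNS over TLS is a fixed port, so it needs no list at all.
add chain=forward src-address-list=!pi-hole protocol=tcp dst-port=853 \
    action=reject reject-with=tcp-reset comment="block DoT"

# Optional, RouterOS 6.41 and later: match the TLS SNI so a resolver is caught
# even when its IP is not yet in the list. Only works while the client sends
# the hostname in the clear in the ClientHello.
add chain=forward src-address-list=!pi-hole protocol=tcp dst-port=443 \
    tls-host=*dns.google* action=reject reject-with=tcp-reset \
    comment="block DoH by SNI"
```

Two caveats worth keeping in mind. Blocking by destination also blocks any non-DNS HTTPS service that shares the listed address, so keep the list to resolver hostnames rather than whole provider ranges. And a browser with a hard-coded DoH resolver that cannot be reached will usually fall back to the system resolver, which is the behaviour this relies on; a client configured to fail closed will simply lose DNS until the user turns DoH off.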