Hotspot - do not bypass dns router role how ?

JohnTRIVOLTA · February 23, 2019, 1:14pm

Hello friends. I have a router that has multiple networks and the router has a roll for dns. I have a problem with the hotspot, and can not intercept and redirect the different dns server addresses manually seted from clients. The standard rule can not intercept addresses from hotspots network only.
My question is with which rule put in the firewall to redirect to the local router addresses at a hotspot too?

anav · February 23, 2019, 2:56pm

I can only show you what I do…

/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,8.8.4.4,208.67.220.220,208.67.222.222
/ip dhcp-server network
add address=192.168.0.0/24 comment=HomeDHCP dns-server=192.168.0.1 gateway=\
    192.168.0.1
add address=192.168.2.0/24 comment=DMZLan_Network dns-server=192.168.2.1 \
    gateway=192.168.2.1
/ip firewall filter (I only allow certain traffic and use drop rule at end of chains)
{input chain}
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
/ip firewall nat
add action=redirect chain=dstnat comment=\
    "Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=\
    tcp src-address-list=!VLAN_Interfaces
add action=redirect chain=dstnat comment=\
    "Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=\
    udp src-address-list=!VLAN_Interfaces

..
In my case I dont care about VLANs with only access to the internet but everything else is forced if attempts are made to bypass the normal router setup.

JohnTRIVOLTA · February 23, 2019, 3:54pm

Hello Anav, thanks for the quick answer!
I already use these rules and work well, but they do not work on the hotspot network unfortunately. There are clients who put a static DNS address and thus jump my router and resolve to the their DNS.
I think there must be some rule/s/ between the dynamic ones that are for hotspot ?
After the client’s authorization passes, the subsequent requests to the static DNS will be redirected to the router, I do not want to block them, but this happens quietly, as with the other networks!

anav · February 23, 2019, 4:05pm

Wow, okay that is good to know. I wonder why hotspot functionality bypasses NAT rules??

JohnTRIVOLTA · February 23, 2019, 6:38pm

This is my question too !

sebastia · February 23, 2019, 7:17pm

I’ve understood that hotspot applies it’s own set of nat rules to control access, which usually (=default) get added in front and hence will take effect before existing rules.

But whatever nat is applied, you can control what passes the router: just block any other dns traffic in “/ip firewall filter chain=forward”