How do I allow DNS traffic from one VLAN to another?

Hello,

I have configured my HAP AC2 to have multiple VLANs. One VLAN is for my home network computers, another for TVs and Roku and the third one is for guests. As it is configured right now, a computer in one VLAN cannot access one in another VLAN. This was the intended setup, until now. I now want to set up a PiHole DNS in my home network and want to allow limited DNS-only traffic from other VLANs. Can’t seem to figure out how to do it.

I’d also like to seek advice on whether there’s a better way to position the PiHole in my home network so that I don’t have to punch holes in the firewall for cross-VLAN traffic.

I’ve pasted my router config below.

Thanks
ZeeKay

Just place a firewall filter rule action=accept chain=forward comment="VLAN DNS Access Only" connection-state=new in-interface-list=VLAN protocol=udp dst-port=53 dst-address=ip.of.the.pihole just before the action=accept chain=forward comment="VLAN Internet Access Only" connection-state=new in-interface-list=VLAN out-interface-list=WAN one. To permit TCP DNS queries, just place another copy of that rule in the same place in the chain and change protocol to tcp.

If you’d want to permit access to the pihole to all VLAN subnets without punching a hole in the firewall, you’d have to connect the pihole to the 'Tik using a trunk and put up one interface on the pihole in each VLAN. But in that case, you’d have to be more careful about security at the pihole itself.
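As an added example (not part of the reply above), the two DNS rules in RouterOS CLI form, inserted with place-before so they land ahead of the existing internet-access rule without counting positions by hand. The Pi-hole address 192.168.100.4, the interface list names VLAN and WAN, and the presence of the "VLAN Internet Access Only" rule and an earlier established/related accept are assumptions for this example:

```routeros
# Added example, not from the thread. Assumed: the forward chain already
# contains the "VLAN Internet Access Only" accept and an earlier
# connection-state=established,related accept; interface lists "VLAN" and
# "WAN" exist; the Pi-hole is 192.168.100.4 on the home LAN.
/ip firewall filter
# place-before inserts each rule directly ahead of the internet-access rule,
# so the chain reads: established/related -> DNS to Pi-hole -> VLAN to WAN -> drop.
# Matching dst-address (one host) and dst-port=53 keeps the rest of the home
# LAN closed to the other VLANs.
add chain=forward action=accept connection-state=new \
    in-interface-list=VLAN protocol=udp \
    dst-address=192.168.100.4 dst-port=53 \
    comment="VLAN DNS Access Only (UDP)" \
    place-before=[find chain=forward comment="VLAN Internet Access Only"]
add chain=forward action=accept connection-state=new \
    in-interface-list=VLAN protocol=tcp \
    dst-address=192.168.100.4 dst-port=53 \
    comment="VLAN DNS Access Only (TCP)" \
    place-before=[find chain=forward comment="VLAN Internet Access Only"]
# Check: the order should be as described above, and the packet counters on
# the two DNS rules should increase when a VLAN client resolves a name
# against the Pi-hole while the drop counter stays flat for that client.
print stats where chain=forward
```

The connection-state=new match only works because the replies from the Pi-hole are accepted by the established/related rule earlier in the chain; if that rule is missing, answers never get back to the VLAN client even though the query counter increments.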

Another option: VRF. Have isolated routing for each VLAN, and insert a DNS server record as an allowed target.
https://wiki.mikrotik.com/wiki/Manual:Virtual_Routing_and_Forwarding

Thanks a lot!
This solved my issue

My setup with pi-hole is:

Replace 192.168.100.4 with your pi-hole IP, and the DNS servers 176.103.130.130,176.103.130.131 with yours.

On IP\DNS, set up the DNS server as the Pi-Hole private IP. Only one entry.

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=192.168.100.4

On pi-hole, set up the real DNS servers. I use 176.103.130.130 & 176.103.130.131.
On IP\NAT, intercept all DNS traffic on port 53 (UDP+TCP) except the private IP of pi-hole.

/ip firewall nat
add action=redirect chain=dstnat comment="Intercept DNS queries UDP" \
    dst-port=53 protocol=udp src-address=!192.168.100.4 \
    to-ports=53
add action=redirect chain=dstnat comment="Intercept DNS queries TCP" \
    dst-port=53 protocol=tcp src-address=!192.168.100.4 \
    to-ports=53

This way no clients have to know about the pi-hole; they don’t need to be able to reach it or to have it configured as the DNS server via DHCP.
The router will intercept DNS traffic on all interfaces, query the pi-hole, then reply to the client. A benchmark showed no speed penalty in using this setup versus using the pi-hole directly.

Extra tip
In case the pi-hole ever goes offline for some reason, set up a netwatch script in Tools\Netwatch to bypass it.

/tool netwatch
add down-script=":log warning \"Pi-Hole offline. Changing DNS\"\r\
    \n/system script run BeepDown\r\
    \n/ip dns set servers=176.103.130.130,176.103.130.131;" host=\
    192.168.100.4 interval=5s up-script=":log warning \"Pi-Hole back online. C\
    hanging DNS\"\r\
    \n/system script run BeepUp\r\
    \n/ip dns set servers=192.168.100.4;"

later edit: Delete /system script run BeepDown and /system script run BeepUp from the netwatch script, or create the scripts with some sound in them to get audio notifications when the pi-hole goes offline.
Example /system script BeepDown:

:beep frequency=580 length=300ms;
:delay 300ms;
:beep frequency=580 length=300ms;
:delay 300ms;
:beep frequency=370 length=600ms;

and /system script BeepUp:

:beep frequency=580 length=300ms;
:delay 300ms;
:beep frequency=580 length=300ms;
:delay 300ms;
:beep frequency=870 length=600ms;

Word of caution: using pi-hole and DNS is tricky business. I tried doing it and ended up removing it due to the number of weird scenarios where family members’ internet worked sporadically.
Now I am a complete noob at RouterOS and there are so many ways to frig a setup that it should work just fine; it’s just that my experience has not been a happy one.
I reverted to setting a DNS server for each VLAN and not going through the router or Pi-hole at all. Be it 8.8.8.8 or 1.1.1.1 etc… I may try again in the future.

Thanks for another way to set it up. I love RouterOS because it allows me to accomplish what I want in different ways. Though I’m always curious which one is more elegant and, once I forget about it, how easy it is for me to grab the concepts back and trace my setup (that happens a lot :) ). I’ve also created a network diagram of my setup so that I can remember what I did. I don’t have a sys admin or networking background, though I did my RHCSA back in the day.

I’m curious … why would you implement DNS this way, vs just add PiHole to the IP > DNS?
What’ll happen if I change DNS on my computer manually to point to CloudFlare DNS or something? Will your solution still hijack the DNS traffic and reroute it via PiHole?

Thanks
ZeeKay

Dude you’re the forum guru and you’re saying you’re a noob. If that’s the case then I haven’t even started yet.

PiHole can be tricky in the beginning but as you learn to use it better it becomes a very useful tool IMO. This is true for any new monitoring / filtering layer you put up on your network. So I won’t ever roll it out with a bang without first running a pilot on few devices and then work out the kinks first. VPN, RDP and other work related scenarios can be tricky and I don’t want to leave people stranded without making sure they work properly. I just started my pilot.

What specific issue got you spooked with PiHole?

Haha Zeekay, I wish I could remove the nick addendum; it only reflects the number of posts, not the quality of posts. ;)

I am doing it this way because if I use the pi-hole as a DNS server directly and it ever goes offline, the whole DNS will be offline for the whole DHCP network.
The way I described my setup, if the pi-hole goes offline, the netwatch script will fix it in under 5 seconds and the downtime in DNS service will be minimal.


Yes.
You can even do:
[screenshot: nslookup.png]
The client will try to connect to another DNS server and will think it is actually connected to it, as you can see from the above screenshot.
I have blacklisted example.com just for testing on pi-hole. As you see, it resolves to 0.0.0.0 “via” google DNS.

I just tested this and the bold is not entirely true.
Your solution does work, but the clients are still aware of pihole’s IP address, since RouterOS seems to have an annoying habit of handing out the DNS server addresses directly to the DHCP client instead of being the one and only primary DNS (handling everything internally), like all my other routers used to do so far. Is there a way to change this behaviour?

EDIT: Never mind, it seems that setting the gateway as DNS in /ip dhcp-server network fixes it. :)
EDIT2: Turns out that you don’t even need any NAT redirect rules with this setup.
/ip dns - set to pihole IP
/ip dhcp-client - turn off peer DNS
/ip dhcp-server network - set gateway and DNS to same IP, so that the clients don’t get the DNS servers directly.

Works on every VLAN, despite them not being able to see each other.
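The three-step variant above as one RouterOS config block, added here as an example and not taken from the post. It assumes the Pi-hole is 192.168.100.4 on the home VLAN, that the TV and guest VLANs are 192.168.20.0/24 and 192.168.30.0/24 with the router at .1 in each, and that ether1 carries the WAN DHCP client; the WAN-side drop rules are the open-resolver guard that allow-remote-requests=yes makes necessary:

```routeros
# Added example, not from the thread. Assumed addressing: Pi-hole at
# 192.168.100.4 (home VLAN), TV VLAN 192.168.20.0/24, guest VLAN
# 192.168.30.0/24, router at .1 in each, WAN DHCP client on ether1.

# 1. The router is the only resolver clients ever learn about; it forwards
#    to the Pi-hole. allow-remote-requests=yes is what makes the router
#    answer queries from LAN clients at all.
/ip dns
set allow-remote-requests=yes servers=192.168.100.4

# 2. Stop the ISP lease from overwriting that server list.
/ip dhcp-client
set [find interface=ether1] use-peer-dns=no

# 3. Hand out each VLAN's gateway as the DNS server, not the Pi-hole address,
#    so TV and guest clients never need a route into the home VLAN.
/ip dhcp-server network
set [find address=192.168.20.0/24] gateway=192.168.20.1 dns-server=192.168.20.1
set [find address=192.168.30.0/24] gateway=192.168.30.1 dns-server=192.168.30.1

# 4. allow-remote-requests=yes answers on every interface, WAN included.
#    Drop port 53 from the WAN in the input chain, ahead of any DNS accept,
#    or the router becomes an open resolver on the Internet. The input chain
#    must still accept port 53 from in-interface-list=VLAN (see the input
#    filter rule further down the thread) or the VLAN clients get nothing.
/ip firewall filter
add chain=input action=drop in-interface-list=WAN protocol=udp dst-port=53 \
    comment="No DNS from WAN (UDP)"
add chain=input action=drop in-interface-list=WAN protocol=tcp dst-port=53 \
    comment="No DNS from WAN (TCP)"
```

With this in place a client on the guest VLAN sees only 192.168.30.1 as its resolver, and the Pi-hole's address never leaves the home VLAN. Clients that hard-code 8.8.8.8 or 1.1.1.1 bypass the Pi-hole here; that case is exactly what the dstnat redirect rules earlier in the thread are for.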

No clue where you got lost. This setup works just fine for hundreds of clients.
If you need a small diagram, reply and will do one.

Ended up at this post with a similar requirement, but the suggestion doesn’t fit. My requirement was to allow DNS lookups from a VLAN to the DNS server running on the router itself. Therefore, when I first saw the suggestion of a forward rule I was suspicious, as the existing firewall filter that was dropping traffic between VLAN and LAN was this one:

/ip firewall filter
add action=drop chain=input comment="drop all not coming from LAN inc. VLAN" in-interface-list=!LAN

Disabling this rule, DNS lookups from the 10.0.0.x VLAN to 192.168.88.1 worked fine. For my requirement, I needed an input filter:

/ip firewall filter
add action=accept chain=input comment="Allow DNS from VLAN to LAN based DNS server" dst-address=192.168.88.1 dst-port=53 in-interface-list=VLAN protocol=udp

Added before the drop rule above.
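Traffic addressed to the router itself goes through the input chain, never forward, which is why a forward rule does nothing for the router's own resolver. As an added example (not from the post above), the same input fix with the TCP half added and the ordering made explicit with place-before, so the accept rules land ahead of the catch-all drop rather than relying on the order they were typed in; the 192.168.88.1 address, the "VLAN" interface list and the drop rule's exact comment are taken from the post and are assumptions for this block:

```routeros
# Added example, not from the post. Assumed: router LAN address 192.168.88.1,
# interface list "VLAN" exists, and the drop rule carries the comment
# "drop all not coming from LAN inc. VLAN" exactly as posted.
/ip firewall filter
# dst-address must be whichever router address the VLAN clients are pointed
# at; if DHCP hands out the VLAN gateway (e.g. 10.0.0.1) instead of
# 192.168.88.1, change it or leave dst-address off.
add chain=input action=accept protocol=udp dst-port=53 \
    in-interface-list=VLAN dst-address=192.168.88.1 \
    comment="Allow DNS from VLAN to router resolver (UDP)" \
    place-before=[find chain=input comment="drop all not coming from LAN inc. VLAN"]
add chain=input action=accept protocol=tcp dst-port=53 \
    in-interface-list=VLAN dst-address=192.168.88.1 \
    comment="Allow DNS from VLAN to router resolver (TCP)" \
    place-before=[find chain=input comment="drop all not coming from LAN inc. VLAN"]
# Check: run "nslookup example.com 192.168.88.1" from a 10.0.0.x host, then
# confirm the two accept counters moved and the drop counter did not.
print stats where chain=input
```

Only port 53 is opened towards the router; everything else from the VLAN (WebFig, SSH, Winbox) still hits the drop rule, which is the point of keeping the accept this narrow.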