How to configure a DNS redirect to the router's local server on a VLAN interface?

I have bought the MikroTik RouterBOARD hAP ac2 for my home. Since I have poor network knowledge, I have a problem.
When I don’t create a VLAN interface in the LAN bridge, I use
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=local protocol=udp to-ports=53
to redirect DNS to the local server, and it works.
But when I use VLANs, I try to change it to
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface-list=lan protocol=udp to-ports=53
The interface list lan contains all the LAN VLAN interfaces, but it doesn’t work.
I have to use this stupid method:
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=local.vlan10 protocol=udp to-ports=53
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=local.vlan20 protocol=udp to-ports=53
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=local.vlan30 protocol=udp to-ports=53
I want to simplify it to one rule. Can you help me?

It should work the way you intend. What does /interface list member export show?

# sep/02/2018 18:45:10 by RouterOS 6.42.6

/interface list member
add interface=eth1-wan.pppoe-out1 list=WAN
add interface=local list=LAN
add interface=local.vlan10 list=LAN
add interface=local.vlan20 list=LAN
add interface=local.vlan30 list=LAN

I am struggling with VLANs myself (which is how I found this thread) for a different reason, but I too want to direct hosts to the local server for both IPv4 and IPv6. For IPv4 I do it through an IP DHCP server. Using the DHCP Setup button in Winbox, I put the server on the LAN bridge, defined the address space (192.168.1.0/24 for me), let it define the gateway (192.168.1.1) and the addresses to give out. There is no Relay and I don’t specify a DNS server. It will dynamically create the allocation pool, but using Winbox IP Addresses you need to add the address (192.168.1.1/24 for me), network (192.168.1.0 for me) and interface (the name of your bridge). Using Winbox IP DNS, I have a list of external servers for the internal DNS server to use (I chose not to use the dynamic servers from my ISP, but they may be all you need) and checked the box to allow remote requests. The hosts don’t get any DNS server information from the DHCP server, so they send DNS requests to the gateway, which gets them to the internal server.

IPv6 is more complicated, but I can describe it if you need it.

I can see different names of the VLAN interfaces here than in your earlier posts (local.vlan10 is not the same as lan.vlan10.network). Is it a result of some beautification or is it real? Better post the complete export of your configuration following the suggestion in my automatic signature.

OK, I have modified them to be the same. The result is real, thank you for your suggestion. But my question is, why doesn’t it work? Can you help me?

Post the complete configuration export, as I don’t know what you have aligned and what not; see the instructions below in the signature.

Follow-up to my post in case you decide to go that route. One more step is needed. After completing the DHCP Setup, go to the Networks tab of the DHCP window. Open the network just created and add a single DNS server, being the same address as the gateway. I discovered that without it, the clients are given a list of servers that consists of the gateway address and the servers in the DNS configuration. By explicitly specifying the single DNS server for the Network configuration, they are only given that single address, which was the goal.
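The two posts above describe the WinBox clicks; the CLI equivalent below is an added example and is not from either poster. The bridge name `bridge`, the lease range and the upstream resolvers 1.1.1.1 / 9.9.9.9 are assumptions (the posts name none of them); the addresses 192.168.1.1/24 and 192.168.1.0 are the ones the poster used.

```routeros
# Added example: CLI form of the WinBox DHCP/DNS steps described above.
# Assumptions (not from the thread): the LAN bridge is named "bridge",
# the lease range is .10-.254, and 1.1.1.1 / 9.9.9.9 stand in for
# whatever upstream resolvers you choose.

# Router address on the bridge (what WinBox "IP > Addresses" adds)
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0

# Lease pool (DHCP Setup creates this dynamically; here it is explicit)
/ip pool
add name=dhcp.lan ranges=192.168.1.10-192.168.1.254

# DHCP server bound to the bridge, no relay
/ip dhcp-server
add address-pool=dhcp.lan disabled=no interface=bridge name=dhcp.lan

# The follow-up step: hand out the gateway as the ONLY DNS server.
# Leaving dns-server= empty made clients receive the gateway plus the
# upstream servers from /ip dns, which is what the poster wanted to avoid.
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1

# Router's own resolver: answer LAN queries, forward to the upstream servers
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
```

One check worth making after this: `allow-remote-requests=yes` makes the router answer DNS on every interface, the WAN side included, unless an input-chain filter rule drops port 53 from the WAN. The full export later in this thread has no input-chain rules at all, so on that box the resolver would be reachable from the PPPoE side.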



# sep/28/2018 10:12:02 by RouterOS 6.43.2
#
# model = RBD52G-5HacD2HnD
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan speed=100Mbps
set [ find default-name=ether2 ] name=ether2 speed=100Mbps
set [ find default-name=ether3 ] name=ether3 speed=100Mbps
set [ find default-name=ether4 ] name=ether4 speed=100Mbps
set [ find default-name=ether5 ] name=ether5 speed=100Mbps
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=ether1-wan.pppoe-out1 use-peer-dns=yes user=pppoe-username
/interface vlan
add interface=lan name=lan.vlan10 vlan-id=10
add interface=lan name=lan.vlan20 vlan-id=20
add interface=lan name=lan.vlan30 vlan-id=30
/interface ethernet switch port
set 2 default-vlan-id=10 vlan-mode=secure
set 3 default-vlan-id=20 vlan-mode=secure
set 4 default-vlan-id=20 vlan-mode=secure
set 5 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk group-key-update=1h mode=dynamic-keys name=2g supplicant-identity=MikroTik
add authentication-types=wpa2-psk group-key-update=1h mode=dynamic-keys name=5g supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=china disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=2g ssid=MikroTik_2G vlan-id=40 vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=china disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=5g ssid=MikroTik_5G vlan-id=40 vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
/ip pool
add name=dhcp.vlan10 ranges=172.16.10.70-172.16.10.230
add name=dhcp.vlan20 ranges=172.16.20.90-172.16.20.230
add name=dhcp.vlan30 ranges=172.16.30.40-172.16.30.230
/ip dhcp-server
add address-pool=dhcp.vlan10 disabled=no interface=lan.vlan10 name=dhcp.vlan10
add address-pool=dhcp.vlan20 disabled=no interface=lan.vlan20 name=dhcp.vlan20
add address-pool=dhcp.vlan30 disabled=no interface=lan.vlan30 name=dhcp.vlan30
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch vlan
add independent-learning=yes ports=ether3,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=20
add independent-learning=yes ports=ether3,switch1-cpu switch=switch1 vlan-id=30
/interface list member
add interface=ether1-wan.pppoe-out1 list=WAN
add interface=lan list=LAN
add interface=lan.vlan10 list=LAN
add interface=lan.vlan20 list=LAN
add interface=lan.vlan30 list=LAN
add disabled=yes interface=ether1-wan list=WAN
add interface=ether1-wan list=WAN-MODEM
/ip address
add address=172.16.10.254/24 interface=lan.vlan10 network=172.16.10.0
add address=172.16.20.254/24 interface=lan.vlan20 network=172.16.20.0
add address=172.16.30.254/24 interface=lan.vlan30 network=172.16.30.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether1-wan use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=172.16.10.0/24 dns-server=172.16.10.254 gateway=172.16.10.254
add address=172.16.20.0/24 dns-server=172.16.20.254 gateway=172.16.20.254
add address=172.16.30.0/24 dns-server=172.16.30.254 gateway=172.16.30.254
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=forward comment="drop guest to private network" in-interface=lan.vlan30 out-interface-list=!WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN-MODEM
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1-wan.pppoe-out1 type=external
add interface=lan.vlan10 type=internal
add interface=lan.vlan20 type=internal
add interface=lan.vlan30 type=internal
add disabled=yes interface=lan type=internal
add disabled=yes interface=ether1-wan type=external
/system clock
set time-zone-name=Asia/Shanghai
/system ntp client
set enabled=yes primary-ntp=17.253.114.253
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

Here is my full export (it contains the DNS dst-nat).

When I delete

add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53

the system works well.

If I use

/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=lan.vlan10 protocol=udp to-ports=53
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=lan.vlan20 protocol=udp to-ports=53
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=lan.vlan30 protocol=udp to-ports=53
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=lan.vlan10 protocol=tcp to-ports=53
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=lan.vlan20 protocol=tcp to-ports=53
/ip firewall nat add action=redirect chain=dstnat dst-port=53 in-interface=lan.vlan30 protocol=tcp to-ports=53

it also works.

If I use

add action=redirect chain=dstnat disabled=yes dst-port=53 in-interface-list=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat disabled=yes dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53

nobody can access the internet.

With your method, guests can change the DNS server on their phone so it does not use the gateway DNS server.
I want to force users to use the gateway DNS server.

True. In fact some devices seem to have Google and OpenDNS server addresses hard-coded, such as the Firestick, Roku stick and even the iPad. They usually use the router's DNS server but sometimes go to the Internet. I have firewall rules to log their IP addresses and destinations. In your case, you could create firewall rules to block any DNS access except to the local server.

If that is the full export, it is not supposed to work at all, because the interface named lan, which all your /interface vlan entries use as a bearer interface, is not defined anywhere in the configuration. So it may work somehow by chance but not the way it should, and in such a case unexpected things may happen at the firewall level.

So unless you’ve removed that part of the configuration from the export intentionally or unintentionally, I would first do the following:

/interface bridge
add name=lan protocol-mode=none

/interface bridge port
add bridge=lan interface=ether3
add bridge=lan interface=ether4
add bridge=lan interface=ether5

/interface list member
remove [find list="LAN" interface="lan"]

And I do know that you handle VLANs on the switch chip; nevertheless, the bridge has to be defined.

I have this configured, but I don’t know why it isn't exported when I use the command from your signature.

Here is the export of that:

[root@MikroTik] > /interface bridge export  
# oct/03/2018 10:24:27 by RouterOS 6.43.2
#
# model = RBD52G-5HacD2HnD
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf name=lan   (I have hidden the real MAC)
/interface bridge port
add bridge=lan comment=defconf interface=ether3
add bridge=lan comment=defconf interface=ether4
add bridge=lan comment=defconf interface=ether5
add bridge=lan comment=defconf interface=wlan1
add bridge=lan comment=defconf interface=wlan2
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

[nikros@MikroTik] > /interface list member export  
# oct/03/2018 10:24:45 by RouterOS 6.43.2
#
# model = RBD52G-5HacD2HnD
/interface list member
add interface=ether1-wan.pppoe-out1 list=WAN
add interface=lan list=LAN
add interface=lan.vlan10 list=LAN
add interface=lan.vlan20 list=LAN
add interface=lan.vlan30 list=LAN
add disabled=yes interface=ether1-wan list=WAN
add interface=ether1-wan list=WAN-MODEM

And why do I need to use this command?

/interface list member
remove [find list="LAN" interface="lan"]

I tried that, but it also doesn't work. I still need to use the stupid method from the top of the topic. (Forgive me for my poor English.)

Oh, I have solved the problem with this command:

/interface bridge settings set use-ip-firewall-for-vlan=no

After that, everything works well.
But can you tell me the reason?
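The fragment below is an added example, not a post from the thread. It combines the bridge setting the thread ended on with the single-rule LAN-list redirect the original poster wanted (UDP and TCP), the "block any DNS access except to the local server" filter suggested earlier, and an input-chain rule for the resolver, since the full export above has `allow-remote-requests=yes` and no input-chain rules. Interface names and the LAN / WAN lists are taken from that export; the comments and log prefix are assumptions. The thread does not explain why the bridge setting mattered, and this example does not add a theory for it.

```routeros
# Added example, not from the thread. Names of interfaces and lists come
# from the export above; rule comments and the log prefix are assumptions.

# The bridge setting the thread converged on
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=no

/ip firewall nat
# One pair of rules covers every VLAN interface via the LAN list
add chain=dstnat action=redirect in-interface-list=LAN protocol=udp dst-port=53 to-ports=53 comment="force LAN DNS to router (UDP)"
add chain=dstnat action=redirect in-interface-list=LAN protocol=tcp dst-port=53 to-ports=53 comment="force LAN DNS to router (TCP)"

/ip firewall filter
# The router's resolver is for the LAN only: drop DNS arriving on the WAN
add chain=input action=drop in-interface-list=WAN protocol=udp dst-port=53 comment="no open resolver on WAN (UDP)"
add chain=input action=drop in-interface-list=WAN protocol=tcp dst-port=53 comment="no open resolver on WAN (TCP)"
# Fallback if a query somehow escapes the redirect (e.g. the NAT rule is
# disabled): log the client that tried an external resolver, then drop it
add chain=forward action=log in-interface-list=LAN protocol=udp dst-port=53 log-prefix="dns-bypass" comment="log DNS bypass attempts"
add chain=forward action=drop in-interface-list=LAN protocol=udp dst-port=53 comment="block DNS bypass (UDP)"
add chain=forward action=drop in-interface-list=LAN protocol=tcp dst-port=53 comment="block DNS bypass (TCP)"
```

Two caveats. First, with the redirect in place, LAN queries land in the input chain, not forward, so the forward rules only fire for traffic the redirect did not catch; the log rule is the easy way to confirm the redirect is actually matching. Second, all of this only covers plain port-53 DNS: a client using DNS over TLS (port 853) or DNS over HTTPS (port 443) bypasses both the redirect and the drop rules, so the hard-coded-resolver devices mentioned above can still escape if they speak those. The export also masquerades a second list, WAN-MODEM (ether1-wan itself); if that segment is untrusted, give it the same input-chain rules.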