Hello,
I have a router that I use as a WiFi router -
mikrotik(10.0.0.253)----->Fortigate(10.0.0.254)------internet(0.0.0.0/0)
in the mikrotik I have DHCP setting for WiFi users (172.16.45.0/24 is the WiFi network, 10.0.0.254 is the router gateway)
what do I need to do in order to start using the Pi-hole (address 10.0.0.150)?
what do I need to change in the router setting \ DHCP setting?
or do I only need to change the DNS to 10.0.0.150?
In winbox go to IP > DHCP Server > Network
Then add yours, double click on your network and add the Pi-hole address as your DNS server.
When the clients do the connection, it will go together with the dhcp lease.
The existing connection have to wait 'till it updates. Or you can force it.
Apart from that there are some “extras” you can / should add:
DROP any outgoing DNS packets NOT originating from your Pi-hole. I notice here that some Android clients just have Google IPs hardcoded in them and are still doing lookups to 8.8.8.8 / 8.8.4.4 even while having the Pi-hole offered to them via DHCP.
Alternative to DROP is to “intercept” them and deliver them to the Pi-hole. I do that via a “mangle” rule.
Perhaps have some scripts on the Mikrotik running to “check” if your Pi-hole can still resolve? Sort of a “backup” plan, unless you perhaps have 2 Pi-hole devices running on the network?
There are several posts on the forum concerning this.
…and then there is also the DNS-over-HTTPS and DNS-over-TLS that you see more and more.
I drop all of this traffic trying to go out, but probably cannot capture all of it all the time.
I use a list that I fetch that contains a lot of public DoH/DoT servers, but I am not sure how accurate/up-to-date it is.
Here is the code that automatically fails over to another DNS server if your Pi-hole is not reachable. Works like a charm, like an HA Pi-hole.
“/system scheduler”. Any name you want, interval set to 30s (or 10s) and put this code:
# Scheduler script: fall back to public resolvers while the Pi-hole cannot resolve,
# and switch back to the Pi-hole as soon as it answers again.
# Note: the DNS property is "servers" (plural), the same name used by "/ip dns set" below.
:local currentDNS [/ip dns get servers]
:local piholeDNS "192.168.0.10"
:local backupDNS "1.1.1.2,1.0.0.2"
:local testDomain "www.google.com"
:if ($currentDNS = $piholeDNS) do={
    # Pi-hole is the active resolver: test it, and on failure switch to the backup servers
    :do {
        :resolve $testDomain server=$piholeDNS
    } on-error={
        /ip dns set servers=$backupDNS
    }
} else={
    # Backup servers are active: test the Pi-hole and switch back only if the lookup succeeds
    :do {
        :resolve $testDomain server=$piholeDNS
        /ip dns set servers=$piholeDNS
    } on-error={}
}
Also note that Pi-hole is not something unique. There are other projects; I am personally a fan of https://github.com/0xERR0R/blocky as it is a single project (no http/php/dnsmasq etc. dependencies), supports DoH and works like a charm.
OK,
I will use the DNS script,
and I have changed the DNS in the DHCP server setting.
Thank you all.
by the way - does anyone know if I can use the Pi-hole as a proxy server?
I can see it’s blocking the ads without any problem (so he can tell when there is an image\video I assume), but can I also block images (*.jpg) for example?
or if I go further, can I put my own jpg instead of the website jpg?
I have a small project where I want to use the Pi-hole (or if someone has a better free block project) in a place with kids
and I don’t want them \ anyone around the area to get p0rn \ nude images
so I thought maybe I can block the images from that website - and put a smiley face \ peace sign or something like this
Instead of relying on DHCP you can just make a destination NAT:
-set the DNS server via DHCP to the MikroTik's IP (default GW)
-set up a DNS server on the MT (that's just for fallback)
-set up a destination NAT for DNS requests to your Pi-hole
-use Tools/Netwatch and a script to monitor Pi-hole reachability and disable the DNAT rule
That's how I do it. Unfortunately I don't have that script at hand now. But I found mine somewhere buried in these forums.
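The DNAT-plus-Netwatch setup described above, written out as an added example (not the poster's missing script). It assumes the Pi-hole at 10.0.0.150 and the WiFi subnet 172.16.45.0/24 from this thread, plus two assumptions of its own: the MikroTik holds 172.16.45.1 on that subnet, and an interface list named LAN contains the WiFi bridge.

```routeros
# Added example, not code from the thread. Assumed values: Pi-hole 10.0.0.150,
# MikroTik WiFi address 172.16.45.1, interface list "LAN" (hypothetical names).

# 1. DHCP hands out the MikroTik itself as DNS; the MikroTik forwards to the Pi-hole.
#    "allow-remote-requests" is required for the router to answer client queries.
/ip dns set allow-remote-requests=yes servers=10.0.0.150
/ip dhcp-server network set [find address="172.16.45.0/24"] dns-server=172.16.45.1

# 2. Redirect every plain DNS query from WiFi clients (including hard-coded 8.8.8.8)
#    to the Pi-hole. Queries already addressed to the Pi-hole are left untouched.
#    Both rules share one comment so Netwatch can toggle them together.
/ip firewall nat add chain=dstnat comment="dns-to-pihole" in-interface-list=LAN \
    protocol=udp dst-port=53 dst-address=!10.0.0.150 \
    action=dst-nat to-addresses=10.0.0.150 to-ports=53
/ip firewall nat add chain=dstnat comment="dns-to-pihole" in-interface-list=LAN \
    protocol=tcp dst-port=53 dst-address=!10.0.0.150 \
    action=dst-nat to-addresses=10.0.0.150 to-ports=53

# 3. Netwatch pings the Pi-hole every 30s. While it is down, the redirect rules are
#    disabled and the router's own resolver (pointed at public servers) answers clients;
#    when it comes back, the redirect and the Pi-hole upstream are restored.
/tool netwatch add host=10.0.0.150 interval=30s timeout=2s \
    up-script="/ip firewall nat enable [find comment=\"dns-to-pihole\"]; \
               /ip dns set servers=10.0.0.150; \
               :log info \"Pi-hole up: DNS redirect enabled\"" \
    down-script="/ip firewall nat disable [find comment=\"dns-to-pihole\"]; \
                 /ip dns set servers=1.1.1.2,1.0.0.2; \
                 :log warning \"Pi-hole down: DNS redirect disabled, using public DNS\""
```

Because the Pi-hole sits on the 10.0.0.0/24 side, its replies must reach the 172.16.45.0/24 clients; if the MikroTik masquerades WiFi traffic, that works but the Pi-hole then logs every query as coming from the router and per-client statistics are lost. A ping check also only proves the host is up, not that its resolver answers, so keep the `:resolve`-based scheduler script from earlier in the thread if you want that stronger check.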
Only in an emergency situation, when the Pi-hole breaks down and I have no possibility to manually reset leases - to save my family from “NO INTERNET ACCESS”