Mikrotik,pihole & unbound.

shafiqrahman · April 29, 2021, 2:27pm

I have been using my mikrotik with DoH since last year without any issues. So, I recently bought a raspberry pi for the purpose of blocking ads. My previous attempt of blocking ads with scripts in mikrotik doesn’t go well. Though, pi hole itself has its own issue, but the main thing is that its reliability can be solved by a simple script http://forum.mikrotik.com/t/script-automatically-change-dns-if-pi-hole-is-no-longer-working/140040/20 Then if I use unbound as resolver, its fails to resolve some pages and if I use unbound as a forwarder it works. So, to my understanding my mikrotik is doing that forwarding for years. Which makes unbound as resolver useless. So, is there is away that I can use my mikrotik as a dns server with DoH that I was using before but only ads being removed through the pihole and in case of pihole failure it won’t break the internet? And when the pihole is up again it will start filtering ads again. Tried this

/ip firewall nat add
chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 to-address=192.168.88.5

Where 192.168.88.5 is the pihole address and in pihole dns I added 192.162.88.1(router).
Such as:

Client → Mikrotik–>pihole–>Mikrotik as a DNS–> wan

Cablenut9 · April 29, 2021, 3:21pm

You can’t use a Mikrotik device as a DoH server, only a client.

Here are some good things you can do to make a better DNS setup:
→ Set up a Netwatch to disable the redirect when the PiHole goes down.
→ Exclude the PiHole’s address from the DNS redirect.
→ Set up a backup PiHole that gets used when the main one goes down.

shafiqrahman · April 29, 2021, 4:17pm

Yes, as a Doh client, following this post http://forum.mikrotik.com/t/doh-server-connect-error-network-is-unreachable/141603/10 Netwatch will solve the dns reliability problem. Currently getting a second pihole is not an option. I will be okay without the 2nd pihole. But , how do I route the dns traffic through the pihole, where my router will still be the main dns server?

/ip firewall nat
add action=dst-nat chain=dstnat comment=dns_redirect dst-port=53 in-interface-list=LAN protocol=udp src-address=!192.168.88.5 to-addresses=192.168.88.5 to-ports=53
add action=masquerade chain=srcnat comment=dns_redirect dst-address=192.168.88.5 dst-port=53 protocol=udp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment=dns_redirect dst-port=53 in-interface-list=LAN protocol=tcp src-address=!192.168.88.5 to-addresses=192.168.88.5 to-ports=53
add action=masquerade chain=srcnat comment=dns_redirect dst-address=192.168.88.5 dst-port=53 protocol=tcp src-address=192.168.88.0/24

used this but pihole not getting any traffic. 192.168.88.5 is pihole address.

shafiqrahman · May 5, 2021, 9:35pm

Figured it out using

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.5 gateway=192.168.88.1 netmask=24

add address=192.168.88.5/32 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24

Solution by @vecernik87 http://forum.mikrotik.com/t/alternate-dns-for-specific-ip-on-lan-is-it-possible/125145/1
Now, how do I add a fallback script, something like this,with the above code:

:local currentDNS [/ip dns get server]
:local piholeDNS "192.168.88.5"
:local backupDNS "8.8.8.8,8.8.4.4"
:local testDomain "www.google.com"

:if ($currentDNS = $piholeDNS) do={
    :do {
        :resolve $testDomain server $piholeDNS
    } on-error={
        /ip dns set servers=$backupDNS
    }
} else={
    :do {
        :resolve $testDomain server $piholeDNS
        /ip dns set servers=$piholeDNS
         } on-error={}
}

2frogs · May 6, 2021, 11:31pm

It is better to have your PiHole on a different subnet, this way you can use dst-nat to do the fail over. You will not have to wait for your dhcp-lease on each device to renew before the fail over works.

/ip route
add dst-address=192.168.188.2 gateway=bridge

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.188.2 gateway=192.168.88.1
add address=192.168.188.2/32 dns-server=192.168.88.1 gateway=192.168.88.1

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.188.2 dst-port=53 protocol=tcp to-address=192.168.88.1 comment=pihole_bypass disabled=yes
add action=dst-nat chain=dstnat dst-address=192.168.188.2 dst-port=53 protocol=udp to-address=192.168.88.1 comment=pihole_bypass disabled=yes

And then schedule this script to run however often you like:

:if ([/ip firewall nat get [find where comment=pihole_bypass] disabled]=yes) do={:do {resolve google.com server=192.168.188.2} on-error={/ip firewall nat enable [find where comment=pihole_bypass]}} else={:do {resolve google.com server=192.168.188.2; /ip firewall nat disable [find where comment=pihole_bypass]}}

shafiqrahman · May 9, 2021, 2:11am

Thank you for the reply. I have too many containers in my raspberry with their own static IP using macvlan, So, excluded the different subnet. So, I had this dhcp-server network setup with the nat rule you provided:

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.5 gateway=192.168.88.1
add address=192.168.88.5/32 dns-server=192.168.88.1 gateway=192.168.88.1
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.88.5 dst-port=53 protocol=tcp to-address=192.168.88.1 comment=pihole_bypass disabled=yes
add action=dst-nat chain=dstnat dst-address=192.168.88.5 dst-port=53 protocol=udp to-address=192.168.88.1 comment=pihole_bypass disabled=yes

And then schedule the script as follow:

:if ([/ip firewall nat get [find where comment=pihole_bypass] disabled]=yes) do={:do {resolve google.com server=192.168.88.5} on-error={/ip firewall nat enable [find where comment=pihole_bypass]}} else={:do {resolve google.com server=192.168.88.5; /ip firewall nat disable [find where comment=pihole_bypass]}}

But, the issue is that the script is running but not enabling the nat rules. Also, from my previous tries on redirecting through nat rules doesn’t yield any results. though nat rules catch some traffics and send them to pihole. Pihole can resolve them by its own dns, but cant forward those queries when the dns on pihole is set to the router.
So, I enabled the nat rules manually and turned off my pihole, but those rules showing 0B traffic. Then I added the

/ip route
add dst-address=192.168.88.5 gateway=bridge

But, without any luck.
Currently , the only solution I was able to partially make work is:

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.5 gateway=192.168.88.1
add address=192.168.88.5/32 dns-server=192.168.88.1 gateway=192.168.88.1

Scheduler script:

:local currentDNS "192.168.88.5"
:local gateway "192.168.88.1"
:local piholeDNS "192.168.88.5"
:local testDomain "www.google.com"

:if ([/ip dhcp-server network get [find dns-server=$piholeDNS]]) do={
    :do {
        :resolve $testDomain server $piholeDNS
    } on-error={
        /ip dhcp-server network remove [find comment="defconf"]
        /ip dhcp-server network add address=192.168.88.0/24  comment=defconf  gateway=$gateway netmask=24
    }
} else={
     :do {
        :resolve $testDomain server $piholeDNS 
         /ip dhcp-server network set 0 address=192.168.88.0/24 dns-server=$piholeDNS comment=defconf gateway=$gateway netmask=24 
            } on-error={}
}

The issue with this script is that it stops working after [ code] } else={[/code] . Breakdown of the code:
Line 1 :

:local currentDNS "192.168.88.5"

I really love to have some rules like

 [/ip dns get servers]

and tried

[/ip dhcp-server network address=192.168.88.0/24 comment=defconf get dns-servers]

but didn’t get any results. Closest I found is that

:local currentDHCPDNS [/ip dhcp-server network print count-only where dns-server=$piholeDNS]

. But couldn’t make that work with
Line 6:

:if ($currentDNS = $piholeDNS) do={

, so I ended up with

Line 6:

::if (/ip dhcp-server network get [find dns-server=$piholeDNS]) do={

Line 9 :

 /ip dhcp-server network set 0 address=192.168.88.0/24 dns-server=$piholeDNS comment=defconf dns-none=yes gateway=$gateway netmask=24

This code executed correctly. But had some difficulties understanding what it does and also reverse command at line 16

 /ip dhcp-server network set 0 address=192.168.88.0/24 dns-server=$piholeDNS comment=defconf dns-none=no gateway=$gateway netmask=24

after

} else={

doesn’t work and seems buggy.

The Dns address should be in the first field. not the second line.
So, I added

Line 10:

 /ip dhcp-server network remove [find comment="defconf"]

Line 11:

/ip dhcp-server network add address=192.168.88.0/24  comment=defconf  gateway=$gateway netmask=24

Where, line 10 removes the address and line 11 adds a line without the DNS server.
Line 13:

} else={

After, this nothing works.
Line 16:

/ip dhcp-server network set 0 address=192.168.88.0/24 dns-server=$piholeDNS comment=defconf gateway=$gateway netmask=24

Does not adds the dns value in the field.

Any elegant working solution will be very much appreciated and helpful.

shafiqrahman · May 9, 2021, 5:50pm

I have somehow managed to complete the script. There is only a single issue that is “dhcp changed by” entries in logs. There are two variants, though they are both the same and do the same things.
Script 1

:local gateway "192.168.88.1"
:local currentDNS [/ip dhcp-server network get [find comment=defconf] dns-server]
:local piholeDNS "192.168.88.5"
:local backupDNS ""
:local testDomain "www.google.com"

:if ($currentDNS = $piholeDNS) do={
    :do {
        :resolve $testDomain server $piholeDNS
    } on-error={
        /ip dhcp-server network set 0 address=192.168.88.0/24 dns-server=$backupDNS comment=defconf gateway=$gateway netmask=24;
    }
} else={
    :do {
        :resolve $testDomain server $piholeDNS
        /ip dhcp-server network set 0 address=192.168.88.0/24 dns-server=$piholeDNS comment=defconf gateway=$gateway netmask=24;
    } on-error={}
}

Script 2

:local gateway "192.168.88.1"
:local currentDNS [/ip dhcp-server network get [find comment=defconf] dns-server]
:local piholeDNS "192.168.88.5"
:local backupDNS ""
:local testDomain "www.google.com"

:if ($currentDNS = $piholeDNS) do={
    :do {
        :resolve $testDomain server $piholeDNS
    } on-error={
        /ip dhcp-server network set [find comment=defconf] dns-server=$backupDNS;
    }
} else={
    :do {
        :resolve $testDomain server $piholeDNS
        /ip dhcp-server network set [find comment=defconf] dns-server=$piholeDNS;
    } on-error={}
}

2frogs · May 9, 2021, 5:51pm

The reason the NAT rules do not work when in the same subnet, is because the clients communicate directly with one another. For the router to do the NAT, that traffic has to passthrough it’s CPU. This does not happen even when clients are connected to the router, but on bridged interfaces. If this was your only router, with no other switches or aps, you could use bridge filtering at a big performance loss.

You could just set the router to be the DNS-Server and NAT it to the PiHole, but you loose the tracking of the individual clients as the PiHole will only see the router.

Here is a working example of the script you worked on:

:local IPsubnet "192.168.88.0/24"
:local currentDNS
:local piholeDNS "192.168.88.5"
:local alternateDNS "192.168.88.1"
:local testDomain "www.google.com"

:set $currentDNS [/ip dhcp-server network get [find address=$IPsubnet] dns-server]

:if ($currentDNS=$piholeDNS) do={
    :do {
        :resolve $testDomain server=$piholeDNS
            } on-error={
                /ip dhcp-server network set [find address=$IPsubnet] dns-server=$alternateDNS
                }
} else={
    :do {
        :resolve $testDomain server=$piholeDNS
        /ip dhcp-server network set [find address=$IPsubnet] dns-server=$piholeDNS
            } on-error={
            }
}

But you do realize you have to wait for each client to renew their DHCP Lease for this to update the clients.

shafiqrahman · May 10, 2021, 1:49am

Thank you for clarifying, this router is the only one I have and it seems like creating a new subnet for raspberry is the better choice. Which will take me a day or two to report back. Though, the script I made worked as intended but at the end its breaks the DoH. But, will you please do the honor of reposting the awesome script that you just posted on this thread http://forum.mikrotik.com/t/script-fallback-script-for-dns-traffic-redirection-using-dhcp-server-without-nat-rules/148983/1

And, What is the preferred way for different subnet? I mean new bridge with a new dhcp on a specific port? If so, then

/ip route
add dst-address=192.168.188.2 gateway=bridge

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.188.2 gateway=192.168.88.1
add address=192.168.188.2/32 dns-server=192.168.88.1 gateway=192.168.88.1

Then will this gateway in /ip route and dhcp server changes?

Will report back as soon as I moved the rpi to a new subnet.

smileymattj · May 10, 2021, 4:39am

I think I understand better why the flow looks like there is a loop. You want the MikroTik to use DoH right? You could add DoH to pihole. But yea out the box newer versions of MikroTik support it directly. I think pihole is still in development for DoH. So it’s a littler easier to use MikroTik for DoH with less setup than pihole as of now.

/ip firewall nat add
chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 to-address=192.168.88.5

For this add in-interface to your LAN (prevents WAN in, more secure). And add src-address ! 192.168.88.5 (Prevent pihole from redirecting to itself).

Also in MikroTik, you don’t have to restate to-ports unless the port number changed. Same with address. So address changed, you need that. But port is still 53 so you can cut down on verbiage making it easier to read by not including that a second time. Personal preference, doesn’t matter either way. I’m minimalist.

Duplicate this rule as a TCP. DNS uses UDP and TCP 53.

Might have to use mangle to capture it pre-routing. But try NAT first.

Another thought, you can add a loopback IP address on a blank bridge interface using a different subnet. Set the clients DNS to that IP, and that should make the traffic go through NAT. Not best. But might be easier to understand.

Next make a script to test pihole. Fail= disable these two rules. Success = enable these two rules. I can help with the script or mangle if you need.

shafiqrahman · May 10, 2021, 6:37am

Nat rule didn’t work, probably the best route is to use a different subnet. Pihole kinda buggy by it self and I am using it in a docker, which makes it even buggier. Also, most official developer doesn’t release an arm version of containers. Most containers for arm mostly developed by developers with their own interests in mind. And too often breaks with an update. Very little that I understood about DNS privacy is that unless you have a fully working dns authoritative server(Bind9 or Unbound) that periodically pulls from the name server using DoT or DoH you are not secured. As far as I know internet name servers use TLS. And there’s the browsing traffic that ISP’s can see. So, for me, DoH will do the job for the time being.

2frogs · May 10, 2021, 12:55pm

/ip firewall nat
add chain=dstnat dst-address=192.168.88.1 src-address=!192.168.88.5 in-interface=bridge dst-port=53 protocol=tcp action=dst-nat to-address=192.168.88.5
add chain=dstnat dst-address=192.168.88.1 src-address=!192.168.88.1 in-interface=bridge dst-port=53 protocol=udp action=dst-nat to-address=192.168.88.5
add chain=srcnat dst-address=192.168.88.5 src-address=192.168.88.0/24 action=masquerade

You need to adjust the in-interface to your LAN. Or use in-interface-list=LAN or src-address-list=LAN in its place. You could also use src-address-list=!pihole_nat_bypass in place of the src-address.

The src-nat is needed to keep the PiHole from responding to the clients directly.

shafiqrahman · May 11, 2021, 2:48am

/Ip firewall filter
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
    bridge out-interface-list=WAN
add action=drop chain=forward comment="Drop All Else"
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

This rules most probably causing the NAT rules falling. How do I create different subnet? Should it be new bridge>DHCP>Subnet?
For this gateway

/ip route
add dst-address=192.168.188.2 gateway=bridge

did you mean "bridge= bridge name of the new subnet’ ?

shafiqrahman · May 11, 2021, 12:36pm

Update:

/interface bridge port remove [find interface="ether5"]

/interface list member 
add interface=ether5 list=LAN

/ip address 
add address=192.168.188.1/24 comment=pinet interface=ether5 network=192.168.188.0

/ip pool
add name=pinet ranges=192.168.188.20-192.168.188.40

/ip dhcp-server
add address-pool=pinet disabled=no interface=ether5 name=pinetDHCP

/ip dhcp-server network
add address=192.168.188.0/24 comment=pinet gateway=192.168.88.1 netmask=24

/ip firewall address-list
add address=192.168.188.20-192.168.188.40 list=allowed_to_router

Successfully added a new subnet. But, seems like the new subnet not accessible from the other subnet and don’t have internet. Will update again when the pihole is up and running.

shafiqrahman · May 13, 2021, 2:40am

After creating the new subnet, DHCP server leases shows the device. But, the device doesn’t have any internet, neither I can ping that device from another subnet. I am posting my config file, any help will be highly appreciated.

# may/13/2021 08:15:52 by RouterOS 6.48.2
# model = RouterBOARD 962UiGS-5HacT2HnT

/interface bridge
add admin-mac=xxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=xxxxx user=xxxxxxx
/interface wireless

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pinet ranges=192.168.188.20-192.168.188.40
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=pinet disabled=no interface=ether5 name=pinetDHCP
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=loose
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.245 client-id=1:bc:5f:f4:8a:a0:2 mac-address=\
    xxxxxx server=defconf
add address=192.168.88.246 client-id=1:10:dd:b1:b0:32:3d mac-address=\
    xxxxxx server=defconf
add address=192.168.88.247 client-id=1:0:26:bb:68:22:82 mac-address=\
    xxxxxx server=defconf
add address=192.168.88.4 client-id=1:dc:a6:32:44:f:f8 mac-address=\
    xxxxxx server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.188.0/24 comment=pinet gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d query-server-timeout=100ms \
    query-total-timeout=5s servers=1.1.1.1,1.0.0.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.188.20-192.168.188.40 list=allowed_to_router

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN

add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
    bridge out-interface-list=WAN
add action=drop chain=forward comment="Drop All Else"
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp
/ip firewall mangle

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip route
add check-gateway=ping distance=1 gateway=104.16.248.249 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=to_ISP1
add check-gateway=ping distance=2 gateway=104.16.249.249 routing-mark=to_ISP1
add distance=1 dst-address=104.16.248.249/32 gateway=pppoe-out1 scope=10
add distance=1 dst-address=104.16.249.249/32 gateway=pppoe-out1 scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Asia/Dhaka
/system logging
add topics=wireless,debug
add disabled=yes topics=dns
/system ntp client
set enabled=yes server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system scheduler
add interval=1d name=reboot on-event="system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/07/2020 start-time=05:05:00
add interval=2w1d name="Package upgrade" on-event=\
    "system package update install" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/23/2020 start-time=04:00:00
add interval=2w1d name="Routerboard Upgrade" on-event=":global Var1\r\
    \n:global Var2\r\
    \n:set Var1 \"\$[/system package get system version]\"\r\
    \n:set Var2 \"\$[/system routerboard get current-firmware]\"\r\
    \n:if (\$Var1>\$Var2) do={/system routerboard upgrade;\r\
    \n/system reboot;\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/23/2020 start-time=04:10:00
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Wiredly, though winbox shows dhcp lease of the rpi on new subnet 192.168.188.40 the configuration export didn’t.

2frogs · May 13, 2021, 4:56am

/ip firewall filter
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
    bridge out-interface-list=WAN
add action=drop chain=forward comment="Drop All Else"

These 2 firewall rules are causing both issues. I suggest using this one and it will also replace the one for DSTNAT, above them, as well.

/ip firewall filter
add action=drop chain=forward comment="Drop in from WAN not DSTNAT" connection-nat-state=!dstnat in-interface-list=WAN

The fewer the rules, the better the performance.

shafiqrahman · May 13, 2021, 2:35pm

Changed the firewall as per your suggestion:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="Drop in from WAN not DSTNAT" \
    connection-nat-state=!dstnat in-interface-list=WAN
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp

Still, subnet is not pingable , neither new subnet device shows in the dhcp-server lease export. Though, can be seen in the winbox.

shafiqrahman · May 20, 2021, 1:12am

@2frogs Post #5 solves the issue, but the fallback script doesn’t work.

2frogs · May 20, 2021, 10:33pm

It works in my testing. Can you post full export?

shafiqrahman · May 21, 2021, 5:45am

Issue solved thank you @2frogs.
If someone needed:
Mikrotik new subnet

/interface bridge port remove [find interface="ether5"]
/interface list member add interface=ether5 list=LAN
/ip address 
add address=192.168.188.1/24 comment=pinet interface=ether5 network=192.168.188.0
/ip pool
add name=pinet ranges=192.168.188.20-192.168.188.40
/ip dhcp-server
add address-pool=pinet disabled=no interface=ether5 name=pinetDHCP
/ip dhcp-server network
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
add address=192.168.188.25/32 comment=route dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
/ip firewall address-list
add address=192.168.188.20-192.168.188.40 list=allowed_to_router

Nat rules credit goes to @2frogs

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.188.28 dst-port=53 protocol=tcp to-address=192.168.88.1 comment=pihole_bypass disabled=yes
add action=dst-nat chain=dstnat dst-address=192.168.188.28 dst-port=53 protocol=udp to-address=192.168.88.1 comment=pihole_bypass disabled=yes

This portions credit goes to @anav

/ip firewall filter
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24

Credits goes to @rextended

/ip upnp interfaces
add interface=ether5 type=internal

Script credit @hollerauer http://forum.mikrotik.com/t/script-automatically-change-dns-if-pi-hole-is-no-longer-working/140040/1

:local piholeDown [/ip firewall nat print count-only where comment~"pihole_bypass" && disabled]
:local piholeDNS "192.168.188.25"
:local testDomain "www.google.com"

:if ($piholeDown > 0 ) do={
    :do {
        :resolve $testDomain server $piholeDNS
    } on-error={
        /ip firewall nat enable [find comment=pihole_bypass];
    }
} else={
    :do {
        :resolve $testDomain server $piholeDNS
        /ip firewall nat disable [find comment=pihole_bypass];
    } on-error={}
}

In case Mikrotik fails to establish DoH after reboot, credit @DarkNate

/ip dns
set allow-remote-requests=yes query-server-timeout=100ms query-total-timeout=5s
add servers=1.1.1.1,1.0.0.1
set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=104.16.248.249 gateway=pppoe-out1 scope=10
add dst-address=104.16.249.249 gateway=pppoe-out1 scope=10
add distance=1 gateway=104.16.248.249 routing-mark=to_ISP1 check-gateway=ping
add distance=2 gateway=104.16.249.249 routing-mark=to_ISP1 check-gateway=ping

Useful link:http://forum.mikrotik.com/t/how-do-i-connect-two-subnet-in-a-single-router/149158/21