pi hole after mikrotik router - get remote IP?

David1234 · July 12, 2021, 11:27am

hello ,
I have setup Pi-Hole (10.0.0.150) after Mikroitk router (10.0.0.253) with public IP 95.12.34.111
I have setup dst-nat from the outside to port 53 (udp\tcp) to the PI-hole
it’s working
when I setup another router\ computer with this DNS - I can see it go throw the PI-hole
and also in the PI-hole I see he get the request from the remote router.

my “problem” is the I only see the IP of the mikrotik router connected to the PI-hole , so it’s seem that every reqeust comming from 10.0.0.253
what do I need to change in order to see the remote address , the one that sending the DNS request ?
?

Thanks ,

xvo · July 12, 2021, 11:47am

Probably you have an another improperly configured src-nat/maquerade rule as well.
For example for hairpin nat.

David1234 · July 12, 2021, 12:28pm

on what side?
the remote side?

there I have wifi router that give dhcp on WiFi interface
and the only rule I have is

/ip firewall nat
add action=masquerade chain=srcnat comment="WiFi network" \
    src-address=172.20.164.0/24

but on the Pi-hole dashboard I can only see the mikrotik router connected to it as the client IP

and on the pi-hole connected mikrotik I have this :

ip firewall filter
add action=add-src-to-address-list address-list="" address-list-timeout=none-dynamic chain=forward dst-port=53 protocol=tcp
add action=add-src-to-address-list address-list=test address-list-timeout=none-dynamic chain=forward dst-port=53 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=80 in-interface=Remote protocol=tcp to-addresses=10.0.0.150 to-ports=80
add action=dst-nat chain=dstnat dst-port=22 in-interface=Remote protocol=tcp to-addresses=10.0.0.150 to-ports=22
add action=dst-nat chain=dstnat dst-port=53 in-interface=Remote protocol=tcp to-addresses=10.0.0.150 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 in-interface=Remote protocol=udp to-addresses=10.0.0.150 to-ports=53

xvo · July 12, 2021, 1:14pm

Ok.
Now I get it.

And there is absolutely no way for pi-hole to see local addresses of the devices behind mikrotik#2 if it performs src-nat for such connections.

Establish a tunnel between two mikrotik routers (with no nat performed on both sides) and let dns requests go through this tunnel.
That would be a good idea anyway.

David1234 · July 15, 2021, 8:14am

I didn’t tink about it - I will try it .

Thank you

David1234 · July 25, 2021, 2:31pm

I have change my setting to this:

when a clinet connect to the WiFi he get address from mikrotik 172.16.99.0/24 (pool 1-50) , The WiFi is 172.16.99.254
and have internet connection without any problem.
I have connected the PI-hole and setup DNS server in Mikrotik to 10.0.0.150
everything is working , no ads on website.

but on PI-Hole logs I can only see 10.0.0.253 as the only one the request DNS service from me
is there anything I can do in order to see the WiFi DHCP I’m giving? 172.16.99.0/24?

all I have ian the firewall is

/ip firewall nat
add action=masquerade chain=srcnat

msatter · July 25, 2021, 5:24pm

That is correct because it seems the WiFi clients are NATTED and their source address become the address of the router.

If you want your client IP then the WiFI should be in the same sub-net 10.10.10.0/24 to skip the NAT.

And put in the DHCP server settings the DNS address of the pi-hole.

David1234 · July 26, 2021, 6:30am

I don’t want the WiFi to be as the same as the reset of the network
I have other servers \ computer \ devices on the netwrok I don’t them to have access to .

but when I think about it
can I do the following :
change the Ether1 IP to 10.0.0.253/29
change WiFi IP to 10.0.0.50/28 (and setup the pool to 50-60)
route 0.0.0.0/0 to fortigate 10.0.0.254 (as now)
disable the NAT
make firewall rule that block all WiFi address to 10.0.0.200-10.0.0.220 (this is where I don’t want to WiFi to have access to )

can this do the jpb?

what do you think?

mkx · July 26, 2021, 7:00am

No, that wouldn’t do, because neither 10.0.0.150 (pihole) nor 10.0.0.254 (router) are members of subnet 10.0.0.50/28 (which covers IP addresses between 10.0.0.48 and 10.0.0.63), hence WiFi clients wouldn’t be able to reach pihole or internet directly. Which means you’d still have to run NAT on mikrotik, defying the whole exercise.

What you could do is to place everything (including WiFi clients) in 10.0.0.0/24 subnet, bridge ether1 and wlan1 on mikrotik, use whatever DHCP server you have in your LAN (fortigate?) with appropriate pool (add static leases for known LAN clients) … and enable use-ip-firewall=yes property of bridge. Just in case explicitly set hw=no on wlan bridge port (traffic to/from wlan can’t be HW offloaded anyway, there’s no switch chip involved). Then construct appropriate firewall rules to block traffic originating from WiFi IP address list to anything but fortigate. Don’t forget to place appropriate rules also in chain=input to defend mikrotik from those evil WiFi clients.