Problem with Rspi Pihole firewall rules

I bought a RB5009 and was able to configure it, but I am struggling with the firewall rules for 2 Pihole DNS servers.

I would like some help with correcting the firewall rules.
My system works and I can test the DNS, which works, but I see no hit counters on the NAT firewall rules for the Piholes.

Config:
# RouterOS configuration as pasted into the forum post.  The forum wrapped the
# long lines and turned straight quotes into typographic quotes, and some
# section headers were damaged: the leading "/" of "interface bridge" is
# missing and the header above the two "address=... gateway=..." entries was
# reduced to a bare "/".  Read it as a transcript, not as a loadable .rsc.
interface bridge
add admin-mac= arp=proxy-arp auto-mac=no name=
LOCAL-LAN/Bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=“LAN1(SYN)” poe-out=off
set [ find default-name=ether2 ] name=“LAN2(BG1)” poe-out=off
set [ find default-name=ether3 ] name=“LAN3(BG2)” poe-out=off
set [ find default-name=ether4 ] name=“LAN4(Boven)” poe-out=off
set [ find default-name=ether5 ] name=“LAN5(PI/unifi)”
set [ find default-name=ether6 ] name=“LAN6(pi29)”
set [ find default-name=ether7 ] name=“LAN7(pi27)”
set [ find default-name=ether8 ] name=“LAN8(LP/V)”
set [ find default-name=sfp-sfpplus1 ] arp=proxy-arp l2mtu=1598 mtu=1512
name=“SFP(+)/WAN/poort”
# VLAN 6 on the SFP+ port carries the ISP PPPoE session; VLAN 10 on the LAN
# bridge is the guest Wi-Fi network (192.168.4.0/24 further down).
/interface vlan
add arp=proxy-arp interface=“SFP(+)/WAN/poort” mtu=1508 name=VLAN6/PPPoE
vlan-id=6
add interface=LOCAL-LAN/Bridge name=VLAN_10/Gasten vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=VLAN6/PPPoE max-mru=1500
max-mtu=1500 name=PPPoE-out/WAN
# Interface lists used by the firewall; MGMT is declared but has no members
# in the "/interface list member" section below.
/interface list
add name=“WAN(internet)”
add name=“LAN(bridge)”
add name=“Wlan(Gast)”
add name=MGMT
/ip pool
add name=IPreeks-lan ranges=192.168.1.3-192.168.1.84
add name=“Ipreek-gast wifi” ranges=192.168.4.3-192.168.4.54
/ip dhcp-server
add address-pool=IPreeks-lan interface=LOCAL-LAN/Bridge lease-time=1d name=
Dhcp/Lan_bridge
add address-pool=“Ipreek-gast wifi” interface=VLAN_10/Gasten lease-time=1d
name=Dhcp/Gast-wifi
/certificate settings
set builtin-trust-anchors=not-trusted
# All eight copper ports are untagged members of the bridge.
/interface bridge port
add bridge=LOCAL-LAN/Bridge interface=“LAN1(SYN)”
add bridge=LOCAL-LAN/Bridge interface=“LAN2(BG1)”
add bridge=LOCAL-LAN/Bridge interface=“LAN3(BG2)”
add bridge=LOCAL-LAN/Bridge interface=“LAN4(Boven)”
add bridge=LOCAL-LAN/Bridge interface=“LAN5(PI/unifi)”
add bridge=LOCAL-LAN/Bridge interface=“LAN8(LP/V)”
add bridge=LOCAL-LAN/Bridge interface=“LAN7(pi27)”
add bridge=LOCAL-LAN/Bridge interface=“LAN6(pi29)”
/ip neighbor discovery-settings
set discover-interface-list=!none lldp-mac-phy-config=yes
lldp-max-frame-size=yes lldp-vlan-info=yes
# VLAN 10 is tagged on the bridge itself and on LAN1-LAN5; LAN6/LAN7 (the
# Pi ports) and LAN8 are not in the tagged list.
/interface bridge vlan
add bridge=LOCAL-LAN/Bridge tagged=“LOCAL-LAN/Bridge,LAN1(SYN),LAN2(BG1),LAN3(
BG2),LAN4(Boven),LAN5(PI/unifi)” vlan-ids=10
# Note that VLAN_10/Gasten is NOT a member of LAN(bridge); the input-chain
# rules below key on that list.
/interface list member
add interface=PPPoE-out/WAN list=“WAN(internet)”
add interface=LOCAL-LAN/Bridge list=“LAN(bridge)”
add interface=VLAN_10/Gasten list=“Wlan(Gast)”
/ip address
add address=192.168.1.1/24 interface=LOCAL-LAN/Bridge network=192.168.1.0
add address=192.168.4.1/24 interface=VLAN_10/Gasten network=192.168.4.0
/ip dhcp-client
add default-route-tables=main interface=“SFP(+)/WAN/poort”
# This section header was lost in the paste; the attributes (address, domain,
# gateway, netmask) are those of "/ip dhcp-server network" entries.
# NOTE(review): no dns-server is set here — confirm which resolver address
# the DHCP clients actually receive, because that decides whether the dstnat
# rules at the bottom can ever match.
/
add address=192.168.1.0/24 domain=“Lan.home(bridge)” gateway=192.168.1.1
netmask=24
add address=192.168.4.0/24 domain=“Gast.home(gasten)” gateway=192.168.4.1
netmask=24
# The router's own resolver forwards to both Piholes and answers queries from
# other hosts (allow-remote-requests=yes); the input chain below controls who
# can reach it.
/ip dns
set allow-remote-requests=yes servers=192.168.1.27,192.168.1.29
# NOTE(review): Trusted and LAN(br) both contain the guest subnet
# 192.168.4.0/24, so every rule keyed on these lists treats guest Wi-Fi
# clients exactly like the wired LAN.
/ip firewall address-list
add address=192.168.1.27 list=pihole
add address=192.168.1.29 list=pihole
add address=192.168.1.0/24 list=“LAN(br)”
add address=192.168.4.0/24 list=“LAN(br)”

add address=192.168.1.0/24 list=Trusted
add address=192.168.4.0/24 list=Trusted
# Input chain, in order:
#  1. accept anything from Trusted — this includes the guest VLAN, so guest
#     clients can reach every router service (the resolver above,
#     management, ...) even though their interface is not in LAN(bridge);
#  2. accept established/related/untracked;
#  3. drop invalid;
#  4. drop whatever is left unless it arrived via the LAN(bridge) list
#     (connection-state="" is just an unset matcher); this is what keeps the
#     PPPoE/WAN side out.
# Forward chain: fasttrack + accept established, accept IPsec in/out, drop
# invalid, drop WAN traffic that was not dst-natted.  Nothing here separates
# VLAN_10/Gasten from 192.168.1.0/24, and RouterOS accepts what falls off the
# end of a filter chain, so guest clients can reach the wired LAN unless a
# drop rule is added before the end of the chain.
/ip firewall filter
add action=accept chain=input comment=“allow Trusted ip-adres”
src-address-list=Trusted
add action=accept chain=input comment=“accept established,related,untracked”
connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=drop chain=input connection-state=“” in-interface-list=
“!LAN(bridge)”
add action=fasttrack-connection chain=forward comment=
“accept established,related, untracked” connection-state=established
hw-offload=yes
add action=accept chain=forward comment=
“accept established,related, untracked” connection-state=
established,related,untracked
add action=accept chain=forward comment=“accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“accept out ipsec policy”
ipsec-policy=out,ipsec
add action=drop chain=forward comment=“drop invalid” connection-state=invalid
add action=drop chain=forward comment=“drop all from WAN not DSTNATed”
connection-nat-state=!dstnat in-interface-list=“WAN(internet)”
# Marks LAN-to-LAN connections so the "Hairpin NAT" srcnat rule below can
# masquerade them (the usual hairpin-NAT pattern).
/ip firewall mangle
add action=mark-connection chain=prerouting comment=
“Mark connections for hairpin NAT - LAN IP” dst-address-list=“LAN(br)”
new-connection-mark=“Hairpin NAT” src-address-list=“LAN(br)”
# NOTE(review): the four dst-nat rules only match DNS whose destination is
# already inside LAN(br) (the router itself or a Pihole); a client that sends
# its queries straight to an outside resolver never hits them, which would
# leave the counters at zero.  Also, the first udp rule already redirects
# every source except .27 to .27, so the second udp rule only ever sees .27's
# own queries (same for the tcp pair) — presumably dst-nat ends chain
# traversal, so this is not a 50/50 split between the two Piholes.
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=
“WAN(internet)”
add action=masquerade chain=srcnat comment=“Hairpin NAT” connection-mark=
“Hairpin NAT”
add action=dst-nat chain=dstnat dst-address-list=“LAN(br)” dst-port=53
protocol=udp src-address=!192.168.1.27 src-address-list=“LAN(br)”
to-addresses=192.168.1.27
add action=dst-nat chain=dstnat dst-address-list=“LAN(br)” dst-port=53
protocol=udp src-address=!192.168.1.29 src-address-list=“LAN(br)”
to-addresses=192.168.1.29
add action=dst-nat chain=dstnat dst-address-list=“LAN(br)” dst-port=53
protocol=tcp src-address=!192.168.1.27 src-address-list=“LAN(br)”
src-port=“” to-addresses=192.168.1.27
add action=dst-nat chain=dstnat dst-address-list=“LAN(br)” dst-port=53
protocol=tcp src-address=!192.168.1.29 src-address-list=“LAN(br)”
to-addresses=192.168.1.29

Can’t see the attachment.

Are you sure you want the 2 PiHoles publicly available?

Sorry I’m a newbie

I loaded the configuration I had in the file.

Why not add something like this (check for yourself whether it is correct!):

# Suggested by a replier.  TRUSTED and pihole are used here as interface
# lists, which do not exist in the posted config (it has address lists named
# Trusted/pihole and interface lists WAN(internet)/LAN(bridge)/Wlan(Gast)/
# MGMT); the poster later says they created such interface lists.
/ip firewall filter
add action=accept chain=forward in-interface-list=TRUSTED out-interface-list=pihole

Make sure it is before any drop rule on the forward chain.

I was wrong: I made a pihole interface list and a trusted one under /interface list and used those.

I tried also these:
# Forward-chain accepts the poster tried.  The two tcp rules are identical
# (the second is a duplicate of the first).  NOTE(review): these are filter
# rules in the forward chain; they cannot change whether a dstnat rule
# matches, so they do not explain the empty NAT counters.
add action=accept chain=forward comment=“pihole forward” dst-address-list=
!pihole src-address-list=“LAN(br)”

add action=accept chain=forward dst-port=53 protocol=tcp src-address-list=
“LAN(br)”
add action=accept chain=forward dst-port=53 protocol=tcp src-address-list=
“LAN(br)”
I think those are more or less the same?
The NAT rules still show no hits or counts, as if they are not part of the process.

Bedankt voor het helpen! Het wordt zeer gewaardeerd.

Solution found:
Forward:
# Forward-chain accepts of the final solution.  The last two lines are
# truncated in the paste ("LAN / « lan); presumably they were
# src-address-list=“LAN(br)” like the earlier attempts — confirm against the
# running config.
add action=accept chain=forward dst-address-list=!pihole src-address-list=
Trusted
add action=accept chain=forward dst-port=53 protocol=udp src-address-list=
"LAN
add action=accept chain=forward dst-port=53 protocol=tcp src-address-list=\
« lan

NAT/Masquerade

# Masquerade udp/tcp traffic from LAN(br) that leaves via the bridge, so a
# redirected DNS query appears to come from the router's bridge address; the
# Piholes will then log 192.168.1.1 as the client instead of the real device.
# NOTE(review): the dst-nat rules no longer restrict the destination, so
# every port-53 packet entering from the bridge is redirected, including the
# Piholes' own upstream queries if those leave on plain port 53: a query
# from .27 is skipped by the first udp rule (src-address=!192.168.1.27) but
# matched by the second and sent to .29, and .29's queries are sent to .27,
# which can loop the two resolvers into each other.  Excluding both Pihole
# addresses from all four rules (e.g. adding src-address-list=!pihole)
# avoids that.  src-port=“” on the tcp rule is an unset matcher.
add action=masquerade chain=srcnat out-interface-list=“LAN(bridge)” protocol=
udp src-address-list=“LAN(br)”
add action=masquerade chain=srcnat out-interface-list=“LAN(bridge)” protocol=
tcp src-address-list=“LAN(br)”
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=“LAN(bridge)”
protocol=udp src-address=!192.168.1.27 to-addresses=192.168.1.27
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=“LAN(bridge)”
protocol=udp src-address=!192.168.1.29 to-addresses=192.168.1.29
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=“LAN(bridge)”
protocol=tcp src-address=!192.168.1.27 src-port=“” to-addresses=
192.168.1.27
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=“LAN(bridge)”
protocol=tcp src-address=!192.168.1.29 to-addresses=192.168.1.29