RB750Gr3
Home setup
Attached is my configuration as it is today.
My goal is to force, or “redirect”, all DNS requests from my LAN and from my Wireguard clients to go to my Pi-Hole on 10.0.0.69
If it is possible, I would like to create a rule that checks whether the Pi-Hole is up and running every 30 to 60 seconds and, if it is not, changes the DNS server to 8.8.8.8.
And if the Pi-Hole comes up again, sets the DNS server back to 10.0.0.69.
I have tried different things, but I now understand that I don’t have the required knowledge to create the correct firewall and/or NAT rules to achieve this.
You need to set a srcnat rule and two dstnat rules (both for port 53, one for tcp and one for udp).
Plenty of topics on the same matter here.
As for the check rule, I created an entry in the Scheduler:
10.0.0.69 = your Pi-hole IP
interval: 00:00:30
# set variables
:local primaryDNS "10.0.0.69";
:local fallbackDNS "8.8.8.8";
# :tostr makes the comparison below work whether "get servers" returns a string or a one-element array
:local currentDNS [:tostr [/ip dns get servers]];
#:log warning "What I got is: $currentDNS"
#:log warning "What I want to see is: $primaryDNS"
:do {
    # probe: resolve a name directly through the Pi-hole; :resolve throws on timeout or failure
    :resolve google.com server=$primaryDNS;
    :if ($currentDNS != $primaryDNS) do={
        :log warning "DNS Failover: Switching to primaryDNS";
        /ip dns set servers=$primaryDNS;
    }
} on-error={
    # the Pi-hole did not answer: move to the fallback unless we are already on it
    :if ($currentDNS != $fallbackDNS) do={
        :log error "DNS Failover: Switching to FallbackDNS";
        /ip dns set servers=$fallbackDNS;
    } else={
        :log info "Using Failover DNS, Primary Unavailable";
    }
}
#try to reach google through the primaryDNS
#if it works and we are on a different DNS, set the DNS server to the primaryDNS
#if it works and we are already on the primaryDNS, do nothing
#if we can't reach google and we aren't already on our FallbackDNS, switch to fallback
#if we can't reach google through primaryDNS and we are on the fallback, log that primaryDNS is unavailable
Hi broderick
Yes, I’ve seen many topics on the matter, but when asking in those threads, users respond with “don’t hijack threads”, so I’m trying to ask the question in this new thread.
And I don’t have the necessary knowledge to sort this out by myself…
If you know how to formulate such rules, I would very much appreciate your help in the matter.
As far as I know, DNS redirect also needs a src NAT for it to work properly; otherwise clients which make DNS queries would drop any responses sent by the Pi-hole server if it is in the same LAN, since they wouldn’t recognize the IPs they made the DNS queries to. Maybe it is the “MOD” rule I see in the second image you posted above. Is 192.168.1.2 your Pi-hole IP?
Well, you are correct, and I have one: rule number=2 is my src-nat rule. However, the OP’s config files and topic suggest the Pi-hole runs on the same subnet as the LAN. There is a WG IP range that needs to be forwarded too, although the WG config was not clear to me, so I did not include that.
I don’t have any Pi-hole at my home setup. I use an AdGuard container in my x86 ROS VDS, which provides VPNs like WG and IKEv2. There is a WG tunnel between my home router and this VDS. Most of my internet and all DNS queries are routed through this tunnel.
When the NAT was enabled my devices lost internet connectivity.
Any ideas on what went wrong here?
Thinking of a NAT rule that @broderick is talking about in answer #7
Regarding address lists: I am also a fan of using lists, so if there are any new lists that could help out, please don’t hold out on me.
You have to exclude pihole from being redirected … if not, pihole queries get redirected back to itself. You can make exception either in mangle rules or in NAT rule.
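The rule set the replies above describe (two dstnat rules for udp/tcp 53, one srcnat rule for the same-subnet case, and an exception so the Pi-hole’s own upstream queries are not looped back to it) written out as an added example; this is not configuration from the thread or from any poster. Assumed names: the LAN bridge is “bridge-lan”, the WireGuard interface is “wg1”, the LAN subnet is 10.0.0.0/24, and the interface list “DNS-redirect” is created here; 10.0.0.69 is the Pi-hole address from the thread.

```routeros
# Added example, not the original poster's config.
# Assumptions: LAN bridge "bridge-lan", WireGuard interface "wg1",
# LAN subnet 10.0.0.0/24, Pi-hole at 10.0.0.69 (from the thread).

# Interfaces whose DNS traffic is forced to the Pi-hole (LAN + WireGuard clients)
/interface list add name=DNS-redirect comment="interfaces whose DNS is redirected"
/interface list member add list=DNS-redirect interface=bridge-lan
/interface list member add list=DNS-redirect interface=wg1

# dstnat: a DNS query (udp or tcp 53) from one of those interfaces that is not already
# addressed to the Pi-hole is rewritten to 10.0.0.69.
# src-address=!10.0.0.69 is the exception: the Pi-hole's own upstream queries must
# NOT be redirected back to it, or it would loop.
/ip firewall nat add chain=dstnat in-interface-list=DNS-redirect protocol=udp dst-port=53 \
    src-address=!10.0.0.69 dst-address=!10.0.0.69 \
    action=dst-nat to-addresses=10.0.0.69 to-ports=53 comment="redirect UDP DNS to Pi-hole"
/ip firewall nat add chain=dstnat in-interface-list=DNS-redirect protocol=tcp dst-port=53 \
    src-address=!10.0.0.69 dst-address=!10.0.0.69 \
    action=dst-nat to-addresses=10.0.0.69 to-ports=53 comment="redirect TCP DNS to Pi-hole"

# srcnat (hairpin): only needed when client and Pi-hole share the LAN subnet. Without it
# the Pi-hole answers the client directly, and the client drops a reply from 10.0.0.69
# to a query it believes it sent to 8.8.8.8. connection-nat-state=dstnat limits this to
# connections the rules above actually rewrote, so direct queries to the Pi-hole and
# WireGuard clients (different subnet, replies are routed anyway) are left alone.
/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.69 \
    connection-nat-state=dstnat action=masquerade comment="hairpin NAT for redirected DNS"
```

Two things to check after adding these: the router’s own resolver (the one the scheduler script above switches between 10.0.0.69 and 8.8.8.8) sends its queries through the output chain, not prerouting, so these dstnat rules do not affect it; and the Pi-hole’s upstream queries should still be seen leaving the WAN unchanged, which confirms the src-address exception is matching.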
At this moment, I’m NOT using the mangle rules for pre-routing or “New connection mark”.
It seems as if these NAT-rules also catch my wg1 interface, and forces DNS queries to local 10.0.0.69 (pi-hole), which is a good thing!
Or is it??
10.0.10.10 is a wg client outside my LAN.
Hi
And THANK YOU for taking your time to reply to my thread.
The thing is that the answer you provided does not tell me HOW to do that.
And that is one of the reasons I’m asking for help.
This way of “answering” questions is fairly common in “Linux communities” and, to be frank, it’s one of the biggest hurdles to overcome for a newbie who wants to learn stuff. It’s just arrogant. It’s telling new users “I know the answer, you don’t, now you have to find it out also”.
The educational aim of an answer like that is to force the user asking the question to do the research and find the answer himself. Yes, I understand that. But in most cases, amateur users like me lack the background knowledge in the requested subject (just as I have twice stated in this thread).
I have several small kids, a full time job, and this (networking, computers, pi-hole etc) is a hobby.
I most humbly ask of anyone who wants to help me out: please do so.
If you feel a need to tell me that you know the answer but don’t want to help me with this thread/question, just don’t reply.
It’s that simple.
TLDR; new user asking other user to answer question and not tease.
I’m sorry if my answer didn’t help you to solve the problem.
As you’re mentioning linux community and the way of answering questions: it is indeed common to “help learn how to catch fish” instead of “giving fish” and personally I’m a big fan of it. I feel that by mentioning the possible cause for malfunction instead of writing a recipe to fix the rules (which you might or might not understand) I helped you both understand the networking better and somehow helped you to find the recipe yourself (which again made you know ROS better). If neither of them is your objective, then perhaps (die hard) linux and ROS are not for you? Besides, most people helping around are hobbyists … just like you or me.