Hi all,
I wanted to ask for a sanity check..
The last weeks i have been reading a lot here on the forum, so much good info, but got lost from time to time.
I am getting stuck a bit with replacing a rb2011 with ros6 and a rb5009 with ros7
A long time has passed from when i made the setup on the rb2011 and i seem to have forgotten almost all. Getting old has its downsides
The problem i have here is the combination between redirecting to a pi-hole in a container together with having 2 wans.
Without the mangle rules for the second line, the redirect of e.g. 8.8.8.8 to the pi works well.
But when i add the mangle, only those who use the mtik ip for dns get redirected to the pi.
I placed some extra mangle rules but i feel like thats not the way to do it…
So the question is, can someone here check my progress to see if i am on the right track ?
Or if you would do things totally different ?
Thanks a lot
ps, is there a way to export without the pesky / ?
# 2024-10-14 22:40:51 by RouterOS 7.16.1
# software id = 8H6C-FJ5Z
#
# model = RB5009UG+S+
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge-dementios
add name=bridge-containers
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
/interface veth
add address=10.100.100.2/24 gateway=10.100.100.1 gateway6="" name=veth1 comment=pihole
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=pool-dementios ranges=10.100.200.10-10.100.200.254
/ip dhcp-server
add address-pool=pool-dementios interface=bridge-dementios name=dementios-Dhcp
/routing table
add comment=viaISP1 disabled=no fib name=viaISP1
add comment=viaISP2 disabled=no fib name=viaISP2
/interface bridge port
add bridge=bridge-dementios comment=defconf interface=ether3
add bridge=bridge-dementios comment=defconf interface=ether4
add bridge=bridge-dementios comment=defconf interface=ether5
add bridge=bridge-dementios comment=defconf interface=ether6
add bridge=bridge-dementios comment=defconf interface=ether7
add bridge=bridge-dementios comment=defconf interface=ether8
add bridge=bridge-dementios comment=defconf interface=sfp-sfpplus1
add bridge=bridge-containers interface=veth1
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=bridge-dementios list=LAN
add interface=ether1-WAN1 list=WAN
add interface=ether2-WAN2 list=WAN
add interface=bridge-containers list=LAN
/ip address
add address=10.100.200.1/24 interface=bridge-dementios network=10.100.200.0
add address=10.100.100.1/24 interface=bridge-containers network=10.100.100.0
/ip dhcp-client
add interface=ether1-WAN1 use-peer-dns=no use-peer-ntp=no
add interface=ether2-WAN2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.100.200.0/24 comment=dementios-Dhcp dns-server=10.100.200.1 gateway=10.100.200.1 netmask=24
/ip dns
set allow-remote-requests=yes max-concurrent-queries=200 max-concurrent-tcp-sessions=40 servers=1.1.1.1,8.8.8.8,8.4.4.4
/ip firewall address-list
add address=10.100.200.252 list=pihole-users
add address=10.100.200.253 list=pihole-users
add address=10.100.200.0/24 list=lan
/ip firewall filter
add action=accept chain=input comment= "defconf: accept established,related,untracked" connection-state= established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state= invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment= "defconf: accept established,related, untracked" connection-state= established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment= "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting comment="pi-hole redirect of external dns does not work without this. Or need to turn off connection mark for isp2" dst-address=10.100.100.2 dst-port=80 protocol=tcp
add action=accept chain=prerouting comment="pi-hole redirect of external dns does not work without this. Or need to turn off connection mark for isp2" dst-port=53 protocol=tcp
add action=accept chain=prerouting comment="pi-hole redirect of external dns does not work without this. Or need to turn off connection mark for isp2" dst-port=53 protocol=udp
add action=accept chain=prerouting comment=wan1 dst-address=192.168.1.0/24 in-interface=bridge-dementios
add action=accept chain=prerouting comment=wan2 dst-address=192.168.2.0/24 in-interface=bridge-dementios
add action=mark-connection chain=prerouting comment=wan1 connection-state=new in-interface=ether1-WAN1 new-connection-mark=ISP1-Conn passthrough=no
add action=mark-connection chain=prerouting comment=wan2 connection-state=new in-interface=ether2-WAN2 new-connection-mark=ISP2-Conn passthrough=no
add action=mark-connection chain=prerouting comment=wan1 connection-mark=no-mark dst-address=!10.100.200.0/24 in-interface=bridge-dementios new-connection-mark=ISP1-Conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment=wan2 connection-mark=no-mark dst-address=!10.100.200.0/24 in-interface=bridge-dementios new-connection-mark=ISP2-Conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment=wan1 connection-mark=ISP1-Conn in-interface=bridge-dementios new-routing-mark=viaISP1 passthrough=no
add action=mark-routing chain=prerouting comment=wan2 connection-mark=ISP2-Conn in-interface=bridge-dementios new-routing-mark=viaISP2 passthrough=no
add action=mark-routing chain=output comment=wan1 connection-mark=ISP1-Conn new-routing-mark=viaISP1 passthrough=no
add action=mark-routing chain=output comment=wan2 connection-mark=ISP2-Conn new-routing-mark=viaISP2 passthrough=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=dst-nat chain=dstnat comment=pihole-redirect dst-port=53 in-interface-list=!WAN protocol=udp src-address=!10.100.100.2 src-address-list=pihole-users to-addresses=10.100.100.2 to-ports=53
add action=dst-nat chain=dstnat comment=pihole-redirect dst-port=53 in-interface-list=!WAN protocol=tcp src-address=!10.100.100.2 src-address-list=pihole-users to-addresses=10.100.100.2 to-ports=53
add action=masquerade chain=srcnat comment=nat-ISP1 out-interface=ether1-WAN1 src-address=10.100.200.0/24
add action=masquerade chain=srcnat comment=nat-ISP2 out-interface=ether2-WAN2 src-address=10.100.200.0/24
add action=masquerade chain=srcnat comment="NAT REST" out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src="" routing-table=viaISP1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 pref-src="" routing-table=viaISP2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src="" routing-table=viaISP2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 pref-src="" routing-table=viaISP1 scope=30 suppress-hw-offload=no target-scope=10