Still struggling with DNS redirect

Hi,
I had to install Pi-hole again on another Linux machine. Since I want every DNS query coming from my LAN to be redirected to my Pi-hole, I set these rules:
My LAN = 192.168.3.0/24
Pi-hole IP = 192.168.3.97
Linux machine IP with pihole = 192.168.3.99

add action=dst-nat chain=dstnat dst-address=!192.168.3.97 dst-port=53 log=yes protocol=tcp src-address=!192.168.3.97 to-addresses=192.168.3.97
add action=dst-nat chain=dstnat dst-address=!192.168.3.97 dst-port=53 log=yes protocol=udp src-address=!192.168.3.97 to-addresses=192.168.3.97
add action=masquerade chain=srcnat dst-address=192.168.3.97 dst-port=53 log=yes protocol=udp src-address=192.168.3.0/24
add action=masquerade chain=srcnat dst-address=192.168.3.97 dst-port=53 log=yes protocol=tcp src-address=192.168.3.0/24

To test it I set a DNS server IP in my PC's network card properties, but I can't browse the internet anymore, nor run a simple nslookup from my device.
I followed this tutorial at the time:
https://itimagination.com/mikrotik-pihole-block-all-ads/

I haven’t understood what is wrong now.
Could you please help me?
Thanks

I believe that the NAT Rules are incorrect

Please Try Below:

#For DST NAT
/ip firewall nat
add chain=dstnat action=dst-nat src-address=192.168.3.0/24 src-address-list=!nat-exempt-list protocol=tcp dst-port=53 to-addresses=192.168.3.97
add chain=dstnat action=dst-nat src-address=192.168.3.0/24 src-address-list=!nat-exempt-list protocol=udp dst-port=53 to-addresses=192.168.3.97

#For ADDRESS LIST
/ip firewall address-list
add address=192.168.3.97 list=nat-exempt-list disabled=no
add address=192.168.3.99 list=nat-exempt-list disabled=no

And please make sure the dst-nat rule is above the other dstnat rules in the chain.

But, do I still need to add my two masquerade rules after your new NAT rules? Thanks

Yes and no. You're using dstnat to forward traffic from the LAN back to the same LAN, so you need hairpin NAT (https://wiki.mikrotik.com/wiki/Hairpin_NAT) and that's what those rules are doing. But you can also replace them with a universal one:

/ip firewall nat
add chain=srcnat src-address=192.168.3.0/24 dst-address=192.168.3.0/24 action=masquerade
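The hairpin point in the reply above, as an added example that is not part of the thread: a small Python model of one UDP query going through the first post's dst-nat rule, with and without the universal srcnat masquerade rule. The addresses are the ones from the thread; the "upstream" server the client has configured (8.8.8.8) is an assumption, any address works the same.

```python
# Added example, not from the thread: a minimal model of the dstnat + hairpin
# srcnat flow discussed above. Addresses are the ones from the thread; the
# "upstream" address the client has configured is an assumption.
from dataclasses import dataclass

ROUTER = "192.168.3.1"
PIHOLE = "192.168.3.97"
CLIENT = "192.168.3.100"
UPSTREAM = "8.8.8.8"       # assumed: whatever DNS server the client has configured
LAN_PREFIX = "192.168.3."  # crude /24 membership test, enough for the model


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 53


def in_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def dstnat(pkt: Packet) -> Packet:
    """The first post's dst-nat rule: port-53 traffic that is not already going to
    Pi-hole (and not coming from it) is rewritten to Pi-hole's address."""
    if pkt.dport == 53 and pkt.dst != PIHOLE and pkt.src != PIHOLE:
        return Packet(pkt.src, PIHOLE, pkt.dport)
    return pkt


def srcnat(pkt: Packet, hairpin: bool) -> Packet:
    """The universal hairpin rule: LAN->LAN traffic is masqueraded to the router's
    own address so that the reply has to come back through the router."""
    if hairpin and in_lan(pkt.src) and in_lan(pkt.dst):
        return Packet(ROUTER, pkt.dst, pkt.dport)
    return pkt


def simulate(hairpin: bool) -> dict:
    """Trace one UDP query from the client and report whether the client's stub
    resolver will accept the answer (it only accepts replies from the address it
    sent the query to)."""
    original = Packet(CLIENT, UPSTREAM)
    delivered = srcnat(dstnat(original), hairpin)   # what Pi-hole actually receives
    reply = Packet(PIHOLE, delivered.src)           # Pi-hole answers the apparent sender
    if reply.dst == ROUTER:
        # the reply hits the router's connection-tracking entry and is un-NATed on
        # both ends: source back to UPSTREAM, destination back to CLIENT
        reply, path = Packet(original.dst, original.src), "via router"
    else:
        # the reply is switched straight to the client on the bridge; the router
        # never sees it, so nothing rewrites the source address
        path = "direct"
    return {
        "pihole_sees_src": delivered.src,
        "reply_src": reply.src,
        "path": path,
        "accepted": reply.src == original.dst,
    }


if __name__ == "__main__":
    for hp in (False, True):
        print(f"hairpin={hp}: {simulate(hp)}")
```

Without the masquerade rule Pi-hole answers the client directly from 192.168.3.97, the client asked 8.8.8.8, so the stub resolver throws the answer away and the lookup times out; that is the symptom in the first post. The price of the hairpin rule is that Pi-hole sees every query coming from 192.168.3.1, so its per-client statistics are lost. Note also that the model assumes Pi-hole replies from the address it was queried on; if it answers from another address on the same box (say .99 instead of .97), the reply matches no connection-tracking entry and is dropped just the same.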

@sob, @nithinkumar2000

None of the rules above really affects traffic in any way. They don't catch and redirect DNS queries, even when I change the DNS server IP directly on one of my devices. It is as if I hadn't set them at all.
Thank you

Maybe it's something else in your config influencing it; there are many ways to misconfigure something. Also make sure that Pi-hole works correctly. Either use some tools to query it directly, or set it as the only DNS server on some client device. Disable all redirection for a start and see if that works.

Can one not use REDIRECT in the dstnat ruleset??

What exactly do you mean? What would you do in such a situation?
Thanks

For port 53, UDP and TCP.
redirect - replaces destination port of an IP packet to one specified by to-ports parameter and destination address to one of the router’s local addresses

I set my NAT rules again (those in my first post above) and do some test:

The dst-nat rule seems to redirect the DNS queries coming from my PC:

In the log I see this:

[log screenshot not included in this copy of the thread]

192.168.3.99 is my netbook's IP (you can glimpse its MAC address too); it has Ubuntu installed on it. I installed Pi-hole on Ubuntu, and it has a different IP (192.168.3.97), which I can't see in the log.

There must be something wrong here already.
Meanwhile I disabled the masquerade rule.

Then it can’t work.

Do I understand correctly that you don't actually have a separate server, but both addresses (.97 and .99) are on your netbook and you are also testing this from the same netbook? If that's the case, are you sure that Pi-hole not only listens on 192.168.3.97, but also uses it as the source for its own outgoing queries? Because if it doesn't, it can't work with either your dstnat rules or the other ones.

.97 and .99 are on my netbook. I had the same setup when I used OpenMediaVault as the OS and Pi-hole as one of its containers... and it worked flawlessly. I tried to replicate it on a different device (my netbook) and I have been struggling to make it work properly since then. I am testing it from a different machine (my PC, IP 192.168.3.100) on the same LAN.
Thanks

I think some network diagrams may help…
A full config is far more helpful than a few snippets.

Ok


# jul/30/2020 22:32:36 by RouterOS 6.45.8
# software id =xxxxx
#
# model =xxxx
# serial number =xxx
/interface bridge
add admin-mac=C4:AD:xx:xxxx:xx auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name="wan wifi" supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name="wifi interna" supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name="WAN WiFi VOD" supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name="wifi 5Ghz" supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=italy disabled=no installation=indoor keepalive-frames=disabled security-profile="WAN WiFi VOD" ssid=\
    Vodxxxxxx station-roaming=disabled wds-default-bridge=bridge wds-mode=dynamic wireless-protocol=802.11 wmm-support=enabled
set [ find default-name=wlan2 ] country=italy installation=indoor mode=ap-bridge security-profile="wifi 5Ghz" ssid=Tik5 wmm-support=enabled wps-mode=disabled
add keepalive-frames=disabled mac-address=C6:xx:xx:xx:xx:xx master-interface=wlan1 multicast-buffering=disabled name=wlan3 security-profile="wifi interna" ssid=\
    homemik wds-cost-range=0 wds-default-bridge=bridge wds-default-cost=0 wds-mode=dynamic wmm-support=enabled wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool1 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
add name=ovpn-pool ranges=192.168.131.10-192.168.131.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge name=dhcp1
/ppp profile
add dns-server=192.168.131.1 local-address=192.168.131.1 name=ovpn remote-address=ovpn-pool use-encryption=yes
/queue simple
add name=PC target=192.168.3.100/32
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan3
add bridge=bridge interface=ether1
add bridge=bridge interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=wlan1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=mikrotik cipher=aes256 default-profile=ovpn enabled=yes port=1195
/ip address
add address=192.168.3.1/24 comment=defconf interface=bridge network=192.168.3.0
add address=192.168.1.11/24 interface=wlan1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=wlan1
/ip dhcp-server lease
add address=192.168.3.100 client-id=1:0:17:31:89:96:87 comment="My Desktop PC" mac-address=00:17:31:89:96:87 server=dhcp1
add address=192.168.3.98 client-id=1:c0:11:73:7e:dd:55 comment="IP webcam" mac-address=C0:11:73:7E:DD:55 server=dhcp1
add address=192.168.3.95 client-id=1:be:81:b0:1d:d2:b comment=pfSense-proxmox mac-address=BE:81:B0:1D:D2:0B server=dhcp1
add address=192.168.3.99 client-id=ff:24:72:1a:c8:0:2:0:0:ab:11:36:c7:39:92:d1:ec:8c:72 mac-address=1C:75:08:DD:6E:4F server=dhcp1
/ip dhcp-server network
add address=192.168.3.0/24 comment=defconf dns-server=192.168.3.97 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes servers=192.168.3.97
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.3.95 comment=pfsense-proxmox name=pfsense.localdomain
/ip firewall address-list
add address=192.168.3.97 list=nat-exempt-list
add address=192.168.3.99 list=nat-exempt-list
/ip firewall filter
add action=accept chain=forward dst-address-list=WAN src-address-list=LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input dst-port=80 in-interface-list=WAN protocol=tcp
add action=drop chain=input icmp-options=8:0-255 in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="defconf: accept ICMP" limit=1,5:packet protocol=icmp
add action=accept chain=input comment="From pfsense LAN" log=yes src-address=192.168.5.0/24
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=input comment="allow OpenVPN" dst-port=1195 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
# no interface
add action=accept chain=input comment="From OpenVPN interface" in-interface=*F00000 log=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all else" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# lte1 not ready
add action=masquerade chain=srcnat out-interface=*A
add action=dst-nat chain=dstnat disabled=yes dst-address=!192.168.3.97 dst-port=53 log=yes protocol=tcp src-address=!192.168.3.97 to-addresses=192.168.3.97
add action=dst-nat chain=dstnat disabled=yes dst-address=!192.168.3.97 dst-port=53 log=yes protocol=udp src-address=!192.168.3.97 to-addresses=192.168.3.97
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.3.97 dst-port=53 log=yes protocol=udp src-address=192.168.3.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.3.97 dst-port=53 log=yes protocol=tcp src-address=192.168.3.0/24
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1
add distance=1 dst-address=192.168.5.0/24 gateway=192.168.3.95
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.3.100/32,192.168.10.0/24
/ppp secret
add name=vpn_user profile=ovpn service=ovpn
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=hometik
/system ntp client
set enabled=yes primary-ntp=193.204.114.105 secondary-ntp=193.204.114.233
/system routerboard mode-button
set enabled=yes on-event="/interface wireless set wlan2 disabled=(![get wlan2 disabled])"
/tool bandwidth-server
set authenticate=no
/tool graphing interface
add interface=ether1
/tool graphing queue
add allow-address=192.168.3.100/32
/tool graphing resource
add
/tool mac-server

Thanks again

Poor guy, ISP is via wifi. :(
Do you get a public IP or just a private IP??

Don't think this is a problem, but it is left over from the default config and can be removed.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

Not sure what purpose this serves…
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254

The order of firewall rules is important, and thus for clarity it is important not to mix up the input and forward chains, so your rules actually look like this, respecting the order presented.
I have numbered them to reflect what should be the order (at least from what I have seen).
The one in red you should get rid of, as you already drop external traffic in a later rule.
The one in green is not required, as you drop all traffic later. If you still want to do port forwarding, modify the existing rule to the clearer:
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN

/ip firewall filter

(2) add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
(1) add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input dst-port=80 in-interface-list=WAN protocol=tcp    # Note: covered by the "drop all not coming from LAN" rule *******
add action=drop chain=input icmp-options=8:0-255 in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="defconf: accept ICMP" limit=1,5:packet protocol=icmp
add action=accept chain=input comment="From pfsense LAN" log=yes src-address=192.168.5.0/24
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=input comment="allow OpenVPN" dst-port=1195 protocol=tcp
add action=accept chain=input comment="From OpenVPN interface" in-interface=*F00000 log=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes *******

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
(2) add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
(4) add action=accept chain=forward dst-address-list=WAN src-address-list=LAN
(3) add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes
(1) add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related

# no interface

(5) add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
(6) add action=drop chain=forward comment="Drop all else" disabled=yes

As for DNS,
Why all these confusing srcnat approaches, argggh.

if you want all your DNS to go to a specific IP could one not do the following with dstnat??

add action=redirect chain=dstnat comment="Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=tcp [ (your choice) src-address-list= OR in-interface-list= ]
add action=redirect chain=dstnat comment="Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=udp [ (your choice) src-address-list= OR in-interface-list= ]

This forces users to use router DNS settings.
In Router DNS settings put in the PI-hole DNS server as the fixed address to use…
Just have to allow the DNS server IP out to the internet on port 53, I suppose, so it's not blocked by the redirect rule??
It gets real fuzzy for me real fast… can you tell.
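The "what about the Pi-hole's own queries" worry at the end of the post above, as an added example that is not part of the thread: a Python trace of where a port-53 query ends up under the redirect design (clients forced to the router, router's DNS set to 192.168.3.97), once with Pi-hole exempted from the redirect rule and once without. Addresses are from the thread; the client's hand-set DNS server (8.8.8.8) and Pi-hole's upstream (1.1.1.1) are assumptions.

```python
# Added example, not from the thread: follows a port-53 query hop by hop under the
# "redirect everything to the router, router forwards to Pi-hole" design, with and
# without exempting Pi-hole from the redirect rule. Addresses are from the thread;
# the client's DNS server and Pi-hole's upstream are assumptions.
ROUTER = "192.168.3.1"
PIHOLE = "192.168.3.97"
CLIENT = "192.168.3.100"
CLIENT_DNS = "8.8.8.8"   # assumed: a DNS server the client set by hand
UPSTREAM = "1.1.1.1"     # assumed: Pi-hole's configured upstream


def redirect_rule(src: str, dst: str, exempt: frozenset) -> str:
    """dstnat chain: action=redirect on dst-port=53 unless the source is on the
    exemption address-list. redirect hands the packet to the router itself."""
    if src in exempt:
        return dst
    return ROUTER


def trace(exempt: frozenset, max_hops: int = 10) -> list:
    """Return the addresses that handle the query in turn. Ends with an outside
    resolver on success, or with 'LOOP' when the query never leaves the LAN."""
    hops = []
    src, dst = CLIENT, CLIENT_DNS
    for _ in range(max_hops):
        if src == ROUTER:
            # router-originated packets traverse the NAT output chain, not dstnat,
            # so the router's resolver (servers=192.168.3.97) reaches Pi-hole as-is
            dst = PIHOLE
        else:
            dst = redirect_rule(src, dst, exempt)
        hops.append(dst)
        if dst == ROUTER:
            src = ROUTER                    # the router's DNS cache takes the query
        elif dst == PIHOLE:
            src, dst = PIHOLE, UPSTREAM     # Pi-hole forwards to its upstream
        else:
            return hops                     # left the LAN: the query gets answered
    hops.append("LOOP")
    return hops


if __name__ == "__main__":
    print("no exemption  :", trace(frozenset()))
    print("Pi-hole exempt:", trace(frozenset({PIHOLE})))
```

Without the exemption the query bounces router -> Pi-hole -> router forever, because Pi-hole's upstream query is itself a LAN packet to port 53 and gets redirected back to the router whose resolver points at Pi-hole. The address to exempt is the one Pi-hole really uses as source for upstream queries, which on a box holding both .97 and .99 is worth checking rather than assuming. One thing this design does get for free: no hairpin masquerade is needed, since each client's conversation is with the router's own address and the router's connection tracking un-NATs the reply.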

Few notes for ^^^:

  • The one in green is not required IF you drop all traffic later, but that currently doesn’t happen because (6) is disabled.
  • If you change it as suggested, you want to accept everything with connection-nat-state=dstnat, without any in-interface filter. That’s because you want it to allow also dstnatted connections to Pi-hole that would otherwise be blocked. But that’s with the new config, they are not blocked now, as long as last drop all rule is disabled.

My suggestion, before you start changing anything, go step by step and verify that you have basic stuff working:

  • Make sure that Pi-hole works at all. From the same machine do e.g. "dig mikrotik.com @192.168.3.97" and see if you get something.
  • While doing so, check what source address Pi-hole uses. You can use tcpdump on same machine with filter “port 53” to see it.
  • Make sure that Pi-hole is accessible from another machine, so same as first step, only from elsewhere.
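The three checks above as one added example that is not part of the thread: a dependency-free Python probe that does what "dig mikrotik.com @192.168.3.97" does, and in addition reports which address the answer came back from, so the first and third checks and the "what source does Pi-hole use" check can be done from any machine with Python. The server and name are the thread's; the fake_response helper and its 192.0.2.1 answer exist only so the parser can be exercised offline.

```python
# Added example, not from the thread: a minimal DNS probe that does what
# "dig mikrotik.com @192.168.3.97" does and also reports which address the
# answer came back from. fake_response() builds a constructed reply for
# offline testing and is not something Pi-hole sends.
import random
import socket
import struct


def build_query(name: str, qtype: int = 1) -> tuple:
    """Return (transaction id, wire-format query) for an A record, RD=1."""
    txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, two bytes total
            return off + 2
        off += 1 + length


def parse_response(data: bytes, expect_txid: int) -> dict:
    """Return the rcode and the A-record addresses in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expect_txid:
        raise ValueError("transaction id mismatch: not a reply to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4    # skip qtype + qclass
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "answers": addrs}


def probe(server: str, name: str, timeout: float = 2.0) -> dict:
    """Send one UDP query and report the answer plus the address it came from.
    An unconnected socket is used on purpose: a normal stub resolver silently
    drops a reply whose source is not the server it asked, so this makes that
    case visible instead of timing out."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, (reply_src, _port) = sock.recvfrom(4096)
    result = parse_response(data, txid)
    result["reply_from"] = reply_src
    result["source_matches"] = reply_src == server
    return result


def fake_response(txid: int, query: bytes, ip: str) -> bytes:
    """Constructed reply for offline testing: echoes the question, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.3.97"
    print(probe(server, "mikrotik.com"))
```

Run it first on the netbook itself, then from the PC. A timeout means Pi-hole is not listening or the query is not arriving; "source_matches": False means Pi-hole answered from a different address than it was asked on (dig prints ";; reply from unexpected source" for the same situation), which is exactly the case where neither NAT approach in this thread can work. A domain Pi-hole blocks comes back with 0.0.0.0 in "answers" under Pi-hole's default blocking mode.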

Before I go ahead and do some test, I have another question:

Could any dnsmasq setting on the ubuntu machine with ip 192.168.3.99 be the cause of the problem somehow?
Thanks

I’m not familiar with dnsmasq, I know what it does, but that’s all. If you have it listening only on .99 and Pi-hole has .97 for itself, they should coexist without problems.

I did a few tests.
I reloaded an OpenMediaVault VM on my VMware Workstation. It has an old version of Pi-hole installed on it as a container.
I set the SAME RULES from my first post above in my MikroTik device (just different IPs, of course)... and it works now!!
That is strange.
As I said, there must be something wrong with either the Ubuntu server or the dnsmasq installed on it... or both.
Any thought?
Thanks