Transparently forcing use of Mikrotik's DNS Server, when MK acts as a non-NAT router

Greetings,

I have tried following this guide (correcting IPs, of course):
https://wiki.mikrotik.com/wiki/Force_users_to_use_specified_DNS_server
But it doesn’t seem to work, and the reason, I suspect, is that MK acts as a router, without NAT.

Configuration:
ISP <= CableModem/Router (NAT + DHCP Server) <= Mikrotik (RB, forwarding DHCP requests) <= WIFI clients
(there are other devices on the network, connected directly to the CableModem, that should be able to open connections to WIFI clients, hence NAT on the RB is not an option)

I need to force all WIFI clients to use Mikrotik’s DNS server (LAN devices are good as is).

Thank you in advance.

Anyone? :frowning:

If you want your cable modem to act like a NAT router and the Tik not to, then just add these 2 rules, because the Tik is not going to NAT the source address of your LAN; it NATs the destination address, which does not break Internet access with source NAT by the cable modem.

Why does it have to be a NAT?
I don’t want Network Address Translation at all, just for MKT to capture DNS request packets passing through it, and serve them from the built-in DNS server.

/ip firewall nat
add action=redirect chain=dstnat dst-port=53 protocol=udp
add action=redirect chain=dstnat dst-port=53 protocol=tcp

No, as I said, there is no NAT, so these rules, while doing no harm, do not do anything.

That is not correct, it is also possible to make dstnat rules in a router that is not doing srcnat.
It should work.

OK, I’ll try it later today.

As per your setup - ISP <= CableModem/Router (NAT + DHCP Server) <= Mikrotik (RB, forwarding DHCP requests) <= WIFI clients

The Mikrotik “forwards the DHCP request”: does that mean the WIFI clients get their IP from the CableModem/Router?

If yes, the Mikrotik just acts like a switch and those two rules won’t work.

It can still work when you make sure there is no hardware offload (i.e. pure bridge and no switch) and on the bridge menu the “use IP firewall for bridge traffic” is enabled.
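The configuration this thread converges on, written out as an added example (not from any poster in the thread); the interface names `bridge-wifi` and `ether1-wan` and the upstream resolver address 192.168.0.1 are assumptions:

```routeros
# Assumed names: bridge-wifi = bridge holding the WIFI ports, ether1-wan = uplink to the cable modem.
# The router's own resolver must answer clients; the redirect below points them at it.
# servers= is the upstream resolver (assumed here to be the cable modem).
/ip dns set allow-remote-requests=yes servers=192.168.0.1

# Bridge ports without hardware offload, so bridged packets reach the IP firewall
/interface bridge port set [find bridge=bridge-wifi] hw=no
/interface bridge settings set use-ip-firewall=yes

# dstnat redirect of port-53 traffic arriving from the WIFI side only; no srcnat is needed
/ip firewall nat
add chain=dstnat in-interface=bridge-wifi protocol=udp dst-port=53 action=redirect comment="wifi dns -> router"
add chain=dstnat in-interface=bridge-wifi protocol=tcp dst-port=53 action=redirect comment="wifi dns -> router"

# allow-remote-requests also answers the uplink side; drop that so the router is not an open resolver
/ip firewall filter
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 action=drop comment="no DNS from uplink"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 action=drop comment="no DNS from uplink"

# Check: the redirect rule counters should increase when a WIFI client resolves a name
/ip firewall nat print stats where comment~"wifi dns"
```

The redirect only catches plain DNS on port 53; clients that resolve over other ports or protocols are not covered by it.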