VLANs can't access local DNS Server

Hi,

First post here so please feel free to correct me if I failed following the etiquette.
I’m new to the Mikrotik world and I’m still learning the concepts of VLAN, firewall mangling, routing, etc.

I have the following “Home Office” setup:
(attached network diagram: The Baha House Network.drawio.png)
Two “Routers” from two different ISPs providing internet
ISP 1 is connected to eth7 (WAN1) of the MT RB5009
ISP 2 is connected to eth8 (WAN2) of the MT RB5009

Office switch and devices hardwired to the MT RB5009

TP-Link EAP650 Wireless Access Point
Provides three different Wi-Fi networks (SSIDs):
SSID: Office (no VLAN tag)
SSID: Guests 1 (VLAN 20)
SSID: Guests 2 (VLAN 30)

“Office” is using the main routing table with a basic failover (I know that I need recursive routes for proper failover testing. Will come in the future)
“Office” is also able to access the DNS server on the MikroTik (172.16.0.1), which forwards requests to remote DNS servers if needed (1.1.1.1, 8.8.8.8)
“Office” DHCP has a script running that adds/removes DNS entries based on the lease. I removed the script from the config to keep it shorter.

Each “Guests” network has its own DHCP server and its own subnet (172.16.2.0/24 for VLAN 20, 172.16.3.0/24 for VLAN 30).
I’m using firewall mangle rules to “force” Wi-Fi Guests 1 to use ISP 1 and Wi-Fi Guests 2 to use ISP 2.

My ISPs are both unreliable (can’t change that), so I’m constantly switching between them. For Office I just adjust the distance of the default routes in the route list. For the VLANs I adjust the routing mark of the mangle rule. Also, if I need all the bandwidth of one provider, I need to be able to switch the two guest VLANs to the other ISP.

Questions:
When I change the DNS server in the DHCP configuration for VLAN 20 and 30 from 1.1.1.1,8.8.8.8 to 172.16.0.1 or 172.16.2.1 or 172.16.3.1, the guest networks can’t resolve DNS anymore. They can’t reach the local DNS server and requests don’t get forwarded to the external DNS servers. What is missing?

If I try to remove the two default routes from the main routing table and add another mangle rule for the office subnet 172.16.0.0/23 to decide which ISP to use, then the office network can’t reach the local DNS anymore. What’s missing there?

Any help is appreciated
Jerry
Attachment: config-clean-20230808.rsc

It is important to know that mark-routing has absolute precedence over any other routing rules in v7.
So you must only mark-routing to an ISP when you really are going to send the packets to that ISP.
You can use dst-address-type=!local or make an address list with all local network ranges and use dst-address-list=!list.

@pe1chl thanks, that was indeed the missing piece of information

Edit: I should add that I had to add another rule to the firewall to get it to work:

chain=input action=accept in-interface=all-vlan
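The following RouterOS v7 fragment is an added example, not from the thread or the attached config. It puts pe1chl's advice and Jerry's extra input rule into one piece: the broken mangle rule next to the corrected one, the address list that keeps router-bound and inter-VLAN traffic out of the ISP tables, and an input chain that admits only DNS and DHCP from the guest VLANs instead of everything. The subnets are the ones from the post; the interface names (ether7/ether8 for WAN1/WAN2), the gateway addresses (RFC 5737 placeholders), and the table/list names are assumptions.

```routeros
# Added example (not the poster's config). ether7/ether8, the 192.0.2.1 and
# 198.51.100.1 gateways, and the list/table names are assumptions.

# 1. Every prefix the router itself serves. Packets to these must not get a
#    routing mark, otherwise they are pushed out to the ISP table and the
#    guests lose 172.16.0.1 / 172.16.2.1 / 172.16.3.1.
/ip firewall address-list
add list=local-nets address=172.16.0.0/23 comment="Office"
add list=local-nets address=172.16.2.0/24 comment="Guests 1 (VLAN 20)"
add list=local-nets address=172.16.3.0/24 comment="Guests 2 (VLAN 30)"

# 2. One routing table per ISP (v7 needs the table to exist before it can be
#    used as a routing mark) and a default route in each.
/routing table
add name=to-isp1 fib
add name=to-isp2 fib
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-table=to-isp1 comment="ISP1 gateway (placeholder)"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=to-isp2 comment="ISP2 gateway (placeholder)"

# 3. Mangle. The first rule is the shape that breaks local DNS: it marks every
#    packet from VLAN 20, including those for the router. Kept disabled for
#    comparison only.
/ip firewall mangle
add chain=prerouting src-address=172.16.2.0/24 action=mark-routing new-routing-mark=to-isp1 passthrough=no disabled=yes comment="BROKEN: also marks traffic to the router and other VLANs"
# Corrected: mark only what really leaves through an ISP. To move a guest
# network to the other ISP, change new-routing-mark on its rule.
add chain=prerouting src-address=172.16.2.0/24 dst-address-list=!local-nets action=mark-routing new-routing-mark=to-isp1 passthrough=no comment="Guests 1 -> ISP1"
add chain=prerouting src-address=172.16.3.0/24 dst-address-list=!local-nets action=mark-routing new-routing-mark=to-isp2 passthrough=no comment="Guests 2 -> ISP2"
# Same pattern for the office subnet, for the second question in the post
# (only enable once the default routes are removed from the main table).
add chain=prerouting src-address=172.16.0.0/23 dst-address-list=!local-nets action=mark-routing new-routing-mark=to-isp1 passthrough=no disabled=yes comment="Office -> ISP1"

# 4. DNS: the router answers queries from other hosts and the guest DHCP
#    networks hand out the router's own address as resolver.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dhcp-server network
set [find address=172.16.2.0/24] dns-server=172.16.2.1
set [find address=172.16.3.0/24] dns-server=172.16.3.1

# 5. Filter. allow-remote-requests=yes also makes the router answer DNS on the
#    WAN side, so block that first. Then admit only DNS and DHCP from the guest
#    VLANs to the router (instead of accepting all input from all-vlan) and keep
#    guests away from the office LAN and from each other.
/interface list
add name=WAN
/interface list member
add list=WAN interface=ether7
add list=WAN interface=ether8
/ip firewall filter
add chain=input action=drop in-interface-list=WAN protocol=udp dst-port=53 comment="no open resolver on WAN"
add chain=input action=drop in-interface-list=WAN protocol=tcp dst-port=53
add chain=input action=accept in-interface=all-vlan protocol=udp dst-port=53,67 comment="Guests: DNS + DHCP to the router"
add chain=input action=accept in-interface=all-vlan protocol=tcp dst-port=53 comment="Guests: DNS over TCP"
add chain=input action=drop in-interface=all-vlan comment="Guests: nothing else to the router"
add chain=forward action=drop in-interface=all-vlan dst-address-list=local-nets comment="Guests: no access to office or the other guest VLAN"
```

Two notes on using this. `add` appends each filter rule at the end of its chain, so if the existing config already ends the input chain with a catch-all drop, the new accept rules have to be moved above it (rule order is evaluated top to bottom). pe1chl's other option, `dst-address-type=!local`, only excludes addresses that belong to the router itself; a guest packet for the office subnet would still be marked and routed through the ISP table. The address list excludes both the router and the other local subnets, which is why it is used here together with the forward drop that enforces the guest isolation explicitly.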