Wireguard DNS Not Working as Expected

I have a working wireguard instance and a pihole that drops a lot of advertising traffic running on the same router. All of the traffic is forced through the pihole via NAT rules. If I connect to my network with no VPN and run an adblock test (d3ward.github.io) about 64% of ads are blocked. If I connect to wireguard on my router and run the same test only 21% is blocked.

I cannot see how the Wireguard connection can avoid the pihole since all DNS traffic is forced (via a NAT port 53 rule) to go through there. I advertise my router as the DNS server and use the NAT rule to send it to the pihole (which is on a different IP range) so that I can switch it on and off easily.

Is there something in the wireguard protocol, as implemented in routeros, that would avoid that NAT rule? That’s the only reason I can think of that it doesn’t work.

Maybe you are intercepting DNS on a certain interface list and wireguard is not part of that interface list?

Could be that. The firewall rules allow the wireguard IP address range to interact with my LAN range, and the DNS address is on the LAN range. Wireguard is configured to use the LAN’s DNS server address (the router address), which is redirected via NAT to the pihole. Works for everything else on the LAN so not sure why it doesn’t for the Wireguard.

Any ideas why?

In such a situation I tend to activate logging on my firewall (rules) to find out which is hit. Have you already checked the log?

I don't think it's possible, when using a third-party wireguard VPN server, to avoid using the third-party-provided DNS server.
However, with the sparse details provided, who knows.
You should really provide the config.

Description is incomplete.
What wireguard is this?
a. going to a third-party Wireguard server?
b. hosting wireguard on your router, so having admin or others come in on wireguard?
c. other?

If a, is the whole subnet supposed to use WG for internet, for example?

It’s not a third party server - it’s the ROS one.

Config below.

# 2024-06-03 21:53:25 by RouterOS 7.15
# software id = 4SAD-K293
#
# model = RB5009UG+S+
# serial number = HE408Z9RT61
/interface bridge
add name="Local Bridge" port-cost-mode=short
add name=dockers port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="Port 1 - Study"
set [ find default-name=ether2 ] name="Port 2 - Girl's Room"
set [ find default-name=ether3 ] name="Port 3 - Living Room"
set [ find default-name=ether4 ] name="Port 4 - Snug"
set [ find default-name=ether5 ] name="Port 5 - Bonded"
set [ find default-name=ether6 ] name="Port 6 - Bonded"
set [ find default-name=ether7 ] name="Port 7 - Kitchen"
set [ find default-name=ether8 ] mtu=1508 name="Port 8 - WAN"
set [ find default-name=sfp-sfpplus1 ] name="Port 9 - SFP+"
/interface pppoe-client
add add-default-route=yes disabled=no interface="Port 8 - WAN" max-mru=1500 \
    max-mtu=1500 name=Vodafone service-name="Vodafone PPPOE" use-peer-dns=yes \
    user=dsl002066683@broadband.vodafone.co.uk
/interface veth
add address=172.17.0.2/24,fd6c:b6e2:f488::2/64 gateway=172.17.0.1 gateway6=\
    fd6c:b6e2:f488:: name=veth1
/interface wireguard
add comment=back-to-home-vpn listen-port=12713 mtu=1420 name=back-to-home-vpn
add listen-port=13231 mtu=1420 name=wireguard1
/interface bonding
add mode=802.3ad name="Bonded NAS" slaves="Port 5 - Bonded,Port 6 - Bonded" \
    transmit-hash-policy=layer-3-and-4
/container mounts
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
    /usb1-part1/pihole/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/pihole/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole2 src=\
    /usb1-part1/pihole2/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole2 src=/usb1-part1/pihole2/etc
/disk
set usb1 media-interface=none media-sharing=no
add media-interface=none media-sharing=no parent=usb1 partition-number=1 \
    partition-offset=512 partition-size="128 035 675 648" type=partition
/interface list
add name=listBridge
add name=WAN
add comment=defconf include=listBridge name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add comment="Selects for YouTube traffic" name="YouTube L7" regexp=\
    "^..+\\.(youtube.com|googlevideo.com|akamaihd.net).*\$"
/ip ipsec mode-config
add connection-mark=ipsec name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=uk2093.nordvpn.com exchange-mode=ike2 name=NordVPN profile=\
    NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=10.160.100.20-10.160.100.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface="Local Bridge" lease-time=10m name=\
    dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
add name=Darren
/ipv6 pool
add name=IPv6_dockers prefix=fd6c:b6e2:f488::/48 prefix-length=64
/caps-man manager
set enabled=yes
/container
add envlist=pihole_envs interface=veth1 logging=yes mounts=\
    dnsmasq_pihole2,etc_pihole2 root-dir=/usb1-part1/pihole2 start-on-boot=\
    yes
/container config
set registry-url=https://registry-1.docker.io tmpdir="usb1-part1/pull "
/container envs
add key=TZ name=pihole_envs value=Europe/London
add key=WEBPASSWORD name=pihole_envs value=Ham1sh01
add key=DNSMASQ_USER name=pihole_envs value=root
/ip smb
set domain=WORKGROUP enabled=yes interfaces="Local Bridge"
/interface bridge port
add bridge="Local Bridge" interface="Port 2 - Girl's Room" \
    internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 1 - Study" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Port 7 - Kitchen" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Port 9 - SFP+" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Bonded NAS" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Port 3 - Living Room" \
    internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 4 - Snug" internal-path-cost=10 \
    path-cost=10
add bridge=dockers interface=veth1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface="Local Bridge" list=listBridge
add interface=Vodafone list=WAN
add interface="Port 8 - WAN" list=WAN
add interface=dockers list=listBridge
/interface wireguard peers
add allowed-address=192.168.10.2/32 comment="2 iPhone" interface=wireguard1 \
    name=peer5 public-key="lh1V7h9b4YnavEDrDhokyZGUMfTnQPUgZkE6zabQEj4="
add allowed-address=192.168.10.4/32 comment="4 Dell XPS13 Darren" interface=\
    wireguard1 name=peer7 public-key=\
    "oiLZmsihJlwsifktViJCPNKK7U7hGjpiKM7SLw1HZDc="
add allowed-address=192.168.10.5/32 comment="5 iPad" interface=wireguard1 \
    name=peer8 public-key="8Uli5XIMdF4+sfIyEcqXymsXP+MaJonZB+THmw1atWI="
add allowed-address=192.168.216.3/32 comment="Home (iPhone 13 Pro)" \
    interface=back-to-home-vpn name=peer10 public-key=\
    "GdzLmPaMtOcfDUaBbpiQlTBGYZVFiF09ZxwXbTmB1Es="
add allowed-address=192.168.10.3/32 comment="3 Dell XPS 15" interface=\
    wireguard1 name=peer11 public-key=\
    "mZL1PW7Qn9592EbN/bq18L8e3yoddzgfn9qUxE54ODc="
/ip address
add address=10.160.100.1/24 interface="Local Bridge" network=10.160.100.0
add address=192.168.10.1/24 comment=WireGuard1 interface=wireguard1 network=\
    192.168.10.0
add address=172.17.0.1/24 comment="Docker container address range" interface=\
    dockers network=172.17.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server lease
add address=10.160.100.30 client-id=1:0:11:32:b7:b2:15 mac-address=\
    00:11:32:B7:B2:15 server=dhcp1
add address=10.160.100.68 client-id=1:ec:71:db:2e:8c:e0 mac-address=\
    EC:71:DB:2E:8C:E0 server=dhcp1
add address=10.160.100.85 client-id=1:6c:3b:6b:7e:ad:ee mac-address=\
    6C:3B:6B:7E:AD:EE server=dhcp1
/ip dhcp-server network
add address=10.160.100.0/24 dns-server=10.160.100.1 gateway=10.160.100.1
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 \
    max-concurrent-tcp-sessions=2000 servers=\
    1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
    https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.249.249 name=cloudflare-dns.com
add address=104.16.248.249 name=cloudflare-dns.com
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=10.160.100.30 list=VPN
/ip firewall filter
add action=accept chain=input comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept LAN traffic" in-interface=\
    "Local Bridge"
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow Everything in Wireguard" \
    in-interface=wireguard1
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
    dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
    dst-port=53 in-interface=dockers protocol=tcp
add action=drop chain=input comment="block everything else"
add action=fasttrack-connection chain=forward comment=\
    "Fasttrack, but not ipsec" connection-mark=!ipsec connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Forward established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=accept chain=forward comment="Forward all outbound traffic" \
    in-interface="Local Bridge" out-interface=Vodafone packet-mark=""
add action=accept chain=forward comment="Allow Wireguard to Subnets" \
    dst-address=10.160.100.0/24 in-interface=wireguard1
add action=accept chain=forward comment="WG to internet" in-interface=\
    wireguard1 out-interface=Vodafone
add action=accept chain=forward comment="Accept dst-nat" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
    in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
    "Local Bridge" out-interface=dockers
add action=drop chain=forward comment="Drop all Else"
/ip firewall mangle
add action=passthrough chain=prerouting comment=\
    "special dummy rule to show fasttrack counters" disabled=yes
add action=mark-connection chain=prerouting comment="Newsgroup Traffic ipsec" \
    connection-state=new dst-port=563 in-interface="Local Bridge" \
    new-connection-mark=ipsec passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
    "BitTorrent Ipsec (doesn't filter p2p traffic)" connection-state=new \
    dst-port=16881 in-interface="Local Bridge" new-connection-mark=ipsec \
    passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
    "BitTorrent DHT traffic UDP" connection-state=new dst-port=6881 \
    in-interface="Local Bridge" new-connection-mark=ipsec passthrough=yes \
    protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none log=yes log-prefix=\
    masq out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 \
    in-interface=Vodafone log=yes log-prefix=PlexNAT protocol=tcp \
    to-addresses=10.160.100.30 to-ports=32400
add action=dst-nat chain=dstnat comment=PiHole dst-address=10.160.100.1 \
    dst-port=888 in-interface="Local Bridge" in-interface-list=all protocol=\
    tcp to-addresses=172.17.0.2 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "Force any UDP DNS queries that aren't to pihole to go to pihole" \
    dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
    udp src-address=!172.17.0.2 to-addresses=172.17.0.2
add action=dst-nat chain=dstnat comment=\
    "Force any TCP DNS queries that aren't to pihole to go to pihole" \
    dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
    tcp src-address=!172.17.0.2 to-addresses=172.17.0.2
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=WNGqUUBXZkfY5c3q3SKMYDrY
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set www-ssl certificate=Webfig disabled=no
set api disabled=yes
set winbox address=10.160.100.0/24
/ip smb shares
set [ find default=yes ] directory=/pub disabled=no
add directory=/usb1-part1 name=Container
/ip ssh
set strong-crypto=yes
/ipv6 address
add from-pool=IPv6_Pool interface="Local Bridge"
add comment="Docker container address range" from-pool=IPv6_dockers \
    interface=dockers
/ipv6 dhcp-client
add add-default-route=yes interface=Vodafone pool-name=IPv6_Pool prefix-hint=\
    ::/56 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
    dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
    dst-port=53 in-interface=dockers protocol=tcp
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !listBridge
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
    in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
    "Local Bridge" out-interface=dockers
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !listBridge
/ipv6 firewall nat
add action=masquerade chain=srcnat comment="Masquerade DNS traffic TCP" \
    dst-address=fd6c:b6e2:f488::2/128 dst-port=53 protocol=tcp \
    src-address-list=""
add action=masquerade chain=srcnat comment="Masquerade DNS traffic UDP" \
    dst-address=fd6c:b6e2:f488::2/128 dst-port=53 protocol=udp
add action=dst-nat chain=dstnat comment="Force all UDP DNS queries to pihole" \
    dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface-list=LAN log=\
    yes protocol=udp src-address=!fd6c:b6e2:f488::2/128 to-address=\
    fd6c:b6e2:f488::2/128
add action=dst-nat chain=dstnat comment="Force all TCP DNS queries to pihole" \
    dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface-list=LAN \
    protocol=tcp src-address=!fd6c:b6e2:f488::2/128 to-address=\
    fd6c:b6e2:f488::2/128
add action=masquerade chain=srcnat comment="Masquerade for the Pihole" \
    out-interface-list=WAN src-address=fd6c:b6e2:f488::/64
add action=dst-nat chain=dstnat comment=Pihole dst-address=\
    fd94:4dc1:86fb::2/128 dst-port=888 in-interface="Local Bridge" \
    in-interface-list=all protocol=tcp to-address=fd6c:b6e2:f488::2/128 \
    to-ports=80
/ipv6 nd
add dns=fe80::4aa9:8aff:fe57:4601 interface="Local Bridge" \
    managed-address-configuration=yes
/system identity
set name=Gateway
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=Vodafone
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
/tool romon
set enabled=yes
/tool traffic-monitor
add interface="Port 8 - WAN" name=tmon1

I'm confused, doesn't a PPPoE ISP give you a dynamic PUBLIC IP address?
The reason I ask is you have "back to home" in your comment for the wireguard interface, and that's for the case when you don't have a public IP.
Maybe you just used the wording not realizing it's confusing, if not true?

Also note you're using layer7, which is basically not valid anymore.

The back to home “feature” (I say that because ahem Mikrotik back to home doesn’t work, at least for me) I tried but it is redundant. It uses Wireguard, which is why there is an additional entry for it, but it doesn’t work, so I don’t use it. Perhaps it doesn’t work because of that public/static IP question. I have a static IP address.

Layer 7 is a redundant thing I tried to play around with, but it's just redundant cruft in my config.

WireGuard works, it’s just the DNS question I’m trying to solve.

I get this in the log, which doesn’t look suspicious to me, but nothing about DNS traffic - perhaps I need to enable something in the logging to trace this?

masq srcnat: in:wireguard1 out: Vodafone, connection-state:new proto TCP (SYN), 192.168.10.2:60173->104.16.160.168:443, len 64

I'm still having problems with this. Does anyone have any ideas why pihole isn't blocking ads for WireGuard?

add action=dst-nat chain=dstnat comment=\
    "Force any UDP DNS queries that aren't to pihole to go to pihole" \
    dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
    udp src-address=!172.17.0.2 to-addresses=172.17.0.2
add action=dst-nat chain=dstnat comment=\
    "Force any TCP DNS queries that aren't to pihole to go to pihole" \
    dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
    tcp src-address=!172.17.0.2 to-addresses=172.17.0.2

Well ... your intercepting/NAT rules expect the UDP/TCP/53 packets to be arriving from "Local Bridge"?
That is probably not your wireguard interface ... hence these rules do not hit for WG traffic?

I will have a look.
Goal is to ensure road warriors or any user for that matter coming in via Wireguard and going out LOCAL 5009 internet gets stuffed through the pi hole DNS.

(1) Add wireguard to the LAN interface list
/interface list member
add interface="Local Bridge" list=listBridge
add interface=Vodafone list=WAN
add interface="Port 8 - WAN" list=WAN
add interface=dockers list=listBridge
add interface=wireguard1 list=LAN

(2) The firewall rules are messy, but I think you have everything covered...
I am a bit confused in that dockers is a bridge and you have a veth assigned to it with a different IP address than the LAN, and
so far it's not clear what IP address your PiHole has on the router? Okay, I see it later!

The one thing that may be missing is in the FORWARD CHAIN, allowing wireguard to dockers!!! Just change this rule..
FROM:
add action=accept chain=forward comment="Docker forward rule" in-interface=\
    "Local Bridge" out-interface=dockers

TO: (since we added the wireguard interface to the LAN above)
add action=accept chain=forward comment="Docker forward rule" in-interface-list=LAN out-interface=dockers

(3) Okay, forcing traffic to pihole seems also messy. Let's see if we can simplify.
What I don't understand is what is the purpose of the FIRST RULE?
add action=dst-nat chain=dstnat comment=PiHole dst-address=10.160.100.1 \
    dst-port=888 in-interface="Local Bridge" in-interface-list=all protocol=\
    tcp to-addresses=172.17.0.2 to-ports=80

(4) The next two rules are common. One forces all DNS traffic to the desired IP address except any IP addresses that the admin does not want to force there, PLUS of course the pihole address itself to avoid a loop to self LOL.
add action=dst-nat chain=dstnat comment="force all users to DNS pihole" \
    in-interface-list=LAN dst-port=53 protocol=udp \
    src-address-list=!Excluded to-addresses=172.17.0.2

add action=dst-nat chain=dstnat comment="force all users to DNS pihole" \
    in-interface-list=LAN dst-port=53 protocol=tcp \
    src-address-list=!Excluded to-addresses=172.17.0.2

WHERE
/ip firewall address-list
add address=172.17.0.2 list=Excluded
add address=... list=Excluded
any other single IPs or subnets etc... FLEXIBLE APPROACH

Thank you for your reply. I was travelling last week, hence my noticing the traffic problem and also hence my slow reply.

In reply:

  1. Is adding wireguard to the LAN a good/bad/neutral idea? There is normally a separation (in my case by IP range, amongst other things), but I don’t know enough about VPNs to understand the consequences or potential issues.

  2. Any reason why you think they are messy? I’m a beginner at this so every day is a learning opportunity :slight_smile:

  3. The port 888 rule opens up the web config interface to the pi-hole instance.

  4. So is the point here to a) change the in to an interface list rather than an interface and b) to remove the !destination address of the pihole?

Thanks.

Well, you have two options:
a. send wireguard traffic without using your PI functionality, and the PI works for the rest of the LAN.
b. send PI traffic, instead of to 1.1.1.1 or 8.8.8.8, to the DNS server of the provider, and then all wireguard users will be ipso facto using your PI server; HOWEVER, so will the rest of the LAN traffic.
You could split it so wireguard uses PI and local traffic uses some DoH service through the mikrotik...

Is there no way to enable a route to the PiHole container/VETH and redirect DNS traffic there independently of the LAN access? I don’t see why the container can’t be made available to WireGuard in this kind of way…

There is no such option I am aware of.
All the wireguard traffic needs to go out the tunnel including DNS.

Just run two PI dns servers, one for wireguard and one for LAN.
The only difference is the WI_PI uses the third party DNS address to get DNS (vice 1.1.1.1 or something else on the LAN side).

Thank you. I can see the logic in that suggestion, but I wonder why my setup needs two piholes.

The way my setup works is I advertise DNS through DHCP as the router address, which is on my LAN range - 10.160.100.1 - and force it to the PiHole - 172.17.0.2, which isn’t on the LAN range. The pihole uses the router (10.160.100.1) as the upstream DNS server, which in turn uses 1.1.1.1.

I think what you’re suggesting is to allow the wireguard to connect to a different pihole server on a different IP range than Wireguard. However, since that’s what I do for the LAN why can’t I redirect the Wireguard traffic to 172.17.0.2 as well?

Both ways I am taking an IP address range and forcing it to use a DNS server on another. I don’t see why I need two piholes to do that - or am I missing something?

Can’t I just add another NAT rule, similar to the ones I have, that use the Wireguard as the in interface (as opposed to local bridge) to redirect the NAT traffic? Or, as per a previous suggestion, use an in interface list?
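Pulling together the diagnosis earlier in the thread (the port-53 dst-nat rules match only in-interface="Local Bridge", so queries arriving on wireguard1 never hit them and fall through to the router's own resolver) and the question just asked about keying the redirect on WireGuard or an interface list: the fragment below is an added example, not part of the original thread or of the posted export. It shows the posted rule beside a version scoped to an interface list, plus the check that proves the rule is being hit. It assumes the names from the export (wireguard1, "Local Bridge", dockers, interface list LAN, pihole at 172.17.0.2, forward rule "Drop all Else") and introduces one new address list, Excluded, following the suggestion made earlier in the thread.

```routeros
# Added example, not from the OP's export. Assumed names: wireguard1,
# "Local Bridge", bridge "dockers", interface list LAN, pihole 172.17.0.2.
# The address list "Excluded" is new.

# --- Posted rule (UDP shown; TCP is identical). It matches only packets that
# entered via the bridge. A query from a WireGuard peer (192.168.10.0/24)
# arrives on wireguard1, misses this rule, and is answered by the router's own
# resolver (1.1.1.3 over DoH), so the pihole never sees it.
/ip firewall nat
add action=dst-nat chain=dstnat comment="Force any UDP DNS queries that aren't to pihole to go to pihole" \
    dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=udp \
    src-address=!172.17.0.2 to-addresses=172.17.0.2

# --- Replacement: match on an interface list and make wireguard1 a member,
# so every ingress path (bridge, dockers, tunnel) is redirected.

# 1. wireguard1 joins LAN. "Local Bridge" and dockers are already members of
#    listBridge, which LAN includes.
/interface list member
add interface=wireguard1 list=LAN

# 2. Sources that must never be redirected. The pihole itself is excluded so
#    its upstream queries (to 10.160.100.1) are not looped back to it.
/ip firewall address-list
add address=172.17.0.2 comment="pihole: its upstream queries must not loop" list=Excluded

# 3. Replace the bridge-only rules with list-scoped ones.
/ip firewall nat
remove [find comment~"^Force any (UDP|TCP) DNS queries"]
add action=dst-nat chain=dstnat comment="Force DNS (UDP) from any LAN-list interface to pihole" \
    dst-address=!172.17.0.2 dst-port=53 in-interface-list=LAN protocol=udp \
    src-address-list=!Excluded to-addresses=172.17.0.2
add action=dst-nat chain=dstnat comment="Force DNS (TCP) from any LAN-list interface to pihole" \
    dst-address=!172.17.0.2 dst-port=53 in-interface-list=LAN protocol=tcp \
    src-address-list=!Excluded to-addresses=172.17.0.2

# 4. The posted forward chain already has "Accept dst-nat"
#    (connection-nat-state=dstnat), which passes the redirected
#    wireguard1 -> dockers connection. This explicit rule keeps the path open
#    if that one is ever removed; it must sit above "Drop all Else".
/ip firewall filter
add action=accept chain=forward comment="LAN list (incl. wireguard1) to dockers" \
    in-interface-list=LAN out-interface=dockers \
    place-before=[find comment="Drop all Else"]

# 5. Check: resolve a name from a connected WireGuard client and watch the
#    packet/byte counters on the two port-53 rules rise. If they stay at zero,
#    the query is still not entering on an interface in the LAN list.
/ip firewall nat print stats where dst-port=53
```

Two caveats worth keeping in mind when reading the result of the adblock test. First, this redirect catches only classic DNS on port 53; a client or browser that resolves over DNS-over-HTTPS or DNS-over-TLS (TCP 443/853) bypasses it on every interface, which is a common reason such tests still report a partial block. Second, the WireGuard client profile must route the resolver through the tunnel (a DNS setting of 10.160.100.1 with AllowedIPs covering it, or 0.0.0.0/0); a peer that keeps its local resolver never sends port-53 traffic to the router at all, and no NAT rule can change that.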

I am not 100% certain so feel free to try other suggestions, meanwhile I will think on this some more.