Community discussions

 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

RB750, Pi-Hole and cross interface communication

Fri Sep 06, 2019 7:03 pm

Hello to all,
I am new to Mikrotik and RouterOS as I only using Ubiquity hardware (ER-X model).
Came across a RB750Gr3 and wanted to sit down and look at the thing and how it works.
So I started with reading a lot and watching videos on how to set the thing up and running.
But I would not be posting here if I did not run in to issues now would I ?

The Setup.... ALL DONE BY WINBOX and NOT the Terminal
Reset Configuration --> No Default Configuration
Did not use the Quick Set function as I have read and heard this may at times set configurations settings in the background that may/could cause issues with once own setup.

What I have done so far is the following

1 ) Interfaces --> Interface tab
  • Rename the interfaces so that they make more logical scene to me.
2 ) Interfaces --> Interface List tab (Lists)
  • Create WAN and LAN
  • Assign Interfaces to Lists
  • LAN -> bridge, eth4, eth5
  • WAN-> eth1
3 ) Bridge --> Bridge tab
  • Created a bridge
4 ) Bridge --> Ports
  • Assign eth2 and eth3 to the created bridge. With the understanding that eth2 and eth3 will be seen as ONE eth from now one.
5 ) IP--> Address List
  • Created my three Addresses and assign them to an Interface
  • Address -- Network -- Interface
  • 192.168.1.254/24 -- 192.168.1.0 -- bridge
  • 192.168.10.1/24 -- 192.168.10.0 -- eth4 Pi
  • 192.168.0.254/24 -- 192.168.0.0 -- eth5 Admin
6 ) IP --> DHCP Client
  • Added eth1 as for testing this router will get its internet from DHCP from my main router.
7 ) IP--> DHCP Server -- DHCP Tab
  • Created only one called dhcp
8 ) IP--> DHCP Server -- Networks Tab
  • Created three networks
  • 192.168.0.0/24 -- 192.168.0.1
  • 192.168.1.0/24 -- 192.168.1.254
  • 192.168.10.0/24 -- 192.168.10.1
9 ) IP --> DNS
  • Added 192.168.10.2 and 1.1.1.1
10 ) IP --> Pool
  • Created dhcp with a IP range

Here is where I am getting stuck THE FIREWALL rules.
Seeing I started from scratch there are no rules to speak off.
Taking a WORKING configuration from one of my ERX routers I tried to convert them to work with the Mikrotik but to no avail.

Basically the rules should be as follow
  • ALLOW UDP and TCP traffic on port 53 to get to the PI on eth4.
  • DROP ALL traffic to the PI on eth4
  • ALLOW UDP and TCP traffic on port 53 to get to the Network gateway on bridge.
  • DROP ALL traffic to the bridge. So doing blocking the Network from accessing the Router Configuration being it via WinBox or Browser
Masquerade Rules
  • Any DNS UDP and TCP requests on port 53 should be directed to the PI on eth4
DNAT Rules
  • Any rogue DNS UDP and TCP requests on port 53 should be directed to the PI on eth4

The results are as follows,
Client connects to the router being it eth2 or eth3, gets an IP in the correct range and Gateway.
Try and access a website, can see the counter of the UDP packets increase and I can see in the logs that the DNS requests are hitting the PI but the websites are not being displayed.
Giving the client a static IP and DNS nothing happens

Attached is a screenshot of my Rules.
I tried to upload a Config file but not sure how.....

Any help would be appreciated in resolving this.

--
Regards,
Hav0c
You do not have the required permissions to view the files attached to this post.
Life is but a song, we just can't google the words !
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RB750, Pi-Hole and cross interface communication

Fri Sep 06, 2019 8:03 pm

to verify dns functionality and limit the scope try testing with "ping" (udp dns) & "nslookup" (tcp dns). both do minimal functions.

if ping <some dns name> uses an ip -> udp dns works
if nslookup <some dns server> works -> tcp firewal / nat works
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Fri Sep 06, 2019 8:39 pm

Hello sebastia
ping google.com [216.58.223.142] --> Request timed out
ping 216.58.223.142 --> Request timed out

nslookup google.com
Server: UnKnown
Address: 192.168.10.2 (This is the Pi)
None -authoristative answer:
Name: Google.com
Address: IPv6 address and 216.58.223.142

nslookup 216.58.223.142
Server: UnKnown
Address: 192.168.10.2 (This is the Pi)
None -authoristative answer:
Name: jhb02s01..........
Address: IPv6 address and 216.58.223.142
Life is but a song, we just can't google the words !
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RB750, Pi-Hole and cross interface communication

Fri Sep 06, 2019 8:49 pm

so your dns resolution works fine
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Fri Sep 06, 2019 9:04 pm

to verify dns functionality and limit the scope try testing with "ping" (udp dns) & "nslookup" (tcp dns). both do minimal functions.

if ping <some dns name> uses an ip -> udp dns works
if nslookup <some dns server> works -> tcp firewal / nat works
So the tcp firewal/nat works as should.
The UDP part the problem then ?
So that means that a normal firewall rule is the issue ?
Life is but a song, we just can't google the words !
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RB750, Pi-Hole and cross interface communication

Fri Sep 06, 2019 9:36 pm

there is no problem, it's resolving
ping google.com [216.58.223.142]
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Fri Sep 06, 2019 9:55 pm

There is a problem as none of the clients can access any website using URLs or IPs
Keeps shows DNS unresolved or Times out on all websites.
Life is but a song, we just can't google the words !
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RB750, Pi-Hole and cross interface communication

Fri Sep 06, 2019 10:14 pm

you have a problem with connectivity NOT dns resolution

you get an IP for a dns in each kind of test
but ping (icmp) and tcp don't get through..
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Fri Sep 06, 2019 11:03 pm

.......
but ping (icmp) and tcp don't get through..
icmp I do not care about, So the TCP is that being blocked by one of my normal firewall rules then ?
Life is but a song, we just can't google the words !
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RB750, Pi-Hole and cross interface communication

Fri Sep 06, 2019 11:41 pm

either that or ip stack is not correctly configured
list /export hide-sensitive
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Fri Sep 06, 2019 11:53 pm

Okay, i have no idea how to set or cheack the IP Stack :shock:
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] name="eth1 Internet"
set [ find default-name=ether2 ] name="eth2 Network"
set [ find default-name=ether3 ] name="eth3 Network"
set [ find default-name=ether4 ] name="eth4 Pi"
set [ find default-name=ether5 ] name="eth5 Admin"
/interface pppoe-client
add add-default-route=yes allow=pap dial-on-demand=yes interface="eth1 Internet" name=PPPoE-WAN use-peer-dns=yes
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp
/interface bridge port
add bridge=bridge hw=no interface="eth2 Network"
add bridge=bridge hw=no interface="eth3 Network"
/interface list member
add interface="eth1 Internet" list=WAN
add interface=bridge list=LAN
add interface="eth4 Pi" list=LAN
add interface="eth5 Admin" list=LAN
/ip address
add address=192.168.1.254/24 interface=bridge network=192.168.1.0
add address=192.168.10.1/24 interface="eth4 Pi" network=192.168.10.0
add address=192.168.0.1/24 interface="eth5 Admin" network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface="eth1 Internet" use-peer-dns=no
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.254 netmask=24
add address=192.168.10.0/24 gateway=192.168.10.1 netmask=24
/ip dns
set servers=192.168.10.2,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="Allow established/related" connection-nat-state="" connection-state=established,related
add action=drop chain=input comment="Drop invalid state" connection-state=invalid
add action=accept chain=forward comment="Allow established/related" connection-nat-state="" connection-state=established,related
add action=drop chain=forward comment="Drop invalid state" connection-state=invalid
add action=accept chain=forward connection-state=established,related,new dst-address=192.168.10.2 dst-port=53 in-interface=bridge out-interface="eth4 Pi" protocol=udp \
    src-address=192.168.1.0/24
add action=accept chain=forward connection-state=established,related,new dst-address=192.168.10.2 dst-port=53 in-interface=bridge out-interface="eth4 Pi" protocol=tcp \
    src-address=192.168.1.0/24
add action=drop chain=input comment="Drop all to PI Router" dst-address=192.168.10.1 in-interface=bridge src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop all behind PI Router" dst-address=192.168.10.0/24 in-interface=bridge src-address=192.168.1.0/24
add action=drop chain=input comment="Drop Network to Network Router" dst-address=192.168.1.254 in-interface=bridge src-address=192.168.1.0/24
add action=accept chain=input comment="Allow Admin" connection-state=established,related,new dst-address=192.168.0.1 in-interface="eth5 Admin" src-address=192.168.0.0/24
/ip firewall nat
add action=src-nat chain=srcnat comment="UDP DNS Masquerade Network" out-interface=bridge protocol=udp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53
add action=src-nat chain=srcnat comment="TCP DNS Masquerade Network" out-interface=bridge protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53
add action=dst-nat chain=dstnat comment="Redirect UDP DNS Network" dst-address=!192.168.10.2 dst-port=53 in-interface=bridge protocol=udp to-addresses=192.168.10.2 \
    to-ports=53
add action=dst-nat chain=dstnat comment="Redirect TCP DNS Network" dst-address=!192.168.10.2 dst-port=53 in-interface=bridge protocol=tcp to-addresses=192.168.10.2 \
    to-ports=53
add action=masquerade chain=srcnat out-interface="eth1 Internet"
EDIT: Added code block.
Last edited by Hav0c on Sat Sep 07, 2019 11:32 am, edited 1 time in total.
Life is but a song, we just can't google the words !
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RB750, Pi-Hole and cross interface communication

Sat Sep 07, 2019 12:15 am

why do you need this?
add action=src-nat chain=srcnat comment="UDP DNS Masquerade Network" out-interface=bridge protocol=udp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53
add action=src-nat chain=srcnat comment="TCP DNS Masquerade Network" out-interface=bridge protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53
any particular reason why there is no dns config in dhcp network settings?

remove these " connection-nat-state="" "

so culprit IS your firewall, there is no accept for anything else but DNS...
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Sat Sep 07, 2019 12:52 am

why do you need this?
add action=src-nat chain=srcnat comment="UDP DNS Masquerade Network" out-interface=bridge protocol=udp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53
add action=src-nat chain=srcnat comment="TCP DNS Masquerade Network" out-interface=bridge protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53
The reason for the Masquerade and DNAT rules are to force any and all DNS query to the Pi that is running PiHole, it's a content blocker based on DNS filter lists.

any particular reason why there is no dns config in dhcp network settings?
As far as I understand, setting the DNS under IP--> DNS Settings will auto assign the DNS to the Router and its clients connecting to the Router?
Does the dhcp network settings overide the IP--> DNS Settings then ?

remove these " connection-nat-state="" "
From what I can see is that connection-nat-state="" is only in "Allow established/related" and "Allow established/related". Remember I am only using WinBox so need to look into it how to remove it.

so culprit IS your firewall, there is no accept for anything else but DNS...
Interesting, was thinking the "Allow established/related" and "Allow established/related" allows all being DNS or not.
Can you perhaps provide an example of a rule ?
Life is but a song, we just can't google the words !
 
busty
newbie
Posts: 25
Joined: Tue Nov 07, 2017 2:32 am

Re: RB750, Pi-Hole and cross interface communication

Sat Sep 07, 2019 3:53 am

i totally understand your dst-nat but what i can't understand is src-nat that you have there. you want to nat any udp/tcp traffic that is sourced in your bridge(src-address) and destination is your bridge(out interface) and change it to your PI and any port change to 53

you can configure DHCP server like you want - if you want to assign DNS your router IP you can set there router IP, if you want to set there PI you can set there PI and if you want to set there any other DNS server you can do it without any issue.

it's too late here but last drop line in firewall filter section is not correct because you are blocking any traffic to the LAN default gateway (for example arp) there is nothing in input chain that is allowing that. if you want to block management traffic from your lan be more specific or filter it via user section or services section.
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Sat Sep 07, 2019 12:24 pm

i totally understand your dst-nat but what i can't understand is src-nat that you have there. you want to nat any udp/tcp traffic that is sourced in your bridge(src-address) and destination is your bridge(out interface) and change it to your PI and any port change to 53
To tell you the Truth, I cannot recall why I created that rule in the begining.... will need to investigate and come back to you
This is how the rule is set in my ERX (just a FYI if intrested)
edit service nat rule 5001
set description 'DNS Masquerade'
set outbound-interface eth2    <--- The Network interface
set log disable	
set protocol tcp_udp
set source group network-group 'LAN_NETWORKS'  <-- Group of Network IPs 
set destination address 192.168.10.2
set destination port 53
set type masquerade

you can configure DHCP server like you want - if you want to assign DNS your router IP you can set there router IP, if you want to set there PI you can set there PI and if you want to set there any other DNS server you can do it without any issue.
After reading sebastia question "any particular reason why there is no dns config in dhcp network settings?" again and your remark. I think it will be better adding it under dhcp network settings, even if it's just the Routers IPs.

it's too late here but last drop line in firewall filter section is not correct because you are blocking any traffic to the LAN default gateway (for example arp) there is nothing in input chain that is allowing that. if you want to block management traffic from your lan be more specific or filter it via user section or services section.
I will disable that last drop and do some more testing. Will provide some feedback.
Life is but a song, we just can't google the words !
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RB750, Pi-Hole and cross interface communication

Sat Sep 07, 2019 12:30 pm

The reason for the Masquerade and DNAT rules are to force any and all DNS query to the Pi that is running PiHole, it's a content blocker based on DNS filter lists.
these are not needed as dns is on another network


As far as I understand, setting the DNS under IP--> DNS Settings will auto assign the DNS to the Router and its clients connecting to the Router?
Does the dhcp network settings overide the IP--> DNS Settings then ?
dns in dhcp allows to configure dns at clients, so you don't need to do that manually. it's independent from local (mikrotik) config


From what I can see is that connection-nat-state="" is only in "Allow established/related" and "Allow established/related". Remember I am only using WinBox so need to look into it how to remove it.
just "fold" that option and it should disappear


Interesting, was thinking the "Allow established/related" and "Allow established/related" allows all being DNS or not.
Can you perhaps provide an example of a rule ?
this allows exiting connection only, any new connection requests (connection-state=new) are not included: ex? just allow all from bridge -> wan before you "drop all"
 
busty
newbie
Posts: 25
Joined: Tue Nov 07, 2017 2:32 am

Re: RB750, Pi-Hole and cross interface communication

Sat Sep 07, 2019 1:30 pm

these are not needed as dns is on another network
You can force any DNS request to use your DNS by using dst-nat
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RB750, Pi-Hole and cross interface communication

Sat Sep 07, 2019 1:34 pm

these are not needed as dns is on another network
You can force any DNS request to use your DNS by using dst-nat
you're out of context, read last few posts. hint: i've commented on the src-nat!
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Sat Sep 07, 2019 5:50 pm

these are not needed as dns is on another network
By "these.." I assume you are referring to the Masquerade (src-nat) and not the DNAT rules ?
If that is the case, I cannot recall the reason why I created that rules in my Original setups about 4 years ago. Documentation was never a strong point of mine.
The DNAT Rules I know why they are there, say a client tries and set a static DNS being it on the PC/Laptop even IOT device it will still use the Pi. That being said I do not got my DNAT and Masquerading rules mixed up again....

dns in dhcp allows to configure dns at clients, so you don't need to do that manually. it's independent from local (mikrotik) config
That does make life a lot easier, never looked at it that way. Thanks for that.

just "fold" that option and it should disappear
That did the trick.

this allows exiting connection only, any new connection requests (connection-state=new) are not included: ex? just allow all from bridge -> wan before you "drop all"
So the rule will look like this
add action=accept chain=forward in-interface= bridge out-interface="eht1 Internet" arc-address=192.168.1.0/24
If one Reset to Default Configuration, The Firewall rules created then will they be good examples ?
My understand of the Chain
IN --> That is traffic bound only for the Router alone
Farward --> Traffic from one Eth to another Eth
Out -- Going OUT of a Eth port
Life is but a song, we just can't google the words !
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RB750, Pi-Hole and cross interface communication

Sat Sep 07, 2019 10:45 pm

add action=accept chain=forward in-interface= bridge out-interface="eht1 Internet"
is enough

for filter table
output = traffic from router itself
(other were correct)
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Sun Sep 08, 2019 1:26 pm

So I have done as instructed by adding that rule and some from the default firewall rules , result, some clients shows "DNS unresolved" or "took to long to respond"

ExpV1
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] name="eth1 Internet"
set [ find default-name=ether2 ] name="eth2 Network"
set [ find default-name=ether3 ] name="eth3 Network"
set [ find default-name=ether4 ] name="eth4 Pi"
set [ find default-name=ether5 ] name="eth5 Admin"
/interface pppoe-client
add add-default-route=yes allow=pap dial-on-demand=yes interface="eth1 Internet" name=PPPoE-WAN use-peer-dns=yes
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp
/interface bridge port
add bridge=bridge hw=no interface="eth2 Network"
add bridge=bridge hw=no interface="eth3 Network"
/interface list member
add interface="eth1 Internet" list=WAN
add interface=bridge list=LAN
add interface="eth4 Pi" list=LAN
add interface="eth5 Admin" list=LAN
/ip address
add address=192.168.1.254/24 interface=bridge network=192.168.1.0
add address=192.168.10.1/24 interface="eth4 Pi" network=192.168.10.0
add address=192.168.0.1/24 interface="eth5 Admin" network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface="eth1 Internet" use-peer-dns=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.0.1 netmask=24
add address=192.168.1.0/24 dns-server=192.168.10.2,1.1.1.1 gateway=192.168.1.254 netmask=24
add address=192.168.10.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.10.1 netmask=24
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment="Allow established/related" connection-state=established,related
add action=drop chain=input comment="Drop invalid state" connection-state=invalid
add action=accept chain=forward comment="Allow established/related" connection-state=established,related
add action=accept chain=forward comment="Allow established/related" connection-state=established,related,new
add action=drop chain=forward comment="Drop invalid state" connection-state=invalid
add action=accept chain=forward connection-state=established,related,new dst-address=192.168.10.2 dst-port=53 in-interface=bridge out-interface="eth4 Pi" protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward connection-state=established,related,new dst-address=192.168.10.2 dst-port=53 in-interface=bridge out-interface="eth4 Pi" protocol=tcp src-address=192.168.1.0/24
add action=drop chain=input comment="Drop all to PI Router" dst-address=192.168.10.1 in-interface=bridge src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop all behind PI Router" dst-address=192.168.10.0/24 in-interface=bridge src-address=192.168.1.0/24
add action=accept chain=forward in-interface=bridge out-interface="eth1 Internet"
add action=drop chain=input comment="Drop Network to Network Router" dst-address=192.168.1.254 in-interface=bridge src-address=192.168.1.0/24
add action=accept chain=input comment="Allow Admin" connection-state=established,related,new dst-address=192.168.0.1 in-interface="eth5 Admin" src-address=192.168.0.0/24
/ip firewall nat
add action=src-nat chain=srcnat comment="UDP DNS Masquerade Network" out-interface=bridge protocol=udp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53
add action=src-nat chain=srcnat comment="TCP DNS Masquerade Network" out-interface=bridge protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53
add action=dst-nat chain=dstnat comment="Redirect UDP DNS Network" dst-address=!192.168.10.2 dst-port=53 in-interface=bridge protocol=udp to-addresses=192.168.10.2 to-ports=53
add action=dst-nat chain=dstnat comment="Redirect TCP DNS Network" dst-address=!192.168.10.2 dst-port=53 in-interface=bridge protocol=tcp to-addresses=192.168.10.2 to-ports=53
add action=masquerade chain=srcnat out-interface="eth1 Internet"

The thing that makes me more confused is the fact that when I log into the Pi and look at the DNS request for forum.mikrotik.com it shows that the Pi gos out to 1.1.1.1 and 1.0.0.1 gets the IP for the request 159.148.147.205 and on the client side one of or both the two messages above.

When one set a
connection-state=established,related,new
that allows communication both ways so doing one does not need another rule for the "back" communication ?

EDIT: Added Code version.
Last edited by Hav0c on Mon Sep 09, 2019 12:49 am, edited 1 time in total.
Life is but a song, we just can't google the words !
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RB750, Pi-Hole and cross interface communication

Sun Sep 08, 2019 1:51 pm

add address=192.168.1.0/24 dns-server=192.168.10.2,1.1.1.1 gateway=192.168.1.254 netmask=24

-> why don't you specify your pi-hole only here?
add address=192.168.1.0/24 dns-server=192.168.10.2 gateway=192.168.1.254 netmask=24

try this instead
/ip firewall filter
add action=accept chain=input comment="Allow established/related" connection-state=established,related
add action=drop chain=input comment="Drop invalid state" connection-state=invalid
add action=accept chain=input comment="Allow Admin" dst-address=192.168.0.1 in-interface="eth5 Admin" src-address=192.168.0.0/24
add action=drop chain=input comment="Drop all"

add action=accept chain=forward comment="Allow established/related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid state" connection-state=invalid
add action=accept chain=forward in-interface=bridge out-interface="eth1 Internet"
add action=accept chain=forward in-interface="eth4 Pi" out-interface="eth1 Internet"
add action=accept chain=forward dst-address=192.168.10.2 dst-port=53 in-interface=bridge out-interface="eth4 Pi" protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.10.2 dst-port=53 in-interface=bridge out-interface="eth4 Pi" protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop all behind PI Router" in-interface=bridge

/ip firewall nat
add action=dst-nat chain=dstnat comment="Redirect UDP DNS Network" dst-address=!192.168.10.2 dst-port=53 in-interface=bridge protocol=udp to-addresses=192.168.10.2
add action=dst-nat chain=dstnat comment="Redirect TCP DNS Network" dst-address=!192.168.10.2 dst-port=53 in-interface=bridge protocol=tcp to-addresses=192.168.10.2
add action=masquerade chain=srcnat out-interface="eth1 Internet"



Thse will then be removed
/ip firewall nat
add action=src-nat chain=srcnat comment="UDP DNS Masquerade Network" out-interface=bridge protocol=udp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53
add action=src-nat chain=srcnat comment="TCP DNS Masquerade Network" out-interface=bridge protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Sun Sep 08, 2019 2:59 pm

add address=192.168.1.0/24 dns-server=192.168.10.2,1.1.1.1 gateway=192.168.1.254 netmask=24

-> why don't you specify your pi-hole only here?
add address=192.168.1.0/24 dns-server=192.168.10.2 gateway=192.168.1.254 netmask=24
the other DNS is a backup in case the Pi is offline.

Done what asked to do.
Same results, "DNS unresolved" or "took to long to respond".
I do not think it's the Pi though as it shows
Client 192.168.1.198 send request for accounts.google.com to Pi and Pi gos out to 1.1.1.1 comes back and states accounts.google.com is 172.217.170.13

Could it not maybe be that the Pi is not sending the DNS back to the clients ?
Life is but a song, we just can't google the words !
 
busty
newbie
Posts: 25
Joined: Tue Nov 07, 2017 2:32 am

Re: RB750, Pi-Hole and cross interface communication

Sun Sep 08, 2019 10:28 pm

ok so you want to have DNS via PI but you wrote that you can't ping public IP {ping 216.58.223.142 --> Request timed out } - if that has changed ignore following: disable rule that block network to network router
add action=drop chain=input comment="Drop Network to Network Router" dst-address=192.168.1.254 in-interface=bridge src-address=192.168.1.0/24
you don't have anything in input chain that allow network related services (like arp) to operate. not sure but from what i see you have issues with IP connectivity and then possibly also DNS.

firewall goes from the top to the bottom and when it hit any line it stop processing any other for connection so last firewall rule is there - as far i know - for nothing because mikrotik does not have deny any at the end of rules.

the thing about secondary DNS - how your mikrotik router would know if PI DNS is up and running - you have DST NAT to forward any request to PI DNS ... i'm not sure what exactly do you want - forward all DNS to PI or have backup if PI fails? you can't have both at least not with your simple dst-nat.

if you have bridge interface why don't you enable HW offload? - communication between both ports will possibly go quicker.
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Sun Sep 08, 2019 11:05 pm

ok so you want to have DNS via PI but you wrote that you can't ping public IP {ping 216.58.223.142 --> Request timed out } - if that has changed ignore following: disable rule that block network to network router
add action=drop chain=input comment="Drop Network to Network Router" dst-address=192.168.1.254 in-interface=bridge src-address=192.168.1.0/24
you don't have anything in input chain that allow network related services (like arp) to operate. not sure but from what i see you have issues with IP connectivity and then possibly also DNS.
The pinging of Public IPs is not a factor for me at this time. That is WAY on the back burner for now.
What I have done after my last post was create a couple of rules for testing where the main issue may be that stated
add action=accept chain=input src-address=192.168.1.0/24  dst-address=192.168.1.254  in-interface=bridge  protocol= icmp
add action=accept chain=forward src-address=192.168.1.0/24  dst-address=192.168.10.1  in-interface=bridge out-interface="eth4 Pi" protocol= icmp
add action=accept chain=forward protocol= icmp
add action=accept chain=in protocol= icmp
But none of their counters increased. So I removed them

What I did note was that this rule
add action=drop chain=input comment="Drop Network to Network Router" dst-address=192.168.1.254 in-interface=bridge src-address=192.168.1.0/24
does block a good amount of packets even if the only client is just on the desktop.....

firewall goes from the top to the bottom and when it hit any line it stop processing any other for connection so last firewall rule is there - as far i know - for nothing because mikrotik does not have deny any at the end of rules.
Does this not apply to most firewalls ?
Top to bottom and brake out when the rule applies.

the thing about secondary DNS - how your mikrotik router would know if PI DNS is up and running - you have DST NAT to forward any request to PI DNS ... i'm not sure what exactly do you want - forward all DNS to PI or have backup if PI fails? you can't have both at least not with your simple dst-nat.
Okay forget about the backup DNS. Will cross that bridge when I get there as well :D :)

if you have bridge interface why don't you enable HW offload? - communication between both ports will possibly go quicker.
To my knowledge HW offload adds bit more stress on the routers under load. As I do not know what loads this router will be under I rather play it save by disabling HW offload.
Life is but a song, we just can't google the words !
 
busty
newbie
Posts: 25
Joined: Tue Nov 07, 2017 2:32 am

Re: RB750, Pi-Hole and cross interface communication

Sun Sep 08, 2019 11:20 pm

ok so main problem here is connectivity at all - if you can't ping public IP address you can NOT reach nothing in the internet or at any other network. that rule is blocking your default gateway!
add address=192.168.1.0/24 dns-server=192.168.10.2,1.1.1.1 gateway=192.168.1.254 netmask=24
if you want to go out from one network to another you can't block gateway!

Does this not apply to most firewalls ?
Top to bottom and brake out when the rule applies.
yep it does but why do you have accept at the end of list if it's not followed by drop?

HW offload basically use switch chip to boost traffic that doesn't need to be routed but just switched. between interfaces.
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Sun Sep 08, 2019 11:45 pm

I have created the rules
add action=accept chain=forward in-interface=bridge out-interface="eth1 Internet"
add action=accept chain=forward in-interface="eth4 Pi" out-interface="eth1 Internet"
as instructed by sebastia before the block and nothing changed.
Deactivated and removed
add action=drop chain=input comment="Drop Network to Network Router" dst-address=192.168.1.254 in-interface=bridge src-address=192.168.1.0/24
still nothing.

If one remove ALL firewall rules, by default will that act like a block or allow ALL traffic ?
That one can start from scratch with the rules. It seems the variables are changing over and over but the core rules seems to be missed by me
Life is but a song, we just can't google the words !
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1434
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: RB750, Pi-Hole and cross interface communication

Mon Sep 09, 2019 12:08 am

If you have no firewall rules, all traffic will be accepted
MTCNA, MTCTCE, MTCRE & MTCINE
 
busty
newbie
Posts: 25
Joined: Tue Nov 07, 2017 2:32 am

Re: RB750, Pi-Hole and cross interface communication

Mon Sep 09, 2019 12:13 am

can you confirm that you can reach any public IP after you disabled rule that blocked gateway?

can you provide information if you have iterative or recursive DNS on PI?
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Mon Sep 09, 2019 12:15 am

can you confirm that you can reach any public IP after you disabled rule that blocked gateway?

can you provide information if you have iterative or recursive DNS on PI?
I will do the test and come back to you.

If you have no firewall rules, all traffic will be accepted

Seems like I am going back to the drawing board starting with allowing all then.
Life is but a song, we just can't google the words !
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Mon Sep 09, 2019 2:12 pm

Lost track of all the different configurations was made.
So going to start versioning the code :)

re-build the config for this post
add address=192.168.1.0/24 dns-server=192.168.10.2 gateway=192.168.1.254 netmask=24

try this instead
/ip firewall filter
add action=accept chain=input comment="Allow established/related" connection-state=established,related
add action=drop chain=input comment="Drop invalid state" connection-state=invalid
add action=accept chain=input comment="Allow Admin" dst-address=192.168.0.1 in-interface="eth5 Admin" src-address=192.168.0.0/24
add action=drop chain=input comment="Drop all"

add action=accept chain=forward comment="Allow established/related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid state" connection-state=invalid
add action=accept chain=forward in-interface=bridge out-interface="eth1 Internet"
add action=accept chain=forward in-interface="eth4 Pi" out-interface="eth1 Internet"
add action=accept chain=forward dst-address=192.168.10.2 dst-port=53 in-interface=bridge out-interface="eth4 Pi" protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.10.2 dst-port=53 in-interface=bridge out-interface="eth4 Pi" protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop all behind PI Router" in-interface=bridge

/ip firewall nat
add action=dst-nat chain=dstnat comment="Redirect UDP DNS Network" dst-address=!192.168.10.2 dst-port=53 in-interface=bridge protocol=udp to-addresses=192.168.10.2
add action=dst-nat chain=dstnat comment="Redirect TCP DNS Network" dst-address=!192.168.10.2 dst-port=53 in-interface=bridge protocol=tcp to-addresses=192.168.10.2
add action=masquerade chain=srcnat out-interface="eth1 Internet"

Thse will then be removed
/ip firewall nat
add action=src-nat chain=srcnat comment="UDP DNS Masquerade Network" out-interface=bridge protocol=udp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53
add action=src-nat chain=srcnat comment="TCP DNS Masquerade Network" out-interface=bridge protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53

ExpV2
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] name="eth1 Internet"
set [ find default-name=ether2 ] name="eth2 Network"
set [ find default-name=ether3 ] name="eth3 Network"
set [ find default-name=ether4 ] name="eth4 Pi"
set [ find default-name=ether5 ] name="eth5 Admin"
/interface pppoe-client
add add-default-route=yes allow=pap dial-on-demand=yes interface="eth1 Internet" name=PPPoE-WAN use-peer-dns=yes
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp
/interface bridge port
add bridge=bridge hw=no interface="eth2 Network"
add bridge=bridge hw=no interface="eth3 Network"
/interface list member
add interface="eth1 Internet" list=WAN
add interface=bridge list=LAN
add interface="eth4 Pi" list=LAN
add interface="eth5 Admin" list=LAN
/ip address
add address=192.168.1.254/24 interface=bridge network=192.168.1.0
add address=192.168.10.1/24 interface="eth4 Pi" network=192.168.10.0
add address=192.168.0.1/24 interface="eth5 Admin" network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface="eth1 Internet" use-peer-dns=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.0.1 netmask=24
add address=192.168.1.0/24 dns-server=192.168.10.2 gateway=192.168.1.254 netmask=24
add address=192.168.10.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.10.1 netmask=24
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment="Allow established/related" connection-state=established,related
add action=drop chain=input comment="Drop invalid state" connection-state=invalid
add action=accept chain=input comment="Allow Admin" connection-state=established,related,new dst-address=192.168.0.1 in-interface="eth5 Admin" src-address=192.168.0.0/24
add action=drop chain=input comment="Drop all"
add action=accept chain=forward comment="Allow established/related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid state" connection-state=invalid
add action=accept chain=forward in-interface=bridge out-interface="eth1 Internet"
add action=accept chain=forward connection-state=established,related,new dst-address=192.168.10.2 dst-port=53 in-interface=bridge out-interface="eth4 Pi" protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward connection-state=established,related,new dst-address=192.168.10.2 dst-port=53 in-interface=bridge out-interface="eth4 Pi" protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop all behind PI Router" in-interface=bridge
/ip firewall nat
add action=dst-nat chain=dstnat comment="Redirect UDP DNS Network" dst-address=!192.168.10.2 dst-port=53 in-interface=bridge protocol=udp to-addresses=192.168.10.2 to-ports=53
add action=dst-nat chain=dstnat comment="Redirect TCP DNS Network" dst-address=!192.168.10.2 dst-port=53 in-interface=bridge protocol=tcp to-addresses=192.168.10.2 to-ports=53
add action=masquerade chain=srcnat out-interface="eth1 Internet"

Results:
Ping google.com/ wokred
ping 8.8.8.8[216.58.223.142] Request timed out
ping mikrotik.com [159.148.147.196] Request timed out

nslookup mikrotik.com
server: Unknown
Address: 192.168.10.2
Non-authoritative answer:
Name: mikrotik.com
Address: 159.148.147.196

nslookup twitter.com
server: Unknown
Address: 192.168.10.2
Non-authoritative answer:
Name: twitter.com
Address: 104.244.42.1
104.244.42.129


ExpV3
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] name="eth1 Internet"
set [ find default-name=ether2 ] name="eth2 Network"
set [ find default-name=ether3 ] name="eth3 Network"
set [ find default-name=ether4 ] name="eth4 Pi"
set [ find default-name=ether5 ] name="eth5 Admin"
/interface pppoe-client
add add-default-route=yes allow=pap dial-on-demand=yes interface="eth1 Internet" name=PPPoE-WAN use-peer-dns=yes
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp
/interface bridge port
add bridge=bridge hw=no interface="eth2 Network"
add bridge=bridge hw=no interface="eth3 Network"
/interface list member
add interface="eth1 Internet" list=WAN
add interface=bridge list=LAN
add interface="eth4 Pi" list=LAN
add interface="eth5 Admin" list=LAN
/ip address
add address=192.168.1.254/24 interface=bridge network=192.168.1.0
add address=192.168.10.1/24 interface="eth4 Pi" network=192.168.10.0
add address=192.168.0.1/24 interface="eth5 Admin" network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface="eth1 Internet" use-peer-dns=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.0.1 netmask=24
add address=192.168.1.0/24 dns-server=192.168.10.2,192.168.1.254 gateway=192.168.1.254 netmask=24
add address=192.168.10.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.10.1 netmask=24
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment="Allow Admin" dst-address=192.168.0.1 in-interface="eth5 Admin" src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.10.2 dst-port=53 in-interface=bridge out-interface="eth4 Pi" protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.10.2 dst-port=53 in-interface=bridge out-interface="eth4 Pi" protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop all behind PI Router" dst-address=192.168.10.0/24 in-interface=bridge src-address=192.168.1.0/24
add action=accept chain=input dst-address=192.168.1.254 dst-port=53 in-interface=bridge protocol=udp src-address=192.168.1.0/24
add action=accept chain=input dst-address=192.168.1.254 dst-port=53 in-interface=bridge protocol=tcp src-address=192.168.1.0/24
add action=accept chain=input comment="Allow established/related" connection-state=established,related in-interface="eth1 Internet"
add action=drop chain=input comment="Drop invalid state" connection-state=invalid in-interface="eth1 Internet"
add action=accept chain=forward comment="Allow established/related" connection-state=established,related in-interface="eth1 Internet"
add action=drop chain=forward comment="Drop invalid state" connection-state=invalid in-interface="eth1 Internet"
add action=drop chain=input dst-address=192.168.1.254 in-interface=bridge src-address=192.168.1.0/24
/ip firewall nat
add action=src-nat chain=srcnat out-interface=bridge protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53
add action=src-nat chain=srcnat out-interface=bridge protocol=udp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53
add action=dst-nat chain=dstnat comment="Redirect UDP DNS Network" dst-address=!192.168.10.2 dst-port=53 in-interface=bridge protocol=udp to-addresses=192.168.10.2 to-ports=53
add action=dst-nat chain=dstnat comment="Redirect TCP DNS Network" dst-address=!192.168.10.2 dst-port=53 in-interface=bridge protocol=tcp to-addresses=192.168.10.2 to-ports=53
add action=masquerade chain=srcnat out-interface="eth1 Internet"

Results:
The rules was converted from a working ERX config
Ping mikrotik.com works site does not open
nslookup mikrotik.com
server: Unknown
Address: 192.168.10.2
Non-authoritative answer:
Name: mikrotik.com
Address: 159.148.147.196


Out of sure interest and based on this
If you have no firewall rules, all traffic will be accepted

ExpV4
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] name="eth1 Internet"
set [ find default-name=ether2 ] name="eth2 Network"
set [ find default-name=ether3 ] name="eth3 Network"
set [ find default-name=ether4 ] name="eth4 Pi"
set [ find default-name=ether5 ] name="eth5 Admin"
/interface pppoe-client
add add-default-route=yes allow=pap dial-on-demand=yes interface=\
    "eth1 Internet" name=PPPoE-WAN use-peer-dns=yes
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp
/interface bridge port
add bridge=bridge hw=no interface="eth2 Network"
add bridge=bridge hw=no interface="eth3 Network"
/interface list member
add interface="eth1 Internet" list=WAN
add interface=bridge list=LAN
add interface="eth4 Pi" list=LAN
add interface="eth5 Admin" list=LAN
/ip address
add address=192.168.1.254/24 interface=bridge network=192.168.1.0
add address=192.168.10.1/24 interface="eth4 Pi" network=192.168.10.0
add address=192.168.0.1/24 interface="eth5 Admin" network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface="eth1 Internet" use-peer-dns=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.0.1 netmask=24
add address=192.168.1.0/24 dns-server=192.168.10.2 gateway=192.168.1.254  netmask=24
add address=192.168.10.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.10.1 netmask=24
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface="eth1 Internet"

All websites shows "took to long to respond"
The Pis Logs show
Client 192.168.1.198 asked for twitter.com. Pi gos to internet and gets 104.244.42.1
nslookup mikrotik.com
DNS request timed out.
timeout was 2 seconds.
server: Unknown
Address: 192.168.10.2
DNS request timed out.
Life is but a song, we just can't google the words !
 
busty
newbie
Posts: 25
Joined: Tue Nov 07, 2017 2:32 am

Re: RB750, Pi-Hole and cross interface communication

Mon Sep 09, 2019 4:23 pm

V2 - i don't understand output that you provided why 8.8.8.8 has something in brackets [216.58.223.142]. 8.8.8.8 is IP and not hostname. additionally i have no idea how ping google.com was working but ping 8.8.8.8 did not. did you change configuration and right after try to reach from device?

V4 - can't see if pings were success.

can you provide ping and traceroute to 1.1.1.1 and 8.8.8.8 address for each version?
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Mon Sep 09, 2019 5:40 pm

V2 - i don't understand output that you provided why 8.8.8.8 has something in brackets [216.58.223.142]. 8.8.8.8 is IP and not hostname. additionally i have no idea how ping google.com was working but ping 8.8.8.8 did not. did you change configuration and right after try to reach from device?
Could have been a typo on my end.....

To perform the tests I did this with v2, v3 and v4
  • Upload the version, waited about 30sec or so
    • ipconfig /release
    • disable the NIC
    • ipconfig /flushdns
    • enable the NIC
    • ipconfig /renew


    V2
    Ping 1.1.1.1/1.0.0.1 --> Time out
    Ping 8.8.8.8 --> Works
    Ping google.com [216.58.223.142] --> Time out
    Ping mikrotik.com [159.148.147.196]  --> Works
    
    tracert google.com
    1) 192.168.1.254
    2) 192.168.1.10
    3) Time out
    4) 169.1.5.29
    5) Time out
    6) 169.1.5.52
    .
    .
    .
    no result after 20 hopes
    
    
    tracert mikrotik.com 
    1) 192.168.1.254
    2) 192.168.1.10
    3) Time out
    4) 169.1.5.29
    5) 169.1.21.170
    .
    .
    15) mikrotik.com [159.148.147.196]
    

    V3
    Ping 1.0.0.1/8.8.8.8 --> Works
    Ping 1.1.1.1 --> Time out
    Ping google.com --> Ping request could not find host
    Ping mikrotik.com --> Unable to resolve 
    
    tracert google.com -->  Unable to resolve
    tracert mikrotik.com  -->  Unable to resolve
    

    V4
    Ping 1.1.1.1/8.8.8.8 --> Works
    Ping 1.0.0.1 --> Time out
    Ping google.com [216.58.223.142] --> Works
    Ping mikrotik.com [159.148.147.196]  --> Time out
    
    tracert google.com [172.217.170.46]
    1-3) Time out
    4)   169.1.5.29
    10) 172.217.170.46
    
    tracert mikrotik.com [159.148.147.196]
    1-3) Time out
    4)   169.1.5.29
    11) 87.110.223.130
    .
    .
    .
    no result after 20 hopes
    
Life is but a song, we just can't google the words !
 
busty
newbie
Posts: 25
Joined: Tue Nov 07, 2017 2:32 am

Re: RB750, Pi-Hole and cross interface communication

Mon Sep 09, 2019 8:28 pm

can you provide what IP address have you received via DHCP (ip address print)? output from tracert is showing IP address 192.168.1.10 - if your router has same IP on 2 different subnets it can cause issues(bridge vs eth1).
please also provide us ip route print
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Mon Sep 09, 2019 8:58 pm

The IP received from DHCP Router (192.168.1.10) was 192.168.1.219
The DHCP client behind MT (192.168.1.254) was 192.168.1.199

Take note I have changed the IP ranges for the MT (192.168.88.254) and DHCP for clients 192.168.88.10 - 200, this did not resolve the issue.
The original setup ERX that I mentioned was also DHCPing from DHCP Router (192.168.1.10) and DHCP client behind ERX (192.168.1.254) was 192.168.1.20 and it worked 100%
Life is but a song, we just can't google the words !
 
busty
newbie
Posts: 25
Joined: Tue Nov 07, 2017 2:32 am

Re: RB750, Pi-Hole and cross interface communication

Tue Sep 10, 2019 8:20 am

which configuration are you referring to? if it's V4 please provide ip route print output
plus config again because v4 should work
 
mkx
Forum Guru
Forum Guru
Posts: 3177
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB750, Pi-Hole and cross interface communication

Tue Sep 10, 2019 9:13 am

One thing I obviously don't understand: you have configuration for PPPoE in place ... but it has "dial-on-demand=yes" set. So is it used for connecting to internet or not?

  • if yes, I suggest you to set dial-on-demand=no so that pppoe connection doesn't drop due to inactivity. At the same time you have to adjust your
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface="eth1 Internet"
    
    to reflect that PPPoE-WAN is actual WAN interface (it's not eth1 at all ... that one is simple physical interface carrying bits from actual WAN interface). Default way of doing it is to add "PPPoE-WAN" interface to interface list "WAN" and use out-interface-list=WAN in the above-quoted NAT rule instead of out-interface setting
  • if not, then set disabled=yes (or remove it entirely) so that it doesn't interfere
BR,
Metod
 
User avatar
Hav0c
just joined
Topic Author
Posts: 18
Joined: Fri Sep 06, 2019 5:54 pm

Re: RB750, Pi-Hole and cross interface communication

Wed Sep 11, 2019 9:09 pm

After a deep diving into the setup.
I have to say thanks to the following people

sebastia
For your simple and working Firewall rules. ExpV2 /ip firewall filter

busty
For making me rethink how I should change the IPs ranges and how it will work in the end.

and
mkx
For giving the hint about the PPPoE settings.

With the combination of all your inputs the issue was resolved.
Thanks.
Life is but a song, we just can't google the words !

Who is online

Users browsing this forum: MSN [Bot] and 28 guests