I'm struggling with routing DNS queries through my PiHole, which is on a static IP of 192.168.1.2 (I use 192.168.1.0/24 for my network). I put the PiHole IP into the DNS section under the DHCP server and untick "use peer DNS" on the interface. At this point, the connection falls over with a constant repeat of "connecting... terminating - unable to obtain IP address..." etc.
The router gets stuck in this loop and will not recover from it. The only way I have found is to 'reset configuration' and start all over again. If I reset then restore a known working backup, the connection issue comes back so it will only work again if I manually rebuild the config/rules again. Slightly frustrating!
My guess is that the interface is getting stuck in some sort of unobtainable loop. The PiHole works fine if I manually configure the DNS on a device (e.g. mobile phone).
My guess is that it must be a firewall config issue. I've followed the Mikrotik guidance to pretty well lock down my firewall so I'm guessing I might need to either pass through port 53 or add the PiHole IP to one of my firewall rules.
Can anyone help narrow the issue down?
Thanks.
Code:
# sep/06/2020 19:34:44 by RouterOS 6.47.3
# software id = MW9G-YJBZ
#
# model = RB760iGS
# serial number = ############ (*removed*)
/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
add address=192.168.2.2-192.168.2.100 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
add chain=input port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN