batfink
just joined
Topic Author
Posts: 1
Joined: Sat Sep 05, 2020 5:38 pm

PiHole / alternate DNS config issue

Sun Sep 06, 2020 9:54 pm

I set up my Hex S this week to replace an old Asus home router. Really impressed so far and have got my head around the basics.

I'm struggling with routing DNS queries through my PiHole, though, which is on a static IP of 192.168.1.2 (I use 192.168.1.0/24 for my network). I put the PiHole IP into the DNS section under the DHCP server and untick "use peer DNS" on the interface. At this point, the connection falls over with a constant repeat of "connecting... terminating - unable to obtain IP address..." etc.

The router gets stuck in this loop and will not recover from it. The only way I have found is to 'reset configuration' and start all over again. If I reset then restore a known working backup, the connection issue comes back so it will only work again if I manually rebuild the config/rules again. Slightly frustrating!

My guess is that the interface is getting stuck in some sort of unobtainable loop. The PiHole works fine if I manually configure the DNS on a device (e.g. mobile phone).

My guess is that it must be a firewall config issue. I've followed the Mikrotik guidance to pretty well lock down my firewall so I'm guessing I might need to either pass through port 53 or add the PiHole IP to one of my firewall rules.

Can anyone help narrow the issue down?

Thanks.

# sep/06/2020 19:34:44 by RouterOS 6.47.3
# software id = MW9G-YJBZ
#
# model = RB760iGS
# serial number = ############ (*removed*)
/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
add address=192.168.2.2-192.168.2.100 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add chain=input port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
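Added example (not code from the poster or from MikroTik): a small first-match walk over an excerpt of the export above, to check which sources the input chain lets reach the router's own DNS listener. It parses RouterOS `\` line continuations and the `first-last` address-list ranges the export uses, and assumes a hypothetical packet with just `src` and `iface_list` fields, since those are the only matchers the excerpt's rules test.

```python
import ipaddress, re, shlex

# Constructed excerpt of the poster's export: allowed_to_router plus the input rules gating DNS to the router.
EXPORT = r"""/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
add address=192.168.2.2-192.168.2.100 list=allowed_to_router
/ip firewall filter
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input
"""

def parse_export(text):
    lists, rules = {}, []
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # join '\' continuations
        if line.startswith("add "):
            entry = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            if "chain" in entry:
                rules.append(entry)
            else:
                lists.setdefault(entry["list"], []).append(entry["address"])
    return lists, rules

def in_address_list(ip, entries):
    ip = ipaddress.ip_address(ip)
    for e in entries:  # CIDR prefix or 'first-last' range; the export uses ranges
        lo, _, hi = e.partition("-")
        if hi and ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi):
            return True
        if not hi and ip in ipaddress.ip_network(lo, strict=False):
            return True
    return False

def rule_matches(rule, pkt, lists):
    # Only the matchers this excerpt uses; a matcher the rule omits always matches.
    lst = rule.get("src-address-list")
    if lst and not in_address_list(pkt["src"], lists.get(lst, [])):
        return False
    want = rule.get("in-interface-list", pkt["iface_list"])  # '!LAN' negates the test
    return (pkt["iface_list"] == want.lstrip("!")) != want.startswith("!")

def verdict(text, pkt, chain="input"):
    # First-match walk like RouterOS; traffic no rule matches falls through to accept.
    lists, rules = parse_export(text)
    for r in rules:
        if r["chain"] == chain and rule_matches(r, pkt, lists):
            return r.get("action", "accept"), r.get("comment", "")
    return "accept", "chain default"
```

With the poster's list, 192.168.1.2 is accepted by the allowed_to_router rule, anything from the WAN hits the "drop all not coming from LAN" rule, and a LAN host outside the listed ranges falls to the final unconditional drop.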
