speaksandeep
just joined
Topic Author
Posts: 22
Joined: Sat Jul 12, 2014 1:02 pm

Exclude particular Client from DNS redirect

Wed Apr 24, 2019 12:44 am

Hi, I am using ( https://wiki.mikrotik.com/wiki/Force_us ... DNS_server) to force all clients to use DNS 208.67.222.222 · 208.67.220.220.
But I want to exclude one client so that it can use Google DNS 8.8.8.8.
I have created a src-nat rule and a filter rule (jump), placed in 1st position, but even then the client is not able to use 8.8.8.8 and all its DNS requests are redirected to 208.67.222.222 · 208.67.220.220.

Please guide
Regards,

Sandeep Baral
 
Sob
Forum Guru
Posts: 4807
Joined: Mon Apr 20, 2009 9:11 pm

Re: Exclude particular Client from DNS redirect

Wed Apr 24, 2019 5:29 am

Take rules from that article and add either src-address=!<address> (if it's just one) or src-address-list=!<list name> (if it's more than one and you added them to address list <list name>).

And next time post exact rules, because it's not clear from your description what exactly you did.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
anav
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Exclude particular Client from DNS redirect

Wed Apr 24, 2019 6:17 pm

That is a strange WIKI document and not sure if the person writing it had a wandering mind...........

From the WIKI
In /ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=tcp dst-port=53
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=udp dst-port=53

From Trainer Anav yuck yuck yuck............
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=\
tcp src-address-list=!VLAN_Interfaces
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=\
udp src-address-list=!VLAN_Interfaces

What is the difference between these two????????????

and is what you're suggesting........
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=\
tcp src-address=![sourceIPaddress_exception]
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=\
udp src-address=![sourceIPaddress_exception]
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Sob
Forum Guru
Posts: 4807
Joined: Mon Apr 20, 2009 9:11 pm

Re: Exclude particular Client from DNS redirect

Wed Apr 24, 2019 6:32 pm

OP wants redirection to external server, so action=redirect won't work here (it's for redirecting to local service on router).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
speaksandeep
just joined
Topic Author
Posts: 22
Joined: Sat Jul 12, 2014 1:02 pm

Re: Exclude particular Client from DNS redirect  [SOLVED]

Wed Apr 24, 2019 11:03 pm

Hi, thanks for the reply.

Please find the configuration for IP and firewall below.
The client IP 10.38.7.19 needs to be excluded from all filters/firewall and needs to map to WAN IP 10.38.0.76,
and LAN network 10.38.6.0/23 will src-nat to 10.38.0.10.

I have created 2 entries in the ip-nat field and 2 entries in the ip-filter field. The traffic from 10.38.7.19 should have higher priority than the others and its DNS should not be redirected, whereas all other clients' DNS traffic needs to be redirected to the router DNS IP 10.38.7.1.
Please check and correct me if there is any error.

/ip address
add address=10.38.0.10/22 comment="WAN link" interface=WAN1 network=10.38.0.0
add address=10.38.7.1/23 comment="Hotspot Port" interface=hp_bridge network=10.38.6.0
add address=127.0.0.1 comment="Radius Loopback" interface=Loopback network=127.0.0.1
add address=10.38.0.76/22 comment="Sandeep 7.19" interface=WAN1 network=10.38.0.0


/ip firewall nat
add action=src-nat chain=srcnat comment="Sandeep 7.19 sr-nat Out" log-prefix=out-sandy src-address=10.38.7.19 to-addresses=10.38.0.76
add action=dst-nat chain=dstnat comment="Sandeep 7.19 dst-nat Incoming" dst-address-list=10.38.0.76/32 in-interface=WAN1 to-addresses=10.38.7.19

add action=redirect chain=dstnat comment="DNS redirection for Sandeep" disabled=yes dst-port=53 log=yes log-prefix=dns-Redirect-udp-sandeep protocol=udp src-address=!10.38.7.19 to-ports=53
add action=redirect chain=dstnat comment="DNS redirection to local cache" dst-port=53 log-prefix=dns-Redirect-udp-all protocol=udp src-address=!10.38.7.19 to-ports=53

add action=redirect chain=dstnat comment="DNS redirect by tcp" dst-port=53 log-prefix=dns-Redirect-tcp protocol=tcp to-ports=53
add action=src-nat chain=srcnat comment="Src-Nat for all users" log-prefix=masquera out-interface=WAN1 src-address=10.38.6.0/23 to-addresses=10.38.0.10
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.38.6.0/23

/ip firewall filter
add action=accept chain=forward log-prefix=sandeep-firewall src-address=10.38.7.19
add action=accept chain=forward dst-address=10.38.7.19
Regards,

Sandeep Baral
 
Sob
Forum Guru
Posts: 4807
Joined: Mon Apr 20, 2009 9:11 pm

Re: Exclude particular Client from DNS redirect

Wed Apr 24, 2019 11:24 pm

You missed exception for tcp dns redirection, but otherwise it should do what you want.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
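
Added example (not part of the original thread and not any poster's code): a small Python check that reads a RouterOS NAT export and reports DNS interception rules whose source exemptions differ between protocols, which is the gap pointed out in the last reply. The sample is a constructed excerpt of the rules posted above; the function names are hypothetical, and the check only looks at negated src-address / src-address-list matchers in chain=dstnat, ignoring rule order and other chains.

```python
import re
import shlex

# Constructed sample: DNS-relevant NAT rules from the configuration posted above.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=redirect chain=dstnat comment="DNS redirection for Sandeep" disabled=yes dst-port=53 protocol=udp src-address=!10.38.7.19 to-ports=53
add action=redirect chain=dstnat comment="DNS redirection to local cache" dst-port=53 protocol=udp src-address=!10.38.7.19 to-ports=53
add action=redirect chain=dstnat comment="DNS redirect by tcp" dst-port=53 protocol=tcp to-ports=53
add action=src-nat chain=srcnat out-interface=WAN1 src-address=10.38.6.0/23 to-addresses=10.38.0.10
"""

def parse_rules(export):
    """Yield a dict of key=value pairs for every 'add' line of an export."""
    export = re.sub(r"\\\n\s*", "", export)  # join backslash-continued lines
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("add "):
            yield dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)

def dns_exemptions(export):
    """Map protocol -> list of exemption sets, one per active DNS interception rule."""
    found = {}
    for r in parse_rules(export):
        if (r.get("chain") == "dstnat" and r.get("action") in ("redirect", "dst-nat")
                and r.get("dst-port") == "53" and r.get("disabled") != "yes"):
            exempt = {f"{k}={r[k][1:]}" for k in ("src-address", "src-address-list")
                      if r.get(k, "").startswith("!")}
            found.setdefault(r.get("protocol", "any"), []).append(exempt)
    return found

def exemption_gaps(export):
    """Return {protocol: [exemptions honoured for another protocol but not this one]}."""
    # A source escapes interception for a protocol only if every active rule skips it.
    per_proto = {p: set.intersection(*s) for p, s in dns_exemptions(export).items()}
    everyone = set().union(*per_proto.values())
    return {p: sorted(everyone - ex) for p, ex in per_proto.items() if everyone - ex}

if __name__ == "__main__":
    print(exemption_gaps(SAMPLE_EXPORT))
```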
