
Exclude particular Client from DNS redirect

Posted: Wed Apr 24, 2019 12:44 am
by speaksandeep
Hi, I am using ( https://wiki.mikrotik.com/wiki/Force_us ... DNS_server) to redirect all clients so they are forced to use DNS 208.67.222.222 · 208.67.220.220.
But I want to exclude one client so that it can use Google DNS 8.8.8.8.
I have created a src-nat rule and a filter rule (jump), placed in 1st position, but the client is still not able to use 8.8.8.8 AND all its DNS requests are redirected to 208.67.222.222 · 208.67.220.220.

Please guide

Re: Exclude particular Client from DNS redirect

Posted: Wed Apr 24, 2019 5:29 am
by Sob
Take rules from that article and add either src-address=!<address> (if it's just one) or src-address-list=!<list name> (if it's more than one and you added them to address list <list name>).

And next time post exact rules, because it's not clear from your description what exactly you did.

Re: Exclude particular Client from DNS redirect

Posted: Wed Apr 24, 2019 6:17 pm
by anav
That is a strange WIKI document and I'm not sure if the person writing it had a wandering mind...........

From the WIKI
In /ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=tcp dst-port=53
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=udp dst-port=53

From Trainer Anav yuck yuck yuck............
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=\
tcp src-address-list=!VLAN_Interfaces
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=\
udp src-address-list=!VLAN_Interfaces

What is the difference between these two????????????

and is this what you're suggesting........
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=\
tcp src-address=![sourceIPaddress_exception]
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=\
udp src-address=![sourceIPaddress_exception]

Re: Exclude particular Client from DNS redirect

Posted: Wed Apr 24, 2019 6:32 pm
by Sob
OP wants redirection to external server, so action=redirect won't work here (it's for redirecting to local service on router).

Re: Exclude particular Client from DNS redirect  [SOLVED]

Posted: Wed Apr 24, 2019 11:03 pm
by speaksandeep
Hi, thanks for the reply:

Please find the configuration for IP and Firewall.
The client IP 10.38.7.19 needs to be excluded from all filters/firewall rules and needs to map to WAN IP 10.38.0.76,
and the LAN network 10.38.6.0/23 will src-nat to 10.38.0.10.

I have created 2 entries in the ip-nat section and 2 entries in the ip-filter section. The traffic from 10.38.7.19 should have higher priority than the others and its DNS should not be redirected, whereas all other clients' DNS traffic needs to be redirected to the router DNS IP 10.38.7.1.
Please check and correct me if there is any error.

/ip address
add address=10.38.0.10/22 comment="WAN link" interface=WAN1 network=10.38.0.0
add address=10.38.7.1/23 comment="Hotspot Port" interface=hp_bridge network=10.38.6.0
add address=127.0.0.1 comment="Radius Loopback" interface=Loopback network=127.0.0.1
add address=10.38.0.76/22 comment="Sandeep 7.19" interface=WAN1 network=10.38.0.0


/ip firewall nat
add action=src-nat chain=srcnat comment="Sandeep 7.19 sr-nat Out" log-prefix=out-sandy src-address=10.38.7.19 to-addresses=10.38.0.76
add action=dst-nat chain=dstnat comment="Sandeep 7.19 dst-nat Incoming" dst-address=10.38.0.76 in-interface=WAN1 to-addresses=10.38.7.19

add action=redirect chain=dstnat comment="DNS redirection for Sandeep" disabled=yes dst-port=53 log=yes log-prefix=dns-Redirect-udp-sandeep protocol=udp src-address=!10.38.7.19 to-ports=53
add action=redirect chain=dstnat comment="DNS redirection to local cache" dst-port=53 log-prefix=dns-Redirect-udp-all protocol=udp src-address=!10.38.7.19 to-ports=53

add action=redirect chain=dstnat comment="DNS redirect by tcp" dst-port=53 log-prefix=dns-Redirect-tcp protocol=tcp to-ports=53
add action=src-nat chain=srcnat comment="Src-Nat for all users" log-prefix=masquera out-interface=WAN1 src-address=10.38.6.0/23 to-addresses=10.38.0.10
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.38.6.0/23

/ip firewall filter
add action=accept chain=forward log-prefix=sandeep-firewall src-address=10.38.7.19
add action=accept chain=forward dst-address=10.38.7.19

Re: Exclude particular Client from DNS redirect

Posted: Wed Apr 24, 2019 11:24 pm
by Sob
You missed the exception for TCP DNS redirection, but otherwise it should do what you want.
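Putting Sob's two replies together, the following is an added example (not config from the thread or the wiki) of the OP's DNS redirect rules with the exclusion applied to both the UDP and the TCP rule, using an address list so more clients can be exempted later; the list name DNS_EXEMPT and the src-address scoping to the hotspot network are assumptions.

```routeros
# Clients allowed to reach external DNS (e.g. 8.8.8.8) directly.
# Constructed list; the name DNS_EXEMPT is an assumption, not from the thread.
/ip firewall address-list
add list=DNS_EXEMPT address=10.38.7.19 comment="Sandeep 7.19 - may use external DNS"

# Everyone else on the hotspot network (10.38.6.0/23) is sent to the router's own
# DNS service on 10.38.7.1. The exception has to be on BOTH the UDP and the TCP
# rule; the thread's original config only carried it on the UDP rule.
/ip firewall nat
add chain=dstnat action=redirect protocol=udp dst-port=53 \
    src-address=10.38.6.0/23 src-address-list=!DNS_EXEMPT to-ports=53 \
    comment="Force hotspot clients to router DNS - UDP"
add chain=dstnat action=redirect protocol=tcp dst-port=53 \
    src-address=10.38.6.0/23 src-address-list=!DNS_EXEMPT to-ports=53 \
    comment="Force hotspot clients to router DNS - TCP"

# The router must actually answer redirected queries from the LAN side.
/ip dns set allow-remote-requests=yes

# Check: packet/byte counters on both rules should climb for ordinary clients
# and stay flat for 10.38.7.19 while it queries 8.8.8.8.
/ip firewall nat print stats where comment~"router DNS"
```

Note that these rules only catch plain DNS on port 53; a client using DNS over TLS (853) or DNS over HTTPS (443) is not affected by a port-53 redirect, so check for that traffic separately if the policy must be enforced for every client.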