Community discussions

 
ZeeKay
just joined
Topic Author
Posts: 14
Joined: Wed Feb 06, 2019 4:08 am

How do I allow DNS traffic from one VLAN to another?

Sat Jul 06, 2019 5:22 am

Hello,

I have configured my HAP AC2 to have multiple VLANs. One VLAN is for my home network computers, another for TVs and Roku and the third one is for guests. As it is configured right now, computer in one VLAN cannot access one in the other VLAN. This was the intended setup, until now. I now want to setup a PiHole DNS in my home network and want to allow limited DNS-only traffic from other VLANs. Can't seem to figure out how to do it.

I'd also like to seek advice if there's a better way to position the PiHole in my home network so that I don't have to punch holes in the firewall for cross VLAN traffic.

I've pasted my router config below.

Thanks
ZeeKay
Last edited by ZeeKay on Sun Jul 07, 2019 4:52 am, edited 1 time in total.
 
sindy
Forum Guru
Posts: 3809
Joined: Mon Dec 04, 2017 9:19 pm

Re: How do I allow DNS traffic from one VLAN to another?  [SOLVED]

Sat Jul 06, 2019 1:51 pm

Just place a firewall filter rule action=accept chain=forward comment="VLAN DNS Access Only" connection-state=new in-interface-list=VLAN protocol=udp dst-port=53 dst-address=ip.of.the.pihole just before the action=accept chain=forward comment="VLAN Internet Access Only" connection-state=new in-interface-list=VLAN out-interface-list=WAN one. To permit TCP DNS queries, just place another copy of that rule to the same place in the chain and change protocol to tcp.

If you'd want to permit access to the pihole to all VLAN subnets without punching a hole in the firewall, you'd have to connect the pihole to the 'Tik using a trunk and put up one interface on the pihole in each VLAN. But in that case, you'd have to be more careful about security at the pihole itself.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
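The ordering sindy describes, written out as a complete forward chain. This is an added example, not code from the post or from MikroTik; it assumes interface lists named VLAN and WAN already exist, and 192.168.100.4 is an assumed Pi-hole address.

```routeros
# Added example, not from the thread. Assumed: interface lists VLAN and WAN
# exist, the Pi-hole is at 192.168.100.4 (assumed address).
/ip firewall filter
# Replies to flows that were already accepted must pass in both directions.
add chain=forward action=accept connection-state=established,related \
    comment="allow established/related"
# The DNS-only hole: new flows from any VLAN to the Pi-hole on port 53,
# UDP and TCP. These sit ABOVE "VLAN Internet Access Only" so that a
# first-match walk reaches them before the VLAN-to-VLAN traffic is dropped.
add chain=forward action=accept connection-state=new in-interface-list=VLAN \
    protocol=udp dst-port=53 dst-address=192.168.100.4 \
    comment="VLAN DNS Access Only"
add chain=forward action=accept connection-state=new in-interface-list=VLAN \
    protocol=tcp dst-port=53 dst-address=192.168.100.4 \
    comment="VLAN DNS Access Only (TCP)"
# Everything else originating in a VLAN may only leave toward the Internet.
add chain=forward action=accept connection-state=new in-interface-list=VLAN \
    out-interface-list=WAN comment="VLAN Internet Access Only"
# Any other forwarded flow, VLAN-to-VLAN included, is dropped.
add chain=forward action=drop comment="drop all other forward"

# When the "Internet only" rule already exists on a running box, insert the
# DNS rule in front of it by id instead of rebuilding the chain:
add chain=forward action=accept connection-state=new in-interface-list=VLAN \
    protocol=udp dst-port=53 dst-address=192.168.100.4 \
    comment="VLAN DNS Access Only" \
    place-before=[find chain=forward comment="VLAN Internet Access Only"]

# Verify the order: the DNS rules must print before the Internet-only rule.
/ip firewall filter print where chain=forward
```

The dst-address match is what keeps this a DNS-only hole: other hosts in the Pi-hole's VLAN remain unreachable, and any other cross-VLAN flow falls through to the final drop. Replies to accepted queries return through the established/related rule, so no reverse rule is needed; the Pi-hole's own upstream queries leave through its VLAN's Internet-only rule like any other host's traffic.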
 
sebastia
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: How do I allow DNS traffic from one VLAN to another?

Sat Jul 06, 2019 11:08 pm

Another option: VRF. Have isolated routing for each VLAN, and insert the DNS server record as an allowed target.
https://wiki.mikrotik.com/wiki/Manual:V ... Forwarding
 
ZeeKay
just joined
Topic Author
Posts: 14
Joined: Wed Feb 06, 2019 4:08 am

Re: How do I allow DNS traffic from one VLAN to another?

Sun Jul 07, 2019 4:28 am

Just place a firewall filter rule action=accept chain=forward comment="VLAN DNS Access Only" connection-state=new in-interface-list=VLAN protocol=udp dst-port=53 dst-address=ip.of.the.pihole just before the action=accept chain=forward comment="VLAN Internet Access Only" connection-state=new in-interface-list=VLAN out-interface-list=WAN one. To permit TCP DNS queries, just place another copy of that rule to the same place in the chain and change protocol to tcp.

If you'd want to permit access to the pihole to all VLAN subnets without punching a hole in the firewall, you'd have to connect the pihole to the 'Tik using a trunk and put up one interface on the pihole in each VLAN. But in that case, you'd have to be more careful about security at the pihole itself.
Thanks a lot!
This solved my issue
 
inteq
Member Candidate
Posts: 102
Joined: Wed Feb 25, 2015 8:15 pm

Re: How do I allow DNS traffic from one VLAN to another?

Sun Jul 07, 2019 1:03 pm

My setup with pi-hole is:

Replace 192.168.100.4 with your Pi-hole IP, and the 176.103.130.130,176.103.130.131 DNS servers with yours.

On IP\DNS, set up the DNS server as the Pi-hole private IP. Only one entry.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=192.168.100.4
On the Pi-hole, set up the real DNS servers. I use 176.103.130.130 & 176.103.130.131.
On IP\NAT, intercept all DNS traffic on port 53 (UDP+TCP) except the private IP of pi-hole.
/ip firewall nat
add action=redirect chain=dstnat comment="Intercept DNS queries UDP" \
    dst-port=53 protocol=udp src-address=!192.168.100.4 \
    to-ports=53
add action=redirect chain=dstnat comment="Intercept DNS queries TCP" \
    dst-port=53 protocol=tcp src-address=!192.168.100.4 \
    to-ports=53
This way no clients have to know about the Pi-hole; they don't need to be able to reach it or to have it configured as the DNS server via DHCP.
The router will intercept DNS traffic on all interfaces, query the pi-hole, then reply to the client. A benchmark showed no speed penalty in using this setup versus using the pi-hole directly.

Extra tip
In case the Pi-hole ever goes offline for some reason, set up a netwatch script in Tools\Netwatch to bypass it.
/tool netwatch
add down-script=":log warning \"Pi-Hole offline. Changing DNS\"\r\
    \n/system script run BeepDown\r\
    \n/ip dns set servers=176.103.130.130,176.103.130.131;" host=\
    192.168.100.4 interval=5s up-script=":log warning \"Pi-Hole back online. C\
    hanging DNS\"\r\
    \n/system script run BeepUp\r\
    \n/ip dns set servers=192.168.100.4;"

Later edit: delete /system script run BeepDown and /system script run BeepUp from the netwatch script, or create the scripts with some sound in them to get audio notifications when the Pi-hole goes offline.
Example /system script run BeepDown
:beep frequency=580 length=300ms;
:delay 300ms;
:beep frequency=580 length=300ms;
:delay 300ms;
:beep frequency=370 length=600ms;

and /system script run BeepUp
:beep frequency=580 length=300ms;
:delay 300ms;
:beep frequency=580 length=300ms;
:delay 300ms;
:beep frequency=870 length=600ms;
Last edited by inteq on Mon Jul 08, 2019 11:25 am, edited 3 times in total.
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How do I allow DNS traffic from one VLAN to another?

Sun Jul 07, 2019 11:25 pm

Word of caution: using Pi-hole and DNS is tricky business. I tried doing it and ended up removing it due to the amount of weird scenarios where family members' internet worked sporadically.
Now I am a complete noob at RouterOS and there are so many ways to frig a setup that it should work just fine; it's just that my experience has not been a happy one.
I reverted to setting a DNS server for each VLAN and not going through the router or Pi-hole at all, be it 8.8.8.8 or 1.1.1.1 etc. I may try again in the future.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
ZeeKay
just joined
Topic Author
Posts: 14
Joined: Wed Feb 06, 2019 4:08 am

Re: How do I allow DNS traffic from one VLAN to another?

Mon Jul 08, 2019 2:59 am

Thanks for another way to set it up. I love RouterOS because it allows me to accomplish what I want in different ways, though I'm always curious which one is more elegant and, once I forget about it, how easy it is for me to grab the concepts back and trace my setup (that happens a lot :)). I've also created a network diagram of my setup so that I can remember what I did. I don't have a sysadmin or networking background, though I did my RHCSA back in the day.
On IP\NAT, intercept all DNS traffic on port 53 (UDP+TCP) except the private IP of pi-hole.
/ip firewall nat
add action=redirect chain=dstnat comment="Intercept DNS queries UDP" \
    dst-port=53 protocol=udp src-address=!192.168.100.4 \
    to-ports=53
add action=redirect chain=dstnat comment="Intercept DNS queries TCP" \
    dst-port=53 protocol=tcp src-address=!192.168.100.4 \
    to-ports=53
This way no clients have to know about the Pi-hole; they don't need to be able to reach it or to have it configured as the DNS server via DHCP.
The router will intercept DNS traffic on all interfaces, query the pi-hole, then reply to the client. A benchmark showed no speed penalty in using this setup versus using the pi-hole directly.
I'm curious ... why would you implement DNS this way, vs just add PiHole to the IP > DNS?
What'll happen if I change DNS on my computer manually to point to Cloudflare DNS or something? Will your solution still hijack the DNS traffic and reroute it via Pi-hole?

Thanks
ZeeKay
 
ZeeKay
just joined
Topic Author
Posts: 14
Joined: Wed Feb 06, 2019 4:08 am

Re: How do I allow DNS traffic from one VLAN to another?

Mon Jul 08, 2019 3:05 am

Word of caution: using Pi-hole and DNS is tricky business. I tried doing it and ended up removing it due to the amount of weird scenarios where family members' internet worked sporadically.
Now I am a complete noob at RouterOS and there are so many ways to frig a setup that it should work just fine; it's just that my experience has not been a happy one.
I reverted to setting a DNS server for each VLAN and not going through the router or Pi-hole at all, be it 8.8.8.8 or 1.1.1.1 etc. I may try again in the future.
Dude, you're the forum guru and you're saying you're a noob. If that's the case then I haven't even started yet.

Pi-hole can be tricky in the beginning, but as you learn to use it better it becomes a very useful tool IMO. This is true for any new monitoring/filtering layer you put up on your network. So I won't ever roll it out with a bang without first running a pilot on a few devices and working out the kinks. VPN, RDP and other work-related scenarios can be tricky and I don't want to leave people stranded without making sure they work properly. I just started my pilot.

What specific issue got you spooked with PiHole?
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How do I allow DNS traffic from one VLAN to another?

Mon Jul 08, 2019 3:17 am

Haha Zeekay, I wish I could remove the nick addendum, it only reflects the number of posts not the quality of posts. ;-)
 
inteq
Member Candidate
Posts: 102
Joined: Wed Feb 25, 2015 8:15 pm

Re: How do I allow DNS traffic from one VLAN to another?

Mon Jul 08, 2019 3:28 am

I'm curious ... why would you implement DNS this way, vs just add PiHole to the IP > DNS?
I am doing it this way because if I use the pi-hole as a DNS server directly and it ever goes offline, the whole DNS will be offline for the whole DHCP network.
The way I described my setup, if the pi-hole goes offline, the netwatch script will fix it in under 5 seconds and the downtime in DNS service will be minimal.

What'll happen if I change DNS on my computer manually to point to Cloudflare DNS or something? Will your solution still hijack the DNS traffic and reroute it via Pi-hole?

Thanks
ZeeKay
Yes.
You can even do:
nslookup.png
The client will try to connect to another DNS server and will think it is actually connected to it, as you can see from the above screenshot.
I have blacklisted example.com just for testing on Pi-hole. As you see, it resolves to 0.0.0.0 "via" Google DNS.
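inteq's interception (the NAT redirect in the earlier post) and the answer to ZeeKay's question about clients that pick their own resolver, restated as one added example. This is not the post's own export and not MikroTik code; it assumes an interface list named VLAN that contains all internal VLANs, a WAN list, the Pi-hole at 192.168.100.4 and the two upstream resolvers from inteq's post. It adds the two checks a practitioner would want: the redirect is limited to traffic entering from the inside, and the router's resolver, which allow-remote-requests=yes exposes on every interface, is reachable only from the inside. Because the redirect matches any destination address, a client that manually sets Cloudflare or Google is still answered by the router through the Pi-hole, which is the behaviour the screenshot above describes.

```routeros
# Added example, not from the thread. Assumed: interface lists VLAN (all
# internal VLANs) and WAN, Pi-hole at 192.168.100.4 (assumed address),
# upstream resolvers 176.103.130.130 and 176.103.130.131 as in inteq's post.
/ip dns
set allow-remote-requests=yes servers=192.168.100.4

/ip firewall nat
# Send every port-53 packet to the router's own resolver, regardless of the
# address the client typed in, but only when it enters from an internal VLAN
# and does not come from the Pi-hole itself (the Pi-hole's upstream queries
# must not be looped back into the router).
add chain=dstnat action=redirect in-interface-list=VLAN protocol=udp \
    dst-port=53 src-address=!192.168.100.4 to-ports=53 \
    comment="Intercept DNS queries UDP (internal only)"
add chain=dstnat action=redirect in-interface-list=VLAN protocol=tcp \
    dst-port=53 src-address=!192.168.100.4 to-ports=53 \
    comment="Intercept DNS queries TCP (internal only)"

/ip firewall filter
# allow-remote-requests=yes makes the router answer DNS for anyone who can
# reach port 53 on it; keep that closed toward the WAN so the router is not
# an open resolver. Place these before any generic input drop rule.
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53 \
    comment="DNS to router from internal VLANs"
add chain=input action=accept in-interface-list=VLAN protocol=tcp dst-port=53 \
    comment="DNS to router from internal VLANs (TCP)"
add chain=input action=drop in-interface-list=WAN protocol=udp dst-port=53 \
    comment="no open resolver on WAN"
add chain=input action=drop in-interface-list=WAN protocol=tcp dst-port=53 \
    comment="no open resolver on WAN (TCP)"

# Check that interception is working: the packet counters on the two dstnat
# rules rise when a client queries 8.8.8.8 (or any other address) on port 53.
/ip firewall nat print stats where comment~"Intercept DNS"
```

Since clients only ever talk to the router, the netwatch fallback in inteq's post keeps working unchanged: swapping the servers= list on the router moves every VLAN to the upstream resolvers at once, and no client ever sees the Pi-hole's address. Note that this only catches plain DNS on port 53; a client using DNS over HTTPS or TLS bypasses the redirect entirely.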