David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

pi hole after mikrotik router - get remote IP?

Mon Jul 12, 2021 2:27 pm

hello,
I have set up Pi-Hole (10.0.0.150) after a MikroTik router (10.0.0.253) with public IP 95.12.34.111
I have set up dst-nat from the outside to port 53 (udp/tcp) to the Pi-hole
it's working
when I set up another router/computer with this DNS, I can see it go through the Pi-hole
and also in the Pi-hole I see it gets the request from the remote router.

my "problem" is that I only see the IP of the MikroTik router connected to the Pi-hole, so it seems that every request is coming from 10.0.0.253
what do I need to change in order to see the remote address, the one that is sending the DNS request?

Thanks,
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: pi hole after mikrotik router - get remote IP?

Mon Jul 12, 2021 2:47 pm

Probably you have another improperly configured src-nat/masquerade rule as well.
For example for hairpin NAT.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: pi hole after mikrotik router - get remote IP?

Mon Jul 12, 2021 3:28 pm

on what side?
the remote side?

there I have a WiFi router that gives DHCP on the WiFi interface
and the only rule I have is
/ip firewall nat
add action=masquerade chain=srcnat comment="WiFi network" \
    src-address=172.20.164.0/24
but on the Pi-hole dashboard I can only see the MikroTik router connected to it as the client IP

and on the MikroTik connected to the Pi-hole I have this:
/ip firewall filter
add action=add-src-to-address-list address-list="" address-list-timeout=none-dynamic chain=forward dst-port=53 protocol=tcp
add action=add-src-to-address-list address-list=test address-list-timeout=none-dynamic chain=forward dst-port=53 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=80 in-interface=Remote protocol=tcp to-addresses=10.0.0.150 to-ports=80
add action=dst-nat chain=dstnat dst-port=22 in-interface=Remote protocol=tcp to-addresses=10.0.0.150 to-ports=22
add action=dst-nat chain=dstnat dst-port=53 in-interface=Remote protocol=tcp to-addresses=10.0.0.150 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 in-interface=Remote protocol=udp to-addresses=10.0.0.150 to-ports=53
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: pi hole after mikrotik router - get remote IP?

Mon Jul 12, 2021 4:14 pm

Ok.
Now I get it.

And there is absolutely no way for pi-hole to see local addresses of the devices behind mikrotik#2 if it performs src-nat for such connections.

Establish a tunnel between two mikrotik routers (with no nat performed on both sides) and let dns requests go through this tunnel.
That would be a good idea anyway.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: pi hole after mikrotik router - get remote IP?

Thu Jul 15, 2021 11:14 am

I didn't think about it - I will try it.

Thank you
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: pi hole after mikrotik router - get remote IP?

Sun Jul 25, 2021 5:31 pm

I have changed my settings to this:
PI-Hole.png

when a client connects to the WiFi it gets an address from the MikroTik, 172.16.99.0/24 (pool 1-50); the WiFi is 172.16.99.254
and has an internet connection without any problem.
I have connected the Pi-hole and set up the DNS server in the MikroTik to 10.0.0.150
everything is working, no ads on websites.

but in the Pi-Hole logs I can only see 10.0.0.253 as the only one requesting DNS service from me
is there anything I can do in order to see the WiFi DHCP clients I'm serving? 172.16.99.0/24?

all I have in the firewall is
/ip firewall nat
add action=masquerade chain=srcnat
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: pi hole after mikrotik router - get remote IP?

Sun Jul 25, 2021 8:24 pm

That is correct because it seems the WiFi clients are NATed and their source address becomes the address of the router.

If you want your client IP then the WiFi should be in the same subnet, 10.10.10.0/24, to skip the NAT.

And put in the DHCP server settings the DNS address of the Pi-hole.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: pi hole after mikrotik router - get remote IP?

Mon Jul 26, 2021 9:30 am

I don't want the WiFi to be the same as the rest of the network
I have other servers / computers / devices on the network I don't want them to have access to.

but when I think about it
can I do the following:
change the Ether1 IP to 10.0.0.253/29
change WiFi IP to 10.0.0.50/28 (and set up the pool to 50-60)
route 0.0.0.0/0 to fortigate 10.0.0.254 (as now)
disable the NAT
make a firewall rule that blocks all WiFi addresses to 10.0.0.200-10.0.0.220 (this is where I don't want the WiFi to have access to)

can this do the job?

what do you think?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: pi hole after mikrotik router - get remote IP?

Mon Jul 26, 2021 10:00 am

change the Ether1 IP to 10.0.0.253/29
change WiFi IP to 10.0.0.50/28 (and setup the pool to 50-60)
route 0.0.0.0/0 to fortigate 10.0.0.254 (as now)

No, that wouldn't do, because neither 10.0.0.150 (pihole) nor 10.0.0.254 (router) are members of subnet 10.0.0.50/28 (which covers IP addresses between 10.0.0.48 and 10.0.0.63), hence WiFi clients wouldn't be able to reach pihole or internet directly. Which means you'd still have to run NAT on mikrotik, defying the whole exercise.

What you could do is to place everything (including WiFi clients) in 10.0.0.0/24 subnet, bridge ether1 and wlan1 on mikrotik, use whatever DHCP server you have in your LAN (fortigate?) with appropriate pool (add static leases for known LAN clients) ... and enable use-ip-firewall=yes property of bridge. Just in case explicitly set hw=no on wlan bridge port (traffic to/from wlan can't be HW offloaded anyway, there's no switch chip involved). Then construct appropriate firewall rules to block traffic originating from WiFi IP address list to anything but fortigate. Don't forget to place appropriate rules also in chain=input to defend mikrotik from those evil WiFi clients.
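The bridged, NAT-free layout described in the reply above, written out as a RouterOS configuration. This is an added example, not configuration posted in the thread or shipped by MikroTik or Pi-hole. The interface names bridge1, ether1 and wlan1 are assumptions; the addresses (Pi-hole 10.0.0.150, Fortigate 10.0.0.254, the protected range 10.0.0.200-10.0.0.220, router 10.0.0.253) are taken from the thread. Because frames are bridged, not routed, the LAN side of a WiFi client's packet to the internet still carries the public destination IP, so "anything but the Fortigate" is expressed as "anything in 10.0.0.0/24 except DNS to the Pi-hole is dropped, everything else is accepted" rather than by matching the Fortigate's address.

```routeros
# Added example (not from the thread): put WiFi clients into 10.0.0.0/24 by
# bridging ether1 and wlan1, remove srcnat so the Pi-hole sees real client IPs,
# and use the IP firewall on bridged traffic to fence the WiFi clients in.
# Assumed names: bridge1, ether1, wlan1. Addresses are the ones from the thread.

/interface bridge
add name=bridge1

/interface bridge port
add bridge=bridge1 interface=ether1
# wlan traffic is never hardware-offloaded (no switch chip); hw=no makes that explicit
add bridge=bridge1 interface=wlan1 hw=no

# move the router's own LAN address from ether1 to the bridge
/ip address
remove [find interface=ether1]
add address=10.0.0.253/24 interface=bridge1

/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.254

# no masquerade: a WiFi client's DNS query reaches 10.0.0.150 with its own source IP,
# which is what makes the client show up by address in the Pi-hole query log
/ip firewall nat
remove [find chain=srcnat action=masquerade]

# pass bridged (layer-2 forwarded) IP packets through /ip firewall filter
/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
# forward chain: only traffic entering the bridge from wlan1 is restricted
add chain=forward connection-state=established,related action=accept
add chain=forward in-bridge-port=wlan1 dst-address=10.0.0.150 protocol=udp dst-port=53 action=accept comment="WiFi: DNS to Pi-hole"
add chain=forward in-bridge-port=wlan1 dst-address=10.0.0.150 protocol=tcp dst-port=53 action=accept comment="WiFi: DNS to Pi-hole"
add chain=forward in-bridge-port=wlan1 dst-address=10.0.0.200-10.0.0.220 action=drop comment="WiFi: servers off limits"
add chain=forward in-bridge-port=wlan1 dst-address=10.0.0.0/24 action=drop comment="WiFi: no other LAN hosts"
add chain=forward in-bridge-port=wlan1 action=accept comment="WiFi: internet via Fortigate (leaves on ether1)"

# input chain: the router itself is not reachable from WiFi clients
add chain=input connection-state=established,related action=accept
add chain=input in-bridge-port=wlan1 action=drop
```

The explicit 10.0.0.200-10.0.0.220 drop is already covered by the 10.0.0.0/24 drop beneath it; it is kept as its own rule so its counter shows whether WiFi clients are actually probing the servers. DHCP from a server on the ether1 side still works: the client's broadcast has a destination outside 10.0.0.0/24 and is accepted by the final forward rule, and the server's replies enter from ether1, which none of the wlan1 rules match. If the MikroTik itself is the DHCP server instead, add an input rule accepting udp dst-port=67 from wlan1 ahead of the final drop.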
