
HotSpot redirect DNS based on address-list

Posted: Thu Jun 07, 2012 7:14 am
by rebel2234
Hello,

I want to set up a hot spot that when people log in, by default they use OpenDNS (because that's what the DHCP server hands out) but when "elevated" users log in, their IP address is added to an address list (via "User profile") and the "elevated" users are instead redirected to a different DNS server.

So basically I have set up 2 user profiles "Normal" and "Elevated" they are identical except that the "Elevated" I have the Address List set to "NOT_Filtered_Addresses" and users who log in with this profile are indeed dynamically added to that list.

The problem is my firewall rules are not doing what I intend.
xxx.xxx.xxx.xxx = public IP of DNS out WAN (don't want to post the IP of my DNS on forums)

5   ;;; DNS Redirect UDP-53 for NON filtered clients in access list
     chain=dstnat action=dst-nat to-addresses=xxx.xxx.xxx.xxx to-ports=53 protocol=udp src-address-list=NOT_Filtered_Addreses dst-port=53

6   ;;; DNS Redirect TCP-53 for NON filtered clients in access list
     chain=dstnat action=dst-nat to-addresses=xxx.xxx.xxx.xxx to-ports=53 protocol=tcp src-address-list=NOT_Filtered_Addreses dst-port=53
I have tried placing these rules at the top of NAT, before the "Place hot spot rules here" and even changed the chain to hotspot/hs-auth/hs-unauth and moved them all over. My lack of knowledge in "exactly" how the hotspot works in MikroTik is where I am lacking. I am sure there is a simple solution to this that I am overlooking. Any help would be appreciated. And thank you in advance!

Re: HotSpot redirect DNS based on address-list

Posted: Sat Jun 09, 2012 10:08 am
by Devil
it doesn't matter that you set the dns option in your dhcp to use opendns, even if you set it to something invalid, it would still work. the reason for that is that hotspot redirects all the dns requests to the routeros internal dns server (specifically running at port 64872 for hotspot). so if your hotspot users are using opendns at this time, it's not because you set it in dhcp per se, but because you set opendns ip addresses in your routeros dns server (/ip dns).

that being said, you are able to override this default behavior. this is how you do it:
/ip firewall nat add chain=pre-hotspot protocol=udp dst-port=53 src-address-list=NOT_Filtered_Addreses action=dst-nat to-addresses=xxx.xxx.xxx.xxx
/ip firewall nat add chain=pre-hotspot protocol=tcp dst-port=53 src-address-list=NOT_Filtered_Addreses action=dst-nat to-addresses=xxx.xxx.xxx.xxx
/ip firewall nat add chain=pre-hotspot action=return
you don't need to put these rules at the top of the nat rules. by default there is no pre-hotspot chain defined. so you could place those rules anywhere and they would work. just remember that the return rule, should be the last rule in that chain.

Re: HotSpot redirect DNS based on address-list

Posted: Mon Jun 11, 2012 7:41 pm
by rebel2234
This is not working, flushed DNS on test machine. The rule is showing hits when I try to surf but I am still getting OpenDNS responses.

Re: HotSpot redirect DNS based on address-list

Posted: Mon Jun 11, 2012 8:21 pm
by Devil
I just tested them. they are working. maybe your web proxy cache is caching the pages, tricking you into thinking the dns is still resolving through opendns. the best way to see whether you're using opendns or not is to try using nslookup with a non-existent domain. a normal dns server (like 8.8.8.8) would respond with an NXDOMAIN response, but by default, opendns resolves this into their proxy server ip. you might also wanna make sure there is no other dstnat interfering with these rules. also make sure your script is working and the address list is the same as you put in those rules.
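The NXDOMAIN test described in the reply above, as an added example that is not part of the original thread or of RouterOS: a small client-side script (run from a machine behind the hotspot, not on the router) that sends a DNS query for a name that should not exist and classifies the reply by its wire-format rcode and answer section. It assumes the resolver under test is reachable on UDP/53 from the client; the domain name and the 192.0.2.1 address in the fixtures are constructed for the example and are not real OpenDNS values.

```python
"""Probe a resolver with a non-existent name: NXDOMAIN means a plain resolver,
an A record means the resolver synthesizes answers (as OpenDNS does by default).

Added example for the forum thread; assumptions: UDP/53 reachable, IPv4 A records only.
"""
import os
import socket
import struct

RCODE_NXDOMAIN = 3
PROBE_NAME = "this-name-should-not-exist.example"  # constructed; choose any name you own that has no record


def build_query(name, txid):
    """Build a minimal DNS A/IN query (recursion desired) for `name` in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # QR=0, RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes and ends the name
            return off + 2
        off += 1 + length


def classify_response(msg, expected_txid):
    """Return (verdict, a_records) where verdict is 'nxdomain', 'synthesized', 'noanswer' or 'invalid'."""
    if len(msg) < 12:
        return ("invalid", [])
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:  # wrong transaction or not a response
        return ("invalid", [])
    if flags & 0x000F == RCODE_NXDOMAIN:
        return ("nxdomain", [])
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ("synthesized", addrs) if addrs else ("noanswer", [])


def probe_resolver(server, name=PROBE_NAME, timeout=3.0):
    """Send the probe to `server` and classify the live reply (needs network access)."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _peer = sock.recvfrom(4096)
    return classify_response(data, txid)


def build_response(query, rcode, answer_ip=None):
    """Test fixture (constructed): answer `query` with `rcode` and optionally one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    ancount = 1 if answer_ip else 0
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0) + question
    if answer_ip:
        # NAME is a compression pointer (0xC00C) back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return msg


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe_resolver(sys.argv[1]))
    else:
        q = build_query(PROBE_NAME, 0x1234)
        print("plain resolver :", classify_response(build_response(q, RCODE_NXDOMAIN), 0x1234))
        print("synthesizing   :", classify_response(build_response(q, 0, "192.0.2.1"), 0x1234))
```

Run it with the resolver address as the only argument (for example the hotspot gateway, or the redirect target) from a client in the NOT_Filtered address list and from one outside it: a `synthesized` verdict with an address means the query is still being answered by a resolver that rewrites NXDOMAIN, regardless of what the browser shows from its cache.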

Re: HotSpot redirect DNS based on address-list

Posted: Mon Jun 11, 2012 9:03 pm
by rebel2234
OK, I am testing this with a default Hotspot setup (10.5.50.1) NAT to a public IP; I have also tried disabling the 1-to-1 NAT in hotspot. I have made a user profile and added "NOT_Filtered_Addreses" to Address List for that profile. Changed the user that I am testing with to use that profile. I have added no other rules to the firewall other than what is added dynamically and the 3 rules you showed above (the 3 rules are at the bottom). In /ip dns I have the DNS servers of OpenDNS entered there. DHCP for hotspot is default other than I changed it to hand out OpenDNS IPs. I am not using any proxy other than the proxy that hotspot uses to capture clients.
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=208.67.220.220,208.67.222.222
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat disabled=no out-interface=ether1
add action=dst-nat chain=pre-hotspot disabled=no dst-port=53 protocol=udp \
    src-address-list=NOT_Filtered_Addreses to-addresses=XXX.XXX.XXX.XXX \
    to-ports=53
add action=dst-nat chain=pre-hotspot disabled=no dst-port=53 protocol=tcp \
    src-address-list=NOT_Filtered_Addreses to-addresses=XXX.XXX.XXX.XXX \
    to-ports=53
add action=return chain=pre-hotspot disabled=no
[admin@MikroTik] /ip firewall> address-list print
Flags: X - disabled, D - dynamic 
 #   LIST                                       ADDRESS                        
 0 D NOT_Filtered_Addreses                      10.5.50.254
Really appreciate all the help!

Re: HotSpot redirect DNS based on address-list

Posted: Mon Jun 11, 2012 10:16 pm
by rebel2234
OK got it, uncheck "transparent proxy" in user profile!

Thanks,

Karma added!

Re: HotSpot redirect DNS based on address-list

Posted: Tue Jun 12, 2012 9:32 am
by Devil
Ah, yes. transparent proxy might actually end up messing with your settings, as the router handles the http requests. and since you've added opendns IPs in /ip dns, the router resolves the hosts through opendns. good catch :)

Re: HotSpot redirect DNS based on address-list

Posted: Mon Feb 25, 2013 10:40 pm
by alexnanow
Hello everyone!

I'm using those commands to make a proper DNS redirect to my server, but I have two DNS servers on my network. I can't figure out how to duplicate those entries in my NAT table to use both DNS servers.

It doesn't work when I duplicate it. What can I do? I don't want to leave MikroTik's DNS proxy working, because I want to see which client is making which query.

Thank You.