/ipv6 address
add from-pool=IPv6_Pool interface="Local Bridge"
# 2024-05-09 11:50:37 by RouterOS 7.14.2
# software id = 4SAD-K293
#
# model = RB5009UG+S+
# serial number = HE408Z9RT61
/interface bridge
add name="Local Bridge" port-cost-mode=short
add name=dockers port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="Port 1 - Study"
set [ find default-name=ether2 ] name="Port 2 - Girl's Room"
set [ find default-name=ether3 ] name="Port 3 - Living Room"
set [ find default-name=ether4 ] name="Port 4 - Snug"
set [ find default-name=ether5 ] name="Port 5 - Bonded"
set [ find default-name=ether6 ] name="Port 6 - Bonded"
set [ find default-name=ether7 ] name="Port 7 - Kitchen"
set [ find default-name=ether8 ] mtu=1508 name="Port 8 - WAN"
set [ find default-name=sfp-sfpplus1 ] name="Port 9 - SFP+"
/interface pppoe-client
# PPPoE uplink on Port 8. The account name is part of this export (the
# password is not), so the export itself should be handled as sensitive.
# use-peer-dns=yes adds the ISP's resolvers as dynamic entries next to the
# DoH configuration under /ip dns — confirm which one actually answers.
add add-default-route=yes disabled=no interface="Port 8 - WAN" max-mru=1500 \
max-mtu=1500 name=Vodafone service-name="Vodafone PPPOE" use-peer-dns=yes \
user=dsl002066683@broadband.vodafone.co.uk
/interface veth
add address=172.17.0.2/24,fd6c:b6e2:f488::2/64 gateway=172.17.0.1 gateway6=\
fd6c:b6e2:f488:: name=veth1
/interface wireguard
add comment=back-to-home-vpn listen-port=12713 mtu=1420 name=back-to-home-vpn
add listen-port=13231 mtu=1420 name=wireguard1
/interface bonding
add mode=802.3ad name="Bonded NAS" slaves="Port 5 - Bonded,Port 6 - Bonded" \
transmit-hash-policy=layer-3-and-4
/container mounts
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
/usb1-part1/pihole/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/pihole/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole2 src=\
/usb1-part1/pihole2/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole2 src=/usb1-part1/pihole2/etc
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
"128 035 675 648" type=partition
/interface list
add name=listBridge
add name=WAN
add comment=defconf include=listBridge name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add comment="Selects for YouTube traffic" name="YouTube L7" regexp=\
"^..+\\.(youtube.com|googlevideo.com|akamaihd.net).*\$"
/ip ipsec mode-config
add connection-mark=ipsec name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=uk2093.nordvpn.com exchange-mode=ike2 name=NordVPN profile=\
NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=10.160.100.20-10.160.100.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface="Local Bridge" lease-time=10m name=\
dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
add name=Darren
/ipv6 pool
add name=IPv6_dockers prefix=fd6c:b6e2:f488::/48 prefix-length=64
/caps-man manager
set enabled=yes
/container
# Pi-hole container attached to veth1 (172.17.0.2 / fd6c:b6e2:f488::2).
# Only the "pihole2" mounts are referenced; dnsmasq_pihole/etc_pihole
# defined under /container mounts are unused by any container in this export.
add envlist=pihole_envs interface=veth1 logging=yes mounts=\
dnsmasq_pihole2,etc_pihole2 root-dir=/usb1-part1/pihole2 start-on-boot=\
yes
/container config
set registry-url=https://registry-1.docker.io tmpdir="usb1-part1/pull "
/container envs
add key=TZ name=pihole_envs value=Europe/London
# WEBPASSWORD is the Pi-hole admin password and it appears in clear text in
# this export (container env values are evidently not masked by the export).
# Rotate it and strip this line before sharing the configuration.
add key=WEBPASSWORD name=pihole_envs value=Ham1sh01
# dnsmasq inside the container runs as root; check whether the image needs it.
add key=DNSMASQ_USER name=pihole_envs value=root
/ip smb
# SMB server bound to the LAN bridge only. The shares it serves are defined
# under /ip smb shares; one of them exposes the whole /usb1-part1 volume.
set domain=WORKGROUP enabled=yes interfaces="Local Bridge"
/interface bridge port
add bridge="Local Bridge" interface="Port 2 - Girl's Room" \
internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 1 - Study" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Port 7 - Kitchen" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Port 9 - SFP+" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Bonded NAS" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Port 3 - Living Room" \
internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 4 - Snug" internal-path-cost=10 \
path-cost=10
add bridge=dockers interface=veth1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface="Local Bridge" list=listBridge
add interface=Vodafone list=WAN
add interface="Port 8 - WAN" list=WAN
/ip address
add address=10.160.100.1/24 interface="Local Bridge" network=10.160.100.0
add address=192.168.10.1/24 comment=WireGuard1 interface=wireguard1 network=\
192.168.10.0
add address=172.17.0.1/24 comment="Docker container address range" interface=\
dockers network=172.17.0.0
/ip cloud
# Registers the router with MikroTik's cloud: DDNS name refreshed every 10m
# and Back-To-Home VPN enabled. The wireguard interface named back-to-home-vpn
# (listen-port 12713) is presumably managed by this feature — confirm.
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server lease
add address=10.160.100.30 client-id=1:0:11:32:b7:b2:15 mac-address=\
00:11:32:B7:B2:15 server=dhcp1
add address=10.160.100.68 client-id=1:ec:71:db:2e:8c:e0 mac-address=\
EC:71:DB:2E:8C:E0 server=dhcp1
add address=10.160.100.85 client-id=1:6c:3b:6b:7e:ad:ee mac-address=\
6C:3B:6B:7E:AD:EE server=dhcp1
/ip dhcp-server network
add address=10.160.100.0/24 dns-server=10.160.100.1 gateway=10.160.100.1
/ip dns
# Router-side resolver, used by the LAN (DHCP hands out 10.160.100.1) and as
# the Pi-hole's upstream. Upstream is Cloudflare "for Families" (1.1.1.3)
# over DoH with certificate verification. allow-remote-requests=yes opens
# port 53 on every interface; exposure towards the WAN is prevented only by
# the input-chain drops under /ip firewall filter and /ipv6 firewall filter.
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 \
max-concurrent-tcp-sessions=2000 servers=\
1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
# Bootstrap records so the DoH endpoint can be reached before DoH is up.
# NOTE(review): the DoH URL uses family.cloudflare-dns.com while these
# entries are for cloudflare-dns.com — verify which name needs bootstrapping.
add address=104.16.249.249 name=cloudflare-dns.com
add address=104.16.248.249 name=cloudflare-dns.com
/ip firewall address-list
# Non-routable / special-purpose IPv4 ranges (RFC 6890 and friends).
# NOTE(review): no rule under /ip firewall filter or /ip firewall nat in
# this export references not_in_internet or VPN, so both lists are currently
# inert. The default configuration typically uses not_in_internet to drop
# packets with such addresses arriving from or leaving to the WAN.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
# 10.160.100.30 is also the Plex host that /ip firewall nat forwards to.
add address=10.160.100.30 list=VPN
/ip firewall filter
# ---- input chain: packets addressed to the router itself ----
add action=accept chain=input comment=\
"accept established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
# Matches the bridge by name rather than the listBridge/LAN interface lists,
# so interfaces added to those lists later do not gain IPv4 access to router
# services through this rule.
add action=accept chain=input comment="Accept LAN traffic" in-interface=\
"Local Bridge"
# 13231/udp is wireguard1. The back-to-home-vpn interface listens on 12713 and
# has no rule here; check whether /ip cloud installs a dynamic rule for it.
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
protocol=udp
# Every WireGuard peer gets unrestricted access to router services
# (SSH on 2200, WebFig, DNS, ...). WinBox is excluded only because
# /ip service limits it to 10.160.100.0/24.
add action=accept chain=input comment="Allow Everything in Wireguard" \
in-interface=wireguard1
# The container may use the router as its upstream resolver; nothing else
# from the dockers bridge reaches the router over IPv4.
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
dst-port=53 in-interface=dockers protocol=tcp
# Default deny for input, which is what shields the WAN side (Vodafone).
add action=drop chain=input comment="block everything else"
# ---- forward chain: packets routed through the router ----
# Established traffic bypasses the rest of the chain, except connections
# marked ipsec under /ip firewall mangle (the NordVPN-routed ones).
add action=fasttrack-connection chain=forward comment=\
"Fasttrack, but not ipsec" connection-mark=!ipsec connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment=\
"Forward established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=accept chain=forward comment="Forward all outbound traffic" \
in-interface="Local Bridge" out-interface=Vodafone packet-mark=""
add action=accept chain=forward comment="Allow Wireguard to Subnets" \
dst-address=10.160.100.0/24 in-interface=wireguard1
add action=accept chain=forward comment="WG to internet" in-interface=\
wireguard1 out-interface=Vodafone
# Accepts any connection that was dst-nat'ed regardless of in-interface; this
# is the rule that admits the Plex forward from the WAN (see /ip firewall nat).
add action=accept chain=forward comment="Accept dst-nat" \
connection-nat-state=dstnat
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
"Local Bridge" out-interface=dockers
# Default deny for forward. Note the not_in_internet list is not consulted
# anywhere in this chain.
add action=drop chain=forward comment="Drop all Else"
/ip firewall mangle
add action=passthrough chain=prerouting comment=\
"special dummy rule to show fasttrack counters" disabled=yes
# Connection marks choose which LAN traffic is sent through the NordVPN
# IPsec policy (/ip ipsec mode-config connection-mark=ipsec): 563/tcp
# (NNTPS), 16881/tcp and 6881/udp. Marked connections are also excluded from
# fasttrack by the forward-chain rule under /ip firewall filter.
add action=mark-connection chain=prerouting comment="Newgroup Traffic ipsec" \
connection-state=new dst-port=563 in-interface="Local Bridge" \
new-connection-mark=ipsec passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
"BitTorrent Ipsec (doesn't filter p2p traffic)" connection-state=new \
dst-port=16881 in-interface="Local Bridge" new-connection-mark=ipsec \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
"BitTorrent DHT traffic UDP" connection-state=new dst-port=6881 \
in-interface="Local Bridge" new-connection-mark=ipsec passthrough=yes \
protocol=udp
/ip firewall nat
# Source NAT for everything leaving via the WAN list, except packets that
# match an IPsec policy (ipsec-policy=out,none) so NordVPN-bound traffic keeps
# its address for the tunnel. log=yes logs every new outbound connection —
# noisy; consider dropping it once debugging is finished.
add action=masquerade chain=srcnat ipsec-policy=out,none log=yes log-prefix=\
masq out-interface-list=WAN
# Plex is exposed to the internet: 32400/tcp on the PPPoE interface is
# forwarded to 10.160.100.30. Admitted in the forward chain by "Accept dst-nat".
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 \
in-interface=Vodafone log=yes log-prefix=PlexNAT protocol=tcp \
to-addresses=10.160.100.30 to-ports=32400
# Pi-hole web UI: 10.160.100.1:888 -> container port 80. All matchers must
# hold, so in-interface-list=all adds nothing next to in-interface.
add action=dst-nat chain=dstnat comment=PiHole dst-address=10.160.100.1 \
dst-port=888 in-interface="Local Bridge" in-interface-list=all protocol=\
tcp to-addresses=172.17.0.2 to-ports=80
# Transparent DNS redirect: any port-53 packet from the LAN bridge that is not
# already addressed to (or sent by) the container is rewritten to 172.17.0.2.
# Disabling these two rules switches the redirect off; clients then reach the
# resolver they asked for, e.g. the router's own at 10.160.100.1.
add action=dst-nat chain=dstnat comment=\
"Force any UDP DNS queries that aren't to pihole to go to pihole" \
dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
udp src-address=!172.17.0.2 to-addresses=172.17.0.2
add action=dst-nat chain=dstnat comment=\
"Force any TCP DNS queries that aren't to pihole to go to pihole" \
dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
tcp src-address=!172.17.0.2 to-addresses=172.17.0.2
/ip ipsec identity
# NordVPN client identity (IKEv2 with EAP-MSCHAPv2). The EAP username is in
# clear in this export; the password is not shown but the pair is a
# credential and the export should be treated accordingly. certificate=""
# is the client side; nothing visible here shows how the NordVPN server
# certificate is validated — confirm the provider CA is installed and used.
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
NordVPN username=WNGqUUBXZkfY5c3q3SKMYDrY
/ip ipsec policy
# Template only (template=yes): concrete policies are generated from
# mode-config, and only connections marked ipsec by /ip firewall mangle are
# steered into the tunnel.
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
0.0.0.0/0 template=yes
/ip service
# Management plane. telnet/ftp/www/api are off; SSH moved to 2200 (with
# strong-crypto below); WebFig over TLS is on with no address restriction,
# so it is reachable from every interface the input chain accepts
# (LAN bridge and WireGuard). WinBox is limited to the LAN subnet, which
# also keeps it off the WireGuard range 192.168.10.0/24.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set www-ssl certificate=Webfig disabled=no
set api disabled=yes
set winbox address=10.160.100.0/24
/ip smb shares
# The default share (/pub) is enabled, and a second share exposes the entire
# /usb1-part1 volume — which holds the Pi-hole container root and its config
# directories — over SMB to the LAN. Access depends on /ip smb users.
set [ find default=yes ] directory=/pub disabled=no
add directory=/usb1-part1 name=Container
/ip ssh
# Disables weak SSH ciphers/MACs/key exchanges.
set strong-crypto=yes
/ipv6 address
# LAN bridge gets a global /64 from the ISP-delegated prefix (IPv6_Pool,
# filled by the DHCPv6 client below); the dockers bridge gets a /64 from the
# ULA pool fd6c:b6e2:f488::/48 defined under /ipv6 pool.
add from-pool=IPv6_Pool interface="Local Bridge"
add from-pool=IPv6_dockers interface=dockers
/ipv6 dhcp-client
# Prefix delegation only (request=prefix, hint /56): the PPPoE interface
# itself receives no global address from DHCPv6, only the pool is populated.
add add-default-route=yes interface=Vodafone pool-name=IPv6_Pool prefix-hint=\
::/56 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# ---- input chain (mostly MikroTik default configuration) ----
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
# Mirrors the IPv4 rules: the container may query the router's resolver.
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
dst-port=53 in-interface=dockers protocol=tcp
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Unlike the IPv4 input chain, this uses the listBridge interface list:
# every member of listBridge gets full IPv6 access to router services, so
# adding an interface to that list widens the management exposure.
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!listBridge
# ---- forward chain ----
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
# The next four accept HIP, IKE, AH and ESP from any direction, including
# unsolicited WAN -> LAN; that is the defconf choice for IPsec hosts behind
# the router. Drop them if no LAN host terminates IPsec.
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
"Local Bridge" out-interface=dockers
# Final drop applies only to sources outside listBridge; traffic originating
# on a listBridge member is accepted by falling off the end of the chain.
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!listBridge
/ipv6 firewall nat
# All three rules are disabled=yes in this export.
# Pi-hole web UI over IPv6. NOTE(review): dst-address is the bridge's
# link-local address (fe80::...), so only clients that address the router
# by that link-local address are redirected; the IPv4 counterpart matches
# the bridge's routable address (10.160.100.1). Both in-interface and
# in-interface-list=all must match, so the list matcher is redundant.
add action=dst-nat chain=dstnat comment=Pihole disabled=yes dst-address=\
fe80::4aa9:8aff:fe57:4601/128 dst-port=888 in-interface="Local Bridge" \
in-interface-list=all protocol=tcp to-address=fd6c:b6e2:f488::2/128 \
to-ports=80
# IPv6 DNS redirect, same shape as the IPv4 rules: any port-53 packet from
# the LAN bridge not already to/from the container is rewritten to the
# container's ULA. The UDP rule logs every hit while enabled.
add action=dst-nat chain=dstnat comment="Force all UDP DNS queries to pihole" \
disabled=yes dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface=\
"Local Bridge" log=yes protocol=udp src-address=!fd6c:b6e2:f488::2/128 \
to-address=fd6c:b6e2:f488::2/128
add action=dst-nat chain=dstnat comment="Force all TCP DNS queries to pihole" \
disabled=yes dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface=\
"Local Bridge" protocol=tcp src-address=!fd6c:b6e2:f488::2/128 \
to-address=fd6c:b6e2:f488::2/128
/ipv6 nd
# Router advertisements on the LAN bridge with the M (managed) flag set,
# telling hosts to obtain addresses via DHCPv6. NOTE(review): no DHCPv6
# address server is configured in this export, so hosts presumably still
# rely on SLAAC for their global addresses — confirm the flag is intended.
add interface="Local Bridge" managed-address-configuration=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=Gateway
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=Vodafone
/tool mac-server
# MAC-telnet and MAC-WinBox are allowed on every member of listBridge;
# whatever is added to that list (see /interface list member) gains
# Layer-2 management access to the router.
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
/tool romon
# RoMON is enabled and this export shows no RoMON secret, so any Layer-2
# neighbour running RoMON can relay to this router's management (a login is
# still required). Set a secret or disable it if it is not used.
set enabled=yes
/tool traffic-monitor
add interface="Port 8 - WAN" name=tmon1
# RouterOS CLI: check the container's ULA is reachable from the router, list
# the IPv6 routes and containers, then open a shell in container 0.
:ping fd6c:b6e2:f488::2 count=4
/ipv6 route print
/container print
/container shell number=0
# Inside the container (Linux): interface addresses and the IPv6 routing table.
ip addr
ip -f inet6 route
route print -6
ip -f inet6 route
3 276 fd6c:b6e2:f488::/64 On-link
3 276 fd6c:b6e2:f488:0:6c08:18e:56a7:3cc2/128 On-link
route delete fd6c:b6e2:f488::/64
route delete fd6c:b6e2:f488:0:6c08:18e:56a7:3cc2/128
nslookup example.com fd6c:b6e2:f488::2
OK. Thanks so much for helping me sort this out.
If I do nslookup example.com fd6c:b6e2:f488::2 it returns an IP address, so I guess that proves that the pihole DNS works. However, this doesn't work if I try any other IPv6 address as the DNS resolver - this is not the behaviour I was expecting given the IPv6 NAT rules I've set.
In IPv4, I dst-NAT any lookup to port 53 so that it is redirected to the pihole: whichever DNS server a client tries to use, the router replaces the destination with the pihole's IP address. DHCP, however, advertises the router's address, and Pihole uses the router as its upstream DNS. That way I can quickly turn the pihole DNS service on or off by disabling the NAT rules for port 53.
If I try to do the same with IPv6, using the Local Bridge IPv6 address as the advertised/NATed DNS server (is this the router's IP address???) and as the upstream DNS server for pihole, then nslookup against the Local Bridge IPv6 address (i.e. not the pihole address) doesn't work. This is the last piece of my puzzle - do you know what isn't working? The NAT rules should surely redirect ANY DNS lookup that isn't sent directly to the pihole.
In the config I posted the rules may have been disabled but they're enabled now.
Still struggling a bit to understand IPv6 - not had that light bulb moment yet.
/ipv6 firewall nat
# xxxx::yyyy is a placeholder for the Pi-hole's IPv6 address.
# The masquerade rules make the Pi-hole see the router as the source of every
# redirected query. That is only needed when the Pi-hole sits on the same
# segment as the clients (hairpin); with veth1 on its own bridge the reply
# already routes back through the router, and masquerading presumably costs
# per-client visibility in the Pi-hole query log — confirm before keeping them.
add action=masquerade chain=srcnat dst-address=xxxx::yyyy/128 dst-port=53 protocol=tcp
add action=masquerade chain=srcnat dst-address=xxxx::yyyy/128 dst-port=53 protocol=udp
# Redirect any port-53 traffic arriving on a LAN-list interface, unless it was
# sent by the Pi-hole itself, to the Pi-hole. Because the LAN list includes
# listBridge, any interface later added to listBridge is redirected too.
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=tcp \
src-address=!xxxx::yyyy/128 to-address=xxxx::yyyy/128
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp \
src-address=!xxxx::yyyy/128 to-address=xxxx::yyyy/128
Rather bizarrely, I now seem to have no IPv6 public address! The DHCPv6 client says it's bound and has acquired an IPv6 address, but every public test (https://test-ipv6.com/, https://ipv6-test.com/, https://ipv6test.google.com/, etc.) claims I don't have an IPv6 address.
The whole IPv6 stack is perplexing!!
ping -6 google.com
# 2024-05-13 09:09:27 by RouterOS 7.14.3
# software id = 4SAD-K293
#
# model = RB5009UG+S+
# serial number = HE408Z9RT61
/interface bridge
add name="Local Bridge" port-cost-mode=short
add name=dockers port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="Port 1 - Study"
set [ find default-name=ether2 ] name="Port 2 - Girl's Room"
set [ find default-name=ether3 ] name="Port 3 - Living Room"
set [ find default-name=ether4 ] name="Port 4 - Snug"
set [ find default-name=ether5 ] name="Port 5 - Bonded"
set [ find default-name=ether6 ] name="Port 6 - Bonded"
set [ find default-name=ether7 ] name="Port 7 - Kitchen"
set [ find default-name=ether8 ] mtu=1508 name="Port 8 - WAN"
set [ find default-name=sfp-sfpplus1 ] name="Port 9 - SFP+"
/interface pppoe-client
add add-default-route=yes disabled=no interface="Port 8 - WAN" max-mru=1500 \
max-mtu=1500 name=Vodafone service-name="Vodafone PPPOE" use-peer-dns=yes \
user=dsl002066683@broadband.vodafone.co.uk
/interface veth
add address=172.17.0.2/24,fd6c:b6e2:f488::2/64 gateway=172.17.0.1 gateway6=\
fd6c:b6e2:f488:: name=veth1
/interface wireguard
add comment=back-to-home-vpn listen-port=12713 mtu=1420 name=back-to-home-vpn
add listen-port=13231 mtu=1420 name=wireguard1
/interface bonding
add mode=802.3ad name="Bonded NAS" slaves="Port 5 - Bonded,Port 6 - Bonded" \
transmit-hash-policy=layer-3-and-4
/container mounts
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
/usb1-part1/pihole/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/pihole/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole2 src=\
/usb1-part1/pihole2/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole2 src=/usb1-part1/pihole2/etc
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
"128 035 675 648" type=partition
/interface list
add name=listBridge
add name=WAN
add comment=defconf include=listBridge name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add comment="Selects for YouTube traffic" name="YouTube L7" regexp=\
"^..+\\.(youtube.com|googlevideo.com|akamaihd.net).*\$"
/ip ipsec mode-config
add connection-mark=ipsec name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=uk2093.nordvpn.com exchange-mode=ike2 name=NordVPN profile=\
NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=10.160.100.20-10.160.100.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface="Local Bridge" lease-time=10m name=\
dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
add name=Darren
/ipv6 pool
add name=IPv6_dockers prefix=fd6c:b6e2:f488::/48 prefix-length=64
/caps-man manager
set enabled=yes
/container
add envlist=pihole_envs interface=veth1 logging=yes mounts=\
dnsmasq_pihole2,etc_pihole2 root-dir=/usb1-part1/pihole2 start-on-boot=\
yes
/container config
set registry-url=https://registry-1.docker.io tmpdir="usb1-part1/pull "
/container envs
add key=TZ name=pihole_envs value=Europe/London
# WEBPASSWORD is the Pi-hole admin password and it appears in clear text in
# this export (container env values are evidently not masked by the export).
# Rotate it and strip this line before sharing the configuration.
add key=WEBPASSWORD name=pihole_envs value=Ham1sh01
# dnsmasq inside the container runs as root; check whether the image needs it.
add key=DNSMASQ_USER name=pihole_envs value=root
/ip smb
set domain=WORKGROUP enabled=yes interfaces="Local Bridge"
/interface bridge port
add bridge="Local Bridge" interface="Port 2 - Girl's Room" \
internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 1 - Study" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Port 7 - Kitchen" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Port 9 - SFP+" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Bonded NAS" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Port 3 - Living Room" \
internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 4 - Snug" internal-path-cost=10 \
path-cost=10
add bridge=dockers interface=veth1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface="Local Bridge" list=listBridge
add interface=Vodafone list=WAN
add interface="Port 8 - WAN" list=WAN
# New compared with the earlier export: the dockers bridge (the Pi-hole
# container) is now a listBridge member, and LAN includes listBridge.
# Consequences in this config: the IPv6 input chain's final drop
# (in-interface-list=!listBridge) no longer applies to the container, so it
# can reach every router service over IPv6; MAC-telnet/MAC-WinBox
# (/tool mac-server) and neighbor discovery are now allowed on it. The IPv4
# input chain matches "Local Bridge" by name, so IPv4 exposure is unchanged.
add interface=dockers list=listBridge
/interface wireguard peers
# Phone peer on wireguard1 with a single allowed address. The key shown is
# not a valid 44-character base64 WireGuard public key, so it is presumably
# redacted. Note the input chain accepts everything from wireguard1, so this
# peer has unrestricted access to router services except WinBox.
add allowed-address=192.168.10.2/32 comment="2 iPhone" interface=wireguard1 \
public-key="lkjndfoghwihfojwhofuhwouebgojwrbgw="
/ip address
add address=10.160.100.1/24 interface="Local Bridge" network=10.160.100.0
add address=192.168.10.1/24 comment=WireGuard1 interface=wireguard1 network=\
192.168.10.0
add address=172.17.0.1/24 comment="Docker container address range" interface=\
dockers network=172.17.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server lease
add address=10.160.100.30 client-id=1:0:11:32:b7:b2:15 mac-address=\
00:11:32:B7:B2:15 server=dhcp1
add address=10.160.100.68 client-id=1:ec:71:db:2e:8c:e0 mac-address=\
EC:71:DB:2E:8C:E0 server=dhcp1
add address=10.160.100.85 client-id=1:6c:3b:6b:7e:ad:ee mac-address=\
6C:3B:6B:7E:AD:EE server=dhcp1
/ip dhcp-server network
add address=10.160.100.0/24 dns-server=10.160.100.1 gateway=10.160.100.1
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 \
max-concurrent-tcp-sessions=2000 servers=\
1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.249.249 name=cloudflare-dns.com
add address=104.16.248.249 name=cloudflare-dns.com
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=10.160.100.30 list=VPN
/ip firewall filter
add action=accept chain=input comment=\
"accept established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept LAN traffic" in-interface=\
"Local Bridge"
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="Allow Everything in Wireguard" \
in-interface=wireguard1
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
dst-port=53 in-interface=dockers protocol=tcp
add action=drop chain=input comment="block everything else"
add action=fasttrack-connection chain=forward comment=\
"Fasttrack, but not ipsec" connection-mark=!ipsec connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment=\
"Forward established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=accept chain=forward comment="Forward all outbound traffic" \
in-interface="Local Bridge" out-interface=Vodafone packet-mark=""
add action=accept chain=forward comment="Allow Wireguard to Subnets" \
dst-address=10.160.100.0/24 in-interface=wireguard1
add action=accept chain=forward comment="WG to internet" in-interface=\
wireguard1 out-interface=Vodafone
add action=accept chain=forward comment="Accept dst-nat" \
connection-nat-state=dstnat
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
"Local Bridge" out-interface=dockers
add action=drop chain=forward comment="Drop all Else"
/ip firewall mangle
add action=passthrough chain=prerouting comment=\
"special dummy rule to show fasttrack counters" disabled=yes
add action=mark-connection chain=prerouting comment="Newsgroup Traffic ipsec" \
connection-state=new dst-port=563 in-interface="Local Bridge" \
new-connection-mark=ipsec passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
"BitTorrent Ipsec (doesn't filter p2p traffic)" connection-state=new \
dst-port=16881 in-interface="Local Bridge" new-connection-mark=ipsec \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
"BitTorrent DHT traffic UDP" connection-state=new dst-port=6881 \
in-interface="Local Bridge" new-connection-mark=ipsec passthrough=yes \
protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none log=yes log-prefix=\
masq out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 \
in-interface=Vodafone log=yes log-prefix=PlexNAT protocol=tcp \
to-addresses=10.160.100.30 to-ports=32400
add action=dst-nat chain=dstnat comment=PiHole dst-address=10.160.100.1 \
dst-port=888 in-interface="Local Bridge" in-interface-list=all protocol=\
tcp to-addresses=172.17.0.2 to-ports=80
add action=dst-nat chain=dstnat comment=\
"Force any UDP DNS queries that aren't to pihole to go to pihole" \
dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
udp src-address=!172.17.0.2 to-addresses=172.17.0.2
add action=dst-nat chain=dstnat comment=\
"Force any TCP DNS queries that aren't to pihole to go to pihole" \
dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
tcp src-address=!172.17.0.2 to-addresses=172.17.0.2
/ip ipsec identity
# NordVPN client identity (IKEv2 with EAP-MSCHAPv2). The EAP username is in
# clear in this export; the password is not shown but the pair is a
# credential and the export should be treated accordingly. certificate=""
# is the client side; nothing visible here shows how the NordVPN server
# certificate is validated — confirm the provider CA is installed and used.
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
NordVPN username=WNGqUUBXZkfY5c3q3SKMYDrY
/ip ipsec policy
# Template only (template=yes): concrete policies are generated from
# mode-config, and only connections marked ipsec by /ip firewall mangle are
# steered into the tunnel.
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set www-ssl certificate=Webfig disabled=no
set api disabled=yes
set winbox address=10.160.100.0/24
/ip smb shares
set [ find default=yes ] directory=/pub disabled=no
add directory=/usb1-part1 name=Container
/ip ssh
set strong-crypto=yes
/ipv6 address
add from-pool=IPv6_Pool interface="Local Bridge"
add comment="Docker container address range" from-pool=IPv6_dockers \
interface=dockers
/ipv6 dhcp-client
add add-default-route=yes interface=Vodafone pool-name=IPv6_Pool prefix-hint=\
::/56 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# ---------------------------------------------------------------------------
# Earlier revision of the IPv6 firewall, NAT, ND and system/tool sections.
# It is superseded by the full export that follows (dated 2024-05-16). The
# visible differences are in /ipv6 firewall nat (every rule is disabled here
# and the srcnat masquerade rules are absent) and in the RDNSS address
# announced by /ipv6 nd (the Pi-hole ULA here, a link-local address later).
# ---------------------------------------------------------------------------
/ipv6 firewall filter
# input chain. There is no terminal "drop all": a packet from an interface in
# listBridge that matches none of the rules falls off the end of the chain and
# is accepted (RouterOS behaviour for a chain with no matching rule).
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
# The container (dockers) may query the router's resolver.
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
dst-port=53 in-interface=dockers protocol=tcp
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
# DHCPv6 replies from the ISP arrive from a link-local source; needed for the
# prefix-delegation client on the PPPoE interface.
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
# defconf: IKE/AH/ESP are accepted from any source, including the WAN side.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Only non-listBridge sources are dropped. If "dockers" is a listBridge member
# (as it is in the later export) the container reaches every router service
# over IPv6, unlike on IPv4 where it is limited to DNS.
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!listBridge
# forward chain
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
# RFC 4890: ICMPv6 with hop-limit 1 is link-local signalling and must not be
# forwarded.
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
"Local Bridge" out-interface=dockers
# As in the input chain, LAN-sourced traffic that matches nothing above is
# accepted by falling off the end of the chain; that implicit accept is what
# lets "Local Bridge" reach the WAN over IPv6.
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!listBridge
/ipv6 firewall nat
# Every rule in this revision is disabled. The Pi-hole web-UI redirect targets
# a link-local destination (presumably the router's own address on the bridge).
add action=dst-nat chain=dstnat comment=Pihole disabled=yes dst-address=\
fe80::4aa9:8aff:fe57:4601/128 dst-port=888 in-interface="Local Bridge" \
in-interface-list=all protocol=tcp to-address=fd6c:b6e2:f488::2/128 \
to-ports=80
# Transparent DNS redirect (disabled): port-53 traffic from the bridge that is
# not already addressed to the Pi-hole would be rewritten to it.
add action=dst-nat chain=dstnat comment="Force all UDP DNS queries to pihole" \
disabled=yes dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface=\
"Local Bridge" log=yes protocol=udp src-address=!fd6c:b6e2:f488::2/128 \
to-address=fd6c:b6e2:f488::2/128
add action=dst-nat chain=dstnat comment="Force all TCP DNS queries to pihole" \
disabled=yes dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface=\
"Local Bridge" protocol=tcp src-address=!fd6c:b6e2:f488::2/128 \
to-address=fd6c:b6e2:f488::2/128
/ipv6 nd
# Router advertisements on the LAN carry the Pi-hole's ULA as the RDNSS entry
# and set the managed (M) flag.
add dns=fd6c:b6e2:f488::2 interface="Local Bridge" \
managed-address-configuration=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=Gateway
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
# Serves NTP to the LAN (unicast, manycast and multicast); use-local-clock
# presumably lets it answer from the router clock before the client has
# synchronised.
set enabled=yes manycast=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=Vodafone
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
/tool romon
# RoMON enabled; no secret or per-port restriction is visible in this export.
set enabled=yes
/tool traffic-monitor
add interface="Port 8 - WAN" name=tmon1
# Connectivity checks run from a Windows client. The first three target literal
# IPv6 addresses on TCP 443 and so exercise the IPv6 path without DNS; the last
# resolves google.com first and therefore also depends on the client's DNS
# server and on which address family it prefers.
Test-NetConnection -ComputerName 2607:f8b0:4006:809::200e -Port 443
Test-NetConnection -ComputerName 2a00:1450:4009:81f::200e -Port 443
Test-NetConnection -ComputerName 2404:6800:4005:81c::200e -Port 443
Test-NetConnection -ComputerName google.com -Port 443
# 2024-05-16 20:57:10 by RouterOS 7.14.3
# software id = 4SAD-K293
#
# model = RB5009UG+S+
# serial number = HE408Z9RT61
/interface bridge
# "Local Bridge" carries the wired LAN ports; "dockers" holds only the
# container's veth (membership is under /interface bridge port).
add name="Local Bridge" port-cost-mode=short
add name=dockers port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="Port 1 - Study"
set [ find default-name=ether2 ] name="Port 2 - Girl's Room"
set [ find default-name=ether3 ] name="Port 3 - Living Room"
set [ find default-name=ether4 ] name="Port 4 - Snug"
set [ find default-name=ether5 ] name="Port 5 - Bonded"
set [ find default-name=ether6 ] name="Port 6 - Bonded"
set [ find default-name=ether7 ] name="Port 7 - Kitchen"
# L2 MTU 1508 on the WAN port leaves room for the 8-byte PPPoE header so the
# PPPoE client below can negotiate a full 1500-byte MTU (RFC 4638 style;
# presumably only effective if the ISP's access equipment supports it).
set [ find default-name=ether8 ] mtu=1508 name="Port 8 - WAN"
set [ find default-name=sfp-sfpplus1 ] name="Port 9 - SFP+"
/interface pppoe-client
# ISP uplink. The PPPoE password is not included in this export but the account
# name is: treat the export as sensitive and rotate the credential if the file
# has been shared. use-peer-dns=yes accepts the ISP's resolvers from the PPP
# negotiation in addition to the static servers under /ip dns.
add add-default-route=yes disabled=no interface="Port 8 - WAN" max-mru=1500 \
max-mtu=1500 name=Vodafone service-name="Vodafone PPPOE" use-peer-dns=yes \
user=dsl002066683@broadband.vodafone.co.uk
/interface veth
# Container side of the "dockers" bridge. The IPv4 gateway is the router's
# 172.17.0.1 (see /ip address); the IPv6 address is inside the IPv6_dockers ULA
# prefix and is the target of the DNS dst-nat rules further down.
add address=172.17.0.2/24,fd6c:b6e2:f488::2/64 gateway=172.17.0.1 gateway6=\
fd6c:b6e2:f488:: name=veth1
/interface wireguard
# back-to-home-vpn belongs to the /ip cloud back-to-home-vpn feature enabled
# below. wireguard1 (UDP 13231) is the manually configured tunnel; its listen
# port is opened on the IPv4 input chain.
add comment=back-to-home-vpn listen-port=12713 mtu=1420 name=back-to-home-vpn
add listen-port=13231 mtu=1420 name=wireguard1
/interface bonding
# LACP bond of ports 5+6 towards the NAS; layer-3-and-4 hashing spreads flows
# across both links.
add mode=802.3ad name="Bonded NAS" slaves="Port 5 - Bonded,Port 6 - Bonded" \
transmit-hash-policy=layer-3-and-4
/container mounts
# Two sets of Pi-hole bind mounts on the USB disk. Only the pihole2 pair is
# referenced by the container defined below; the pihole pair appears unused.
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
/usb1-part1/pihole/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/pihole/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole2 src=\
/usb1-part1/pihole2/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole2 src=/usb1-part1/pihole2/etc
/disk
# USB partition that backs the container root-dir and the mounts above.
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
"128 035 675 648" type=partition
/interface list
# listBridge is the trusted side; LAN is a superset of it (the defconf name is
# kept so default-style rules still resolve). Members are assigned under
# /interface list member.
add name=listBridge
add name=WAN
add comment=defconf include=listBridge name=LAN
/interface wireless security-profiles
# Default profile only; no wireless interfaces are configured in this export
# (CAPsMAN is enabled below and presumably manages the access points).
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
# Layer-7 matcher for YouTube/Google-video host names. It is not referenced by
# any filter, mangle or NAT rule in this export, so it currently has no effect;
# L7 matching inspects connection payload and is comparatively expensive, so
# remove it if it is not going to be used.
add comment="Selects for YouTube traffic" name="YouTube L7" regexp=\
"^..+\\.(youtube.com|googlevideo.com|akamaihd.net).*\$"
/ip ipsec mode-config
# Client-side mode-config: the address obtained from NordVPN is applied to
# connections carrying the "ipsec" connection mark (set by the mangle rules
# below), which is what steers selected traffic into the tunnel.
add connection-mark=ipsec name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
# Phase-1 profile with no parameters overridden from the defaults.
add name=NordVPN
/ip ipsec peer
# Peer addressed by DNS name, so bringing the tunnel up depends on the router's
# own resolver working.
add address=uk2093.nordvpn.com exchange-mode=ike2 name=NordVPN profile=\
NordVPN
/ip ipsec proposal
# pfs-group=none: no perfect forward secrecy for the phase-2 SAs, i.e. a later
# compromise of the IKE keys exposes the child SAs. Check what the provider
# supports before enabling a PFS group.
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=10.160.100.20-10.160.100.200
/ip dhcp-server
# 10-minute leases on the LAN bridge; static reservations are listed under
# /ip dhcp-server lease.
add address-pool=dhcp_pool0 interface="Local Bridge" lease-time=10m name=\
dhcp1
/ip smb users
# Default/guest SMB user disabled; "Darren" is the only account (its password
# is not part of the export).
set [ find default=yes ] disabled=yes
add name=Darren
/ipv6 pool
# ULA /48 from which the "dockers" bridge gets its /64 (see /ipv6 address).
add name=IPv6_dockers prefix=fd6c:b6e2:f488::/48 prefix-length=64
/caps-man manager
set enabled=yes
/container
# Pi-hole container on the USB disk (root-dir pihole2, mounts defined above).
# It is the resolver every LAN client is redirected to by the DNS dst-nat rules,
# so its configuration and image are security-critical. The image reference is
# not part of the export.
add envlist=pihole_envs interface=veth1 logging=yes mounts=\
dnsmasq_pihole2,etc_pihole2 root-dir=/usb1-part1/pihole2 start-on-boot=\
yes
/container config
# NOTE(review): tmpdir has a trailing space inside the quotes ("pull "); it
# looks like a typo. Verify which directory RouterOS actually uses before the
# next image pull.
set registry-url=https://registry-1.docker.io tmpdir="usb1-part1/pull "
/container envs
add key=TZ name=pihole_envs value=Europe/London
# NOTE(review): WEBPASSWORD is empty. As I recall the Pi-hole container docs,
# an empty WEBPASSWORD disables the admin password - confirm - in which case
# the admin UI reached through the :888 dst-nat rule below is open to anyone on
# the LAN. Set a password, or leave the variable out so the container generates
# one.
add key=WEBPASSWORD name=pihole_envs value=
# NOTE(review): runs the DNS daemon as root inside the container; the Pi-hole
# default is the unprivileged "pihole" user. Confirm root is really required on
# this platform before keeping it.
add key=DNSMASQ_USER name=pihole_envs value=root
/ip smb
# SMB server on the LAN bridge; shares are listed under /ip smb shares.
set domain=WORKGROUP enabled=yes interfaces="Local Bridge"
/interface bridge port
# Wired LAN ports and the NAS bond on "Local Bridge"; the container veth on
# "dockers". Ports 5/6 are members through the bond; Port 8 is the WAN uplink
# and is not bridged.
add bridge="Local Bridge" interface="Port 2 - Girl's Room" \
internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 1 - Study" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Port 7 - Kitchen" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Port 9 - SFP+" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Bonded NAS" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Port 3 - Living Room" \
internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 4 - Snug" internal-path-cost=10 \
path-cost=10
add bridge=dockers interface=veth1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
# UDP conntrack timeout pinned explicitly to 10s.
set udp-timeout=10s
/ip neighbor discovery-settings
# MNDP/LLDP/CDP only on the trusted side.
set discover-interface-list=listBridge
/interface detect-internet
set detect-interface-list=WAN
/interface list member
# "dockers" is a member of listBridge (and therefore of LAN): every rule that
# matches on those lists treats the container network as trusted LAN.
add interface="Local Bridge" list=listBridge
add interface=Vodafone list=WAN
add interface="Port 8 - WAN" list=WAN
add interface=dockers list=listBridge
/ip address
add address=10.160.100.1/24 interface="Local Bridge" network=10.160.100.0
add address=192.168.10.1/24 comment=WireGuard1 interface=wireguard1 network=\
192.168.10.0
add address=172.17.0.1/24 comment="Docker container address range" interface=\
dockers network=172.17.0.0
/ip cloud
# Registers the router with MikroTik's cloud DDNS and enables Back-To-Home VPN.
# NOTE(review): the IPv4 input chain opens only UDP 13231 (wireguard1); how the
# back-to-home-vpn listener on UDP 12713 is reached is not visible in this
# export - verify what rules the feature installs dynamically.
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server lease
# Static reservations. 10.160.100.30 is also the host targeted by the Plex
# dst-nat rule below.
add address=10.160.100.30 client-id=1:0:11:32:b7:b2:15 mac-address=\
00:11:32:B7:B2:15 server=dhcp1
add address=10.160.100.68 client-id=1:ec:71:db:2e:8c:e0 mac-address=\
EC:71:DB:2E:8C:E0 server=dhcp1
add address=10.160.100.85 client-id=1:6c:3b:6b:7e:ad:ee mac-address=\
6C:3B:6B:7E:AD:EE server=dhcp1
/ip dhcp-server network
# Clients are told to use the router as DNS; the dst-nat rules then redirect
# their port-53 traffic to the Pi-hole anyway.
add address=10.160.100.0/24 dns-server=10.160.100.1 gateway=10.160.100.1
/ip dns
# Router resolver: answers LAN queries and forwards upstream over DoH to
# Cloudflare's family filter with certificate verification on. Verification
# presumably needs the CA chain present under /certificate, otherwise DoH
# lookups fail; the plain 1.1.1.3/1.0.0.3 servers are listed alongside.
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 \
max-concurrent-tcp-sessions=2000 servers=\
1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
# Pinned records for cloudflare-dns.com. The DoH URL above uses
# family.cloudflare-dns.com, a different name, so these entries do not
# bootstrap that hostname.
add address=104.16.249.249 name=cloudflare-dns.com
add address=104.16.248.249 name=cloudflare-dns.com
/ip firewall address-list
# Reserved/bogon ranges (RFC 6890) plus multicast and the 6to4 anycast prefix.
# NOTE(review): neither "not_in_internet" nor "VPN" is referenced by any
# filter, mangle or NAT rule in this export - both lists are defined but
# currently unused, so no bogon filtering is actually applied.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
# Single-host list; same address as the Plex host / static lease.
add address=10.160.100.30 list=VPN
/ip firewall filter
# input chain: explicit accepts followed by a terminal drop.
add action=accept chain=input comment=\
"accept established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
# Everything from the LAN bridge reaches every router service (SSH, WebFig,
# Winbox, SMB, NTP, DNS ...); there is no per-service restriction on the LAN
# side.
add action=accept chain=input comment="Accept LAN traffic" in-interface=\
"Local Bridge"
# Open the wireguard1 listener to the internet, then grant every WireGuard peer
# the same unrestricted access to router services as a LAN host. Winbox is the
# exception: /ip service limits it to 10.160.100.0/24, which excludes the
# 192.168.10.0/24 tunnel subnet.
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="Allow Everything in Wireguard" \
in-interface=wireguard1
# The container may only use the router's resolver.
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
dst-port=53 in-interface=dockers protocol=tcp
add action=drop chain=input comment="block everything else"
# forward chain. Fasttracked packets bypass the remaining filter and mangle
# rules, hence the exclusion of the "ipsec" mark so tunnelled traffic still
# meets its policy.
add action=fasttrack-connection chain=forward comment=\
"Fasttrack, but not ipsec" connection-mark=!ipsec connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment=\
"Forward established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid \
log=yes log-prefix=invalid
# LAN -> internet. NOTE(review): connections carrying the "ipsec" mark match
# here too; if no NordVPN policy is installed (tunnel down, policy not yet
# generated) they leave the PPPoE interface in the clear. Nothing acts as a
# kill switch for marked traffic.
add action=accept chain=forward comment="Forward all outbound traffic" \
in-interface="Local Bridge" out-interface=Vodafone packet-mark=""
# WireGuard peers may reach the LAN subnet and the internet.
add action=accept chain=forward comment="Allow Wireguard to Subnets" \
dst-address=10.160.100.0/24 in-interface=wireguard1
add action=accept chain=forward comment="WG to internet" in-interface=\
wireguard1 out-interface=Vodafone
# Anything that went through dstnat (Plex from the WAN, DNS/web redirects to the
# Pi-hole) is allowed through.
add action=accept chain=forward comment="Accept dst-nat" \
connection-nat-state=dstnat
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
"Local Bridge" out-interface=dockers
# Terminal drop: the container cannot open connections into the LAN over IPv4.
add action=drop chain=forward comment="Drop all Else"
/ip firewall mangle
add action=passthrough chain=prerouting comment=\
"special dummy rule to show fasttrack counters" disabled=yes
# Connection marking for the NordVPN tunnel: new connections from the LAN
# bridge to NNTPS (563/tcp) and to the BitTorrent ports 16881/tcp and 6881/udp
# get the "ipsec" mark. The mode-config entry uses the mark to select traffic
# for the tunnel and the fasttrack rule uses it to keep that traffic out of
# fasttrack. Only these destination ports are steered; everything else leaves
# directly.
add action=mark-connection chain=prerouting comment="Newsgroup Traffic ipsec" \
connection-state=new dst-port=563 in-interface="Local Bridge" \
new-connection-mark=ipsec passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
"BitTorrent Ipsec (doesn't filter p2p traffic)" connection-state=new \
dst-port=16881 in-interface="Local Bridge" new-connection-mark=ipsec \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
"BitTorrent DHT traffic UDP" connection-state=new dst-port=6881 \
in-interface="Local Bridge" new-connection-mark=ipsec passthrough=yes \
protocol=udp
/ip firewall nat
# Source NAT for the WAN. ipsec-policy=out,none leaves packets that an IPsec
# policy will encapsulate un-masqueraded. NOTE(review): log=yes writes a log
# line for every new NAT'd connection - noisy on a router with a small log
# buffer; disable once debugging is done.
add action=masquerade chain=srcnat ipsec-policy=out,none log=yes log-prefix=\
masq out-interface-list=WAN
# Inbound Plex port-forward from the internet to the NAS host (logged).
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 \
in-interface=Vodafone log=yes log-prefix=PlexNAT protocol=tcp \
to-addresses=10.160.100.30 to-ports=32400
# Router-IP:888 -> Pi-hole admin UI (port 80 in the container), reachable from
# the LAN bridge only. Together with an empty WEBPASSWORD in /container envs
# this exposes the admin UI without authentication.
add action=dst-nat chain=dstnat comment=PiHole dst-address=10.160.100.1 \
dst-port=888 in-interface="Local Bridge" in-interface-list=all protocol=\
tcp to-addresses=172.17.0.2 to-ports=80
# Transparent DNS redirect: any port-53 traffic from the LAN bridge not already
# addressed to the Pi-hole (including queries to the router's own 10.160.100.1)
# is rewritten to the Pi-hole. Only plain port-53 is caught; clients using
# DoH/DoT bypass it.
add action=dst-nat chain=dstnat comment=\
"Force any UDP DNS queries that aren't to pihole to go to pihole" \
dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
udp src-address=!172.17.0.2 to-addresses=172.17.0.2
add action=dst-nat chain=dstnat comment=\
"Force any TCP DNS queries that aren't to pihole to go to pihole" \
dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\
tcp src-address=!172.17.0.2 to-addresses=172.17.0.2
/ip ipsec identity
# NordVPN client identity: EAP-MSCHAPv2 with the service username (the password
# is not part of the export; the username alone is still a credential fragment,
# so rotate it if this export has been shared). NOTE(review): certificate="" -
# no CA certificate is named for validating the NordVPN server during the EAP
# exchange. Confirm against the RouterOS docs which identity field performs
# that check (certificate vs remote-certificate) and import the provider's
# root CA; without server validation the MSCHAPv2 exchange can be terminated by
# an impostor.
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
NordVPN username=WNGqUUBXZkfY5c3q3SKMYDrY
/ip ipsec policy
# Any-to-any template; the concrete policy is generated (port-strict) when the
# peer connects.
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
0.0.0.0/0 template=yes
/ip service
# telnet/ftp/www/api off; SSH moved to 2200; WebFig over TLS only. Reachability
# from outside the LAN/WireGuard is controlled by the input chain rather than
# by per-service address restrictions, except Winbox which is additionally
# limited to the LAN subnet.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set www-ssl certificate=Webfig disabled=no
set api disabled=yes
set winbox address=10.160.100.0/24
/ip smb shares
# NOTE(review): the "Container" share exports /usb1-part1, which is the Pi-hole
# container's root-dir and the source of its bind mounts. Anyone who can
# authenticate to SMB on the LAN can rewrite the container filesystem and the
# configuration of the resolver every LAN client is forced to use. Share a
# dedicated sub-directory instead, or drop this share. The default /pub share
# is also left enabled.
set [ find default=yes ] directory=/pub disabled=no
add directory=/usb1-part1 name=Container
/ip ssh
# Restricts SSH to the stronger cipher/MAC/KEX set.
set strong-crypto=yes
/ipv6 address
# The LAN bridge gets a /64 from the ISP-delegated pool (IPv6_Pool, filled by
# the DHCPv6 client below); the dockers bridge gets a /64 from the ULA pool.
add from-pool=IPv6_Pool interface="Local Bridge"
add comment="Docker container address range" from-pool=IPv6_dockers \
interface=dockers
/ipv6 dhcp-client
# Prefix delegation over the PPPoE session, asking for a /56.
add add-default-route=yes interface=Vodafone pool-name=IPv6_Pool prefix-hint=\
::/56 request=prefix
/ipv6 firewall address-list
# defconf bogon list used by the forward chain's bad-src/bad-dst drops.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
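/ipv6 firewall filter
# input chain. Mirrors the IPv4 input policy: trusted sources are accepted
# explicitly and a terminal drop ends the chain, instead of relying on the
# RouterOS behaviour that an unmatched packet is accepted. The previous
# terminal rule dropped only !listBridge sources; because "dockers" is a
# listBridge member that left every router service reachable from the
# container over IPv6, while IPv4 restricts it to DNS.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
# The container may only use the router's resolver (same as IPv4).
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
dst-port=53 in-interface=dockers protocol=tcp
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
# DHCPv6 replies from the ISP arrive from a link-local source; needed for the
# prefix-delegation client on the PPPoE interface.
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
# defconf: IKE/AH/ESP are accepted from any source, including the WAN side.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Hosts on the LAN bridge get the same full access to router services that the
# IPv4 "Accept LAN traffic" rule grants. wireguard1 carries no IPv6 address in
# this export, so no equivalent of the IPv4 WireGuard rule is needed.
add action=accept chain=input comment="Accept LAN traffic" in-interface=\
"Local Bridge"
add action=drop chain=input comment="block everything else"
# forward chain
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
# RFC 4890: ICMPv6 with hop-limit 1 is link-local signalling and must not be
# forwarded.
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# LAN -> internet, stated explicitly (the IPv4 chain has the same rule with
# out-interface=Vodafone; Vodafone is a member of the WAN list). Previously
# this traffic was only allowed by falling off the end of the chain.
add action=accept chain=forward comment="Forward all outbound traffic" \
in-interface="Local Bridge" out-interface-list=WAN
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
in-interface=dockers out-interface-list=WAN
# LAN -> container; also covers the DNS queries dst-nat'ed to the Pi-hole.
add action=accept chain=forward comment="Docker forward rule" in-interface=\
"Local Bridge" out-interface=dockers
# Terminal drop, as on IPv4. In particular the container can no longer open
# new connections into the LAN bridge over IPv6.
add action=drop chain=forward comment="Drop all Else"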
/ipv6 firewall nat
# Source-NAT LAN DNS queries headed for the Pi-hole. The Pi-hole therefore sees
# the router rather than the client as the query source, so its per-client
# statistics will not distinguish IPv6 clients. src-address-list="" on the TCP
# rule is an empty matcher and has no effect.
add action=masquerade chain=srcnat comment="Masquerade DNS traffic TCP" \
dst-address=fd6c:b6e2:f488::2/128 dst-port=53 protocol=tcp \
src-address-list=""
add action=masquerade chain=srcnat comment="Masquerade DNS traffic UDP" \
dst-address=fd6c:b6e2:f488::2/128 dst-port=53 protocol=udp
# IPv6 counterpart of the IPv4 DNS redirect; matches the LAN list (which
# includes dockers) rather than only the bridge. The UDP rule logs every
# redirected query.
add action=dst-nat chain=dstnat comment="Force all UDP DNS queries to pihole" \
dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface-list=LAN log=\
yes protocol=udp src-address=!fd6c:b6e2:f488::2/128 to-address=\
fd6c:b6e2:f488::2/128
add action=dst-nat chain=dstnat comment="Force all TCP DNS queries to pihole" \
dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface-list=LAN \
protocol=tcp src-address=!fd6c:b6e2:f488::2/128 to-address=\
fd6c:b6e2:f488::2/128
# Disabled: would masquerade the whole container ULA /64 onto the WAN address.
add action=masquerade chain=srcnat comment="Masquerade for the Pihole" \
disabled=yes out-interface-list=WAN src-address=fd6c:b6e2:f488::/64
# Disabled and stale: the destination fd94:4dc1:86fb::2 is not inside the
# current IPv6_dockers pool (fd6c:b6e2:f488::/48); remove or update the rule.
add action=dst-nat chain=dstnat comment=Pihole disabled=yes dst-address=\
fd94:4dc1:86fb::2/128 dst-port=888 in-interface="Local Bridge" \
in-interface-list=all protocol=tcp to-address=fd6c:b6e2:f488::2/128 \
to-ports=80
/ipv6 nd
# The RDNSS announced on the LAN is a link-local address (presumably the
# router's own on "Local Bridge"); queries sent to it are then redirected to the
# Pi-hole by the dstnat rules above. The earlier export announced the Pi-hole
# ULA directly. The managed (M) flag is set.
add dns=fe80::4aa9:8aff:fe57:4601 interface="Local Bridge" \
managed-address-configuration=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=Gateway
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
# Serves time to the LAN (unicast, manycast and multicast); use-local-clock
# presumably lets it answer from the router clock before the client has
# synchronised with time.cloudflare.com. WAN-side requests are stopped by the
# input chains.
set enabled=yes manycast=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=Vodafone
/tool mac-server
# MAC-telnet / MAC-Winbox are allowed on listBridge, which includes the
# "dockers" bridge; a compromised container with raw-frame access to veth1
# could reach them. Consider limiting this to "Local Bridge".
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
/tool romon
# NOTE(review): RoMON is enabled and no secret or per-port restriction appears
# in this export; check /tool romon port and set a secret, or disable RoMON if
# it is not used.
set enabled=yes
/tool traffic-monitor
add interface="Port 8 - WAN" name=tmon1
# Windows client: list adapters with their addresses and DNS servers, to check
# which DNS server the client actually picked up from DHCP / router
# advertisements.
ipconfig /all
In my tests, Android and Linux devices are correctly redirected to the DNS server I set up on my LAN (you can add a bogus domain such as bo.gus.do.main with an A record of 1.2.3.4 to your Pi-hole DNS and check whether the clients resolve it). Windows, however, normally prefers the IPv4 DNS server when both are configured, so that may be why you don't see the queries in the log. Windows will use the IPv6 DNS server if you explicitly tell tools such as nslookup to do so, or if you temporarily disable IPv4 on the machine.
I don't mean to hijack this thread, but I have the exact same issue, except that my ISP provides a /64 prefix that I announce to the LAN via bridge0.
How can I assign a GUA IPv6 address from this prefix to the Pi-hole running on veth1, which is attached to the docker bridge? Can this be achieved without a ULA?
In my situation, this would make things easy to manage, as the default routes are already set up and only firewall rules would be needed.
# Suggested answer to the GUA question above: "ula_prefix" is a placeholder -
# substitute the ULA prefix actually assigned to the container bridge
# (fd6c:b6e2:f488::/64 in the export above, which already contains this rule
# in disabled form as "Masquerade for the Pihole"). The container keeps its ULA
# and its outbound IPv6 traffic is source-NATed onto the WAN interface's
# address, so no GUA needs to be assigned to veth1.
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=ula_prefix/64