ursaca
newbie
Topic Author
Posts: 25
Joined: Tue Feb 01, 2022 11:01 am

NAT local DNS request to different address for specific interface

Sun May 26, 2024 9:17 pm

Hi,

For some time now I have been successfully running a WireGuard setup where all traffic from a specific IP in my local network goes through the WireGuard tunnel (see the /routing rule in the config below).
Via DHCP I set the DNS address to my local Raspberry Pi (192.168.88.112), which does the DNS resolving through my normal "Internet", that is, not through the WireGuard tunnel.

How can I NAT all my DNS traffic (udp/53) to a different DNS IP (e.g. 10.64.0.1) if the request originated from the IP whose traffic runs through WireGuard?

Thanks!

Cheers
# 2024-05-26 19:51:38 by RouterOS 7.14.3
# software id = QNXK-2KHL
#
# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=08:55:31:F7:33:BE auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether5 ] poe-out=off
/interface wireguard
add listen-port=51820 mtu=1420 name=MulladVPN
add listen-port=31581 mtu=1420 name="PrivateVPN"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=W-LAN_PASS supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wifi2 security-profile=W-LAN_PASS ssid=RoyalObservatory wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-eeCe disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wifi5 security-profile=W-LAN_PASS ssid=CrossbonesGarden wireless-protocol=802.11
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=8h name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/routing table
add disabled=no fib name=MulladVPN-Table
add disabled=no fib name=FVPN-Table
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=*1 name-format=prefix-identity name-prefix=2ghz
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=*2 name-format=prefix-identity name-prefix=5ghz-ac
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=*3 name-format=prefix-identity name-prefix=5ghz-an
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wifi2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wifi5 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=MullvadVPN endpoint-address=185.xxx.xxx.xxx endpoint-port=51820 interface=MulladVPN persistent-keepalive=1m public-key="xxx"
add allowed-address=0.0.0.0/0 comment="FWireguard" disabled=yes endpoint-address=xxx.xxx.xxx.xxx endpoint-port=xxx interface="PrivateVPN" persistent-keepalive=1m preshared-key="xxx" public-key="xxx"
/interface wireless cap
set bridge=bridge interfaces=wifi5,wifi2
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.6.0.5 interface=*A network=10.6.0.0
add address=10.100.0.40 interface=*C network=10.100.0.0
add address=10.100.1.2 interface=*B network=10.100.0.0
add address=10.67.88.145 interface=MulladVPN network=10.67.88.145
add address=10.200.245.2/24 interface="PrivateVPN" network=10.200.245.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.112 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=192.168.88.112
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=MulladVPN out-interface=MulladVPN src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface="PrivateVPN" src-address=192.168.88.0/24
/ip route
add disabled=no dst-address="" gateway=10.6.0.1 routing-table=*4002 suppress-hw-offload=no
add disabled=no dst-address="" gateway=10.5.0.1 routing-table=*4002 suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=MulladVPN routing-table=MulladVPN-Table suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway="PrivateVPN" pref-src="" routing-table=FVPN-Table suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
/ip smb shares
set [ find default=yes ] directory=/pub
/ip socks
set auth-method=password version=5
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.88.111 table=MulladVPN-Table

 
anav
Forum Guru
Posts: 20026
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: NAT local DNS request to different address for specific interface

Sun May 26, 2024 9:40 pm

Can you be more specific?

If your user is going out to the internet via WireGuard, the DNS on the local router doesn't come into play.
So I'm not sure of your intentions??
 
ursaca
newbie
Topic Author
Posts: 25
Joined: Tue Feb 01, 2022 11:01 am

Re: NAT local DNS request to different address for specific interface

Sun May 26, 2024 9:44 pm

Hi anav,

Yes indeed it does. It always resolves the DNS using my local Raspberry Pi (192.168.88.112). If I change the DNS manually on my client machine, then it will use the 10.64.0.1 DNS. But I want that to happen automatically via NAT (I don't want to change the DHCP server).

Thanks!
 
jaclaz
Forum Veteran
Posts: 863
Joined: Tue Oct 03, 2023 4:21 pm

Re: NAT local DNS request to different address for specific interface

Sun May 26, 2024 11:06 pm

Anything that begins with an asterisk is not a good sign; they are usually leftover references to items that have been deleted or modified in such a way that the configuration cannot find them anymore.
Maybe in your case they are only "unused and irrelevant", but they should be removed or fixed to make the configuration as clean as possible.
 
anav
Forum Guru
Posts: 20026
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: NAT local DNS request to different address for specific interface

Mon May 27, 2024 1:19 am

Hi anav,

Yes indeed it does. It always resolves the DNS using my local Raspberry Pi (192.168.88.112). If I change the DNS manually on my client machine, then it will use the 10.64.0.1 DNS. But I want that to happen automatically via NAT (I don't want to change the DHCP server).

Thanks!
(1) How? If a request by the local user is going out the WireGuard tunnel, then that is not possible.

(2) Also, your WireGuard address is in the wrong format; it should be
add address=10.67.88.145/24 interface=MulladVPN network=10.67.88.0

(3) Remove this default setting,
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan


(4) Source address is NOT required here. (Source NAT is for the purpose of doing firewall rule work and you have no other LAN subnets.)
add action=masquerade chain=srcnat comment=MulladVPN out-interface=MulladVPN src-address=192.168.88.0/24


(5) To go along with what jaclaz stated, your routes are screwed; no idea what these are for???

/ip route
add disabled=no dst-address="" gateway=10.6.0.1 routing-table=*4002 suppress-hw-offload=no
add disabled=no dst-address="" gateway=10.5.0.1 routing-table=*4002 suppress-hw-offload=no


(6) Remove this as a service; it's not a secure access method.
set www port=8080

(7) FINALLY,
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.88.111 table=MulladVPN-Table


So only one address goes through WireGuard.
Then it's more accurate for me to say that IP address will NOT use your local DNS server for the one user's traffic outbound. It cannot; it's forced out WireGuard.

(8) I don't see a route for your WAN; does that mean you use the default route in IP DHCP Client??

(9) To automate this, I suggest the following

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=10.64.0.1,192.168.88.112 gateway=192.168.88.1


The thinking here is that the user will first try the 10.64.0.1 DNS, and it will work for your one client because he is going out WireGuard and it's an expected DNS entry at that end.
Now for normal users, after a few unsuccessful tries it should then attempt the second offering!!
But we won't rely on that; we will force all users to 192.168.88.112 for DNS this way.

One thing missing is that the Raspberry Pi needs the ability to access the normal internet DNS, and I'm assuming the DNS server IP is the same as the Raspberry Pi IP of 192.168.88.112.
Therefore you still need!
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=1.1.1.1


/ip firewall address-list
add address=192.168.88.112 list=Excluded
add address=192.168.88.111 list=Excluded

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=MulladVPN out-interface=MulladVPN
add action=dst-nat chain=dstnat in-interface-list=LAN dst-port=53 protocol=udp src-address-list=!Excluded to-addresses=192.168.88.112 to-ports=53
add action=dst-nat chain=dstnat in-interface-list=LAN dst-port=53 protocol=tcp src-address-list=!Excluded to-addresses=192.168.88.112 to-ports=53


If you want to be super clear to the router for Mullvad DNS, perhaps this may also help by adding a route, but I'm not sure it's necessary.
/ip route
add dst-address=10.64.0.1/32 gateway=MulladVPN routing-table=main
 
ursaca
newbie
Topic Author
Posts: 25
Joined: Tue Feb 01, 2022 11:01 am

Re: NAT local DNS request to different address for specific interface

Mon May 27, 2024 11:16 am

Hi anav,

Thank you for your detailed answer. Please find my answers below.
(1) How? If a request by the local user is going out the WireGuard tunnel, then that is not possible.
Somehow it works. I can always reach local devices. So the routing through the tunnel somehow excludes local devices. E.g. I can still SSH to my router. I can still reach my Raspberry Pi, which is my DNS server, etc.
(2) Also, your WireGuard address is in the wrong format; it should be
add address=10.67.88.145/24 interface=MulladVPN network=10.67.88.0
Thanks!
(3) Remove this default setting,
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
Thanks!
(4) Source address is NOT required here. (Source NAT is for the purpose of doing firewall rule work and you have no other LAN subnets.)
add action=masquerade chain=srcnat comment=MulladVPN out-interface=MulladVPN src-address=192.168.88.0/24
Thanks!

(5) To go along with what jaclaz stated, your routes are screwed; no idea what these are for???

/ip route
add disabled=no dst-address="" gateway=10.6.0.1 routing-table=*4002 suppress-hw-offload=no
add disabled=no dst-address="" gateway=10.5.0.1 routing-table=*4002 suppress-hw-offload=no
I have no idea where this comes from. If I SSH into the router and do /ip/route print, I can't see those rules. Could be related to this problem: viewtopic.php?t=185950

(6) Remove this as a service; it's not a secure access method.
set www port=8080
But this would then deny me access to webfig, right?
(7) FINALLY,
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.88.111 table=MulladVPN-Table


So only one address goes through WireGuard.
Then it's more accurate for me to say that IP address will NOT use your local DNS server for the one user's traffic outbound. It cannot; it's forced out WireGuard.
But it does use my local DNS. As stated in (1), local connections are allowed outside the tunnel, but I don't know the reason for that.
(8) I don't see a route for your WAN; does that mean you use the default route in IP DHCP Client??
I don't know? I use the default conf for that, I guess.
(9) To automate this, I suggest the following

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=10.64.0.1,192.168.88.112 gateway=192.168.88.1


The thinking here is that the user will first try the 10.64.0.1 DNS, and it will work for your one client because he is going out WireGuard and it's an expected DNS entry at that end.
Now for normal users, after a few unsuccessful tries it should then attempt the second offering!!
But we won't rely on that; we will force all users to 192.168.88.112 for DNS this way.

One thing missing is that the Raspberry Pi needs the ability to access the normal internet DNS, and I'm assuming the DNS server IP is the same as the Raspberry Pi IP of 192.168.88.112.
Therefore you still need!
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=1.1.1.1


/ip firewall address-list
add address=192.168.88.112 list=Excluded
add address=192.168.88.111 list=Excluded

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=MulladVPN out-interface=MulladVPN
add action=dst-nat chain=dstnat in-interface-list=LAN dst-port=53 protocol=udp src-address-list=!Excluded to-addresses=192.168.88.112 to-ports=53
add action=dst-nat chain=dstnat in-interface-list=LAN dst-port=53 protocol=tcp src-address-list=!Excluded to-addresses=192.168.88.112 to-ports=53


If you want to be super clear to the router for Mullvad DNS, perhaps this may also help by adding a route, but I'm not sure it's necessary.
/ip route
add dst-address=10.64.0.1/32 gateway=MulladVPN routing-table=main
Thanks for that! But is there no better way to do that? I don't want to add 10.64.0.1 to DHCP DNS. Can't I just NAT all UDP/53 packets which originate from 192.168.88.111? This would be enough!

Thanks for your help!

Cheers
 
jaclaz
Forum Veteran
Posts: 863
Joined: Tue Oct 03, 2023 4:21 pm

Re: NAT local DNS request to different address for specific interface

Mon May 27, 2024 12:06 pm

Very likely you had a routing table and those routes were linked to it.
Then you deleted the routing table and the routes "lost" the table name.
Very likely it is only some "cruft" and they don't do anything; still, it is a good idea to clean the configuration.
You also have some other asterisks; if you open the .rsc file in Notepad and search for "*" you will find them (in /caps-man provisioning and /ip address).
How to delete these invalid entries remains to be seen; the other ones should be removable easily, but for the routes (since they do not appear in /ip route print) you may need something like the script posted on the thread you found.
 
anav
Forum Guru
Posts: 20026
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: NAT local DNS request to different address for specific interface

Mon May 27, 2024 6:17 pm

Yes, 8080 etc. works for WebFig; I use WinBox, but that's up to you.
 
ursaca
newbie
Topic Author
Posts: 25
Joined: Tue Feb 01, 2022 11:01 am

Re: NAT local DNS request to different address for specific interface

Tue May 28, 2024 10:30 am

Thanks for your answers.
Any chance this is possible:
Thanks for that! But is there no better way to do that? I don't want to add 10.64.0.1 to DHCP DNS. Can't I just NAT all UDP/53 packets which originate from 192.168.88.111? This would be enough!
Thanks :)

Cheers
 
CGGXANNX
Member Candidate
Posts: 143
Joined: Thu Dec 21, 2023 6:45 pm

Re: NAT local DNS request to different address for specific interface  [SOLVED]

Wed May 29, 2024 12:56 pm

Thanks for your answers.
Any chance this is possible:
Thanks for that! But is there no better way to do that? I don't want to add 10.64.0.1 to DHCP DNS. Can't I just NAT all UDP/53 packets which originate from 192.168.88.111? This would be enough!
Thanks :)

Cheers

No. If your DNS server is currently configured to be 192.168.88.112, and your subnet is 192.168.88.0/24, then when a device at 192.168.88.111 tries to access the DNS server at 192.168.88.112, it will only use ARP and layer 2 (MAC addresses); your router will not be involved at all. The router won't be able to redirect the communication between 192.168.88.111 and 192.168.88.112 (*).

Redirection (with dst-nat rules) would work if you either move your Raspberry Pi to another subnet (VLAN) or configure the router's IP address to be the DNS server address. Only then will the router (either as the gateway or as the DNS server) see the packets of the DNS queries.

(*) You can force bridge traffic to go through the firewall (https://help.mikrotik.com/docs/display/ ... geSettings) if you turn on the setting. Then it might work, but the two devices must use your router directly as the switch, and it's probably not good for performance.
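As an added illustration (not code from CGGXANNX or anyone else in the thread), this is what the per-client redirect the topic author asked for looks like once the precondition above is met: DHCP hands out the router itself (192.168.88.1) as the DNS server, so queries from 192.168.88.111 actually pass through the router instead of going host-to-host over the bridge at layer 2. The client 192.168.88.111, the Mullvad resolver 10.64.0.1, the Pi at 192.168.88.112 and the MulladVPN interface come from the thread; the rule comments and the assumption that the router can resolve via the Pi for everybody else are mine.

```routeros
# Added example, not from the thread. Assumption: the router becomes the
# DNS address that DHCP advertises, so DNS packets from the LAN traverse
# the router and its dstnat chain can act on them.
/ip dhcp-server network
set [ find address=192.168.88.0/24 ] dns-server=192.168.88.1

# The router keeps forwarding everyone else's queries to the Pi, as before.
/ip dns
set allow-remote-requests=yes servers=192.168.88.112

# Only the tunnelled client's DNS is rewritten; udp and tcp are both covered
# because resolvers fall back to tcp/53 for large answers.
/ip firewall nat
add chain=dstnat src-address=192.168.88.111 protocol=udp dst-port=53 \
    action=dst-nat to-addresses=10.64.0.1 to-ports=53 \
    comment="WG client DNS -> Mullvad"
add chain=dstnat src-address=192.168.88.111 protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=10.64.0.1 to-ports=53 \
    comment="WG client DNS -> Mullvad"

# Check: the packet counters on these two rules should grow when
# 192.168.88.111 resolves a name; if they stay at zero the client is still
# talking to a resolver on its own subnet without touching the router.
/ip firewall nat print stats where comment~"Mullvad"
```

After the rewrite the packet is routed like any other traffic from 192.168.88.111, so the existing routing rule sends it through MulladVPN-Table and out the tunnel, and the srcnat masquerade on out-interface=MulladVPN gives it the tunnel address; no extra route to 10.64.0.1 is needed for that path. Clients on the LAN that were configured by DHCP before this change keep using 192.168.88.112 until their lease renews, which is why the counter check is worth doing rather than assuming the rule is hit.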
 
ursaca
newbie
Topic Author
Posts: 25
Joined: Tue Feb 01, 2022 11:01 am

Re: NAT local DNS request to different address for specific interface

Wed May 29, 2024 4:35 pm

Thanks a lot! That explains it :)

Cheers!
