For some time now I have successfully been running a WireGuard setup where all traffic from one specific IP in my local network goes through the WireGuard tunnel (see the /routing rule in the config below).
Via DHCP I set the DNS address to my local Raspberry Pi (192.168.88.112), which does the DNS resolving through my normal "Internet", that is, not through the WireGuard tunnel.
How can I NAT all DNS traffic (udp/53) to a different DNS IP (e.g. 10.64.0.1) when the request originates from the IP whose traffic is routed through WireGuard?
Thanks!
Cheers
# 2024-05-26 19:51:38 by RouterOS 7.14.3
# software id = QNXK-2KHL
#
# model = RBD53iG-5HacD2HnD
# --- Layer-2 and radio interfaces ---
# Single LAN bridge with a fixed admin MAC; "defconf" marks objects that came
# from the default configuration.
/interface bridge
add admin-mac=08:55:31:F7:33:BE auto-mac=no comment=defconf name=bridge port-cost-mode=short
# PoE output on ether5 is switched off.
/interface ethernet
set [ find default-name=ether5 ] poe-out=off
# Two WireGuard tunnel interfaces; their peers are defined further down under
# /interface wireguard peers.
/interface wireguard
add listen-port=51820 mtu=1420 name=MulladVPN
add listen-port=31581 mtu=1420 name="PrivateVPN"
# WAN / LAN interface lists used by the firewall; membership is set later under
# /interface list member.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default LTE APN profile forced to IPv4 only.
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# Wi-Fi security: W-LAN_PASS is WPA2-PSK; the pre-shared key itself is not part
# of this export.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=W-LAN_PASS supplicant-identity=MikroTik
# Both radios run as AP-bridge with the W-LAN_PASS profile:
#   wlan1 -> wifi2 (2.4 GHz, SSID RoyalObservatory)
#   wlan2 -> wifi5 (5 GHz, SSID CrossbonesGarden)
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wifi2 security-profile=W-LAN_PASS ssid=RoyalObservatory wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-eeCe disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wifi5 security-profile=W-LAN_PASS ssid=CrossbonesGarden wireless-protocol=802.11
# --- DHCP, routing tables, CAPsMAN, bridge ports ---
# DHCP pool for the LAN; .1 (router) and .2-.9 are left outside the pool.
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
# DHCP server on the bridge, 8 h leases.
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=8h name=defconf
# Default SMB user account is disabled.
/ip smb users
set [ find default=yes ] disabled=yes
# Two extra FIB tables; each gets a default route via one tunnel under /ip route
# and is selected per source address under /routing rule.
/routing table
add disabled=no fib name=MulladVPN-Table
add disabled=no fib name=FVPN-Table
# CAPsMAN manages the local radios (see /interface wireless cap).
/caps-man manager
set enabled=yes
# NOTE(review): master-configuration=*1/*2/*3 are internal ids the export could
# not resolve to a name; verify the referenced caps-man configurations still
# exist, otherwise these provisioning rules are stale.
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=*1 name-format=prefix-identity name-prefix=2ghz
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=*2 name-format=prefix-identity name-prefix=5ghz-ac
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=*3 name-format=prefix-identity name-prefix=5ghz-an
# ether2-ether5 and both Wi-Fi radios are bridge ports; ether1 is not (it is
# the WAN uplink, see /interface list member).
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wifi2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wifi5 internal-path-cost=10 path-cost=10
# --- Connection tracking, discovery, IPv6, list membership, VPN peers ---
# Connection tracking is explicitly on; the UDP timeout is set to 10 s.
# NOTE(review): this short timeout applies to every UDP flow the router tracks,
# including DNS and the WireGuard transport itself -- confirm it is intended.
/ip firewall connection tracking
set enabled=yes udp-timeout=10s
# Neighbor discovery (MNDP/CDP/LLDP) only on LAN interfaces.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# IPv6 is disabled globally, so none of the IPv4 rules below need an IPv6 twin.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# WAN = ether1, LAN = bridge. The two WireGuard interfaces are in neither list,
# which matters for the firewall rules that match on in-interface-list.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# NOTE(review): md5 is accepted as an OVPN auth algorithm here; whether the OVPN
# server is enabled is not part of this export. If it is in use, restricting
# auth to sha1 (or stronger) avoids negotiating MD5-HMAC.
/interface ovpn-server server
set auth=sha1,md5
# Tunnel peers. allowed-address=0.0.0.0/0 lets any destination be sent into the
# tunnel (needed for a default route through it). Endpoint addresses and keys
# are redacted in this export. The "FWireguard" peer is disabled.
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=MullvadVPN endpoint-address=185.xxx.xxx.xxx endpoint-port=51820 interface=MulladVPN persistent-keepalive=1m public-key="xxx"
add allowed-address=0.0.0.0/0 comment="FWireguard" disabled=yes endpoint-address=xxx.xxx.xxx.xxx endpoint-port=xxx interface="PrivateVPN" persistent-keepalive=1m preshared-key="xxx" public-key="xxx"
# Both local radios are handed to CAPsMAN and placed on the bridge.
/interface wireless cap
set bridge=bridge interfaces=wifi5,wifi2
# --- IP addressing, DHCP client/server, DNS ---
# LAN address on the bridge plus one address per tunnel interface.
# NOTE(review): interface=*A/*B/*C are internal ids the export could not
# resolve to an interface name, i.e. the interface no longer exists; these
# three addresses (and the network=10.100.0.0 on a host address 10.100.1.2)
# look stale -- confirm and remove if unused.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.6.0.5 interface=*A network=10.6.0.0
add address=10.100.0.40 interface=*C network=10.100.0.0
add address=10.100.1.2 interface=*B network=10.100.0.0
add address=10.67.88.145 interface=MulladVPN network=10.67.88.145
add address=10.200.245.2/24 interface="PrivateVPN" network=10.200.245.0
# WAN address from the ISP via DHCP; the ISP's DNS servers are ignored.
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
# LAN clients are told to use the Raspberry Pi (192.168.88.112) as resolver,
# so their DNS queries never touch the router's own resolver or a tunnel.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.112 gateway=192.168.88.1
# The router's own resolver also forwards to the Pi and answers queries from
# other hosts; who may reach it is decided by the input filter chain
# (non-LAN sources are dropped there).
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=192.168.88.112
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# --- Firewall filter (default-configuration rule set) ---
# input: traffic to the router itself. Only LAN-list interfaces (the bridge)
# may open new connections; this is what keeps /ip dns, www, socks etc. from
# being reachable from ether1 or from either WireGuard tunnel.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# forward: traffic through the router. Established/related flows are
# fasttracked; new connections from the WAN list are dropped unless DST-NATed.
# NOTE(review): the final drop matches in-interface-list=WAN only, and the
# WireGuard interfaces are not members of WAN, so new connections arriving
# from inside a tunnel toward the LAN are not covered by any drop here.
# Adding MulladVPN/"PrivateVPN" to the WAN list (or a matching drop rule with
# in-interface=<tunnel>) would give them the same treatment as ether1.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
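# --- NAT ---
# Redirect DNS from the policy-routed host (192.168.88.111) to the resolver
# reachable inside the Mullvad tunnel (10.64.0.1). Without this the host's
# queries go to the LAN resolver 192.168.88.112 and are answered over the
# plain WAN, i.e. outside the tunnel. The dstnat chain runs before the routing
# decision, so the routing rule for this source then forwards the rewritten
# packet via MulladVPN-Table, and the MulladVPN masquerade rule below applies
# to it like any other tunnel traffic. TCP/53 is covered as well because
# resolvers fall back to TCP for large answers. Queries that do not use port 53
# (DoH/DoT) are not matched by these rules.
/ip firewall nat
add action=dst-nat chain=dstnat comment="DNS from 192.168.88.111 -> tunnel resolver (UDP)" dst-port=53 protocol=udp src-address=192.168.88.111 to-addresses=10.64.0.1
add action=dst-nat chain=dstnat comment="DNS from 192.168.88.111 -> tunnel resolver (TCP)" dst-port=53 protocol=tcp src-address=192.168.88.111 to-addresses=10.64.0.1
# Default-configuration masquerade for everything leaving via the WAN list.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# LAN sources leaving through either tunnel are masqueraded to the tunnel's
# own address.
add action=masquerade chain=srcnat comment=MulladVPN out-interface=MulladVPN src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface="PrivateVPN" src-address=192.168.88.0/24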
# --- Static routes ---
# NOTE(review): the first two routes have an empty dst-address and point at
# routing-table=*4002, an internal id the export could not resolve; together
# with the *A/*B/*C interface addresses above they look like leftovers of a
# removed setup -- confirm and remove if unused.
/ip route
add disabled=no dst-address="" gateway=10.6.0.1 routing-table=*4002 suppress-hw-offload=no
add disabled=no dst-address="" gateway=10.5.0.1 routing-table=*4002 suppress-hw-offload=no
# Default route per policy table: everything looked up in MulladVPN-Table goes
# into the Mullvad tunnel, everything in FVPN-Table into "PrivateVPN".
# The main table keeps the DHCP-learned default via ether1.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=MulladVPN routing-table=MulladVPN-Table suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway="PrivateVPN" pref-src="" routing-table=FVPN-Table suppress-hw-offload=no
# --- Management services ---
# telnet and ftp are off; the plain-HTTP web UI stays enabled on port 8080.
# Services not listed here (ssh, winbox, api, www-ssl, ...) keep their
# defaults. Reachability of all of them is limited to LAN by the input filter.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
# Default SMB share points at /pub (the SMB user account is disabled above).
/ip smb shares
set [ find default=yes ] directory=/pub
# SOCKS5 with password authentication. NOTE(review): the export does not show
# whether the SOCKS server is enabled; if it is not needed it should stay off,
# since an enabled proxy on the LAN side can relay traffic on behalf of any
# LAN host that knows the credentials.
/ip socks
set auth-method=password version=5
# --- Policy routing ---
# Only source 192.168.88.111 is steered into MulladVPN-Table (default route via
# the Mullvad tunnel). lookup-only-in-table means that if that table has no
# matching route (e.g. tunnel interface down) the packet is dropped rather than
# falling back to the main table -- which is the "no leak" behaviour one wants
# here, but worth knowing when debugging connectivity.
# DNS from this host is still sent to 192.168.88.112 on the LAN (as handed out
# by DHCP), so name resolution itself is not affected by this rule and happens
# outside the tunnel unless DNS is separately redirected.
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.88.111 table=MulladVPN-Table