sk0003
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Sep 17, 2023 6:52 pm

Peer DNS on ether1-wan when wireguard tunnel goes down with a script?

Tue Nov 26, 2024 9:42 pm

Hello,

Does anyone know if it’s possible to set up a script to turn on Peer DNS on ether1-wan for example whenever a wireguard tunnel goes down? Then it would disable it when the tunnel is back up.

I connect to my remote router via DDNS and it acts as my DNS while I disable Peer DNS locally to avoid DNS leaks. The downside is if the tunnel goes down for some odd reason, it will not come back up and the whole LAN is down until I manually enable Peer DNS and then I disable it again.
 
anav
Forum Guru
Posts: 21818
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Peer DNS on ether1-wan when wireguard tunnel goes down with a script?

Tue Nov 26, 2024 11:47 pm

So to be clear you want to use the far router for DNS when the wireguard tunnel is up
and to allow local WAN access and local DNS when the tunnel is down.

Is this for a single subnet, all subnets, some users???

Will need to see full config
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)

General concept will be
- use either recursive routing or netwatch to let the router know when wireguard is down.
- allow remote dns because we want the ability when wireguard is down to use local DNS.
- use either script to disable dstnat rules that force users to wireguard for DNS, when wireguard is down or netwatch rules
- maybe mangling maybe routing rules
SOME COMBINATION of the above.
Last edited by anav on Wed Nov 27, 2024 1:04 am, edited 1 time in total.
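The netwatch variant of the concept sketched above, written out as an added example (it is not configuration posted by either participant). It assumes the values visible in the export later in the thread: the WAN DHCP client sits on ether1-WAN and the far router that serves DNS is 192.168.50.1 on the other side of wg1. While the peer answers, the router keeps using only the remote resolver; when it stops answering, the ISP resolvers learned on the WAN lease are enabled so the DDNS name of the far end can be resolved and the tunnel can come back, after which the remote resolver is restored. The netwatch entry is assumed to run its scripts with enough rights to change `/ip dns` and `/ip dhcp-client` (the original poster's own scripts sidestep this with `dont-require-permissions=yes`).

```routeros
# Added example, not the thread author's configuration.
# Assumed from the posted export: WAN DHCP client on ether1-WAN,
# remote router / DNS server 192.168.50.1 reachable only through wg1.

# Probe the far end of the tunnel itself rather than an Internet host:
# a reply proves the tunnel carries traffic, not merely that wg1 is "running".
# startup-delay gives the tunnel time to establish after a reboot before the
# first verdict is made.
/tool netwatch
add comment="wg1 DNS failover" host=192.168.50.1 type=icmp interval=30s \
    timeout=3s startup-delay=2m \
    down-script="/ip dns set servers=\"\"; \
        /ip dhcp-client set [find interface=ether1-WAN] use-peer-dns=yes; \
        /ip dns cache flush; \
        :log warning \"wg1 peer unreachable: using ISP DNS until the tunnel returns\"" \
    up-script="/ip dhcp-client set [find interface=ether1-WAN] use-peer-dns=no; \
        /ip dns set servers=192.168.50.1; \
        /ip dns cache flush; \
        :log info \"wg1 peer reachable: remote DNS restored\""
```

`/ip dns print` shows the state either way: `servers` holds 192.168.50.1 while the tunnel is up, and `dynamic-servers` is populated from the WAN lease only during an outage. The cache flush matters because answers cached from one resolver would otherwise be served after the switch. The trade-off is explicit in the log line: for the duration of the outage, LAN lookups go to the ISP, which is exactly the leak the static setup avoided, accepted here in exchange for the tunnel being able to recover on its own.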
 
sk0003
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Sep 17, 2023 6:52 pm

Re: Peer DNS on ether1-wan when wireguard tunnel goes down with a script?

Tue Nov 26, 2024 11:57 pm

> So to be clear you want to use the far router for DNS when the wireguard tunnel is up
> and to allow local WAN access and local DNS when the tunnel is down.
>
> Is this for a single subnet, all subnets, some users???
That is correct. I have two subnets: one is for an IPIP tunnel over IKE2 and one is for the Wireguard tunnel. So it would be for all. I just need the local DNS up for the tunnel to connect.
 
anav
Forum Guru
Posts: 21818
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Peer DNS on ether1-wan when wireguard tunnel goes down with a script?

Wed Nov 27, 2024 1:05 am

Not clear it sounds like only one subnet is going through wireguard??
Do you have control over the other end??

need config!!
 
sk0003
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Sep 17, 2023 6:52 pm

Re: Peer DNS on ether1-wan when wireguard tunnel goes down with a script?

Wed Nov 27, 2024 6:12 pm

> Not clear it sounds like only one subnet is going through wireguard??
> Do you have control over the other end??
>
> need config!!
One subnet is going over wireguard, 192.168.99.0/24 and it's the main one I am using for my home network.

I do have control over the other end, it's an rb4011.

Config:
# 2024-10-28 17:42:50 by RouterOS 7.16.1
# software id = Redacted
#
# model = RB5009UG+S+
# serial number = (SerNum)
/interface bridge
add disabled=yes name=br-EOIP
add disabled=yes name=br-OVPN
add name=br-VPN
add name=br_PBR port-cost-mode=short
add admin-mac=(MacAddress) auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name=ether3-WG-LAN
set [ find default-name=ether4 ] name=ether4-VOIP
set [ find default-name=ether5 ] name="ether5-IPTV STB"
set [ find default-name=ether6 ] name=ether6-IPTV2
set [ find default-name=ether8 ] comment=WAN2
/interface l2tp-client
add connect-to=(VPN IP) disabled=no name=l2tp-out1 use-ipsec=\
    yes user=l2tp
/interface eoip
add disabled=yes mac-address=(MacAddress) name=eoip-tunnel1 \
    remote-address=192.168.50.1 tunnel-id=1
/interface wireguard
add disabled=yes listen-port=13232 mtu=1420 name=Name
add listen-port=13231 mtu=1412 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-DOMA-1f2e3a6c rrm=yes \
    wnm=yes
/interface wifi configuration
add country="North Macedonia" disabled=no mode=ap name=cfg1 \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp,gcmp \
    .ft=yes .ft-over-ds=yes ssid=DOMA steering=steering1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.98.10-192.168.98.254
add name=dhcp_pool2 ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool2 interface=br_PBR lease-time=10m name=dhcp2
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
add bridge=br-OVPN change-tcp-mss=yes name=OVPN use-ipv6=default
set *FFFFFFFE bridge=br-VPN use-encryption=default use-ipv6=default
/interface ovpn-client
add certificate=cert_export_client.crt_0 cipher=aes256-cbc connect-to=\
    (VpnIP) disabled=yes mac-address=(MacAddress) mode=\
    ethernet name=ovpn-out1 profile=OVPN user=ovpnclient
/queue simple
add max-limit=3M/30M name="Asus Router" target=192.168.99.155/32
/queue type
add kind=fq-codel name=fq_qodel-default
add cake-autorate-ingress=yes kind=cake name=cake
/queue tree
add bucket-size=0.01 disabled=yes max-limit=90M name=DOWN parent=br_PBR \
    queue=default
add disabled=yes name="1. VOIP" packet-mark=VOIP parent=DOWN priority=1 \
    queue=default
add disabled=yes name="2. MAXTV" packet-mark=MaxTV parent=br-VPN priority=2 \
    queue=default
add disabled=yes name="2. DNS" packet-mark=DNS parent=DOWN priority=2 queue=\
    default
add disabled=yes name="3. ACK" packet-mark=ACK parent=DOWN priority=3 queue=\
    default
add disabled=yes name="4. UDP" packet-mark=UDP parent=DOWN priority=3 queue=\
    default
add disabled=yes name="5. ICMP" packet-mark=ICMP parent=DOWN priority=4 \
    queue=default
add disabled=yes name="6. HTTP" packet-mark=HTTP parent=DOWN priority=5 \
    queue=default
add disabled=yes name="7. HTTP_BIG" packet-mark=HTTP_BIG parent=DOWN \
    priority=6 queue=default
add disabled=yes name="8. QUIC" packet-mark=QUIC parent=DOWN priority=7 \
    queue=default
add disabled=yes name="9. OTHER" packet-mark=OTHER parent=DOWN queue=default
add bucket-size=0.01 disabled=yes max-limit=15M name=UP parent=br_PBR queue=\
    default
add disabled=yes name="1. VOIP_" packet-mark=VOIP parent=UP priority=1 queue=\
    default
add disabled=yes name="2. DNS_" packet-mark=DNS parent=UP priority=2 queue=\
    default
add disabled=yes name="3. ACK_" packet-mark=ACK parent=UP priority=3 queue=\
    default
add disabled=yes name="4. UDP_" packet-mark=UDP parent=UP priority=3 queue=\
    default
add disabled=yes name="5. ICMP_" packet-mark=ICMP parent=UP priority=4 queue=\
    default
add disabled=yes name="6. HTTP_" packet-mark=HTTP parent=UP priority=5 queue=\
    default
add disabled=yes name="7. HTTP_BIG_" packet-mark=HTTP_BIG parent=UP priority=\
    6 queue=default
add disabled=yes name="8. QUIC_" packet-mark=QUIC parent=UP priority=7 queue=\
    default
add disabled=yes name="9. OTHER_" packet-mark=OTHER parent=UP queue=default
add disabled=yes max-limit=15M name=cake-queue-upload parent=wg1 queue=cake
add disabled=yes name=cake-queue-download parent=wg1 queue=cake
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add disabled=no fib name=wg
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=yes instance=\
    zt1 name=zerotier1 network=(NetworkID)
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2-LAN \
    internal-path-cost=10 path-cost=10
add bridge=br_PBR comment=defconf ingress-filtering=no interface=\
    ether3-WG-LAN internal-path-cost=10 path-cost=10
add bridge=br_PBR comment=defconf ingress-filtering=no interface=ether4-VOIP \
    internal-path-cost=10 path-cost=10
add bridge=br-VPN comment=defconf ingress-filtering=no interface=\
    "ether5-IPTV STB" internal-path-cost=10 path-cost=10
add bridge=bridge disabled=yes ingress-filtering=no interface=ether1-WAN \
    internal-path-cost=10 path-cost=10
add bridge=br-OVPN disabled=yes interface=eoip-tunnel1
add bridge=br-VPN interface=ether6-IPTV2
add bridge=br-EOIP interface=eoip-tunnel1
/ip firewall connection tracking
set udp-timeout=1m
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=wg1 list=LAN
add comment=defconf interface=br_PBR list=LAN
add comment=defconf interface=ether8 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wifi capsman
set enabled=yes package-path=/ require-peer-certificate=no upgrade-policy=\
    none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg1
/interface wireguard peers
add allowed-address="0.0.0.0/0,192.168.50.0/24,192.168.88.0/24,AllowedAddresses" endpoint-address=\
    (VpnIP) endpoint-port=13231 interface=wg1 name=peer8 \
    persistent-keepalive=25s public-key=\
    "PublicKey"
add allowed-address=192.168.60.0/24 disabled=yes endpoint-address=\
    (RedactedIP) endpoint-port=13232 interface=Name name=peer12 \
    persistent-keepalive=1s private-key=\
    "PublicKey" public-key=\
    "PrivateKey"
/ip address
add address=192.168.98.1/24 comment=defconf interface=bridge network=\
    192.168.98.0
add address=10.0.0.2/24 disabled=yes interface=ether1-WAN network=10.0.0.0
add address=192.168.50.2/24 interface=wg1 network=192.168.50.0
add address=192.168.99.1/24 interface=br_PBR network=192.168.99.0
add address=192.168.60.2/24 interface=Name network=192.168.60.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no interface=ether1-WAN use-peer-dns=no
add add-default-route=no interface=br-VPN
add add-default-route=no interface=ether8 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.99.7 client-id=(Mac) comment=\
    "Grandstream HT801" mac-address=(Mac) server=dhcp2
add address=192.168.99.183 client-id=(Mac) comment=\
    "Alienware PC" mac-address=(Mac) server=dhcp2
add address=192.168.99.151 client-id=(Mac) mac-address=\
    (Mac) server=dhcp2
add address=192.168.99.155 client-id=(Mac) comment=\
    "ASUS Router" mac-address=(Mac) server=dhcp2
add address=192.168.99.190 client-id=(Mac) comment=\
    "AVM Fritz Powerline 1260" mac-address=(Mac) server=dhcp2
add address=192.168.99.91 client-id=(Mac) comment=PS5 \
    mac-address=(Mac) server=dhcp2
add address=192.168.99.21 client-id=1(Mac) comment=\
    MAXTV-Android-Box mac-address=(Mac) server=dhcp2
add address=192.168.99.14 client-id=(Mac) comment=SONY-TV-77 \
    mac-address=(Mac) server=dhcp2
add address=192.168.99.169 mac-address=(Mac) server=dhcp2
add address=192.168.99.35 comment="Motorola Nettvplus" mac-address=\
    (Mac) server=dhcp2
add address=192.168.99.23 client-id=(Mac) mac-address=\
    (Mac) server=dhcp2
/ip dhcp-server network
add address=192.168.98.0/24 comment=defconf dns-server=192.168.98.1 gateway=\
    192.168.98.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=192.168.50.1
/ip dns static
add address=192.168.88.1 comment=defconf disabled=yes name=router.lan type=A
add address=192.168.50.1 name=mk.wg type=A
/ip firewall address-list
add address=192.168.98.0/24 list=local
add address=192.168.50.0/24 list=Trusted
add address=(VpnIP) list=Trusted
add address=192.168.60.0/24 list=Trusted
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=drop chain=output comment="TEST WAN1 Failover to WAN2" disabled=\
    yes dst-address=8.8.8.8
add action=accept chain=forward connection-state=established,related
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=\
    tcp src-address-list=Trusted
add action=accept chain=input src-address-list=Trusted
# zerotier1 not ready
# zerotier1 not ready
add action=accept chain=forward in-interface=zerotier1
# zerotier1 not ready
# zerotier1 not ready
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept IGMP" in-interface=br-VPN \
    protocol=udp
add action=accept chain=forward comment="Forward IGMP" in-interface=br-VPN \
    protocol=udp
add action=accept chain=input comment="Accept GRE" protocol=gre
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
add action=accept chain=input dst-port=500 in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=4500 in-interface-list=WAN protocol=\
    tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1300 out-interface=\
    wg1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=mark-routing chain=prerouting disabled=yes in-interface=br-VPN \
    log=yes new-routing-mark=wg passthrough=yes
add action=change-mss chain=forward comment="WG Required Rule (First One)" \
    disabled=yes new-mss=clamp-to-pmtu passthrough=no protocol=tcp tcp-flags=\
    syn
add action=change-mss chain=forward comment="WG Required Rule 1/2" new-mss=\
    1372 out-interface=wg1 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=\
    1373-65535
add action=change-mss chain=forward comment="WG Required Rule 2/2" disabled=\
    yes new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward comment="Change MSS on L2TP bridge" \
    disabled=yes new-mss=clamp-to-pmtu out-interface=br-VPN passthrough=yes \
    protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=1380 passthrough=yes \
    protocol=tcp tcp-flags=syn tcp-mss=1381-65535
add action=mark-connection chain=prerouting comment=MaxTV disabled=yes \
    in-interface=br-VPN new-connection-mark=MaxTV passthrough=yes
add action=mark-packet chain=prerouting connection-mark=MaxTV disabled=yes \
    new-packet-mark=MaxTV passthrough=no
add action=mark-connection chain=prerouting comment=DNS connection-state=new \
    disabled=yes new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS disabled=yes \
    new-packet-mark=DNS passthrough=no
add action=mark-connection chain=postrouting connection-state=new disabled=\
    yes new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=postrouting connection-mark=DNS disabled=yes \
    new-packet-mark=DNS passthrough=no
add action=mark-connection chain=prerouting comment=VOIP disabled=yes \
    new-connection-mark=VOIP passthrough=yes port=5060-5062,8560,10000-10050 \
    protocol=udp
add action=mark-packet chain=prerouting connection-mark=VOIP disabled=yes \
    new-packet-mark=VOIP passthrough=no
add action=mark-connection chain=prerouting comment=QUIC connection-state=new \
    disabled=yes new-connection-mark=QUIC passthrough=yes port=80,443 \
    protocol=udp
add action=mark-packet chain=prerouting connection-mark=QUIC disabled=yes \
    new-packet-mark=QUIC passthrough=no
add action=mark-connection chain=prerouting comment=UDP connection-state=new \
    disabled=yes new-connection-mark=UDP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=UDP disabled=yes \
    new-packet-mark=UDP passthrough=no
add action=mark-connection chain=prerouting comment=ICMP connection-state=new \
    disabled=yes new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP disabled=yes \
    new-packet-mark=ICMP passthrough=no
add action=mark-connection chain=postrouting connection-state=new disabled=\
    yes new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting connection-mark=ICMP disabled=yes \
    new-packet-mark=ICMP passthrough=no
add action=mark-packet chain=postrouting comment=ACK disabled=yes \
    new-packet-mark=ACK packet-size=0-123 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=ACK \
    packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-connection chain=prerouting comment=HTTP connection-mark=\
    no-mark connection-state=new disabled=yes new-connection-mark=HTTP \
    passthrough=yes port=80,443 protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=5000000-0 \
    connection-mark=HTTP connection-rate=2M-100M disabled=yes \
    new-connection-mark=HTTP_BIG passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG disabled=yes \
    new-packet-mark=HTTP_BIG passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP disabled=yes \
    new-packet-mark=HTTP passthrough=no
add action=mark-connection chain=prerouting comment=OTHER connection-state=\
    new disabled=yes new-connection-mark=POP3 passthrough=yes port=\
    995,465,587 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=POP3 disabled=yes \
    new-packet-mark=OTHER passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes new-connection-mark=OTHER passthrough=yes
add action=mark-packet chain=prerouting connection-mark=OTHER disabled=yes \
    new-packet-mark=OTHER passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=lo
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=br_PBR
add action=masquerade chain=srcnat disabled=yes out-interface=wg1
/ip firewall raw
add action=drop chain=output disabled=yes dst-address=8.8.4.4 src-address=\
    192.168.120.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wg1 \
    routing-table=main scope=10 suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 pref-src="" \
    routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.5.5.241/32 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=31
add disabled=no distance=1 dst-address=8.8.4.4/32 gateway=192.168.188.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=31
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
    192.5.5.241 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=32
add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=\
    8.8.4.4 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=32
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip upnp
set enabled=yes
/mpls ldp
add disabled=no lsr-id=192.168.12.2 transport-addresses=192.168.12.2
/mpls ldp interface
add disabled=no interface="ether5-IPTV STB"
add disabled=no interface=lo
/ppp profile
add bridge=*E name=SITE-TO-SITE-L2VPN
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets="(RedactedIPs)" disabled=yes \
    interface=wg1 upstream=yes
add disabled=yes interface="ether5-IPTV STB"
/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.99.101/32 \
    table=main
add action=lookup comment="Alienware PC VPN Routing (Enable to bypass WG)" \
    disabled=yes src-address=192.168.99.183/32 table=main
add action=lookup comment="ASUS Router" disabled=no src-address=\
    192.168.99.155/32 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.99.0/24 \
    src-address=192.168.99.0/24 table=main
add action=lookup-only-in-table disabled=no src-address=192.168.99.0/24 \
    table=wg
add action=lookup comment=\
    "AVM Fritz Powerline 1260 - Enable to bypass WG VPN" disabled=yes \
    src-address=192.168.99.190/32 table=main
add action=lookup comment="PS5 (Enable to bypass MK WG)" disabled=yes \
    src-address=192.168.99.91/32 table=main
add action=lookup comment="NettvPlus Motorola (Enable to bypass MK WG)" \
    disabled=yes src-address=192.168.99.35/32 table=main
add action=lookup comment="Macbook Pro" disabled=yes src-address=\
    192.168.99.23/32 table=main
/system clock
set time-zone-autodetect=no time-zone-name=Redacted
/system identity
set name=RB5009
/system note
set show-at-login=no
/system script
add dont-require-permissions=yes name=UP owner=(Name) policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch url=\"https://api.telegram.org/bot\text=WAN1 is UP\""
add dont-require-permissions=yes name=DOWN owner=(Name) policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    delay 20s;\r\
    \n/tool fetch url=\"https://api.telegram.org/text=WAN1 is DOWN\""
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script="/system/script/run DOWN;" host=192.5.5.241 \
    http-codes="" interval=1m packet-count=10 packet-interval=1s start-delay=\
    3s startup-delay=2m test-script="" thr-avg=200ms timeout=3s type=icmp \
    up-s

 
sk0003
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Sep 17, 2023 6:52 pm

Re: Peer DNS on ether1-wan when wireguard tunnel goes down with a script?  [SOLVED]

Sat Nov 30, 2024 12:27 am

Just want to report I solved this issue doing the following.

I turned on Peer DNS on my WAN interface, ETH1.

Then in IP/DNS, I removed any static DNS entries I had and unchecked Allow Remote Requests.

In IP/DHCP Server/Networks, under my network 192.168.99.0/24, I added a Static DNS entry of 192.168.50.1 which is my remote Wireguard server router. Now all clients connected to this network get DNS resolution from the remote router, hence no DNS leaks and if the tunnel were to go down, it will reconnect using the dynamic DNS servers it gets from WAN, ETH1.
Note: this only works if you disable Allow Remote Requests in IP/DNS as stated above.
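The same steps in CLI form, added here as an example rather than taken from the author's export, together with the checks worth running afterwards. Interface and address values come from the config posted above (ether1-WAN, network 192.168.99.0/24, remote router 192.168.50.1); clearing the `servers` field is assumed to be what "removed any static DNS entries" refers to.

```routeros
# Added example: CLI equivalent of the solution described above (not the
# author's own export). Values taken from the posted config.

# 1. The router itself resolves through the ISP resolvers learned on the WAN
#    lease, so the far end's DDNS name can be looked up while wg1 is down.
/ip dhcp-client set [find interface=ether1-WAN] use-peer-dns=yes

# 2. Stop answering DNS for the LAN and drop the static remote resolver; the
#    router is no longer in the client resolution path at all.
/ip dns set servers="" allow-remote-requests=no

# 3. Hand LAN clients the remote router as their resolver, so their queries
#    travel inside the tunnel (the existing routing rule sends 192.168.99.0/24
#    through table wg) and never touch the ISP.
/ip dhcp-server network set [find address=192.168.99.0/24] dns-server=192.168.50.1

# 4. Verify: dynamic-servers lists the ISP resolvers, allow-remote-requests is
#    no, and the lease option for the WG subnet is 192.168.50.1.
/ip dns print
/ip dhcp-server network print detail where address=192.168.99.0/24
```

Two things to check before relying on this. First, the split is now per device: client lookups stay inside the tunnel, but the router's own lookups (DDNS, cloud, fetch scripts) always go to the ISP, which is the intended and visible trade-off. Second, in the export posted earlier the defconf network 192.168.98.0/24 still hands out 192.168.98.1 as its DNS server; once `allow-remote-requests=no` the router refuses those queries, so that network needs a different `dns-server` value too, or its clients lose name resolution.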
