I have read here in forums and seen that pihole-dns should also be added to dhcp-> networks. It is when I do that that the problem arises. My dns requests get no response. However, I can ping my pihole.
It works properly in the vlan where the pihole is located.
Code: Select all
# apr/26/2022 01:05:02 by RouterOS 6.49.6
# software id = FQCH-LUB0
#
# model = RB750Gr3
# serial number =
/interface bridge
add admin-mac=DC:2C:6E:53:3A:02 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=admin-vlan vlan-id=104
add interface=bridge name=family-vlan vlan-id=103
add interface=bridge name=guest-vlan vlan-id=102
add interface=bridge name=iot-vlan vlan-id=101
add interface=bridge name=main-vlan vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MGMT
/ip pool
add name=main-pool ranges=192.168.100.10-192.168.100.254
add name=iot-pool ranges=192.168.101.10-192.168.101.254
add name=guest-pool ranges=192.168.102.10-192.168.102.254
add name=family-pool ranges=192.168.103.10-192.168.103.254
add name=admin-pool ranges=192.168.104.10-192.168.104.254
/ip dhcp-server
add address-pool=main-pool disabled=no interface=main-vlan name=main-dhcp
add address-pool=iot-pool disabled=no interface=iot-vlan name=iot-dhcp
add address-pool=guest-pool disabled=no interface=guest-vlan name=guest-dhcp
add address-pool=family-pool disabled=no interface=family-vlan name=family-dhcp
add address-pool=admin-pool disabled=no interface=admin-vlan lease-time=23h name=admin-dhcp
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=101
add bridge=bridge comment=defconf interface=ether5 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge untagged=ether2,ether3,ether5 vlan-ids=100
add bridge=bridge comment=iot-vlan tagged=bridge,ether5 untagged=ether4 vlan-ids=101
add bridge=bridge comment=guest-vlan tagged=bridge,ether5 vlan-ids=102
add bridge=bridge comment=family-vlan tagged=bridge,ether5 vlan-ids=103
add bridge=bridge comment=admin-vlan tagged=bridge,ether5 vlan-ids=104
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=main-vlan list=LAN
add interface=iot-vlan list=LAN
add interface=guest-vlan list=LAN
add interface=main-vlan list=VLAN
add interface=iot-vlan list=VLAN
add interface=guest-vlan list=VLAN
add interface=main-vlan list=MGMT
add interface=family-vlan list=LAN
add interface=family-vlan list=VLAN
add interface=admin-vlan list=LAN
add interface=admin-vlan list=VLAN
/ip address
add address=192.168.100.1/24 interface=main-vlan network=192.168.100.0
add address=192.168.101.1/24 interface=iot-vlan network=192.168.101.0
add address=192.168.102.1/24 interface=guest-vlan network=192.168.102.0
add address=192.168.103.1/24 interface=family-vlan network=192.168.103.0
add address=192.168.104.1/24 interface=admin-vlan network=192.168.104.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.100.0/24 comment=main-dhcp-network gateway=192.168.100.1
add address=192.168.101.0/24 comment=iot-dhcp-network gateway=192.168.101.1
add address=192.168.102.0/24 comment=guest-dhcp-network gateway=192.168.102.1
add address=192.168.103.0/24 comment=family-dhcp-network gateway=192.168.103.1
add address=192.168.104.0/24 comment=admin-vlan-dhcp-network dns-server=192.168.100.200 gateway=192.168.104.1
/ip dns
set allow-remote-requests=yes servers=192.168.100.200
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow main-vlan/MGMT access to all router services" in-interface-list=MGMT
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN ICMP Ping" in-interface-list=VLAN protocol=icmp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access Only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward in-interface=admin-vlan out-interface=main-vlan
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT - enable if need server" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all other traffic"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=redirect chain=dstnat comment="Intercept DNS queries UDP" disabled=yes dst-port=53 protocol=udp src-address=!192.168.100.200 to-ports=53
add action=redirect chain=dstnat comment="Intercept DNS queries TCP" disabled=yes dst-port=53 protocol=tcp src-address=!192.168.100.200 to-ports=53
/ip ssh
set strong-crypto=yes
/system clock
/system identity
set name=RouterOS
/tool graphing interface
add allow-address=192.168.100.0/24 interface=ether1
add allow-address=192.168.100.0/24 interface=main-vlan
add allow-address=192.168.100.0/24 interface=iot-vlan
add allow-address=192.168.100.0/24 interface=guest-vlan
/tool graphing resource
add allow-address=192.168.100.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN