gingerbeard
just joined
Topic Author
Posts: 2
Joined: Fri Jul 08, 2022 2:35 pm

RouterOS transparent forwarding to Pihole and back

Fri Jul 08, 2022 3:28 pm

Hello,

I'm currently running Chateau - RouterBOARD v7.0. One of the router's interfaces is connected to an RPi running Raspbian OS with Pihole and Unbound on board.
To dump all the DNS traffic I have added dst-nat rules and masquerade to receive the answers back. This setup is doing its job, but there is a small issue. I would like to
see which host generates which queries. With masquerade rules it is not possible (the router IP is logically the only traffic generator); without dst-nat and masquerade,
devices would use their own DNS addresses, avoiding the Pihole blocklists.
The question is whether it is possible to set up DNS routing through Pihole without NAT-ing the host addresses. If no masquerade rules are added, then the RPi will drop packets,
not knowing the destination to the host. Do I need to add static routes in Raspbian to the end nodes?

I will surely share infrastructure info, as well as the applied RouterOS rules.
Attachments: structure.png, pihole-conditional forwarding.png

RPi-IP(Eth0) = 10.0.10.100/24
MikrotikRouterOS-IP(Eth2) = 10.0.10.1/24
For the other subnets, the network address plus one (the first host address) can be assumed to be the MikroTik RouterOS IP address.

Code:
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no 
      log-prefix="" ipsec-policy=out,none 

 1    chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53 
      protocol=udp dst-address=!10.0.10.100 src-address-list=user-net-list 
      dst-port=53,5353 log=no log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53 
      protocol=tcp dst-address=!10.0.10.100 src-address-list=user-net-list 
      dst-port=53,5353 log=no log-prefix="" 

 3    chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53 
      protocol=udp dst-address=!10.0.10.100 src-address-list=guest-net-list 
      dst-port=53,5353 log=no log-prefix="" 

 4    chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53 
      protocol=tcp dst-address=!10.0.10.100 src-address-list=guest-net-list 
      dst-port=53,5353 log=no log-prefix="" 

 5    chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53 
      protocol=udp dst-address=!10.0.10.100 src-address-list=work-net-list 
      dst-port=53,5353 log=no log-prefix="" 

 6    chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53 
      protocol=tcp dst-address=!10.0.10.100 src-address-list=work-net-list 
      dst-port=53,5353 log=no log-prefix="" 

 7    chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53 
      protocol=udp dst-address=!10.0.10.100 src-address-list=smart-net-list 
      dst-port=53,5353 log=no log-prefix="" 

 8    chain=dstnat action=dst-nat to-addresses=10.0.10.100 to-ports=53 
      protocol=tcp dst-address=!10.0.10.100 src-address-list=smart-net-list 
      dst-port=53,5353 log=no log-prefix="" 

11    chain=srcnat action=masquerade protocol=udp dst-address=10.0.10.100 
      src-address-list=user-net-list dst-port=53,5353 log=no log-prefix="" 

12    chain=srcnat action=masquerade protocol=tcp dst-address=10.0.10.100 
      src-address-list=user-net-list dst-port=53,5353 log=no log-prefix="" 

13    chain=srcnat action=masquerade protocol=udp dst-address=10.0.10.100 
      src-address-list=work-net-list dst-port=53,5353 log=no log-prefix="" 

14    chain=srcnat action=masquerade protocol=tcp dst-address=10.0.10.100 
      src-address-list=work-net-list dst-port=53,5353 log=no log-prefix="" 

15    chain=srcnat action=masquerade protocol=udp dst-address=10.0.10.100 
      src-address-list=smart-net-list dst-port=53,5353 log=no log-prefix="" 

16    chain=srcnat action=masquerade protocol=tcp dst-address=10.0.10.100 
      src-address-list=smart-net-list dst-port=53,5353 log=no log-prefix="" 

17    chain=srcnat action=masquerade protocol=udp dst-address=10.0.10.100 
      src-address-list=guest-net-list dst-port=53,5353 log=no log-prefix="" 

18    chain=srcnat action=masquerade protocol=tcp dst-address=10.0.10.100 
      src-address-list=guest-net-list dst-port=53,5353 log=no log-prefix="" 
Thanks in advance!
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: RouterOS transparent forwarding to Pihole and back  [SOLVED]

Fri Jul 08, 2022 3:39 pm

You don't need src-nat rules to masquerade DNS requests for src-address-lists which don't include the RPi's own IP address. Those src-nat rules are only necessary if the DNS server (RPi) and the client are in the same IP subnet, to make sure the RPi sends reply packets via the router, because the router has to un-do the dst-nat. Traffic towards clients from other subnets will be sent via the router anyway because the RPi's routing table requires that kind of path.

If the RPi is indeed the only device in the "DNS cloud", then you can disable/remove all of those src-nat rules (and only keep the generic masquerade rule #0 for WAN-bound traffic).
If there are some DNS clients in the same subnet as the RPi, then you can still disable the corresponding src-nat rules on the router, but enable conditional routing only for that subnet (10.0.10.0/24).
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS transparent forwarding to Pihole and back

Fri Jul 08, 2022 4:31 pm

Is there any reason to use a Raspberry Pi for DNS these days?
I have one, but never got it to work properly......aka family said stop................ you're effing up the internet. :-)
 
rjmessing
just joined
Posts: 9
Joined: Tue Jun 07, 2022 6:59 am

Re: RouterOS transparent forwarding to Pihole and back

Sun Jul 10, 2022 4:32 pm

> Is there any reason to use a Raspberry Pi for DNS these days?
> I have one, but never got it to work properly......aka family said stop................ you're effing up the internet. :-)

I use PiHole to reduce the number of annoying ads going to my devices. It's not perfect, but I block nearly 20% of the ad traffic and have seen it as high as 40% blocked. I hate opening a page and seeing ads pasted all over the place. Really do wish all ads on the internet could be banned from all apps and webpages.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS transparent forwarding to Pihole and back

Sun Jul 10, 2022 5:08 pm

But why is this the realm of Pihole? Why can't any of the other DNS services do the same, be it Cloudflare or Quad9 or some other public service, etc.........
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS transparent forwarding to Pihole and back

Sun Jul 10, 2022 5:17 pm

Just for giggles, found AdGuard!!

Default servers
If you want to block ads and trackers.
IPv4:
94.140.14.14
94.140.15.15
IPv6:
2a10:50c0::ad1:ff
2a10:50c0::ad2:ff
Non-filtering servers
If you don't want AdGuard DNS to block ads and trackers, or any other DNS requests.
IPv4:
94.140.14.140
94.140.14.141
IPv6:
2a10:50c0::1:ff
2a10:50c0::2:ff
Family protection servers
If you want to block adult content, enable safe search and safe mode options wherever possible, and also block ads and trackers.
IPv4:
94.140.14.15
94.140.15.16
IPv6:
2a10:50c0::bad1:ff
2a10:50c0::bad2:ff
 
gingerbeard
just joined
Topic Author
Posts: 2
Joined: Fri Jul 08, 2022 2:35 pm

Re: RouterOS transparent forwarding to Pihole and back

Sun Jul 31, 2022 7:42 pm

> You don't need src-nat rules to masquerade DNS requests for src-address-lists which don't include the RPi's own IP address. Those src-nat rules are only necessary if the DNS server (RPi) and the client are in the same IP subnet, to make sure the RPi sends reply packets via the router, because the router has to un-do the dst-nat. Traffic towards clients from other subnets will be sent via the router anyway because the RPi's routing table requires that kind of path.
>
> If the RPi is indeed the only device in the "DNS cloud", then you can disable/remove all of those src-nat rules (and only keep the generic masquerade rule #0 for WAN-bound traffic).
> If there are some DNS clients in the same subnet as the RPi, then you can still disable the corresponding src-nat rules on the router, but enable conditional routing only for that subnet (10.0.10.0/24).

You are right; I guess I did not have a default 0.0.0.0 route through the router, and the RPi dropped the packets when it came to the reply. Thanks a lot! Changed the rules and now the local network seems transparent.
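Added illustration, not code from this thread, MikroTik or Pi-hole: a small Python model of the return path mkx describes (dst-nat on the router, a longest-prefix route lookup on the RPi) and of the missing-default-route case the topic author ran into. The router and RPi addresses are the ones in the thread; the client hosts 10.0.20.50 and 10.0.10.50, the upstream 8.8.8.8 and the two RPi routing tables are constructed for the example.

```python
"""Model of why masquerade is only needed for DNS clients on the Pi-hole's own subnet.

Constructed example: the router (10.0.10.1) dst-nats every DNS query to the
Pi-hole (10.0.10.100); the RPi picks the route for its reply with a plain
longest-prefix lookup. Client addresses and routing tables are made up.
"""
import ipaddress

ROUTER = ipaddress.ip_address("10.0.10.1")
PIHOLE = ipaddress.ip_address("10.0.10.100")

# RPi routing table as (destination network, gateway); gateway None = directly connected.
RPI_ROUTES_WITH_DEFAULT = [
    (ipaddress.ip_network("10.0.10.0/24"), None),
    (ipaddress.ip_network("0.0.0.0/0"), ROUTER),   # default route via the MikroTik
]
RPI_ROUTES_NO_DEFAULT = [                           # the broken state from the last post
    (ipaddress.ip_network("10.0.10.0/24"), None),
]


def rpi_next_hop(dst, routes):
    """Longest-prefix match; returns (network, gateway) or None when no route exists."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def simulate_dns_query(client, original_dst, masquerade, rpi_routes):
    """Follow one UDP/53 query from `client` to `original_dst` through the router.

    Returns a dict with: delivered (bool), reason, and the source IP the Pi-hole logs.
    """
    client = ipaddress.ip_address(client)
    original_dst = ipaddress.ip_address(original_dst)

    # Router, dstnat chain: destination rewritten to the Pi-hole. Connection tracking
    # remembers (client, original_dst) so the reply can be translated back.
    # Router, srcnat chain: with masquerade the RPi sees the router as the source.
    src_seen_by_pihole = ROUTER if masquerade else client

    # The RPi answers to whatever source address it saw.
    route = rpi_next_hop(src_seen_by_pihole, rpi_routes)
    if route is None:
        return {"delivered": False,
                "reason": "RPi has no route to the client; reply dropped on the RPi",
                "pihole_logs": str(src_seen_by_pihole)}

    _net, gateway = route
    passes_router = src_seen_by_pihole == ROUTER or gateway == ROUTER
    if not passes_router:
        # Client and RPi share the LAN: the reply goes straight to the client with
        # src=10.0.10.100, but the client queried original_dst and its resolver
        # discards an answer that arrives from an unexpected address.
        return {"delivered": False,
                "reason": f"reply bypassed the router, src {PIHOLE} != expected {original_dst}",
                "pihole_logs": str(src_seen_by_pihole)}

    # Router reverses dst-nat (and masquerade) from the conntrack entry: the reply
    # leaves with src=original_dst and dst=client, exactly what the client expects.
    return {"delivered": True,
            "reason": "router un-did the NAT on the return path",
            "pihole_logs": str(src_seen_by_pihole)}


def scenarios():
    """The cases from mkx's answer plus the missing-default-route case."""
    return {
        "other_subnet_no_masq": simulate_dns_query("10.0.20.50", "8.8.8.8", False, RPI_ROUTES_WITH_DEFAULT),
        "other_subnet_masq": simulate_dns_query("10.0.20.50", "8.8.8.8", True, RPI_ROUTES_WITH_DEFAULT),
        "same_subnet_no_masq": simulate_dns_query("10.0.10.50", "8.8.8.8", False, RPI_ROUTES_WITH_DEFAULT),
        "same_subnet_masq": simulate_dns_query("10.0.10.50", "8.8.8.8", True, RPI_ROUTES_WITH_DEFAULT),
        "other_subnet_no_masq_no_default_route": simulate_dns_query("10.0.20.50", "8.8.8.8", False, RPI_ROUTES_NO_DEFAULT),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:40} delivered={result['delivered']!s:5} "
              f"pihole_logs={result['pihole_logs']:12} {result['reason']}")
```

The output shows the trade-off the thread is about: a client on another subnet gets its answer without masquerade and the Pi-hole logs the real client IP; the same client with masquerade also works but is logged as 10.0.10.1; a client on 10.0.10.0/24 only works with masquerade, because otherwise the RPi answers it directly and the router never gets to reverse the dst-nat; and without a default route on the RPi every off-subnet client is dropped regardless.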
