Negative — to-ports is implied to be the same as dst-port if not entered. To-ports is really only used when doing port translation.
What is important with such sweeping rules (in-interface-list=LAN) is to ensure you exclude the Pi's LAN address and any other subnets not being subjected to the Pi.
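# Force LAN clients' plain DNS (port 53) to the router. Sources in the
# Excluded list are left alone: the Pi-hole itself (so its own upstream
# queries are not redirected back into it and loop) and any subnet that
# should keep normal DNS. Only port 53 is caught; DoT/DoH is unaffected.
/ip firewall nat
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=tcp src-address-list=!Excluded
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp src-address-list=!Excluded
# IP-Pi-device and lanSUBNET are placeholders: the Pi's address and a subnet
# that is NOT being pointed at the Pi (putting the forced subnet here would
# disable the redirect for it entirely).
/ip firewall address-list
add address=IP-Pi-device list=Excluded
add address=lanSUBNET list=Excluded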
These devices require access to normal DNS services. Don't want the Pi device to be in a loop LOL.
Greetings Anav,
Thanks for the quick reply. I have a Pi-Hole server as well, not using it though. Found it caused more issues than it's worth (things not working due to ad-blocker detection) over the last few years, so I decided to remove it. I've been following you quite a bit on this forum. Take what you, SOB & rextended post as gold lol. I enabled logging on the force-DNS rules. Logging reveals 8.8.8.8:53 is being used, but that's not what's allowed in my lists or in DNS servers. I'm not sure if it's working properly. Can you take a quick look? Below is my config (apologies if you want me to create a new post).
From the log: dstnat: in:Lan Bridge out:(unknown 0), connection-state:new src-mac d8:0f:99:42:bd:73, proto UDP, 192.168.201.77:57703->8.8.8.8:53, len 62
ROS 7.13 using the Apprentice FW located here:
viewtopic.php?t=180838
# The router is the LAN's resolver (allow-remote-requests=yes). The input
# chain below accepts port 53 only from in-interface-list=LAN and ends in a
# drop, so the resolver is not reachable from WAN provided the interface
# lists are correct. The upstreams listed here all appear in allowed_DNS.
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,1.0.0.2,185.228.168.9
/ip firewall address-list
# admin: sources allowed to reach the router's input chain ("admin access"
# filter rule). my.LAN.block entries are placeholders for the real subnets.
add address=my.LAN.block comment="Admin - Devices" list=\
admin
add address=my.LAN.block comment="Admin - Wireguard" list=admin
# SyncServer: not referenced by any rule in this excerpt.
add address=my.LAN.block comment=SyncServer list=SyncServer
# expected-address-from-LAN: the only sources permitted in from the LAN side
# (raw anti-spoof drop) and src-nat'ed out. Multicast/broadcast are included
# so discovery traffic is not dropped as spoofed. The WireGuard subnet being
# here assumes the WireGuard interface is a member of list LAN (not shown).
add address=my.LAN.block comment="Current Network" list=\
expected-address-from-LAN
add address=224.0.0.0/4 comment=Multicast list=expected-address-from-LAN
add address=255.255.255.255 comment=Local list=expected-address-from-LAN
add address=my.LAN.block comment="Wireguard Network" list=\
expected-address-from-LAN
# allowed_DNS: the upstream resolvers. In this config the list is referenced
# only by the raw "accept" rules, which do not restrict anything on their
# own - see the note in /ip firewall raw.
add address=1.1.1.1 comment="Allowed DNS Servers - Cloudflare" list=\
allowed_DNS
add address=1.0.0.1 list=allowed_DNS
add address=1.1.1.2 list=allowed_DNS
add address=1.0.0.2 list=allowed_DNS
add address=1.1.1.3 list=allowed_DNS
add address=1.0.0.3 list=allowed_DNS
add address=185.228.168.9 comment="Allowed DNS Servers - Cleanbrowsing" list=\
allowed_DNS
# unexpected-src-address-hitting-ISP: private/reserved/bogon ranges that must
# never arrive as a source on the WAN interface; dropped in raw (anti-spoof).
# MY-WAN-IP is included so packets spoofing the router's own address are
# dropped too.
add address=10.0.0.0/8 comment="Denied Addresses" list=\
unexpected-src-address-hitting-ISP
add address=127.0.0.0/8 list=unexpected-src-address-hitting-ISP
add address=169.254.0.0/16 list=unexpected-src-address-hitting-ISP
add address=172.16.0.0/12 list=unexpected-src-address-hitting-ISP
add address=192.0.0.0/24 list=unexpected-src-address-hitting-ISP
add address=192.0.2.0/24 list=unexpected-src-address-hitting-ISP
add address=192.88.99.0/24 list=unexpected-src-address-hitting-ISP
add address=192.168.0.0/16 list=unexpected-src-address-hitting-ISP
add address=198.18.0.0/15 list=unexpected-src-address-hitting-ISP
add address=198.51.100.0/24 list=unexpected-src-address-hitting-ISP
add address=203.0.113.0/24 list=unexpected-src-address-hitting-ISP
add address=233.252.0.0/24 list=unexpected-src-address-hitting-ISP
add address=240.0.0.0/5 list=unexpected-src-address-hitting-ISP
add address=248.0.0.0/6 list=unexpected-src-address-hitting-ISP
add address=252.0.0.0/7 list=unexpected-src-address-hitting-ISP
add address=254.0.0.0/8 list=unexpected-src-address-hitting-ISP
add address=MY-WAN-IP list=unexpected-src-address-hitting-ISP
# expected-dst-address-to-my-ISP: the router's public address; WAN traffic to
# anything else is dropped in raw. Static placeholder here; the raw output
# rule also learns the current address dynamically.
add address=MY-WAN-IP list=expected-dst-address-to-my-ISP
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# ICMP is accepted from any interface, WAN included (default behaviour).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback" \
dst-address=127.0.0.1
# Management is reachable only from LAN-side interfaces AND admin sources.
# For the "Admin - Wireguard" entry to match, the WireGuard interface must be
# in interface-list LAN (not shown in this excerpt).
add action=accept chain=input comment="admin access" in-interface-list=LAN \
src-address-list=admin
# Router resolver/NTP: LAN side only; the final drop keeps them off WAN.
add action=accept chain=input comment="allow LAN DNS queries-TCP" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="allow LAN DNS/NTP queries-UDP" \
dst-port=53,123 in-interface-list=LAN protocol=udp
# The only non-default input rule without an interface restriction, i.e. the
# WAN-exposed listener. log=yes here logs every packet to 23231, wanted or
# not - expect noise.
add action=accept chain=input comment="allow WireGuard" dst-port=23231 log=\
yes protocol=udp
add action=drop chain=input comment="drop all else"
# --- forward: traffic through the router ---
# Fasttracked connections skip the remaining forward rules (and mangle/queues,
# per RouterOS fasttrack semantics); only established/related flows qualify,
# so policy is still decided on the first packet by the rules below.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# LAN -> WAN is unrestricted. Nothing in this chain limits DNS to allowed_DNS;
# the dstnat redirect is the only DNS enforcement and it covers port 53 only.
add action=accept chain=forward comment="internet access" in-interface-list=\
LAN out-interface-list=WAN
# Any dst-nat'ed connection is accepted regardless of interface, so every
# enabled dst-nat rule in /ip firewall nat is also an inbound allow here.
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat log=yes
add action=drop chain=forward comment="drop all else"
/ip firewall nat
# Disabled by default; enabling it also opens port 80 inbound via the
# "port forwarding" forward rule. dst-address-type=local limits the match to
# the router's own addresses.
add action=dst-nat chain=dstnat comment=\
"SyncServer - LetsEncrypt Cert Renew (enable during renewal only)" \
disabled=yes dst-address-list=expected-dst-address-to-my-ISP \
dst-address-type=local dst-port=80 log=yes protocol=tcp to-addresses=\
server.IP to-ports=80
# src-nat to a fixed address. The raw output rules' comments indicate the
# WAN IP comes from dhcp-client; if it changes, this static to-addresses
# breaks outbound NAT silently, whereas masquerade would track the change.
add action=src-nat chain=srcnat comment=\
"LAN masquerade & also hide LAN addresses" out-interface-list=WAN \
src-address-list=expected-address-from-LAN to-addresses=MY-WAN-IP
# Hairpin for LAN-to-LAN traffic that went through dstnat. TCP only.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address-list=\
expected-address-from-LAN out-interface-list=LAN protocol=tcp \
src-address-list=expected-address-from-LAN
# Force LAN plain DNS (port 53) to the router. No exclusion list is needed
# here because there is no internal resolver (Pi-hole) to keep out of the
# loop. Only port 53 is caught; DoT/DoH to other resolvers is unaffected.
add action=redirect chain=dstnat comment=\
"Redirect DNS to Mikrotik DNS Server - TCP" dst-port=53 \
in-interface-list=LAN protocol=tcp
# log=yes records the packet as it matched, i.e. with its ORIGINAL
# destination (e.g. 8.8.8.8:53) before the redirect is applied. A log line
# from this rule showing a public resolver means the redirect matched, not
# that it was bypassed.
add action=redirect chain=dstnat comment=\
"Redirect DNS to Mikrotik DNS Server - UDP" dst-port=53 \
in-interface-list=LAN log=yes protocol=udp
# Unlike the LetsEncrypt and OpenVPN rules this one has no
# dst-address-type=local; presumably an oversight, harmless while the list
# only holds the router's own address. "port" and Server.IP are placeholders.
add action=dst-nat chain=dstnat comment="SyncServer - HTTPS" \
dst-address-list=expected-dst-address-to-my-ISP dst-port=port log=yes \
protocol=tcp to-addresses=Server.IP to-ports=port
add action=dst-nat chain=dstnat comment="SyncServer - OpenVPN" \
dst-address-list=expected-dst-address-to-my-ISP dst-address-type=local \
dst-port=port log=yes protocol=tcp to-addresses=Server.IP \
to-ports=port
/ip firewall raw
# Kill switch for testing on the WAN port; keep disabled.
add action=drop chain=prerouting comment="ISP - AT&T Fiber - ether1 - drop all\
\_internet traffic (enable for testing only)" disabled=yes in-interface=\
ether1
# Anti-spoof on WAN: sources that can never legitimately arrive from the ISP.
add action=drop chain=prerouting comment=\
"drop non-legit src-addresses hitting WAN side" in-interface-list=WAN \
src-address-list=unexpected-src-address-hitting-ISP
# Everything from WAN not addressed to our public IP is dropped. If the list
# is empty or stale (WAN IP changed), all inbound WAN traffic - replies
# included - is dropped until the output rule below re-learns the address.
add action=drop chain=prerouting comment=\
"drop non-legit dst-addresses hitting WAN side" dst-address-list=\
!expected-dst-address-to-my-ISP in-interface-list=WAN
# Anti-spoof on LAN: sources must be in expected-address-from-LAN.
add action=drop chain=prerouting comment=\
"drop non-legit traffic coming from LAN" in-interface-list=LAN \
src-address-list=!expected-address-from-LAN
# NOTE: accept in raw only ends raw processing. The prerouting rule changes
# nothing (no later prerouting rules follow); the output rule merely skips the
# address-list learning below for DNS traffic. Neither restricts DNS:
# allowed_DNS is not enforced anywhere in this excerpt - the dstnat redirect
# is the only DNS control.
add action=accept chain=prerouting comment="allowed DNS" src-address-list=\
allowed_DNS
add action=accept chain=output dst-address-list=allowed_DNS
# Learn the router's current WAN address into both lists. none-static makes
# the entries static (no timeout), so a previous address is never expired and
# stays in both lists after a WAN IP change until removed by hand.
add action=add-src-to-address-list address-list=\
expected-dst-address-to-my-ISP address-list-timeout=none-static chain=\
output comment="get ISP dhcp-client IP address & add to expected-dst-addre\
ss-to-my-ISP list" out-interface-list=WAN src-address-type=local
add action=add-src-to-address-list address-list=\
unexpected-src-address-hitting-ISP address-list-timeout=none-static \
chain=output comment="get ISP dhcp-client IP address & add to unexpected-s\
rc-address-hitting-ISP list" out-interface-list=WAN src-address-type=\
local