Świętopełek
newbie
Topic Author
Posts: 32
Joined: Sat Nov 26, 2022 12:33 am

Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Sun Dec 18, 2022 9:34 pm

Hi,

Would anyone be so kind as to help me with basic DoH setup using CleanBrowsing DNS?
I'd like to use the following DNS servers (IPv4 only) listed on https://cleanbrowsing.org/filters/ site:

Image

Here is what I tried so far:

First, I made sure that no Dynamic Servers are in use. I've unchecked the "Use Peer DNS" option on the PPPoE interface.
Image

Next, I have added static DNS entries:
/ip dns static
add address=185.228.168.10 name=adult-filter-dns.cleanbrowsing.org
add address=185.228.169.11 name=adult-filter-dns.cleanbrowsing.org

After that, I have added the following NAT rules:
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53
Image

Finally, I have added the doh.cleanbrowsing.org/doh/adult-filter/
line into the Use DoH Server field:
Image

Now, the problem is I do not know what to do next.
  • Not sure if it's OK to completely skip the DoH Certificate. The PEM (cert) is valid until Wed, 15 Feb 2023 - I'm afraid that DNS will stop working when the certificate expires, but I don't know if it works like that?
  • No idea how to configure the DHCP Server now for LAN clients. Normally I have the above 2 DNS servers set as "DNS Servers" for the DHCP Network. Should I select the "No DNS" option instead?
    Image

After selecting "No DNS" for DHCP Network, I'm getting the following errors and DNS is not working at all for LAN clients:
Image
Last edited by Świętopełek on Mon Dec 19, 2022 2:37 pm, edited 1 time in total.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 8:33 am

Your router doesn't know the IP address of this server, you must add an IP -> DNS -> Static entry for it.

It looks like it could be these two IP addresses:

doh.cleanbrowsing.org. 3600 IN A 185.228.168.168
doh.cleanbrowsing.org. 3600 IN A 185.228.168.10

Then it should work.

P.S.: this step is also mentioned in our DoH video https://www.youtube.com/watch?v=w4erB0VzyIE
 
Świętopełek
newbie
Topic Author
Posts: 32
Joined: Sat Nov 26, 2022 12:33 am

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 12:16 pm

Hi Normis!

Thank you for the reply. Please note that I have already added static DNS entries, as I clearly stated in the post above :-)
Are the entries that I have posted incorrect?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 12:17 pm

But the error clearly says that the DNS name can't be resolved. It means you added DNS static entries for the wrong DNS address.

Your static entry is for adult-filter-dns.cleanbrowsing.org
but your DoH config is for doh.cleanbrowsing.org
 
Świętopełek
newbie
Topic Author
Posts: 32
Joined: Sat Nov 26, 2022 12:33 am

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 12:38 pm

Ahh I understand now! :-)
I have added a static DNS entry for doh.cleanbrowsing.org and the error is gone now. Thank you!

Should I leave the DNS entries in the DHCP Server for the DHCP Network? If I select the "No DNS" option, DNS is not working for LAN clients:
Image
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)  [SOLVED]

Mon Dec 19, 2022 12:54 pm

This config is also wrong. Did you watch the video?
If you are using the router as the DoH client, you should not send the clients to the unencrypted DNS server, it makes no sense.

Remove the DNS server entries from the DHCP Network settings and replace them with the router IP 192.168.0.1 (probably). The LAN devices should use the router as their DNS server, and the router will then query the DoH server.
 
Świętopełek
newbie
Topic Author
Posts: 32
Joined: Sat Nov 26, 2022 12:33 am

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 1:07 pm

Yes, I did watch the video! It was from this video that I learned about DoH :-)
But I think the video does not mention how to set up the DHCP Network...

I think it is working now:
Image

and here from the client:
Image

Should it be OK now?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 1:10 pm

Well if from the client device you are now able to use the internet, it should be working.
Now go visit pornhub and see if blocking is also working :D
 
Świętopełek
newbie
Topic Author
Posts: 32
Joined: Sat Nov 26, 2022 12:33 am

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 1:21 pm

I think filtering works great, but I'm not sure how to verify if everything indeed goes through DNS-Over-HTTPS.
If I set up a custom DNS on the client side, for example 8.8.8.8, I can still access shady content like, for example, torrent sites. Is it normal?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 1:23 pm

No, you can't; this is where the NAT rule comes into play.
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53

This one will catch any other DNS request and send it to your router.

Also, to be extra safe, you can block UDP port 53 from leaving your router, so no regular DNS request can be sent from the router to the web:

/ip firewall filter add chain=output action=drop protocol=udp dst-port=53
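An added example, not from the thread: a small client-side check for the question of how to verify that plain DNS really is being intercepted. It asks 8.8.8.8 for router.lan, the static entry the default config ships with (the export later in the thread still has it), so an answer of 192.168.0.1 can only have come from the router; it assumes dig is installed on the LAN client and that the router is 192.168.0.1.

```shell
#!/bin/sh
# Check from a LAN client that plain DNS (port 53) sent to an outside resolver
# is intercepted by the router's dstnat redirect rules.
# Idea: query 8.8.8.8 for a name only the router's static DNS knows
# (router.lan -> 192.168.0.1 in the default config). Google itself would
# answer NXDOMAIN, so receiving 192.168.0.1 proves the router answered.
# Assumptions (not from the thread): dig on the client, router at 192.168.0.1,
# and the router.lan static entry still present.

ROUTER_IP="${ROUTER_IP:-192.168.0.1}"
CANARY_NAME="${CANARY_NAME:-router.lan}"
OUTSIDE_RESOLVER="${OUTSIDE_RESOLVER:-8.8.8.8}"

# extract_a_record DIG_ANSWER_TEXT
# Pulls the first A record out of "dig +noall +answer" output
# (fields: name ttl class type rdata). Prints nothing for NXDOMAIN/empty.
extract_a_record() {
  printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "A" { print $5; exit }'
}

# classify_answer ANSWER_IP EXPECTED_IP
# "intercepted": the router answered, so the redirect works for this transport
# "leaked":      no answer or a foreign answer, i.e. the query left the LAN
classify_answer() {
  if [ -n "$1" ] && [ "$1" = "$2" ]; then
    echo intercepted
  else
    echo leaked
  fi
}

# query_via RESOLVER NAME PROTO   (PROTO is udp or tcp)
# Sends one query straight to the outside resolver, bypassing the DHCP-assigned
# DNS, exactly like a client that hard-codes 8.8.8.8 would.
query_via() {
  tcpflag=""
  [ "$3" = "tcp" ] && tcpflag="+tcp"
  dig @"$1" "$2" A +noall +answer +time=3 +tries=1 $tcpflag 2>/dev/null || true
}

# check_transport PROTO : run the query and print one verdict line
check_transport() {
  answer=$(query_via "$OUTSIDE_RESOLVER" "$CANARY_NAME" "$1")
  ip=$(extract_a_record "$answer")
  printf '%s/53 to %s: %s (answer: %s)\n' \
    "$1" "$OUTSIDE_RESOLVER" "$(classify_answer "$ip" "$ROUTER_IP")" "${ip:-none}"
}

main() {
  command -v dig >/dev/null 2>&1 || { echo "dig not found on this client" >&2; return 2; }
  check_transport udp   # exercises the protocol=udp redirect rule
  check_transport tcp   # exercises the protocol=tcp redirect rule
}

# Live check runs only when invoked as:  sh doh-redirect-check.sh run
case "${1:-}" in run) main ;; esac
```

Both lines should say "intercepted"; a "leaked" line for either transport means that redirect rule is not matching the client's traffic.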
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 1:27 pm

@Świętopełek
I think filtering works great, but I'm not sure how to verify if everything indeed goes through the DNS-Over-HTTPS.
If I setup a custom DNS on the client side, for example 8.8.8.8 I still can access shady content like for example torrent sites. Is it normal?
Let's make one thing clear right away: beyond ideologies, objectively, whatever you do, you will never prevent a person from doing what he wants with himself.

A DNS filter will never prevent you from downloading a movie from any type of torrent,
nor will it prevent browsers from using their own DoH, which completely bypasses yours, etc., etc., etc...

DoH is designed to liberate the connection from the ideology of the provider
(and to help the big companies get better browsing data on end users, prevent the use of ad-blocking, etc.).

If you don't have full control of the device used, and you are not with the person using it at that moment, you cannot prevent anything at all, and you remain helpless.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 1:31 pm

Rextended, if you see what kind of server he uses, most likely 99% it is for a home environment to stop children from getting viruses or seeing porn banners.
So hold your ideology speech.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 1:39 pm

@normis
¯\_(ツ)_/¯
Ok...

@Świętopełek
I'm not sure how to verify if everything indeed goes through the DNS-Over-HTTPS.
Unfortunately, as more and more browsers have it integrated, you can't prevent the browser from using DoH as well, which completely bypasses your settings.
Also, some smartphones and tablets use embedded DNS (like 8.8.8.8 etc.) and completely ignore the DHCP server.
To prevent redirects or blocking, the next generation of smartphones and tablets use their own DoH...

I still can access shady content like for example torrent sites
A DNS filter will never prevent you from downloading a movie, image, etc. from any type of torrent (often torrents do not use DNS at all),
and it does not prevent any other method, like spam email, and others.
 
Świętopełek
newbie
Topic Author
Posts: 32
Joined: Sat Nov 26, 2022 12:33 am

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 1:52 pm

Yes the reasons are completely irrelevant. Please do not derail my topic! :D
And yes, this is just home environment.

@rextended: Thank you for the comment, I understand that it is not possible to prevent users from using workaround options, but it is not my intention.
My intention is to have a simple DoH setup on my home router, and I'm still struggling with that. My real concern is NOT "why it is not blocking" but rather "why this option is not working".

I have had those 2 options from the very beginning:
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53

As noted above, I think it is not working - with a custom 8.8.8.8 setup on the client, shady content is available.
Should I now add the line below on top of that?
/ip firewall filter add chain=output action=drop protocol=udp dst-port=53
Last edited by Świętopełek on Mon Dec 19, 2022 2:36 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 2:24 pm

As @Normis also wrote,
you need to be sure that all DNS requests go to the RouterBOARD.

If for some reason some device bypasses the router by manually setting the DNS to 8.8.8.8 in the IPv4 config, this means that something is not how it appears.

You must provide a detailed network diagram, with real internal IPs, anonymized external IPs, and the configuration export of the device, censored of private data.

dst-nat happens before forward in the filter;
to drop other DNS requests not directly directed to 192.168.0.1 and not intercepted, you must use the forward chain. (This still does not block the browser's internal DoH.)
/ip firewall filter
add chain=forward action=drop dst-address=!192.168.0.1 protocol=tcp dst-port=53
add chain=forward action=drop dst-address=!192.168.0.1 protocol=udp dst-port=53
Last edited by rextended on Mon Dec 19, 2022 2:35 pm, edited 2 times in total.
 
Świętopełek
newbie
Topic Author
Posts: 32
Joined: Sat Nov 26, 2022 12:33 am

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 2:34 pm

Hmm this is so difficult to understand :(

I have a very simple setup, most of the settings are just defaults:

https://i.imgur.com/l3W5H3L.png
https://i.imgur.com/Ow34ngL.png
https://i.imgur.com/FifbI0K.png
https://i.imgur.com/NCwy7pj.png
https://i.imgur.com/JSHfs4m.png
https://i.imgur.com/X4iKSCA.png

So what should I use from the 5 lines below? All of them, or only the first 2?
/ip firewall filter add chain=forward action=drop dst-address=!192.168.0.1 protocol=tcp dst-port=53
/ip firewall filter add chain=forward action=drop dst-address=!192.168.0.1 protocol=udp dst-port=53

/ip firewall filter add chain=output action=drop protocol=udp dst-port=53

/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53
Last edited by Świętopełek on Mon Dec 19, 2022 2:36 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 2:35 pm

But you wrote them by hand, isn't it an export???

dst-POST command does not exist...
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 2:38 pm

You can omit the "output" rule, but when you test, you must first reboot the devices to clean their internal caches....
 
Świętopełek
newbie
Topic Author
Posts: 32
Joined: Sat Nov 26, 2022 12:33 am

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 2:39 pm

Sorry, just a typo, I've updated my post.
Not an export, but the very same settings (executed on the router without the typo, of course).
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 2:42 pm

The difference between writing something by hand versus doing an export
is the same as the difference between the idea of how something is configured and how it is actually configured.
 
Świętopełek
newbie
Topic Author
Posts: 32
Joined: Sat Nov 26, 2022 12:33 am

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 2:44 pm

So what will these options do? Is there no risk that they will create some sort of conflict within the network?

Here we block 100% of network traffic that is using TCP/UDP port 53 if the destination is not the router itself. Correct?
/ip firewall filter add chain=forward action=drop dst-address=!192.168.0.1 protocol=tcp dst-port=53
/ip firewall filter add chain=forward action=drop dst-address=!192.168.0.1 protocol=udp dst-port=53

And here? What exactly does it do?
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 2:46 pm

The 2nd are to intercept all "standard" DNS traffic (not DoH or DoT) to any IP and redirect it to the router itself.
(You cannot redirect DoH traffic, and if you are able to redirect DoT, RouterOS cannot handle it.)
(DoH is not DoT.)
 
Świętopełek
newbie
Topic Author
Posts: 32
Joined: Sat Nov 26, 2022 12:33 am

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 4:27 pm

This is so confusing...

If I understand correctly, the options below do the following:
When an incoming connection requests TCP/UDP port 53, the DST-NAT action will redirect it to the router address.
That would mean I have just exposed the router's DNS port 53 to the Internet? I don't want that :(
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 4:34 pm

That's the reason why I asked for exact diagram and export, the pictures don't reveal everything.

Your rules on NAT can be something like this:
/ip firewall nat
add chain=dstnat src-address=192.168.0.0/24 dst-address=!192.168.0.1 protocol=tcp dst-port=53 action=dst-nat to-address=192.168.0.1
add chain=dstnat src-address=192.168.0.0/24 dst-address=!192.168.0.1 protocol=udp dst-port=53 action=dst-nat to-address=192.168.0.1
(implicit, no need to specify "to-port", it is 53)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 4:41 pm

@Świętopełek: Dstnat is just one step. Even if you redirect everything to router, if requests came from internet, they already had your router's address as their destination, so nothing much changed there. What happens still depends on your firewall filter (chain=input).
 
Świętopełek
newbie
Topic Author
Posts: 32
Joined: Sat Nov 26, 2022 12:33 am

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 5:00 pm

@rextended: I have just posted the entire config here: https://pastebin.com/XCxm62Rh

@sob: Yes, I think you are correct. I have also tested port 53 externally and it is closed.

I'm sorry for all those questions, but I'm just really trying to understand how exactly everything works. I find it very interesting and also want to make sure that this configuration is sound.
As @rextended explained earlier, the DST-NAT action takes precedence over the firewall rules. In that case, do we really need an additional firewall rule for chain=forward?

I mean, if this works as supposed, and intercepts all port 53 external DNS query attempts from the LAN...
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53

...why would we also need to drop this in chain=forward here? This is just redundant, no?
/ip firewall filter add chain=forward action=drop dst-address=!192.168.0.1 protocol=tcp dst-port=53
/ip firewall filter add chain=forward action=drop dst-address=!192.168.0.1 protocol=udp dst-port=53
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 5:02 pm

It is because of this:
If for some reason some device bypasses the router by manually setting the DNS to 8.8.8.8 in the IPv4 config, this means that something is not how it appears.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 5:05 pm

Please stop using 3rd party sites for images and code; the board can host all of it without forcing us to accept another site's end user policy.....

# dec/19/2022 15:46:23 by RouterOS 7.6
# software id = Y4CQ-VY5Y
#
# model = C52iG-5HaxD2HaxD
# serial number = NNNNNNNNNNN
/interface bridge
add admin-mac=NN:NN:NN:NN:NN:NN auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ONT
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Poland .mode=ap .ssid=MikroTik-C35A1A
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Poland .mode=ap .ssid=NNNNNNNNNN disabled=no
/interface vlan
add interface=ether1-ONT name=vlan35 vlan-id=35
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=vlan35 name=\
    pppoe-Orange user=NNNNNNNNNNN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.35
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1d name=defconf
/port
set 0 name=serial0
/ppp profile
set *0 use-ipv6=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-ONT list=WAN
add interface=pppoe-Orange list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1-ONT use-peer-dns=no
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
    192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes use-doh-server=\
    https://doh.cleanbrowsing.org/doh/adult-filter/
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
add address=185.228.168.10 name=doh.cleanbrowsing.org
add address=185.228.168.168 name=doh.cleanbrowsing.org
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-address=!192.168.0.1 dst-port=\
    53 protocol=tcp
add action=drop chain=forward dst-address=!192.168.0.1 dst-port=\
    53 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Warsaw
/system ntp client
set enabled=yes
/system ntp client servers
add address=europe.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 5:11 pm

Now that I see your config, apparently you need only this:
viewtopic.php?p=973023#p973015
 
Świętopełek
newbie
Topic Author
Posts: 32
Joined: Sat Nov 26, 2022 12:33 am

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 5:24 pm

No need to add:
src-address=!192.168.0.1
?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 5:31 pm

No,
you need only the two rules in this post:
viewtopic.php?p=973023#p973015

If I misunderstood your question: you do not need to add src-address=!192.168.0.1 to the two rules
(because dst-nat already does not happen on output from 192.168.0.1).
 
Świętopełek
newbie
Topic Author
Posts: 32
Joined: Sat Nov 26, 2022 12:33 am

Re: Please help with DoH setup (CleanBrowsing DNS-Over-HTTPS)

Mon Dec 19, 2022 5:39 pm

Awesome! :D
Thank you very much for all the help! Much appreciated!
