howdey57
Member Candidate
Topic Author
Posts: 127
Joined: Wed Dec 31, 2014 2:36 pm

Using pihole behind the Mikrotik DNS server

Sat Mar 04, 2023 5:57 pm

I was thinking of using a Pihole behind my Mikrotik DNS server. The potential reason for this is to take advantage of the speed of the Mikrotik DNS (~6ms) vs Pihole on a small Raspberry Pi (~40ms).

The topology would look like this:

Client >> MK DNS >> Pihole >> Google (or another DNS)

I have tried the config here but I can't actually ping the Pihole (.10) from the Mikrotik (.1) and the internet gets cut off if I use the config.
/ip dns set allow-remote-requests=yes servers=192.168.64.10 comment="to the PiHole"
/ip dhcp-server network add address=192.168.64.0/24 comment="Main network" dns-server=192.168.64.1 gateway=192.168.64.1 netmask=24 ntp-server=192.168.64.1
Has anyone successfully used a Pihole behind a Mikrotik DNS server? If so, please could they share their config for it.

Thanks

Charles
 
JohnTRIVOLTA
Member
Posts: 345
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Using pihole behind the Mikrotik DNS server

Sat Mar 04, 2023 8:28 pm

Use redirect rules for both TCP and UDP port 53 in the firewall NAT section, except for the Pihole IP, if you think someone can set up another DNS address on clients!
I prefer to use AdGuard, on a container in the RouterBOARD if possible!
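Putting the OP's topology (Client >> MK DNS >> Pihole) together with the redirect suggestion above, here is one RouterOS configuration that does it. This is an added example, not config from the thread or from MikroTik; the addresses (192.168.64.1 router, 192.168.64.10 Pi-hole) and the LAN interface list are taken from the thread, and the rule comments are my own. The redirect rules match on dst-port=53, the port a client's query is sent to, and exclude the Pi-hole's own address so its upstream queries are not looped back into the router.

```routeros
# Added example (not from the thread): the router resolves via the Pi-hole at
# 192.168.64.10, clients are handed the router (192.168.64.1) as their DNS server,
# and any client that hard-codes a different resolver is transparently redirected
# to the router. Addresses and the LAN interface list are assumed from the thread.

# Router forwards to the Pi-hole and answers LAN clients (the cache lives on the router)
/ip dns set allow-remote-requests=yes servers=192.168.64.10 comment="to the PiHole"

# DHCP hands out the router as DNS so clients hit the router's cache first
/ip dhcp-server network set [find address="192.168.64.0/24"] dns-server=192.168.64.1

# Let LAN clients reach the router's resolver (input chain). These must sit above
# the "drop all else" rule in the input chain.
/ip firewall filter add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="Allow LAN DNS-UDP"
/ip firewall filter add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="Allow LAN DNS-TCP"

# Catch clients that bypass the router with their own DNS setting.
# Match on dst-port=53 (where a query is sent); src-port=53 would only match replies.
# The Pi-hole is excluded so its own upstream queries (to Google etc.) are not redirected.
/ip firewall nat add chain=dstnat action=redirect in-interface-list=LAN protocol=udp dst-port=53 src-address=!192.168.64.10 to-ports=53 comment="Force LAN DNS via router"
/ip firewall nat add chain=dstnat action=redirect in-interface-list=LAN protocol=tcp dst-port=53 src-address=!192.168.64.10 to-ports=53 comment="Force LAN DNS via router"
```

Because action=redirect sends the query to the router itself rather than to the Pi-hole, no srcnat/masquerade rules for port 53 are needed: the router already has a route back to every LAN client, and the Pi-hole only ever sees queries from the router's address.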
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using pihole behind the Mikrotik DNS server

Sat Mar 04, 2023 8:31 pm

Yes, check out PARA E here, sub para 8: viewtopic.php?t=182373
 
howdey57
Member Candidate
Topic Author
Posts: 127
Joined: Wed Dec 31, 2014 2:36 pm

Re: Using pihole behind the Mikrotik DNS server

Sun Mar 05, 2023 1:21 pm

First things first.... I need to fix why I can't ping the pihole (192.168.64.10) from the router (192.168.64.1)

I followed anav's suggestion and put in the srcnat and dstnat rules (see below) but still cannot ping from router to pihole ("ping 192.168.64.10" from the router). I get a timeout.

DHCP Network is:
comment=Main network address=192.168.64.0/24 gateway=192.168.64.1 netmask=24 dns-server=192.168.64.10 wins-server= ntp-server=192.168.64.1 caps-manager= dhcp-option=

Firewall rules are below. I can't see where I'm going wrong (as ever!!). Any help would be gratefully received!

Charles
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp src-address-list=AllowToRouter
/ip firewall filter add action=accept chain=input comment="Allow LAN DNS&NTP queries-UDP" dst-port=53,123 in-interface-list=LAN protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: Allowed to Router (HTML, SSH, Winbox)" dst-port=80,22,8291 in-interface-list=!WAN protocol=tcp src-address-list=AllowToRouter
/ip firewall filter add action=accept chain=input dst-address=127.0.0.0/8 log=yes src-address=127.0.0.0/8
/ip firewall filter add action=accept chain=input comment="Wireguard" dst-port=13233 protocol=udp
/ip firewall filter add action=add-src-to-address-list address-list=fulltimeGreylist address-list-timeout=none-static chain=input in-interface-list=WAN src-address-list=mygreylist3
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist3 address-list-timeout=4h chain=input in-interface-list=WAN src-address-list=mygreylist2
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist2 address-list-timeout=2h chain=input in-interface-list=WAN src-address-list=mygreylist
/ip firewall filter add action=add-src-to-address-list address-list=maybeBlacklist address-list-timeout=1h30m chain=input in-interface-list=WAN src-address-list=!whitelist
/ip firewall filter add action=reject chain=input comment="defconf: reject all from LAN that have got this far" in-interface-list=LAN reject-with=icmp-admin-prohibited
/ip firewall filter add action=drop chain=input comment="defconf: drop all else"
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="Stop cameras going out" log-prefix="Block Camera out:" out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=accept chain=forward comment="defconf: allow internet traffic" in-interface-list=LAN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="Access from trusted IPs to LAN" out-interface-list=LAN src-address-list=AllowToRouter
/ip firewall filter add action=accept chain=forward comment="Access from LAN to DNS Server .10" dst-address=192.168.64.10 in-interface-list=LAN
/ip firewall filter add action=reject chain=forward comment="defconf: reject all from LAN that have got this far" in-interface-list=LAN log=yes log-prefix="Last reject:" reject-with=icmp-admin-prohibited
/ip firewall filter add action=drop chain=forward comment="defconf: drop everything else"
/ip firewall nat add action=dst-nat chain=dstnat in-interface-list=LAN protocol=tcp src-address=!192.168.64.10 src-port=53 to-addresses=192.168.64.10
/ip firewall nat add action=dst-nat chain=dstnat in-interface-list=LAN protocol=udp src-address=!192.168.64.10 src-port=53 to-addresses=192.168.64.10
/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.64.0/24 dst-port=53 protocol=udp src-address=192.168.64.0/24
/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.64.0/24 dst-port=53 protocol=tcp src-address=192.168.64.0/24
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
/ip firewall raw add action=drop chain=prerouting log-prefix="Drop Raw" src-address-list=myblacklist
/ip firewall raw add action=drop chain=prerouting dst-address-list=myblacklist log=yes log-prefix="CH_Track Drop PreOut Raw"
/ip firewall raw add action=drop chain=output dst-address-list=myblacklist log=yes log-prefix="CH_Track Drop Output Raw"
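Before changing more rules it helps to test each hop of the chain from the router's own terminal. The commands below are an added example, not something posted in the thread; they use the thread's addresses and a placeholder test name ("example.com"). Step 1 reproduces the router-to-Pihole ping the OP is stuck on; steps 2 and 3 separate "the Pihole does not answer" from "the router's resolver is misconfigured"; step 4 shows whether the dstnat rules are matching anything at all.

```routeros
# Added example (not from the thread): checks run from the MikroTik terminal to
# confirm each hop of Client >> router >> Pi-hole. 192.168.64.10 is the Pi-hole
# from the thread; "example.com" is only a test name.

# 1. Can the router reach the Pi-hole at all? (the ping problem in the thread)
/ping 192.168.64.10 count=3

# 2. Does the Pi-hole answer the router directly, bypassing the router's own DNS settings?
:put [:resolve "example.com" server=192.168.64.10]

# 3. Does the router's own resolver (servers= set to the Pi-hole) answer?
:put [:resolve "example.com"]

# 4. Are the port-53 NAT rules matching client traffic? The packet/byte counters
#    should grow after a LAN client pointed at a foreign resolver sends a query.
#    Counters stuck at 0 mean the match conditions (ports, src-address) are wrong.
/ip firewall nat print stats where chain=dstnat

# 5. Answers served from the router's cache are the speed gain the OP is after
/ip dns cache print where name="example.com"
```

If step 1 fails but step 2 succeeds, the Pi-hole is reachable on UDP 53 but drops ICMP, which points at the Pi-hole's host firewall rather than the router's rules; if both fail, look at the router's raw and filter chains first, since the raw drops above are logged and will show in /log print.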

 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using pihole behind the Mikrotik DNS server

Sun Mar 05, 2023 2:10 pm

Full config please not just firewall rules.
 
howdey57
Member Candidate
Topic Author
Posts: 127
Joined: Wed Dec 31, 2014 2:36 pm

Re: Using pihole behind the Mikrotik DNS server

Mon Mar 06, 2023 9:14 am

I made the NAT changes suggested but I still can't ping from router to pihole. I think those changes are for a different purpose from my OP.

However, if I restart the pihole, I CAN ping for about 20 seconds before the ping starts to time out. I presume that is a firewall rule on the pihole taking effect. That firewall rule seems to block ping from the pihole's gateway.

I'll put my plan of a chain of DNS, as per my OP, on hold until another day, but thanks for looking!

Charles
