Bolo
just joined
Topic Author
Posts: 8
Joined: Tue Jan 17, 2023 10:31 pm

Pihole and printer NAT and firewall problems

Sat Apr 22, 2023 7:10 pm

Hi there,
Recently I switched from the router provided by my ISP to a MikroTik RouterBOARD and I'm very happy with it.
However, I would like to make some changes to my home network and I'm facing a few issues.
I have two subnets:
192.178.10.0/24 (my studio, including a pihole server, a NAS and a network-attached printer) and 192.178.50.0/24 (dedicated to IoT appliances, smart TV and so on, and including a Wi-Fi mesh).
I set up the pihole address as the primary DNS server in the IP section and it looks like everything is working fine so far.
However, I'd like to isolate the two subnets so that Wi-Fi connected devices on subnet 192.178.50.0 can't access the studio subnet. I can do that pretty easily via the firewall, but then... devices on 192.178.50.0 can't reach the pihole server on 192.178.10.0. I added an exception for the pihole server (192.178.10.94) but it's not working. Maybe it is in the wrong place?
Here is the set of forward rules:
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward disabled=yes dst-address=!192.178.10.89 \
    src-address=192.178.50.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
Secondly, the printer is also no longer accessible from the IoT LAN. I can live with that, but I'd like to add an exception so that the mobile phones can access the printer.
Finally, I've tried to set destination NAT rules to force every device to use the pihole (so that, hopefully, the YouTube app on mobile phones or the smart TV doesn't display advertising), but this causes everything to stop working on subnet 192.178.50.0/24. I used the rules following this short tutorial: https://www.youtube.com/watch?v=EdzDCkFaskc.

I'm now studying the documentation and some network management, but any help and hints would be very much appreciated.
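As an added illustration (not the poster's configuration and not from this thread), here is one way to lay out the forward chain and the DNS redirect so the three goals above fit together. It assumes private addressing: studio LAN 192.168.10.0/24 with the Pi-hole at 192.168.10.94 and the printer at 192.168.10.60, IoT LAN 192.168.50.0/24, and an address list "phones" holding the phones' addresses; all of these are assumptions. Rule order is what matters: the established/related accept must come before any isolation drop (otherwise replies to connections the studio opens into the IoT LAN are dropped), the per-host exceptions must sit above the drop, and the drop should target the studio subnet only, not everything except the Pi-hole, or Internet access from the IoT LAN goes with it.

```routeros
# Added example, not the original poster's config. Assumed addresses:
#   studio LAN  192.168.10.0/24, Pi-hole 192.168.10.94, printer 192.168.10.60
#   IoT LAN     192.168.50.0/24, phones listed in address-list "phones"
/ip firewall address-list
add list=phones address=192.168.50.21 comment="example phone (assumed address)"
add list=phones address=192.168.50.22 comment="example phone (assumed address)"

/ip firewall filter
# Stateful rules first: replies to connections the studio opens into the IoT LAN
# must be accepted before any isolation drop sees them.
add chain=forward action=fasttrack-connection connection-state=established,related \
    hw-offload=yes comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# Exceptions for new connections from IoT into the studio LAN go above the drop.
add chain=forward action=accept src-address=192.168.50.0/24 dst-address=192.168.10.94 \
    protocol=udp dst-port=53 comment="IoT -> Pi-hole DNS (UDP)"
add chain=forward action=accept src-address=192.168.50.0/24 dst-address=192.168.10.94 \
    protocol=tcp dst-port=53 comment="IoT -> Pi-hole DNS (TCP)"
add chain=forward action=accept src-address-list=phones dst-address=192.168.10.60 \
    protocol=tcp dst-port=631,9100 comment="phones -> printer (IPP, raw)"
# Block DNS-over-TLS so IoT devices cannot bypass the Pi-hole on 853/tcp.
add chain=forward action=drop src-address=192.168.50.0/24 protocol=tcp dst-port=853 \
    comment="IoT: no DoT bypass"
# Isolation: only new connections aimed at the studio subnet are dropped;
# Internet-bound traffic from the IoT LAN still passes.
add chain=forward action=drop src-address=192.168.50.0/24 dst-address=192.168.10.0/24 \
    connection-state=new comment="isolate IoT from studio"
add chain=forward action=drop connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

/ip firewall nat
# Redirect plain DNS from the IoT LAN to the Pi-hole, except queries already aimed at it.
# The rewritten packet then traverses the forward chain with dst 192.168.10.94:53,
# so it is matched by the "IoT -> Pi-hole DNS" accept rules above.
add chain=dstnat action=dst-nat src-address=192.168.50.0/24 dst-address=!192.168.10.94 \
    protocol=udp dst-port=53 to-addresses=192.168.10.94 to-ports=53 \
    comment="force IoT DNS to Pi-hole (UDP)"
add chain=dstnat action=dst-nat src-address=192.168.50.0/24 dst-address=!192.168.10.94 \
    protocol=tcp dst-port=53 to-addresses=192.168.10.94 to-ports=53 \
    comment="force IoT DNS to Pi-hole (TCP)"
```

Two caveats a practitioner would check: the redirect only catches plain DNS on port 53, so apps that speak DNS-over-HTTPS on 443 are not forced through the Pi-hole; and printer discovery (mDNS/AirPrint) does not cross the subnet boundary, so phones need the printer's address configured or an mDNS reflector, even though the unicast IPP/raw ports above are open to them.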
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Pihole and printer NAT and firewall problems

Sat Apr 22, 2023 9:57 pm

Full config
/export file=anynameyouwish ( minus router serial number and any public WANIP info )
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Pihole and printer NAT and firewall problems

Sat Apr 22, 2023 10:58 pm

First of all, why are you using 192.178.x.y addresses for your local LAN? That is not private IP space - and in fact I was just able to ping something on the public address that is your PiHole.

And then, as anav asked, please post your complete config.
To export and paste your configuration (and I'm assuming you are using WebFig or WinBox), open a terminal window and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the Files section, right-click on the filename you created and select Download to download the file to your computer. It will be a text file with whatever name you saved it under, with an extension of .rsc. Open that file in your favorite text editor and redact any sensitive information if desired or needed. Then, in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
 
Bolo
just joined
Topic Author
Posts: 8
Joined: Tue Jan 17, 2023 10:31 pm

Re: Pihole and printer NAT and firewall problems

Sun Apr 23, 2023 1:17 am

First of all, why are you using 192.178.x.y addresses for your local LAN? That is not private IP space - and in fact I was just able to ping something on the public address that is your PiHole.
Fair enough... My mistake. Changed to private IP space.
 
Bolo
just joined
Topic Author
Posts: 8
Joined: Tue Jan 17, 2023 10:31 pm

Re: Pihole and printer NAT and firewall problems

Sun Apr 23, 2023 1:17 am

Tomorrow I'll export the config after a few tries! Thanks
