DSprecic
just joined
Topic Author
Posts: 20
Joined: Tue Jan 10, 2023 10:37 pm

DNS Server on multiple VLANs

Mon May 15, 2023 9:06 pm

Hi everyone,

so it's time to plan on replacing what MikroTik DNS does with AdGuard Home as the DNS server. I was considering creating a new VLAN (let's say VLAN 220), having the AdGuard Home container sit there, and either:
- add a trunk interface and use IPs .2 and .3 on each subnet for the AdGuard DNS server, or
- redirect all DNS queries, ideally from .2 and .3 in each VLAN, to the VLAN 220 .2 and .3 AdGuard servers.

Which concept is considered the better approach?

How would I go about it with either approach? Here's my config:
/interface bridge
add frame-types=admit-only-vlan-tagged name=BR1 vlan-filtering=yes
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge secondary-frequency=auto ssid=MikroTik-4B246C \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-B39B25 wireless-protocol=802.11
/interface vlan
add interface=BR1 name=Arlo_VLAN vlan-id=30
add interface=BR1 name=BASE_VLAN vlan-id=188
add interface=BR1 name=Alexa_VLAN vlan-id=20
add interface=BR1 name=Sehr_VLAN vlan-id=60
add interface=BR1 name=Gscht_VLAN vlan-id=120
add interface=BR1 name=Hue_VLAN vlan-id=40
add interface=BR1 name=IoTRest_VLAN vlan-id=50
add interface=BR1 name=Homie_VLAN vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
add name=HASS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Alexa_POOL ranges=192.168.20.10-192.168.20.250
add name=Arlo_POOL ranges=192.168.30.10-192.168.30.250
add name=Hue_POOL ranges=192.168.40.10-192.168.40.250
add name=IoTRest_POOL ranges=192.168.50.10-192.168.50.250
add name=Sehr_POOL ranges=192.168.60.10-192.168.60.250
add name=Gscht_POOL ranges=192.168.120.10-192.168.120.250
add name=BASE_POOL ranges=192.168.188.10-192.168.188.250
# The export had ranges=192.168.200.10-192.168.188.200 here; the end address is outside 192.168.200.0/24 and below the start, so the pool is corrected to match the other pools
add name=Homie_POOL ranges=192.168.200.10-192.168.200.250
/ip dhcp-server
add add-arp=yes address-pool=Alexa_POOL interface=Alexa_VLAN name=\
    Alexa_DHCP
add add-arp=yes address-pool=Arlo_POOL interface=Arlo_VLAN name=Arlo_DHCP
add add-arp=yes address-pool=Hue_POOL interface=Hue_VLAN name=Hue_DHCP
add add-arp=yes address-pool=IoTRest_POOL interface=IoTRest_VLAN name=\
    IoTRest_DHCP
add add-arp=yes address-pool=Sehr_POOL interface=Sehr_VLAN name=\
    Sehr_DHCP
add add-arp=yes address-pool=Gscht_POOL interface=Gscht_VLAN name=Gscht_DHCP
add add-arp=yes address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
add add-arp=yes address-pool=Homie_POOL interface=Homie_VLAN name=Homie_DHCP
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=188
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether6 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether7 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether8 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether9 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether10 pvid=60
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1 \
    pvid=188
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=20
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=30
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=40
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=50
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=60
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=120
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=188
add bridge=BR1 tagged=BR1,sfp-sfpplus1 vlan-ids=200
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=Alexa_VLAN list=VLAN
add interface=Arlo_VLAN list=VLAN
add interface=Hue_VLAN list=VLAN
add interface=IoTRest_VLAN list=VLAN
add interface=Sehr_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=Homie_VLAN list=HASS
/ip address
add address=192.168.20.1/24 interface=Alexa_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=Arlo_VLAN network=192.168.30.0
add address=192.168.40.1/24 interface=Hue_VLAN network=192.168.40.0
add address=192.168.50.1/24 interface=IoTRest_VLAN network=192.168.50.0
add address=192.168.60.1/24 interface=Sehr_VLAN network=192.168.60.0
add address=192.168.120.1/24 interface=Gscht_VLAN network=192.168.120.0
add address=192.168.188.1/24 interface=BASE_VLAN network=192.168.188.0
add address=192.168.200.1/24 interface=Homie_VLAN network=192.168.200.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.50.1
add address=192.168.60.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.60.1
add address=192.168.120.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.120.1
add address=192.168.188.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.188.1
add address=192.168.200.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=accept chain=input in-interface=bridge
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-state=new in-interface-list=BASE \
    out-interface-list=VLAN
add action=accept chain=forward connection-state=new in-interface=\
    Alexa_VLAN out-interface=Arlo_VLAN
add action=accept chain=forward in-interface=BASE_VLAN out-interface-list=WAN
add action=accept chain=forward in-interface=Alexa_VLAN out-interface=\
    Hue_VLAN
add action=accept chain=forward in-interface=IoTRest_VLAN out-interface=\
    Hue_VLAN
add action=accept chain=forward in-interface=IoTRest_VLAN out-interface=\
    Sehr_VLAN
add action=accept chain=forward in-interface=Hue_VLAN out-interface=BASE_VLAN
add action=accept chain=forward in-interface=BASE_VLAN out-interface=Hue_VLAN
add action=accept chain=forward in-interface=BASE_VLAN out-interface=\
    Sehr_VLAN
add action=accept chain=forward in-interface=BASE_VLAN out-interface=\
    IoTRest_VLAN
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip firewall service-port
set rtsp disabled=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=r00ter
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS Server on multiple VLANs

Mon May 15, 2023 10:30 pm

para 8 applies. ---> viewtopic.php?t=179343
 
DSprecic
just joined
Topic Author
Posts: 20
Joined: Tue Jan 10, 2023 10:37 pm

Re: DNS Server on multiple VLANs

Mon May 15, 2023 10:58 pm

Okay, I will look into this. Thanks!

Having had a quick scroll through it, I have a question regarding that already:

Let's say I have the above given subnets and VLANs.

I would have this:

/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.50.2,192.168.50.3

If I understand all of this correctly, I would need to change this part

add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp

to something either based on my in-interface-list=VLAN or based on each VLAN, right?

like
add chain=input action=accept in-interface=IoTRest_VLAN dst-port=53 protocol=tcp dst-address=192.168.50.2,192.168.50.3

As far as that part goes, I still understand things (I think).

Do I need to do anything else to limit DNS requests to the above dst-address? I want to avoid, on most subnets, that manually set DNS servers would actually work without being redirected through AdGuard.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS Server on multiple VLANs

Tue May 16, 2023 5:25 pm

First snippet: the DNS server should only be the AdGuard IP address, yes (ONE IP ADDRESS, not two).

Second snippet:

a. wrong, missing the destination address of the AdGuard
b. need two rules, UDP and TCP,
c. in-interface-list=whatever fits your setup (yes, identify all the VLANs that need access to AdGuard).

Note: for (c), don't sweat it if your LAN list includes some VLANs that you don't want going there; this just gives permission, it doesn't route users there. We do that elsewhere.

Third snippet:
Why do you keep insisting on adding two IP addresses?
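Worked configuration for the redirect approach the thread is converging on: the OP's second option (force every VLAN's DNS to AdGuard) together with the points a-c in the reply above (AdGuard's address as destination, one UDP and one TCP rule, an interface list for the client VLANs). This is an added example, not anav's rules and not the rules from the linked thread. It assumes the AdGuard Home container is reachable at 192.168.220.2 through a veth named veth1, placed in a new VLAN 220 (192.168.220.0/24), and that the existing interface list VLAN holds the client VLANs but not the AdGuard VLAN. The names ADGUARD_VLAN, ADGUARD and veth1, the address 192.168.220.2 and the web UI port 3000 are assumptions for the example; container creation itself is not shown.

```routeros
# Added example, not from the original post or the linked thread.
# Assumptions: AdGuard Home runs as a RouterOS container on veth1 at
# 192.168.220.2 in a new VLAN 220 (192.168.220.0/24). The existing
# interface list "VLAN" holds the client VLANs and must NOT include
# ADGUARD_VLAN, otherwise AdGuard's own upstream queries would be
# redirected back to itself. ADGUARD_VLAN, ADGUARD, veth1 and the
# UI port 3000 are example values.

# --- L2/L3 plumbing for the AdGuard VLAN --------------------------------
/interface vlan
add interface=BR1 name=ADGUARD_VLAN vlan-id=220
/interface veth
add name=veth1 address=192.168.220.2/24 gateway=192.168.220.1
/interface bridge port
add bridge=BR1 interface=veth1 pvid=220 \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=veth1 vlan-ids=220
/ip address
add address=192.168.220.1/24 interface=ADGUARD_VLAN network=192.168.220.0
/interface list
add name=ADGUARD
/interface list member
add interface=ADGUARD_VLAN list=ADGUARD

# --- Hand out ONE resolver, AdGuard, instead of 1.1.1.1/1.0.0.1.
#     Shown for one VLAN; repeat for each /ip dhcp-server network entry.
/ip dhcp-server network
set [ find address=192.168.50.0/24 ] dns-server=192.168.220.2

# --- Filter. AdGuard sits behind veth1, so client -> AdGuard traffic is
#     FORWARD, not INPUT. One rule each for UDP and TCP, with the AdGuard
#     address as destination, and the client VLANs via the interface list.
/ip firewall filter
add chain=forward action=accept comment="VLAN -> AdGuard DNS (udp)" \
    connection-state=new in-interface-list=VLAN out-interface-list=ADGUARD \
    dst-address=192.168.220.2 protocol=udp dst-port=53
add chain=forward action=accept comment="VLAN -> AdGuard DNS (tcp)" \
    connection-state=new in-interface-list=VLAN out-interface-list=ADGUARD \
    dst-address=192.168.220.2 protocol=tcp dst-port=53
add chain=forward action=accept comment="AdGuard -> upstream resolvers" \
    connection-state=new in-interface-list=ADGUARD out-interface-list=WAN
add chain=forward action=accept comment="AdGuard web UI from BASE only" \
    connection-state=new in-interface-list=BASE out-interface-list=ADGUARD \
    dst-address=192.168.220.2 protocol=tcp dst-port=3000
# DNS-over-TLS cannot be redirected, only blocked. This must sit BEFORE the
# existing "VLAN Internet Access only" accept rule or it never matches.
add chain=forward action=drop comment="no DNS-over-TLS bypass from VLANs" \
    in-interface-list=VLAN protocol=tcp dst-port=853 \
    place-before=[ find comment="VLAN Internet Access only" ]
# The posted export has no final drop in the forward chain, so the accept
# rules above restrict nothing until this exists as the LAST forward rule:
add chain=forward action=drop comment="drop everything else"

# --- NAT: hijack plain DNS that is NOT already aimed at AdGuard.
#     Only bypass attempts match these rules, so logging them is a free
#     detector for clients with hard-coded resolvers.
/ip firewall nat
add chain=dstnat action=dst-nat comment="force DNS to AdGuard (udp)" \
    in-interface-list=VLAN protocol=udp dst-port=53 \
    dst-address=!192.168.220.2 to-addresses=192.168.220.2 to-ports=53 \
    log=yes log-prefix=dns-bypass
add chain=dstnat action=dst-nat comment="force DNS to AdGuard (tcp)" \
    in-interface-list=VLAN protocol=tcp dst-port=53 \
    dst-address=!192.168.220.2 to-addresses=192.168.220.2 to-ports=53 \
    log=yes log-prefix=dns-bypass
```

To check it, run `nslookup example.com 8.8.8.8` from a client in one of the VLANs: the answer should still arrive, the query should show up in AdGuard's query log under the client's own address (dst-nat leaves the source untouched, so per-client logging keeps working), and on the router `/ip firewall nat print stats` should show the bypass rule's counter moving while `/log print where message~"dns-bypass"` lists the offending client. Three caveats follow from the posted export: `in-interface-list=VLAN` only covers the VLANs actually in that list (Gscht_VLAN is in no list, BASE_VLAN and Homie_VLAN are in their own), so add members or build a dedicated list for the VLANs whose DNS should be forced; the router's own resolver still answers on every VLAN gateway while `/ip dns set allow-remote-requests=yes`, but the dstnat chain runs before the routing decision, so those queries are redirected as well (or set it to `no`); and DNS-over-HTTPS rides on TCP 443 and cannot be told apart by port, so it has to be handled in AdGuard itself or on the clients rather than with these rules.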
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS Server on multiple VLANs

Tue May 16, 2023 5:27 pm

Draw a network diagram, as it seems a bit confused at the moment.
You don't need to put the AdGuard on another VLAN if you don't want to; personal choice.
Personally, I think it's not a bad idea.
