How to forward your LAN to PiHole

  • Published on 23 Oct 2024

Comments • 96

  • @JemiToShumafuk 1 year ago +21

    1:48 - "This is not the DNS you are looking for." Nice one=D

  • @Killgrind 9 months ago

    I'm super grateful for this, nat rules are intimidating

  • @FinlayDaG33k 1 year ago

    I've used a similar rule a few weeks ago when I installed AdGuard here and had to transition from using the router as the local DNS server to said AdGuard server.
    Works like a charm.

  • @valentinegraev9350 1 year ago +1

    Thanks for the video. Please tell me, do you have a plan B? For example, if pihole is down, hosts can't resolve. How can I do fault tolerance? Maybe netwatch or some script? How can I do it correctly?

  • @pasvar 1 year ago

    Nice! I enjoy learning more about networking and Mikrotik with these short videos.

  • @ltpinecone 3 months ago

    You guys are legends for making this video.

    • @mikrotik 3 months ago

      You are a legend for watching it! :)

  • @Anavllama 1 year ago +3

    You are missing one component to ensure success. Clue........ the server and users are on the same subnet.................... hairpin!
    Require a source nat rule, add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.0/24.
    Further, in dhcp-server network I would not change the dns server to the pihole (for the server subnet), as that is also sending requests to oneself, but a good plan for all other subnets if any. Your destination nat rules will ensure users' requests go to PiHOLE and the exception used prevents pihole from tripping over itself again.

  • @TechdoLiberal 1 year ago +2

    "This is not the DNS you are looking for"....
    hahaha... Nice!

  • @mjsun42 1 year ago +1

    In the first method, what if I give 2 DNS server addresses, say, 192.168.88.3, 192.168.88.1, will the LAN device (dhcp client) use both randomly, or always use the 88.3 first and, if it fails, fall back to 88.1?

    • @WrakoLife 1 year ago

      No, it's random as far as I know.

    • @Perokoulos 1 year ago

      I've done that. I'm running pihole in a container in the router itself. As far as I can see the clients use the 192.168.88.3 as default and the 192.168.88.1 only if pihole is down. The problem is that when pihole comes online the clients continue to use 192.168.88.1, I'll figure how to fix this one day... 😂

  • @Nitrag0191 1 year ago

    Wait, why not IP>DNS then set PiHole IP to server list. Add Netwatch rule to change to 1.1.1.1 if PiHole is unreachable?

  • @MustaMT 1 year ago

    Any plans for multi-gig poe switches now that some access points have 2.5G uplinks? :')

  • @vdias1569 1 year ago

    Good idea, but missing two really important details...
    1) What happens if the devices have hardcoded DoT or DoH DNS settings... how do you control this?
    2) What happens when your "pi-hole" dns is down for maintenance or failure?

    • @mikrotik 1 year ago +1

      1) You can't control that, except block known DoH servers by IP.
      2) Since your router controls which DNS server your LAN is using, you can make a failover setup. If pihole is down, use router as DNS server.

    • @4L3xN3t 1 year ago

      @mikrotik could you please help somehow configuring the failover setup in case pihole is down?

  • @NoName-z5k8h 1 year ago +3

    Without setting up the masquerade, the method via nat does not work. It does not return the dns server request to the client

    • @mikrotik 1 year ago

      The video assumes your network is already configured correctly

    • @Problembaer4 1 year ago

      That's true, if the client and the pihole are in the same LAN segment, the pihole will send the answer directly to the client (without going via the router). In that case it won't work. Example: client will connect to 8.8.8.8, the router DNATs to the pihole. The answer is from 192.168.88.3, not from 8.8.8.8, which makes the answer invalid for the client. You need(!!) a SNAT rule (assuming the client and the pi are in the same L2 segment).

    • @NoName-z5k8h 1 year ago

      @mikrotik is there any article showing step by step how to configure the option to intercept dns requests through nat?

    • @mikrotik 1 year ago

      I don't understand your question. This video is what you are asking.

    • @NoName-z5k8h 1 year ago

      @mikrotik Thanks in advance for your reply

  • @willyelvis9369 1 year ago +2

    Easy, thx for sharing ❤

  • @josecalzadilla1146 1 year ago

    Greetings. I have a system working under PPPoE and not DHCP. How could I configure it in this case? Thank you!

    • @mikrotik 1 year ago +1

      Even PPPoE clients get their IP address from DHCP server. The settings are the same. Check which DHCP pool is specified in your PPPoE access concentrator settings, and set the appropriate DHCP network DNS setting to the PiHole IP address.

    • @josecalzadilla1146 1 year ago

      @mikrotik Grateful for the information. Keeping in line with the idea that I want to capture, the IP addresses of the users are supplied by the PPPoE server and through their username and password, they take the pre-established (Static) IP address. I do not know if you understand me.

  • @ukhaizid4480 1 year ago

    what if I use this method, but the hotspot user cannot display the login page?

  • @sohaiblodhi 1 year ago

    How to integrate mikrotik with Active directory? Is there any docker container for that or else

    • @mikrotik 1 year ago

      What would you like to integrate? RouterOS users?

    • @sohaiblodhi 1 year ago

      @mikrotik active directory users with RouterOS

    • @mikrotik 1 year ago

      RouterOS supports user authentication against RADIUS. If you provide "domain" option in the menu "/radius client", Active Directory could also work. You can also ask this question in our forum, maybe somebody has a more complete setup forum.mikrotik.com

  • @JemiToShumafuk 1 year ago

    What is the difference between your suggested settings (IP / DHCP Server / Networks / DNS server) and IP / DNS Settings / Servers? Or even DNS static? There are too many options!

    • @mikrotik 1 year ago +1

      Like described in the video, first method works if all devices use dhcp. Second method needed if your lan users are not under your control and use their own dns settings, but you want to force them

    • @NoName-z5k8h 1 year ago

      @mikrotik Without setting up the masquerade, the method via nat does not work. It does not return the dns server request to the client

    • @mikrotik 1 year ago

      It works fine. Most likely you have other things in your setup that must be configured first

  • @Michael-Sasser 1 year ago

    Is there any ETA on RouterOS 7.x LTS?

  • @erfangholizadeh 1 year ago +3

    did anyone catch the glitch at 1:48 ? may the force be with you mikrotik

  • @Oberst3001 14 days ago

    I'm interested in your plex configuration ) 1:56

  • @sagetechnology4913 1 year ago

    Can I use it to redirect every DNS request on my company's network to adult websites? (especially the company intranet sites).

    • @RB01-lite 1 year ago

      I tried with static DNS to regex match all hostnames to the wrong IP, but the browser prevents opening the wrong site due to hostname mismatch with the TLS certificate. Perhaps Burp suite can do it.

    • @sagetechnology4913 1 year ago +2

      @RB01-lite thx will direct all company traffic to the gay side of the hub.

  • @salembaabbad8783 1 year ago

    I had configured a pihole container in v7.5, it worked well, but I couldn't configure a load balance probably in the same rb

  • @luiso.rivera2100 1 year ago

    What if I use a specific dns server like opendns for my lan clients and want to keep them and just use pi hole for ad removal?

    • @mikrotik 1 year ago

      Use the instructions in this video, and then in your PiHole set to use opendns

  • @gegeqingqing 1 year ago +1

    All IPs in pi-hole are the RouterOS IP, how to show the real IP in pi-hole with dns dst-nat?

  • @dumanovschimariandimitrie7381 1 year ago +2

    It's working fine, but the problem is that I can see only 1 client in the top client list, that is the pihole's docker internal ip itself (172.x.x.x range). The pi hole in itself is functioning correctly, tested with 2 different hosts, by manually adding Windows 10 host IP, as DNS server, DNS queries are getting resolved, ads are getting blocked but, there's only 1 IP showing no matter how many hosts are there. I want to have the segregation on a per-host basis.

    • @jbrewerii 1 year ago +1

      Change the pi-hole to an IP Address outside the range of your network and setup a route for the pi-hole. You can then omit the NAT and the pi-hole will see individual devices.

    • @dumanovschimariandimitrie7381 1 year ago

      @jbrewerii PiHole IP (10.0.1.2) is outside of my network range (192.168.1.0/24). What NAT rules do I need to see all client IPs?

    • @gennsk 1 year ago

      this happens when all the dns requests are being forwarded to pihole, so pi hole sees all dns requests from the router. what i did was add the pi hole to dhcp server, and a dst-nat rule to forward traffic not already going to the pi hole. in other words, forward dns that came from a rogue client that does not want to use the pihole. in this scenario only those clients will be marked from the router

    • @RobertoGaxiola 1 year ago

      I use these rules to catch the real IP address from all my devices, well it's not the "real IP" because it changes the 1st octet (192 to 10), this works also for my hairpin nat
      /ip firewall mangle
      add action=accept chain=prerouting comment=HairPin dst-address=10.168.0.0/24
      /ip firewall nat
      add action=netmap chain=srcnat comment="Hairpin NAT masquerade" \
          to-addresses=10.168.0.0/24
      add action=dst-nat chain=dstnat comment="Pi-Hole rule 1" dst-address=!192.168.0.8 \
          dst-port=53 in-interface=bridge protocol=udp src-address=!192.168.0.8 \
          to-addresses=192.168.0.8
      add action=dst-nat chain=dstnat comment="Pi-Hole rule 2" dst-address=!192.168.0.8 \
          dst-port=53 in-interface=bridge protocol=tcp src-address=!192.168.0.8 \
          to-addresses=192.168.0.8
      add action=masquerade chain=srcnat comment="Pi-Hole rule 3" dst-address=\
          192.168.0.8 dst-port=53 protocol=udp
      add action=masquerade chain=srcnat comment="Pi-Hole rule 4" dst-address=\
          192.168.0.8 dst-port=53 protocol=tcp
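
The packet flow argued over in the two threads above (the missing masquerade rule, and Pi-hole logging only one client), as an added example that is not from the video or from any commenter: a small Python model of the dst-nat redirect that shows when the client accepts the reply and which source address Pi-hole logs. The client address 192.168.88.50 and the function name are assumptions; the model covers a single LAN subnet and a resolver that only accepts an answer from the address it queried.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.88.0/24")  # LAN subnet quoted in the comments
ROUTER = "192.168.88.1"                        # router's LAN address

def dns_round_trip(client, queried, pihole, hairpin_snat):
    """Follow one DNS query through the router's dst-nat rule and back.

    Returns (client_accepts_reply, source_pihole_logs, reply_source_at_client).
    """
    # dstnat: destination rewritten from `queried` to the Pi-hole (tracked in conntrack).
    src = client
    # Optional srcnat/masquerade: source rewritten to the router's own address.
    if hairpin_snat:
        src = ROUTER
    logged_by_pihole = src

    # Pi-hole answers whatever source address it saw.
    reply_src, reply_dst = pihole, src
    on_link = (ipaddress.ip_address(pihole) in LAN
               and ipaddress.ip_address(reply_dst) in LAN
               and reply_dst != ROUTER)
    if not on_link:
        # Reply crosses the router, so conntrack restores the original addresses.
        reply_src, reply_dst = queried, client
    # Otherwise it is switched straight to the client and still carries the
    # Pi-hole's address, which is not the server the client asked.
    return reply_src == queried, logged_by_pihole, reply_src

if __name__ == "__main__":
    client = "192.168.88.50"  # constructed sample client
    cases = {
        "same subnet, dst-nat only": ("192.168.88.3", False),
        "same subnet, dst-nat + masquerade": ("192.168.88.3", True),
        "Pi-hole on routed subnet, dst-nat only": ("10.0.1.2", False),
    }
    for name, (pihole, snat) in cases.items():
        ok, logged, seen = dns_round_trip(client, "8.8.8.8", pihole, snat)
        print(f"{name}: accepted={ok} pihole_logs={logged} reply_from={seen}")
```

The second case is the trade-off both threads run into: masquerade makes the redirect work on a shared subnet, but Pi-hole then attributes every redirected query to the router.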

  • @JemiToShumafuk 1 year ago

    Is it possible to use these settings if using pihole with unbound?

    • @RockFordCademce 1 year ago

      no difference if you are running unbound on same host as pihole

  • @iRonMan-s7c 1 year ago

    How can I enter the LAN from WAN?

  • @Ekz0rcyst 1 year ago

    Thanks for the video again! How about settings in "IP-DNS-Servers:" if using these methods?
    Before watching this video I was using the IP of my Pi-hole in "IP-DNS-Servers:" and it works well.

    • @Ekz0rcyst 1 year ago

      Update. I answer my own question - I used the DHCP method - works great! Thanks! Again.

    • @valentinegraev9350 1 year ago

      @Ekz0rcyst please tell me, did you set up fault tolerance in some way? I have AdGuard running in Docker on one of my VMs; if Docker goes down, the hosts have no resolution

    • @Ekz0rcyst 1 year ago

      @valentinegraev9350 I haven't dealt with fault tolerance. There is no need.

  • @josecalzadilla1146 1 year ago

    Greetings. Is a Raspberry Pi necessary for this?

    • @mikrotik 1 year ago

      This is a MikroTik channel, we do not have instructions to use Raspberry Pi. This only teaches you the MikroTik part.

    • @josecalzadilla1146 1 year ago

      I get it. But my question is about if I should have a Raspberry Pi hardware to do this. Thanks!

    • @mikrotik 1 year ago +1

      It is up to you, where you will install PiHole. It is your choice. docs.pi-hole.net/main/basic-install/

    • @josecalzadilla1146 1 year ago

      @mikrotik Thanks for all!

  • @tonymolina885 9 months ago

    Niiiiice!

  • @dynabook303 1 year ago +1

    Can't work client those using 8.8.8.8 or other public dns to force use pi hole.

  • @jabeztechs 1 year ago

    Need help with my MikroTik Chateau LTE port going off and will not come back on even with reboot, still same, did log for it to see the error

    • @jabeztechs 1 year ago

      LTE 1 no response for At E0 V1

    • @jabeztechs 1 year ago

      No signal, was working b4 but stop, and use different sim will work for sometime and vanish

    • @mikrotik 1 year ago +1

      make a post in forum.mikrotik.com to get some help

    • @jabeztechs 1 year ago

      It will not allow me on the page

  • @piotrsulima8696 1 year ago

    @MikroTik thanks 👍

  • @robinsoori1783 1 year ago

    then in ip dns, it need real dns server or not ?

    • @mikrotik 1 year ago +1

      that menu is only for router itself. it does not matter what you have in "IP DNS" if you use the steps in this video

    • @robinsoori1783 1 year ago

      @mikrotik then what is the purpose of this step?

  • @wreckedzilla 1 year ago +1

    your?

  • @jurajvantuch9636 1 year ago

    Please, new video about new series of reliable business switches(24,48)...present for christmas :) :)

  • @AntonioPena1 1 year ago

    You only need UDP, as queries only use UDP.

    • @francocastilloAR 1 year ago +1

      I understand that DNS uses TCP and UDP.

  • @ChrisNicholson 1 year ago +1

    Give me speedify in a container.

  • @wreckedzilla 1 year ago

    starwars, starwars, seagulls

  • @rikkardo91 1 year ago +2

    1:48 🤣

    • @stevenm45 1 year ago

      It was subliminal messaging or advertising in that frame ;)

  • @alfinaaa 1 year ago +5

    Lmao, just for 1frame to star wars. 🤣🤣🤣🤣🤣🤣🤣

  • @Michael-bt7bq 1 year ago

    Can you send me your sweater if you ever get rid of it. I'll pay for shipping.

  • @DaryllSwer 1 year ago

    Cover IPv6 as well when you do these videos.

  • @DeviloftheHelll 1 year ago

    now combine it in a tutorial, setting it up, redirecting and using its own recursive server with encrypted data transfer

    • @mikrotik 1 year ago

      This is still a MikroTik channel though

    • @DeviloftheHelll 1 year ago +1

      @mikrotik yes, i know. configured in router os

    • @mikrotik 1 year ago

      PiHole is on a separate device.

    • @JemiToShumafuk 1 year ago

      I'm also struggling with that. I just cannot set up pihole with custom upstream via unbound or stubby. DoH is working only if directly set up in the router (one of the previous videos from MikroTik shows how to do it), but then pihole is not solving and filtering requests obviously.

    • @DeviloftheHelll 1 year ago

      @mikrotik in this presentation. but since router os can run the pihole or other containers, do a tutorial please, with all the rules catches etc
      all of these contained within router os