I have a Pi-hole docker container on a MikroTik router.
Pihole works.
If I turn off the Pi-hole docker, Google Chrome gives me this error:
DNS_PROBE_STARTED
If I set the DHCP server's DNS option to point at the Pi-hole, everything is filtered.
If a client sets a static DNS server (for example 8.8.8.8), it bypasses the Pi-hole.
If I turn off the Pi-hole docker, the client with the static DNS (for example 8.8.8.8) gives this error:
DNS_PROBE_STARTED
So do the rules work?
I don't understand where I'm going wrong... I also asked for help on the Pi-hole forum, but they say it's a router problem... can someone help me, please?
The best I got is:
With the Pi-hole docker running:
dig google.com @8.8.8.8 +short
xxx.xxx.xxx.xxx
dig google.com @8.8.8.8 +short
; <<>> DiG 9.16.45 <<>> google.com @8.8.8.8 +short
;; global options: +cmd
;; connection timed out; no servers could be reached
My Config:
/container mounts
# Bind mounts for the Pi-hole container. Everything it treats as its own
# configuration (/etc/pihole, /etc/dnsmasq.d) and its scheduled jobs
# (/etc/cron.d) is read from the USB partition, so write access to that
# partition is write access to the resolver's config and cron jobs.
add dst=/opt/list name=list_pihole src=/usb1-part1/container_pihole/list
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/container_pihole/etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
/usb1-part1/container_pihole/dnsmasq
add dst=/etc/cron.d name=crono_pihole src=/usb1-part1/container_pihole/crono
/disk
# USB disk and its single partition; the container root-dir and the image
# pull tmpdir (see /container config) live on it as well.
set usb1 type=hardware
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
"500 107 861 504" type=partition
/interface bridge
# BR-Capsman carries all tagged client VLANs (vlan-filtering=yes). BR-PiHole is
# a separate bridge whose only port is the container's veth, so the Pi-hole is
# on its own L2 segment and not on any client VLAN.
add comment=Capsman name=BR-Capsman port-cost-mode=short priority=0x6000 \
vlan-filtering=yes
add comment=PiHole name=BR-PiHole port-cost-mode=short
/interface veth
# Container network leg: 192.168.55.55 with the router (192.168.55.1) as
# gateway; FTLCONF_LOCAL_IPV4 under /container envs must match this address.
add address=192.168.55.55/24 gateway=192.168.55.1 gateway6="" name=veth1
/interface vlan
# 400-Domus is defined and tagged on the bridge, but in this export it carries
# no IP address and no DHCP server: Domus addressing (192.168.240.0/24) sits on
# the untagged BR-Capsman itself (see /ip address and the Domus_dhcp server).
add comment=Casa interface=BR-Capsman mtu=1480 name=100-Casa vlan-id=100
add comment=Mamma interface=BR-Capsman mtu=1480 name=200-Mamma vlan-id=200
add comment=Guests interface=BR-Capsman mtu=1480 name=300-Guest vlan-id=300
add comment=Domus interface=BR-Capsman mtu=1480 name=400-Domus vlan-id=400
add comment=Control disabled=yes interface=BR-Capsman mtu=1480 name=\
900-Control vlan-id=900
add comment=WAN interface=ether1 mtu=1480 name=provider-vlan vlan-id=999
/interface pppoe-client
# use-peer-dns=yes adds the ISP resolvers as dynamic upstreams next to the
# static 1.1.1.1/1.0.0.1 set under /ip dns.
add add-default-route=yes disabled=no interface=provider-vlan name=\
provider-pppoe use-peer-dns=yes
/interface list
# Membership is assigned under /interface list member. In this export TRUSTED
# is only used to scope neighbor discovery.
add name=WAN
add name=LAN
add name=TRUSTED
/interface wifi channel
add band=2ghz-g disabled=no frequency=2437 name=silent width=20/40mhz-Ce
add band=2ghz-g disabled=no name=guest
add band=5ghz-ax disabled=no frequency=5200 name=wlan5_ghz skip-dfs-channels=\
all width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2437 name=wlan2_channel6_main width=\
20/40mhz
add band=2ghz-ax disabled=no frequency=2412 name=wlan2_channel1
add band=2ghz-ax disabled=no frequency=2462 name=wlan2_channel11
add band=2ghz-ax disabled=yes frequency=2422 name=mcz width=20/40mhz-Ce
/interface wifi datapath
# Each datapath drops its clients onto BR-Capsman with the given VLAN tag.
# Wifi_Domus has no vlan-id, so Domus wifi clients land untagged on the bridge.
add bridge=BR-Capsman disabled=no name=Wifi_Mamma vlan-id=200
add bridge=BR-Capsman disabled=no name=Wifi_Guest vlan-id=300
add bridge=BR-Capsman disabled=no name=Wifi_Casa vlan-id=100
add bridge=BR-Capsman disabled=no name=Wifi_Domus
add bridge=BR-Capsman disabled=yes name=capmandp vlan-id=900
/interface wifi security
# All client-facing profiles are WPA2-PSK; home and guest pin CCMP for the
# group cipher. The disabled "mcz" profile is TKIP-only (deprecated, weak
# cipher) and exists for the station-mode link to the MCZ device below; keep
# it disabled unless that link is actually needed.
add authentication-types=wpa2-psk disabled=no group-encryption=ccmp name=home
add authentication-types=wpa2-psk disabled=no group-encryption=ccmp name=\
guest
add authentication-types=wpa2-psk disabled=no name=silent
add authentication-types=wpa2-psk disabled=no name=service
add authentication-types=wpa2-psk disabled=yes encryption=tkip \
group-encryption=tkip group-key-update=1h name=mcz
/interface wifi configuration
# One configuration per SSID/role. The guest SSID ("Clochard") is currently
# disabled. "silent" is hidden; note that hide-ssid is not an access control,
# the PSK is.
add antenna-gain=2 country=Italy datapath=Wifi_Guest disabled=yes name=guest \
security=guest ssid=Clochard
add country=Italy datapath=Wifi_Mamma disabled=no hide-ssid=yes mode=ap name=\
silent security=silent ssid=silent
add channel=wlan2_channel11 country=Italy datapath=Wifi_Domus disabled=no \
hide-ssid=no mode=ap name=studio_2ghz security=service ssid=\
LimitService2G
add channel=wlan2_channel1 country=Italy datapath=Wifi_Domus disabled=no \
hide-ssid=no mode=ap name=centro_2ghz security=service ssid=\
LimitService2G
add channel=wlan2_channel6_main country=Italy datapath=Wifi_Domus disabled=no \
hide-ssid=no mode=ap name=server_2ghz security=service ssid=\
LimitService2G
add channel=wlan2_channel11 country=Italy datapath=Wifi_Domus disabled=no \
hide-ssid=no mode=ap name=taverna_2ghz security=service ssid=\
LimitService2G
add channel=wlan2_channel1 country=Italy datapath=Wifi_Domus disabled=no \
hide-ssid=no mode=ap name=esterno_2ghz security=service ssid=\
LimitService2G
add antenna-gain=2 country=Italy datapath=Wifi_Casa disabled=no mode=ap name=\
home2G security=home ssid=HyperLimitless
add country=Italy datapath=Wifi_Domus disabled=no hide-ssid=no mode=ap name=\
service5G security=service ssid=LimitService5G
add channel=wlan5_ghz country=Italy datapath=Wifi_Casa disabled=no mode=ap \
name=home5G security=home ssid=HyperLimitless
# Station-mode (client) link to an external MCZ device, disabled together with
# its TKIP security profile.
add country=Italy disabled=yes hide-ssid=no mode=station name=mcz security=\
mcz ssid=MCZ-014A3FDA26BB90
/interface wifi
# Interfaces keyed by radio-mac are the physical radios created by CAPsMAN
# provisioning; the entries with master-interface are the virtual APs
# (guest/home/silent) hosted on that radio. The "# SSID not set" lines are
# part of the original export.
add configuration=service5G disabled=no name=wifi1 radio-mac=\
48:A9:8A:0E:06:A8
add configuration=service5G disabled=no name=wifi2 radio-mac=\
48:A9:8A:BC:A5:24
add configuration=service5G disabled=no name=wifi3 radio-mac=\
48:A9:8A:0E:09:5D
add configuration=home5G disabled=no mac-address=4A:A9:8A:0E:06:A8 \
master-interface=wifi1 name=wifi4
add configuration=home5G disabled=no mac-address=4A:A9:8A:BC:A5:24 \
master-interface=wifi2 name=wifi5
add configuration=home5G disabled=no mac-address=4A:A9:8A:0E:09:5D \
master-interface=wifi3 name=wifi6
add configuration=service5G disabled=no name=wifi7 radio-mac=\
48:A9:8A:0E:03:51
add configuration=service5G disabled=no name=wifi8 radio-mac=\
48:A9:8A:0E:06:47
add configuration=home5G disabled=no mac-address=4A:A9:8A:0E:03:51 \
master-interface=wifi7 name=wifi9
add configuration=home5G disabled=no mac-address=4A:A9:8A:0E:06:47 \
master-interface=wifi8 name=wifi10
add configuration=centro_2ghz disabled=no name=wifi11 radio-mac=\
48:A9:8A:0E:06:A9
add configuration=esterno_2ghz disabled=no name=wifi12 radio-mac=\
48:A9:8A:0E:09:5E
# SSID not set
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:06:A9 \
master-interface=wifi11 name=wifi13
add configuration=home2G disabled=no mac-address=4A:A9:8A:0E:06:AA \
master-interface=wifi11 name=wifi14
add configuration=studio_2ghz disabled=no name=wifi15 radio-mac=\
48:A9:8A:0E:03:52
add configuration=taverna_2ghz disabled=no name=wifi16 radio-mac=\
48:A9:8A:0E:06:48
# SSID not set
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:09:5E \
master-interface=wifi12 name=wifi17
add configuration=home2G disabled=no mac-address=4A:A9:8A:0E:09:5F \
master-interface=wifi12 name=wifi18
add configuration=server_2ghz disabled=no name=wifi19 radio-mac=\
48:A9:8A:BC:A5:25
# SSID not set
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:03:52 \
master-interface=wifi15 name=wifi20
add configuration=home2G disabled=no mac-address=4A:A9:8A:0E:03:53 \
master-interface=wifi15 name=wifi21
# SSID not set
add configuration=guest disabled=no mac-address=4A:A9:8A:0E:06:48 \
master-interface=wifi16 name=wifi22
add configuration=home2G disabled=no mac-address=4A:A9:8A:0E:06:49 \
master-interface=wifi16 name=wifi23
# SSID not set
add configuration=guest disabled=no mac-address=4A:A9:8A:BC:A5:25 \
master-interface=wifi19 name=wifi24
add configuration=home2G disabled=no mac-address=4A:A9:8A:BC:A5:26 \
master-interface=wifi19 name=wifi25
add configuration=silent disabled=no mac-address=4A:A9:8A:BC:A5:27 \
master-interface=wifi19 name=wifi26
/ip kid-control
# Disabled placeholder entry; no kid-control policy is active.
add disabled=yes fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d \
thu=0s-1d tue=0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=\
0s-1d tur-thu=0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
# One pool per network. MammaPool (10.255.255.x) is a different subnet from the
# 200-Mamma interface address (10.255.254.1/24): those clients sit behind the
# relay at 10.255.254.2 and are reached via the static route further down.
add name=MammaPool ranges=10.255.255.100-10.255.255.200
add name=GuestsPool ranges=172.16.0.2-172.16.15.254
add name=DomusPool ranges=192.168.240.100-192.168.240.200
add name=CasaPool ranges=192.168.0.100-192.168.0.200
add name=ControlPool ranges=10.10.0.100-10.10.0.200
/ip dhcp-server
# NOTE(review): the /ip dhcp-server network section (which carries the gateway
# and the DNS server handed to clients) is not part of this export, so which
# resolver each VLAN is told to use cannot be confirmed from here.
#
# Casa_dhcp: the lease script registers each lease in /ip dns static under the
# "lan" domain, tagging entries with a comment so it can remove its own
# entries again. The hostname is taken from the lease *comment*
# (leaseClientHostnameSource="comment"), not from the client-sent hostname;
# what the script does for a lease that has no comment is not verified here.
add add-arp=yes address-pool=CasaPool interface=100-Casa lease-script="# When \
\"1\" all DNS entries with IP address of DHCP lease are removed\r\
\n:local dnsRemoveAllByIp \"1\"\r\
\n# When \"1\" all DNS entries with hostname of DHCP lease are removed\r\
\n:local dnsRemoveAllByName \"1\"\r\
\n# When \"1\" addition and removal of DNS entries is always done also for\
\_non-FQDN hostname\r\
\n:local dnsAlwaysNonfqdn \"1\"\r\
\n# DNS domain to add after DHCP client hostname\r\
\n:local dnsDomain \"lan\"\r\
\n# DNS TTL to set for DNS entries\r\
\n:local dnsTtl \"00:15:00\"\r\
\n# Source of DHCP client hostname, can be \"lease-hostname\" or any other\
\_lease attribute, like \"host-name\" or \"comment\"\r\
\n:local leaseClientHostnameSource \"comment\"\r\
\n\r\
\n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientH\
ostnameSource\"\r\
\n:local leaseClientHostname\r\
\n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\r\
\n :set leaseClientHostname \$\"lease-hostname\"\r\
\n} else={\r\
\n :set leaseClientHostname ([:pick \\\r\
\n [/ip dhcp-server lease print as-value where server=\"\$leaseServerNa\
me\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\r\
\n 0]->\"\$leaseClientHostnameSource\")\r\
\n}\r\
\n:local leaseClientHostnameShort \"\$leaseClientHostname\"\r\
\n:local leaseClientHostnames \"\$leaseClientHostname\"\r\
\n:if ([:len [\$dnsDomain]] > 0) do={\r\
\n :set leaseClientHostname \"\$leaseClientHostname.\$dnsDomain\"\r\
\n :if (\$dnsAlwaysNonfqdn = \"1\") do={\r\
\n :set leaseClientHostnames \"\$leaseClientHostname,\$leaseClientHostn\
ameShort\"\r\
\n }\r\
\n}\r\
\n:if (\$dnsRemoveAllByIp = \"1\") do={\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\"]\r\
\n}\r\
\n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\r\
\n :if (\$dnsRemoveAllByName = \"1\") do={\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\
\" and name=\"\$h\"]\r\
\n }\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\" and name=\"\$h\"]\r\
\n :if (\$leaseBound = \"1\") do={\r\
\n :delay 1\r\
\n /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\
\" name=\"\$h\" ttl=\"\$dnsTtl\"\r\
\n }\r\
\n}" lease-time=1d name=Casa_dhcp
# Mamma clients are served through a relay (the AP at 10.255.254.2); the
# server answers from 10.255.254.1 and hands out the 10.255.255.x pool.
add add-arp=yes address-pool=MammaPool bootp-support=none interface=200-Mamma \
lease-time=1d name=Mamma_dchp relay=10.255.254.2 server-address=\
10.255.254.1
add add-arp=yes address-pool=GuestsPool interface=300-Guest lease-time=12h \
name=Guests_dhcp
# Domus_dhcp listens on the untagged BR-Capsman (not on 400-Domus) and runs the
# same lease script as Casa with the "domus" domain.
add add-arp=yes address-pool=DomusPool interface=BR-Capsman lease-script="# Wh\
en \"1\" all DNS entries with IP address of DHCP lease are removed\r\
\n:local dnsRemoveAllByIp \"1\"\r\
\n# When \"1\" all DNS entries with hostname of DHCP lease are removed\r\
\n:local dnsRemoveAllByName \"1\"\r\
\n# When \"1\" addition and removal of DNS entries is always done also for\
\_non-FQDN hostname\r\
\n:local dnsAlwaysNonfqdn \"1\"\r\
\n# DNS domain to add after DHCP client hostname\r\
\n:local dnsDomain \"domus\"\r\
\n# DNS TTL to set for DNS entries\r\
\n:local dnsTtl \"00:15:00\"\r\
\n# Source of DHCP client hostname, can be \"lease-hostname\" or any other\
\_lease attribute, like \"host-name\" or \"comment\"\r\
\n:local leaseClientHostnameSource \"comment\"\r\
\n\r\
\n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientH\
ostnameSource\"\r\
\n:local leaseClientHostname\r\
\n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\r\
\n :set leaseClientHostname \$\"lease-hostname\"\r\
\n} else={\r\
\n :set leaseClientHostname ([:pick \\\r\
\n [/ip dhcp-server lease print as-value where server=\"\$leaseServerNa\
me\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\r\
\n 0]->\"\$leaseClientHostnameSource\")\r\
\n}\r\
\n:local leaseClientHostnameShort \"\$leaseClientHostname\"\r\
\n:local leaseClientHostnames \"\$leaseClientHostname\"\r\
\n:if ([:len [\$dnsDomain]] > 0) do={\r\
\n :set leaseClientHostname \"\$leaseClientHostname.\$dnsDomain\"\r\
\n :if (\$dnsAlwaysNonfqdn = \"1\") do={\r\
\n :set leaseClientHostnames \"\$leaseClientHostname,\$leaseClientHostn\
ameShort\"\r\
\n }\r\
\n}\r\
\n:if (\$dnsRemoveAllByIp = \"1\") do={\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\"]\r\
\n}\r\
\n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\r\
\n :if (\$dnsRemoveAllByName = \"1\") do={\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\
\" and name=\"\$h\"]\r\
\n }\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" \
and address=\"\$leaseActIP\" and name=\"\$h\"]\r\
\n :if (\$leaseBound = \"1\") do={\r\
\n :delay 1\r\
\n /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\
\" name=\"\$h\" ttl=\"\$dnsTtl\"\r\
\n }\r\
\n}" lease-time=1d name=Domus_dhcp
# Control network DHCP is disabled, like the 900-Control VLAN it belongs to.
add add-arp=yes address-pool=ControlPool disabled=yes interface=BR-Capsman \
lease-time=2w1d name=Control_dhcp
/container
# Pi-hole container: attached to veth1, all four USB mounts, auto-start.
add envlist=pihole_envs interface=veth1 mounts=\
list_pihole,etc_pihole,dnsmasq_pihole,crono_pihole root-dir=\
usb1-part1/pihole start-on-boot=yes
/container config
# Images are pulled from Docker Hub over HTTPS into a tmpdir on the USB disk.
set registry-url=https://registry-1.docker.io tmpdir=usb1-part1/pull
/container envs
add key=TZ name=pihole_envs value=Europe/Rome
# REVIEW: WEBPASSWORD is the Pi-hole admin UI password. If "password" is the
# literal value and not a redaction, replace it with a strong one: the forward
# rule "allow access to PiHOLE" lets every LAN VLAN, Guest included, reach the
# container on all ports, so this password is the only thing in front of the
# admin UI. Note also that environment values appear in cleartext in /export,
# so scrub them before sharing a configuration.
add key=WEBPASSWORD name=pihole_envs value="password"
# Runs the container's DNS daemon as root, removing its in-container privilege
# drop. If this was only needed to get the container to start on RouterOS,
# worth re-checking whether it is still required.
add key=DNSMASQ_USER name=pihole_envs value=root
# Must match the veth1 address above.
add key=FTLCONF_LOCAL_IPV4 name=pihole_envs value=192.168.55.55
/interface bridge port
# sfp-sfpplus1 is the trunk to the CAPs (tagged in every VLAN below). ether8 is
# a bridge port but is not tagged in any bridge VLAN entry, so it presumably
# carries only the bridge's untagged network (Domus) — confirm its pvid.
add bridge=BR-Capsman interface=sfp-sfpplus1 internal-path-cost=10 path-cost=\
10
add bridge=BR-Capsman interface=ether8 internal-path-cost=10 path-cost=10
# The container's veth is the only port of the Pi-hole bridge.
add bridge=BR-PiHole interface=veth1 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
# Neighbor discovery only on Casa and Domus; not on Guest, Mamma or WAN.
set discover-interface-list=TRUSTED
/ipv6 settings
# IPv6 is fully disabled. The DNS redirect in /ip firewall nat is IPv4-only, so
# if IPv6 is ever enabled, IPv6 DNS traffic will need equivalent handling.
set disable-ipv6=yes forward=no
/interface bridge vlan
# Every client VLAN is tagged on the CPU port (BR-Capsman) and on the trunk; no
# untagged entries are configured here.
add bridge=BR-Capsman comment="Mamma VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=200
add bridge=BR-Capsman comment="Guest VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=300
add bridge=BR-Capsman comment="Domus VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=400
add bridge=BR-Capsman comment="Casa VLAN" tagged=BR-Capsman,sfp-sfpplus1 \
vlan-ids=100
# BR-Capsman not a bridge port
add bridge=BR-Capsman comment="Control VLAN" disabled=yes tagged=\
BR-Capsman,sfp-sfpplus1 vlan-ids=900
/interface list member
# LAN = all client VLANs plus the bridge itself. BR-PiHole is deliberately NOT
# in LAN (entry disabled): the container is therefore not matched by the
# LAN-scoped input/NAT rules and gets its Internet access from a dedicated
# forward rule keyed on its source address.
add interface=provider-pppoe list=WAN
add interface=100-Casa list=LAN
add interface=provider-vlan list=WAN
add interface=200-Mamma list=LAN
add interface=300-Guest list=LAN
add interface=400-Domus list=LAN
add interface=100-Casa list=TRUSTED
add interface=400-Domus list=TRUSTED
add disabled=yes interface=900-Control list=LAN
add interface=BR-Capsman list=LAN
add disabled=yes interface=BR-PiHole list=LAN
/interface wifi access-list
# Accepts a vendor OUI prefix (18:34:51). MAC/OUI matching is not
# authentication: clients are admitted by the WPA2 PSK regardless of this
# entry, so it only affects which stations the list explicitly accepts.
add action=accept comment="Apple Device" disabled=no mac-address=\
18:34:51:00:00:00 mac-address-mask=FF:FF:FF:00:00:00
/interface wifi capsman
# CAPsMAN listens on BR-Capsman only. require-peer-certificate=no means CAPs
# are not authenticated by certificate; that is acceptable only as long as the
# bridge's untagged/control segment is physically trusted.
set enabled=yes interfaces=BR-Capsman package-path="" \
require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
# One provisioning rule per radio (keyed by radio-mac): 5 GHz radios get the
# service SSID with the home SSID as slave; 2.4 GHz radios get the
# room-specific service configuration plus guest/home (and silent on one).
add action=create-enabled disabled=no master-configuration=service5G \
name-format="" radio-mac=48:A9:8A:BC:A5:24 slave-configurations=home5G
add action=create-enabled disabled=no master-configuration=studio_2ghz \
name-format="" radio-mac=48:A9:8A:0E:03:52 slave-configurations=\
guest,home2G
add action=create-enabled disabled=no master-configuration=service5G \
name-format="" radio-mac=48:A9:8A:0E:06:47 slave-configurations=home5G
add action=create-enabled disabled=no master-configuration=service5G \
name-format="" radio-mac=48:A9:8A:0E:09:5D slave-configurations=home5G
add action=create-enabled disabled=no master-configuration=service5G \
name-format="" radio-mac=48:A9:8A:0E:06:A8 slave-configurations=home5G
add action=create-enabled disabled=no master-configuration=esterno_2ghz \
name-format="" radio-mac=48:A9:8A:0E:09:5E slave-configurations=\
guest,home2G
add action=create-enabled disabled=no master-configuration=server_2ghz \
name-format="" radio-mac=48:A9:8A:BC:A5:25 slave-configurations=\
guest,home2G,silent
add action=create-enabled disabled=no master-configuration=service5G \
name-format="" radio-mac=48:A9:8A:0E:03:51 slave-configurations=home5G \
supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=centro_2ghz \
name-format="" radio-mac=48:A9:8A:0E:06:A9 slave-configurations=\
guest,home2G
add action=create-enabled disabled=no master-configuration=taverna_2ghz \
name-format="" radio-mac=48:A9:8A:0E:06:48 slave-configurations=\
guest,home2G
/ip address
# Gateway addresses. Domus (192.168.240.1) is on BR-Capsman itself, not on the
# 400-Domus VLAN interface. 192.168.55.1 is the Pi-hole's gateway on BR-PiHole.
add address=192.168.0.1/24 interface=100-Casa network=192.168.0.0
add address=172.16.0.1/20 interface=300-Guest network=172.16.0.0
add address=10.255.254.1/24 interface=200-Mamma network=10.255.254.0
add address=192.168.240.1/24 interface=BR-Capsman network=192.168.240.0
add address=192.168.55.1/24 interface=BR-PiHole network=192.168.55.0
add address=10.10.0.1/24 disabled=yes interface=BR-Capsman network=10.10.0.0
/ip dns
# The router itself is a resolver (allow-remote-requests=yes). Who can reach it
# is bounded by the input chain: udp/tcp 53 from LAN interfaces, everything
# else (WAN included) hits the final drop. Since BR-PiHole is not in LAN and
# not in net_casa, the container cannot use the router as its upstream.
# Upstreams here are Cloudflare plus the PPPoE peer DNS; cache entries are
# capped at one minute.
set allow-remote-requests=yes cache-max-ttl=1m servers=1.1.1.1,1.0.0.1
/ip firewall address-list
# "excluded" = sources whose DNS is NOT redirected to the Pi-hole (Mamma,
# Guest, Control, one Domus host, and the Pi-hole itself).
# "filtered" = sources whose redirected queries also get the hairpin
# masquerade (Casa, Domus).
# Anything in LAN that is in neither list (e.g. the 10.255.254.0/24 relay
# subnet where the Mamma AP lives) is still redirected but not masqueraded.
add address=192.168.0.0/24 comment="Casa NET" list=net_casa
add address=xxx.xxx.xxx.xxx list=PublicIP
add address=10.255.255.0/24 comment="Mamma NET" list=net_mamma
add address=172.16.0.0/20 comment="Guest NET" list=net_guest
add address=10.255.255.0/24 comment="Excluded from PiHole" list=excluded
add address=172.16.0.0/20 comment="Excluded from PiHole" list=excluded
# Keeping the Pi-hole's own address in "excluded" matters: without it the
# container's upstream queries would be redirected back to itself.
add address=192.168.55.55 comment="Excluded from PiHole" list=excluded
add address=192.168.240.0/24 comment="Domus NET" list=net_domus
add address=10.10.0.0/24 comment="Excluded from PiHole" list=excluded
add address=192.168.240.10 comment="Excluded from PiHole" list=excluded
add address=192.168.0.0/24 comment="Filtered from PiHole" list=filtered
add address=192.168.240.0/24 comment="Filtered from PiHole" list=filtered
add address=10.10.0.0/24 comment="Control NET" list=net_control
/ip firewall filter
# --- input chain: router-destined traffic. Order matters; the chain ends in an
# unconditional drop, so only what is accepted below reaches router services.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# ICMP is accepted from every interface, WAN included (defconf behaviour).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Casa is the only network with full access to router services (the services
# themselves, /ip service, are not in this export).
add action=accept chain=input comment=\
"ONLY allow trusted subnet full access to router services" \
src-address-list=net_casa
# DNS + NTP from any LAN interface. dstnat runs before this chain, so port-53
# traffic from non-"excluded" sources has already been rewritten to the
# Pi-hole and never arrives here; the router's own resolver effectively serves
# only the excluded subnets (Mamma, Guest, Control).
add action=accept chain=input comment=PiHole dst-port=53,123 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment=PiHole dst-port=53 in-interface-list=\
LAN protocol=tcp
add action=drop chain=input comment="DROP ALL ELSE"
# --- forward chain: traffic between networks.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Internet for every LAN network except Control.
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN src-address-list=!net_control
# The container's Internet access, keyed on its address because BR-PiHole is
# not a LAN member.
add action=accept chain=forward comment="internet traffic" \
out-interface-list=WAN src-address=192.168.55.55
add action=accept chain=forward comment="allow access to ALL DomusNET" \
dst-address-list=net_domus src-address-list=net_casa
add action=accept chain=forward comment="allow access to ALL ControlNET" \
dst-address-list=net_control src-address-list=net_casa
add action=accept chain=forward comment="allow access to AP Mamma" \
dst-address=10.255.254.2 src-address-list=net_casa
# REVIEW: this accepts every protocol and port to the Pi-hole from every LAN
# interface, Guest and Mamma included, which exposes the container's admin web
# UI (and anything else it listens on) to guest clients. Redirected DNS is
# already admitted by the "port forwarding" rule below (those connections are
# in dstnat state), so this rule only serves clients that address the Pi-hole
# directly. Narrow it to `dst-port=53 protocol=udp` and `dst-port=53
# protocol=tcp`, and if the admin UI should stay reachable, add a separate
# accept with `src-address-list=net_casa`.
add action=accept chain=forward comment="allow access to PiHOLE" dst-address=\
192.168.55.55 in-interface-list=LAN
# Accepts anything that passed dstnat: the DNS redirect connections and any
# forwards UPnP may create.
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
# Everything else between networks is dropped, so Guest/Mamma cannot reach
# Casa or Domus.
add action=drop chain=forward comment="DROP ALL ELSE"
/ip firewall nat
add action=masquerade chain=srcnat comment=Internet out-interface-list=WAN
# Transparent DNS redirect: plain port-53 UDP/TCP from any LAN interface, from
# sources not in "excluded", is rewritten to the Pi-hole regardless of the
# resolver the client configured. This is exactly what the post observes:
# `dig google.com @8.8.8.8` is answered through the Pi-hole while the
# container runs, and the same query times out (Chrome: DNS_PROBE_STARTED)
# when the container is stopped, because the redirected packets now go to an
# address nothing answers on. So the rules do work; a static 8.8.8.8 on a
# Casa/Domus client does not bypass the Pi-hole.
# Coverage caveat: only plain DNS on port 53 is caught; encrypted DNS (DoH
# on 443, DoT on 853) is not, and neither is IPv6 if it is ever enabled.
add action=dst-nat chain=dstnat comment="DNS Redirect to PI-Hole" dst-port=53 \
in-interface-list=LAN protocol=udp src-address-list=!excluded \
to-addresses=192.168.55.55 to-ports=53
add action=dst-nat chain=dstnat comment="DNS Redirect to PI-Hole" dst-port=53 \
in-interface-list=LAN protocol=tcp src-address-list=!excluded \
to-addresses=192.168.55.55 to-ports=53
# "Hairpin" masquerade: rewrites the source of redirected Casa/Domus queries to
# the router's 192.168.55.1. Because the Pi-hole is on its own bridge and
# routes its replies back through the router anyway, this should not be needed
# for the redirect to work; its effect is that every query reaches the Pi-hole
# with the router as client, so per-client statistics and group rules are
# lost. Consider removing these two rules and verifying the redirect still
# answers.
add action=masquerade chain=srcnat comment="PiHole hairpin NAT" dst-address=\
192.168.55.55 dst-port=53 protocol=udp src-address-list=filtered
add action=masquerade chain=srcnat comment="PiHole hairpin NAT" dst-address=\
192.168.55.55 dst-port=53 protocol=tcp src-address-list=filtered
/ip firewall service-port
# Connection-tracking helpers for FTP/H.323/PPTP disabled: fewer NAT helpers
# inspecting and opening pinholes for traffic.
set ftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
/ip route
# Route to the Mamma client subnet via the AP/relay at 10.255.254.2. The three
# entries are identical; two are redundant duplicates and can be removed.
add disabled=no dst-address=10.255.255.0/24 gateway=10.255.254.2 \
routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.255.255.0/24 gateway=10.255.254.2 \
routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.255.255.0/24 gateway=10.255.254.2 \
routing-table=main suppress-hw-offload=no
/ip upnp interfaces
# UPnP interface roles. Whether UPnP is enabled at all (/ip upnp set) is not
# in this export. If it is, BR-PiHole as "internal" lets the container itself
# request port mappings, and the forward chain accepts anything in dstnat
# state, so such mappings would be reachable from the Internet.
add interface=provider-pppoe type=external
add interface=100-Casa type=internal
add interface=400-Domus type=internal
add interface=provider-vlan type=external
add interface=BR-PiHole type=internal
/ipv6 firewall address-list
# Default-configuration bogon list; unused while the IPv6 filter below drops
# everything, but harmless to keep for when IPv6 is enabled.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# Belt and braces: IPv6 is disabled in /ipv6 settings and, should it come up,
# both input and forward are dropped outright.
add action=drop chain=input
add action=drop chain=forward
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=Router
/system logging
# Disables one of the default logging rules (which topic that is depends on
# the default rule set and is not shown here). Most of the entries below are
# disabled leftovers from debugging; the last active rule lists "info" twice.
set 2 disabled=yes
add action=echo disabled=yes topics=dhcp
add action=echo disabled=yes topics=dhcp
add disabled=yes topics=wireless
add action=echo disabled=yes topics=wireless
add action=remote disabled=yes topics=wireless
add disabled=yes prefix=dhcp topics=debug
add disabled=yes prefix=wireless topics=debug
add topics=wireless,debug,error,info,info
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
# Serves NTP to the LAN (reachable via the udp/123 input accept) from the local
# clock, advertised as stratum 1 even though the router itself syncs from the
# public pool below.
set enabled=yes local-clock-stratum=1 manycast=yes use-local-clock=yes
/system ntp client servers
add address=0.it.pool.ntp.org
add address=1.it.pool.ntp.org
add address=2.it.pool.ntp.org
add address=3.it.pool.ntp.org