Eldowin
just joined
Topic Author
Posts: 22
Joined: Sat Dec 28, 2019 6:17 pm

Exclude IPs from NAT rules (DNS redirect)

Mon Mar 30, 2020 9:52 pm

Hi,

I'm trying to configure a DNS redirect for all my client IPs, except a specific IP range. The DNS redirect works fine, but the excluded IP range gets ignored so far. Something seems to be wrong with my config. I tried this with address-lists and with one single IP address, but the result was the same.

Following configuration:
# Create a list for the excluded IP Range
/ip firewall address-list 
add list=UseLocalDNS address=192.168.10.220-224
add list=UseLocalDNS address=192.168.20.220-224

# Create NAT rule to redirect DNS to 192.168.255.1 for all IPs, except the IPs in the address-list "UseLocalDNS"
/ip firewall nat
add chain=dstnat action=dst-nat src-address-list=!UseLocalDNS to-addresses=192.168.255.1 to-ports=53 protocol=tcp dst-port=53
add chain=dstnat action=dst-nat src-address-list=!UseLocalDNS to-addresses=192.168.255.1 to-ports=53 protocol=udp dst-port=53

Would be great to get some help. Thanks a lot!

Best regards
 
msatter
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Exclude IPs from NAT rules (DNS redirect)

Mon Mar 30, 2020 10:23 pm

You are in different subnets and if the clients know the DNS server in another subnet then I would source nat.

If you want to rewrite the destination address then you need to stay in the same subnet 192.168.0.0/16 and not /24 for each subnet. The DNS server can't find the way back otherwise.
 
anav
Forum Guru
Posts: 22207
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Exclude IPs from NAT rules (DNS redirect)

Mon Mar 30, 2020 10:49 pm

I don't think it's a particularly useful exercise to split a subnet in functionality as in IP ranges...
Much better to separate in vlans, and if you need them to talk to each other then make the necessary firewall rules.
Then you can redirect in NAT rules very easily or whatever functionality you need to impart.

add chain=dstnat action=redirect source-address-list etc.......... one for udp one for tcp port 53
source-address list contains vlanX and vlanY but not vlanZ
 
Eldowin
just joined
Topic Author
Posts: 22
Joined: Sat Dec 28, 2019 6:17 pm

Re: Exclude IPs from NAT rules (DNS redirect)

Mon Mar 30, 2020 11:09 pm

Thanks for the replies.

There should be no problem regarding the different subnets. Each subnet is assigned to a VLAN, where the clients are able to communicate with each other. There is a route back to both client subnets, which allows direct communication between the clients and the DNS server. The Mikrotik router routes between all subnets.

The only issue with my NAT rules: The excluded address-list gets ignored.

The DNS traffic of both subnets gets correctly forwarded to the DNS server. Something seems to be wrong with the NAT rule, because the exclusion doesn't work.
 
msatter
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Exclude IPs from NAT rules (DNS redirect)

Tue Mar 31, 2020 12:51 am

Do the counters increase on those two lines if there is traffic natted?
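A RouterOS CLI sequence that carries out the counter check suggested above and proves whether the exclusion list is matching at all. This is an added example, not config from the thread or from MikroTik; it reuses the list name UseLocalDNS and resolver 192.168.255.1 from the first post, writes the ranges in the full start-end form RouterOS documents for address-list entries, and the temporary log rule, comments and the connection-flush step are assumptions of this example.

```routeros
# Added diagnostic example, not from the thread. Assumes the list name
# UseLocalDNS and the resolver 192.168.255.1 from the original post.

# 1. Address-list entries in the start-end form RouterOS documents for ranges.
/ip firewall address-list
add list=UseLocalDNS address=192.168.10.220-192.168.10.224 comment="local DNS allowed"
add list=UseLocalDNS address=192.168.20.220-192.168.20.224 comment="local DNS allowed"

# 2. Confirm the entries were accepted exactly as intended (no typo, no silent drop).
/ip firewall address-list print where list=UseLocalDNS

# 3. Temporary log rule placed before the redirect rules: if an excluded host
#    shows up in the log, the list matches and the problem lies elsewhere.
/ip firewall nat
add chain=dstnat action=log log-prefix="dns-excluded" src-address-list=UseLocalDNS \
    protocol=udp dst-port=53 place-before=0 comment="temp: prove list matches"

# 4. Redirect rules. dstnat rules are evaluated top-down and only the first
#    matching action rule applies, so the order matters.
add chain=dstnat action=dst-nat src-address-list=!UseLocalDNS to-addresses=192.168.255.1 \
    to-ports=53 protocol=udp dst-port=53 comment="redirect DNS"
add chain=dstnat action=dst-nat src-address-list=!UseLocalDNS to-addresses=192.168.255.1 \
    to-ports=53 protocol=tcp dst-port=53 comment="redirect DNS"

# 5. Send one DNS query from an excluded host and one from any other client,
#    then compare counters and the log. The excluded host should increment only
#    the log rule; the other client should increment only the redirect rule.
/ip firewall nat print stats where chain=dstnat
/log print where message~"dns-excluded"

# 6. dst-nat is applied to new connections only: a client with an already
#    tracked UDP/53 entry keeps its old mapping until that entry expires.
#    Flush tracked DNS connections so the test is not skewed by stale state.
/ip firewall connection remove [find protocol=udp dst-address~":53$"]

# 7. Remove the temporary log rule once the test is done.
/ip firewall nat remove [find comment="temp: prove list matches"]
```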