Hi,
I just changed my isp.
Before the change connections via wifi and ethernet to the internet for computer and phones worked flawlessly.
Now only if I use a public dns server like 1.1.1.1 on computers or phones, internet work.
The DNS servers given by dhcp from my isp work. If I connect directly, bypassing the rb3011 or unifi, all is good.
Sniffing my dns servers on android phone gives me that I'm using the ones given to me by dhcp from my isp (the working ones).
Could I have blocked something in the firewall, it was a long time since I built it and I do not remember the settings I did.

My hardware is rb3011,
Ubiquiti unifi access point for wifi.

My DNS settings in winbox is:
servers: 1.1.1.1 (I entered it after the problem to see if it helped, but it did not)
Dynamic servers: dhcp given dns servers that work.
Does not allow remote requests. Should I allow it?
max udp package size: 4096
cach size 2048
Cache used 23KiB

It was a long time since I set up my rb3011 and I'm a little rusty so I do not know how to check for faults.
So I wonder if you could help me?
Thanks

Edit: if I allow remote requests I see that my phone uses my router as dns server and I get access to the internet.
Is it my settings or is it the isp:s settings that do not allow NAT:ed requests directly to their dns server or some other setting at the isp?
If it is my isp what setting could they have that make this problem?

Hi ho,

your dns-settings in routerOS seem to be ok.
But your router doesnt know how it can reach the DNS-Servers in the internet.
So you need to tell him what route (internet connection) it has to take.

Go to IP -> Routes -> Add a new route.
As Destination add "0.0.0.0/0" and in Gateway enter your PPPoE-Connection or whatever you have as an internet-connection.

After this click "ok" and your DNS-Client that is integrated in your router knows how to find the internet-connection.

Hi ho, on you as well :)
I have since before a route:
DAS Destination address:"0.0.0.0/0" Gateway: "100.65.42.1 reachable ether 1" Distance: "1"
traceroute shows that I reach 100.65.42.1 as first hop after my routers ip, when I see what hops I do when I go for an internet address.
I use dns server 1.1.1.1. on my computer.
So is your suggestion not already implemented or do I missunderstand?

Post your config
/export hide-sensitive file=anynameyouwish

Here is the file:
The dns server 1.1.1.1 is something I tried to add to make all work and I did not know how to remove afterwards.
I would like to load webpages fast so I think that means that I would like to let my RB cache dns queries.
Also I would like to be able to set dns server on my RB and that will be distributed to my devices. E.g. so if I'm not happy with the dns server supplied by my isp I can use e.g. 1.1.1.1.
Dynamic DNS servers are: 100.127.254.10, 100.127.254.11.

# mar/28/2021 14:13:45 by RouterOS 6.46.6
# software id = E66J-P7EA
#
# model = RouterBOARD 3011UiAS
# serial number = 780E0634248D
/interface bridge
add admin-mac=6C:3B:6B:F8:8E:8F auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.254 mac-address=70:8B:CD:56:03:05 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set servers=1.1.1.1
/ip dns static
add address=192.168.88.1 name=router.lan
add address=1.1.1.1 disabled=yes name=cloudflairDNS
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN \
out-interface=!bridge
add action=drop chain=forward comment=\
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/lcd
set time-interval=hour
/system clock
set time-zone-name=Europe/Stockholm
/system script
add dont-require-permissions=no name=releaseIPonWan owner=johannes policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"/ip dhcp-client\r\
\nrelease 0\r\
\nset 0 disabled=yes"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

The settings in /ip dns are what the router itself uses to do lookups. It will always get the dynamic addresses from your ISP, and you can give your own DNS servers too (like the 1.1.1.1 you have there). Manual entries will be preferred by the router when doing lookups.

The clients can be given their DNS servers in /ip/dhcp/networks, the same place they are given their gateway. So, if you want the dhcp clients to use the router for DNS, put the router's IP address there. If you want clients to use 1.1.1.1, put that there. This entry does not have to match the router's own setting above.

As you discovered, you also need to allow remote requests if you want the router to relay and cache DNS for you. That tells the router to let clients ask it for DNS; otherwise it only uses its DNS for itself.

I just wanted to add this: As you enabled the setting to allow remote DNS query, Make sure to drop any incoming traffic from WAN on port 53 TCP/UDP as anyone can use your DNS service and may be used it to attack others or your own router.

Thanks a lot, my router now distributes 1.1.1.1 as dns-server to all my devices.
For optimum throughout put is it wise to use the router as DNS server. When I enabled "allow remote requests" and checked at the speed against a server it seemed as if the speed in the beginning of the test, i.e. emulating loading a light web-page was slower then with the option disabled. It could have been a just by chance that the low speeds occurred just then.

To get the router to distribute my isp's dns servers so it works, how do I do that?
Also the setting /ip dns set server=1.1.1.1, I do not know what it was before so I can not reset it so do you know what does that do and what should it say?

I just wanted to add this: As you enabled the setting to allow remote DNS query, Make sure to drop any incoming traffic from WAN on port 53 TCP/UDP as anyone can use your DNS service and may be used it to attack others or your own router.

Code: Select all

/ip firewall nat
add action=redirect chain=dstnat src-address=192.168.88.0/24 dst-port=53 protocol=udp to-addresses=192.168.88.1 to-ports=53
add action=redirect chain=dstnat src-address=192.168.88.0/24 dst-port=53 protocol=tcp to-addresses=192.168.88.1 to-ports=53
/ip firewall filter
add action=accept chain=input comment="Allow DNS - TCP" port=53 protocol=tcp in-interface-list=LAN
add action=accept chain=input comment="Allow DNS - UDP" port=53 protocol=udp in-interface-list=LAN
add action=drop chain=input comment="Drop DNS - TCP" port=53 protocol=tcp in-interface-list=WAN
add action=drop chain=input comment="Drop DNS - UDP" port=53 protocol=udp in-interface-list=WAN

Hey own3r1138 your credibility suffers when you dont even read the config............... what do you think this rule does in his config......

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

YUP blocks all WAN to ROUTER traffic not coming from the LAN, including port 53 traffic.

I just wanted to add this: As you enabled the setting to allow remote DNS query, Make sure to drop any incoming traffic from WAN on port 53 TCP/UDP as anyone can use your DNS service and may be used it to attack others or your own router.

Code: Select all

/ip firewall nat
add action=redirect chain=dstnat src-address=192.168.88.0/24 dst-port=53 protocol=udp to-addresses=192.168.88.1 to-ports=53
add action=redirect chain=dstnat src-address=192.168.88.0/24 dst-port=53 protocol=tcp to-addresses=192.168.88.1 to-ports=53
/ip firewall filter
add action=accept chain=input comment="Allow DNS - TCP" port=53 protocol=tcp in-interface-list=LAN
add action=accept chain=input comment="Allow DNS - UDP" port=53 protocol=udp in-interface-list=LAN
add action=drop chain=input comment="Drop DNS - TCP" port=53 protocol=tcp in-interface-list=WAN
add action=drop chain=input comment="Drop DNS - UDP" port=53 protocol=udp in-interface-list=WAN

Hey own3r1138 your credibility suffers when you dont even read the config............... what do you think this rule does in his config......

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

YUP blocks all WAN to ROUTER traffic not coming from the LAN, including port 53 traffic.

Hello,
Yes, you are correct guilty as charged.

Besides the advice on DNS,
the real problem in this config is the disaster mess in the Firewall filter chain rules.
Duplicates all over the place which also places order of rules into chaos.

Suggest the OP stick with the default rules until they understand what they are doing.