Community discussions

MikroTik App
  4. RouterOS
  5. General

DNS Request Coming from Gateway

Post Reply
 
seyamico
just joined
Topic Author
Posts: 9
Joined: Mon Jul 02, 2018 11:49 am

DNS Request Coming from Gateway

Wed Aug 04, 2021 8:12 am

I am facing a weird Problem.
I have a MT connected with ppppoe. I have two networks on ether2 and ether3. I have a DNS server(Adguard Home) on ether2(10.20.50.X/24). Here's my Network diagram.

Image

The problem is my DNS server is recieving DNS request from the gateway IP of the Network, not from the device/client connected to the network.

Image

Here's my router config
Code: Select all
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=bangladesh frequency=\
    auto hide-ssid=yes installation=indoor mode=ap-bridge radio-name="" ssid=\
    P2P wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether3 ] arp=reply-only name=ether
set [ find default-name=ether2 ] arp=reply-only
set [ find default-name=ether4 ] arp=reply-only
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether4 name=pppoe user=\
    131
/interface list
add name=LAN
add name=WAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_LAN ranges=10.20.51.60-10.20.51.70
add name=dhcp_SERVER ranges=10.20.50.10-10.20.50.15
/ip dhcp-server
add address-pool=dhcp_LAN disabled=no interface=ether lease-time=10h name=\
    DHCP-AP
add address-pool=dhcp_SERVER disabled=no interface=ether2 lease-time=10h \
    name=DHCP-SERVER
/routing bgp instance
set default as=100 disabled=yes
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 disabled=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=pppoe list=WAN
add interface=ether list=LAN
add interface=ether2 list=LAN
add interface=ether1 list=MGMT
add interface=ether1 list=LAN
/ip address
add address=10.20.50.70/24 interface=ether2 network=10.20.50.0
add address=10.20.51.30/24 interface=ether network=10.20.51.0
add address=10.10.10.1/30 network=10.10.10.0
/ip cloud
set update-time=no
/ip cloud advanced
set use-local-address=yes
/ip dhcp-server network
add address=10.20.50.0/24 dns-server=10.20.50.15 gateway=10.20.50.70 netmask=\
    24
add address=10.20.51.0/24 dns-server=10.20.50.15 gateway=10.20.51.30 netmask=\
    32
/ip dns
set servers=10.20.50.15,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat src-address=\
    10.20.50.0/24
add action=masquerade chain=srcnat src-address=\
    10.20.51.0/24
My goal is to get DNS requests from the individual device/client of my network.
I tried natting like this
add action=masquerade chain=srcnat src-address=10.20.0.0/16 out-interface=pppoe
everything works fine. but i can't reach my AP's(AP1, AP2) from RPi Network(ether2-10.20.50.X/24). The AP's are normal home router, I disabled the DHCP server in order to use them as AP Mode.
I also need to reach my APs.
Last edited by seyamico on Wed Aug 04, 2021 9:20 am, edited 3 times in total.
Top
 
User avatar
jvanhambelgium
Forum Guru
Forum Guru
Posts: 1119
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: DNS Request Coming from Gateway

Wed Aug 04, 2021 8:32 am

You're having 2 maqs-rules :

/ip firewall nat
add action=masquerade chain=srcnat src-address=10.20.50.0/24
add action=masquerade chain=srcnat src-address=10.20.51.0/24

So its normal that ALL & ANY traffic will be NAT'ed/hidden behind the exiting interface IP even internally on your LAN because you only specifiy "src-address" and a packet from 10.20.51.45 towards DNS 10.20.50.15 will MATCH this NAT-rule so the NAT/masq is applied
You normally have *1* such MASQ-rule applied on the way to Internet! so basically change the 2 rules above towards 1 rules something like below where you specify outgoing "Internet" interface :

add action=masquerade chain=srcnat src-address=10.20.0.0/16 out-interface=pppoe

Similar post has been here on the forum very recently.
Sure you can retain 2 masq-rules but there is really no need to.
Top
 
seyamico
just joined
Topic Author
Posts: 9
Joined: Mon Jul 02, 2018 11:49 am

Re: DNS Request Coming from Gateway

Wed Aug 04, 2021 8:58 am

You're having 2 maqs-rules :

/ip firewall nat
add action=masquerade chain=srcnat src-address=10.20.50.0/24
add action=masquerade chain=srcnat src-address=10.20.51.0/24

So its normal that ALL & ANY traffic will be NAT'ed/hidden behind the exiting interface IP even internally on your LAN because you only specifiy "src-address" and a packet from 10.20.51.45 towards DNS 10.20.50.15 will MATCH this NAT-rule so the NAT/masq is applied
You normally have *1* such MASQ-rule applied on the way to Internet! so basically change the 2 rules above towards 1 rules something like below where you specify outgoing "Internet" interface :

add action=masquerade chain=srcnat src-address=10.20.0.0/16 out-interface=pppoe

Similar post has been here on the forum very recently.
Sure you can retain 2 masq-rules but there is really no need to.
Thanks to you for your suggesion.I tried NATTing out-interface=pppoe

after applying this rule, i can't reach my AP's(AP1, AP2) from the RPi(ether2-10.20.50.X/24) network. I also need that working.
Top
 
User avatar
jvanhambelgium
Forum Guru
Forum Guru
Posts: 1119
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: DNS Request Coming from Gateway

Wed Aug 04, 2021 10:25 am

So you cannot even ping between them (eg. from AP > RPi or vice-versa) ??
On each device default-gateway was set OK?
I do not see any other FW-filter rule/entry on your config so all traffic normally is allowed between the segments 10.20.50.x <> 10.20.51.x

With the single masquerade rule in place, do your devices have Internet access ? (or does that even not work?)
Top
 
seyamico
just joined
Topic Author
Posts: 9
Joined: Mon Jul 02, 2018 11:49 am

Re: DNS Request Coming from Gateway

Wed Aug 04, 2021 4:13 pm

So you cannot even ping between them (eg. from AP > RPi or vice-versa) ??
On each device default-gateway was set OK?
I do not see any other FW-filter rule/entry on your config so all traffic normally is allowed between the segments 10.20.50.x <> 10.20.51.x

With the single masquerade rule in place, do your devices have Internet access ? (or does that even not work?)
yes, i cannot ping between rpi-AP's after NATTING like this -
Code: Select all
add action=masquerade chain=srcnat src-address=10.20.0.0/16 out-interface=pppoe
but the DNS requests works fine now. requests are coming from individual devices of my network.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 22135
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: DNS Request Coming from Gateway

Wed Aug 04, 2021 6:34 pm

Why use source anything for natting. I dont understand the purpose
It should be out-interface=wan only.
Top
 
User avatar
jvanhambelgium
Forum Guru
Forum Guru
Posts: 1119
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: DNS Request Coming from Gateway

Wed Aug 04, 2021 8:11 pm

Why use source anything for natting. I dont understand the purpose
It should be out-interface=wan only.
Perhaps you have a network-design that contains IP-ranges that you don't want to accidentally be able to reach the outside world ?
Sure you can have ip-filter rules for that, but making the SNAT-rule more detailed can also help. Its clear that such IP's would never ever be going out in the event of other config errors.

I mean, there is dozens of reason, there is no good or bad way. Even if you want 5 masq-rules each for a certain /24 in your network that is not bad unless every cpu-cycle counts and you are into extreme performance tuning.
Top
Post Reply
  4. RouterOS
  5. General