Hi folks,

I've had a working setup for a while now on a single default VLAN 1 with everything all talking nicely. I've wanted to segment the network with VLANs and I have run into my first issue.

I have a RaspberryPi running PiHole for DNS and I have the MikroTik setup to redirect any DNS request to the PiHole, just in case some sneaky manufacturer hard codes DNS into their appliance.

Using this in my config to achieve the redirect. PiHole is on 192.168.88.3

This all works just fine. Now today I have added in a VLAN and in DHCP server I specified 8.8.8.8 as the DNS server, which is fine as it should be redirected but it doesn't respond. If I disable the NAT rule it works fine. I'm failing to see my mistake here, and ideally I'd like to be able to not redirect to PiHole, perhaps for a Guest VLAN that can do whatever it wants.

It might be the way I have implemented the VLAN, so I include that here:
Please excuse the VLAN name, it started out as a way to put a single device on a VLAN, a Cisco box that acts as a mobile (cell) phone in my house.

I have started a diagram, which I've attached.

Nice diagram by the way.
I am getting my pi 3+B this week so I plan on something similar
All my subnets running PCs will have to go through pi for dns resolving and add blocking.
For my smart devices, media devices, game devices, dont think it really matters unless someone has a compelling reason.

I should be able then to of more assistance.
In the meantime for you vlan setup, this is the best reference.
viewtopic.php?f=13&t=143620

Oh wow, that thread is great. Thanks!

OK so my VLAN setup wasn't bad. I was however setting the VLAN tag on each wlan interface and adding it as a tagged interface instead of using PVID and then putting it untagged, so I swapped those over. Working fine.

I think I have a fix for my PiHole conundrum.

So I only want my main LAN using the PiHole for now, and any Guest or other VLANs using a.n.other DNS provider.

So I did this:

/ip firewall address-list
add address=192.168.88.3 list=PiHole

Then updated the DNS Rerouting NAT entries to this:

add action=dst-nat chain=dstnat comment="DNS Rerouting" dst-address=\
!192.168.88.3 dst-port=53 log=yes log-prefix=redirect-gdns-udp protocol=\
udp src-address=192.168.88.0/24 src-address-list=!PiHole to-addresses=\
192.168.88.3 to-ports=53
add action=dst-nat chain=dstnat dst-address=!192.168.88.3 dst-port=53 log=yes \
log-prefix=redirect-gdns-tcp protocol=tcp src-address=192.168.88.0/24 \
src-address-list=!PiHole to-addresses=192.168.88.3 to-ports=53
add action=masquerade chain=srcnat dst-address=192.168.88.3 dst-port=53 \
log-prefix=masq protocol=udp src-address=192.168.88.0/24
add action=masquerade chain=srcnat dst-address=192.168.88.3 dst-port=53 \
log-prefix=masq protocol=tcp src-address=192.168.88.0/24

I'm not sure if this is the correct way to achieve the result but it does work. I'm always concerned about hacking something in when there is a more efficient way of doing it.

Good questions..................
I see what you are doing wrt to redirect!! Except you need to use action=redirect
Perhaps we can simplify those rules.

add action=redirect chain=dstnat \
dst-port=53 log=yes log-prefix=redirect-gdns-udp \
protocol=udp

add action=redirect chain=dstnat \
dst-port=53 log=yes log-prefix=redirect-gdns-tcp \
protocol=tcp

In IP DNS settings, you allow remote requests.
You can put a few servers in there 8.8.8.8, 8.8.4.4 for example.
For each subnet network configuration under DNS SERVER you put.
192.168.88.3 (for all those you want to force to pi-hole).
192.168.X.1 (same as the subnets gateway setting and this is for subnets which dont require redirection)

As far as masquerade rules go, dont confuse them with DNS redirect etc............
Its normally for source nat use cases and typically for nat translation out and back to the internet.

add action=masquerade chain=srcnat out-interface=eth1

Cheers. I will give that a go and report back.

Just remember, that I am no IT networking guru and wont have my PI device to confirm until later this week.

I work in IT but I'm servers and storage not networking. This is a new world to me.

Natting will work for redirecting naturally, but maybe cleaner / simpler: define different dns server depending on network segment?

So, ex:

Oh yeah I have the PiHole specified as the DNS server given out by DHCP but I have found some devices *cough* Google Android *cough* ignore those if it pleases them and do direct calls out to 8.8.8.8 and 8.8.4.4.

This dst-nat rule will capture any outgoing connections on udp53 and re-direct them to the PiHole.

If you don't have the dst-nat rule then certain apps on Android will still show adverts, as they bypass local DNS lookup. Doing the dst-nat they are all disabled and blocked by PiHole.

Works great!

dnat is a sure way to force your way

Okay I am ready to deploy my Rasp PI with Hole Ad blocking but I have a dilemma.
The questions is how to implement in a multi-VLAN universe.
I have two options ( I will be using an available port on the router as I thought the closer to source the better).
Option A. Create a pi-hole VLAN for this purpose lets say vlan15
Option B. Put the pi-hole on the main house vlan (vlan11)

The issues I have is that if the pi-hole is on a port on the router and if Assign it to my home vlan, it will be an access port???? (or to vlan15 for that matter)
So how do I get multiple vlans to talk to the pi-hole. How do I get pi-hole to respond to non vlan11 traffic
How do I ensure that non vlan11 traffic doesnt get stripped when ingressing the port.
As you can see either way I am stumped on how to handle all traffic going to port 53 on this address.
Will firewall rules do the trick all that is needed? But vlan filtering doesnt care about fw rules......

The best best would be to make the ethernet connection on the raspberry pi a trunk port but not sure that is possible as it assumes the port it will connect to is capable of being a hybrid port.
For example untagged for vlan11 on eth0 and then tagged for the rest of the vlans....... (RouterOS does not do hybrid ports).
Stumped for now.

I hope I’m understanding your issue right. The Rasp Pi can support as many VLANs as you need, right? Setup in /etc/dhcpcd.conf. I have 2 on mine with separate DHCP on each, but expect to go to 4 soon. Doesn’t seem to cause any issue for the Pi-Hole app. It just shows the appropriate originating IP.

You don't have to use untagged on rpi (linux). It's perfectly fine to make rpi-connecting port trunk and configure network on rpi as tagged-only. @cifzo already hinted at how it's done. Network configuration is likely in /etc/network/interface ... if it's not, tell us and I'll enlighten you further

You should adjust the base network interface name ... in the code above it's eth0, but it might be something else (such as eno1 or enp0s3 or something). You can get it either from current setup or issuing command ip address ...

OMG, I am getting ill, I am going to have to program another box, this time in snotty linus code... Egads, I am really stooping low here. Where is my spoon its feeding time.
Okay so put vlan11 on the eth0 port and with a fixed static LANIP. That part seems okay.
Next are you saying I have to add EVERY OTHER FRICKEN VLAN setup (same as for vlan11), assign a static IP for each vlan and use a diff ethport???

Hmmm I guess than I just tag eth4 with all the vlans.............
Also I could create a vlan just for the pi but that means one more vlan to setup LOL.................

What about firewall rules.........
PI to router?? (I dont think so and I can get rid of my input chain lan to router for port 53 rules?? but still keep my allow remote IP dns)
PI to internet on port 53, udp and tcp (most likely)
All vlans to PI address on port 53, udp and tcp (most likely) BUT NOT the reverse right!!!! (return packets allowed thus no need for PI to vlans rule)

++++++++++++++++++++++
Wait, what if for the vlans I want lets say vlan11,100,200,69,66 I use the gateway IP of the associated subnet as the DNS server (AS I DO NOW).
Then since its really the router I am pointing them at....... I tell the router send all my DNS requests to the pi-hole.
Is that possible?? Some sort of redirect function. Thus I dont have to do anything too funky.
(if so, would it be best to put the pi hole on ether4 not on a bridge but on its own LANX for example).
(I would only need one LANX static IP for the pi-hole and I assume some vlan to LAX fw filter rules).

++++++++++++++++++++++
Wait, what if for the vlans I want lets say vlan11,100,200,69,66 I use the gateway IP of the associated subnet as the DNS server (AS I DO NOW).
Then since its really the router I am pointing them at....... I tell the router send all my DNS requests to the pi-hole.
Is that possible?? Some sort of redirect function. Thus I dont have to do anything too funky.
(if so, would it be best to put the pi hole on ether4 not on a bridge but on its own LANX for example).
(I would only need one LANX static IP for the pi-hole and I assume some vlan to LAX fw filter rules).

As you know, it's best if I stay away from VLAN questions. I have my RPI on x.x.x.4 on each subnet. Then I specify that IP as the primary DNS in the DHCP server. Unfortunately, that does put the DNS traffic outside the router. But that's fine in my scenario.

++++++++++++++++++++++
Wait, what if for the vlans I want lets say vlan11,100,200,69,66 I use the gateway IP of the associated subnet as the DNS server (AS I DO NOW).
Then since its really the router I am pointing them at....... I tell the router send all my DNS requests to the pi-hole.
Is that possible?? Some sort of redirect function. Thus I dont have to do anything too funky.
(if so, would it be best to put the pi hole on ether4 not on a bridge but on its own LANX for example).
(I would only need one LANX static IP for the pi-hole and I assume some vlan to LAX fw filter rules).

As you know, it's best if I stay away from VLAN questions. I have my RPI on x.x.x.4 on each subnet. Then I specify that IP as the primary DNS in the DHCP server. Unfortunately, that does put the DNS traffic outside the router. But that's fine in my scenario.

Can you elaborate? Is the RPI connected to the router on its own LAN? Not sure what you mean by .4 on each subnet? Diagram?
How is your RPI configured?

Just using MKX's rpi configuration... It's got the rpi on 192.168.11.13 as a static IP on VLAN 11, and on 192.168.15.42 as a static IP on VLAN 15.

So on the router...
/ip dhcp-server network
add address=192.168.11.0/24 dns-server=\
192.168.11.13,208.67.222.222,208.67.220.220 gateway=192.168.11.1
add address=192.168.15.0/24 dns-server=\
192.168.15.42,208.67.222.222,208.67.220.220 gateway=192.168.15.1

So you configured the RPI itself with multiple VLAN subnets??

The best source I've found on Rpi VLANs is:
https://www.sbprojects.net/projects/ras ... i/vlan.php (unfortunately, Raspbian changed how it does things, so anything over a year old isn't completely correct)

If you do the VLANs first, and then install pihole, you get prompted for which interface to use. Choose whichever you plan to administer the pihole through. By the way, the pihole install has you set up a static IP, so no need to mess with that in advance.

After the VLANs are up and the pihole is running, go to pihole web interface. Under Settings, go to the DNS tab. There, you need to check 'Listen on all interfaces'.

Assuming you've got active clients on your VLAN, you should be able to check the pihole, and see those IPs come through.

There may well be a way to do this in the router. I'm just *slightly* better at Linux than I am at Mikrotik. )

If I don't have an easier router method, I shall take your advice. Much thanks either way!

I'm not sure if that would do the trick ... but can't you use main router as DNS server for clients and use rpi as router's upstream DNS server? So set /ip dns set allow-remote-requests=yes servers=<single IP of rpi here> ... Or do dst-nat on TCP port 53 for "LAN" connections and set up rpi as target (if rpi has got its own IP subnet, hairpin nat is not necessary).
This simplifies setup on rpi which seems to be truly necessary in @anav's complicated life (where to store that snow shovel that it's gonna be needed before end of August?) ...

I'm not sure if that would do the trick ... but can't you use main router as DNS server for clients and use rpi as router's upstream DNS server? So set /ip dns set allow-remote-requests=yes servers=<single IP of rpi here> ... Or do dst-nat on TCP port 53 for "LAN" connections and set up rpi as target (if rpi has got its own IP subnet, hairpin nat is not necessary).
This simplifies setup on rpi which seems to be truly necessary in @anav's complicated life (where to store that snow shovel that it's gonna be needed before end of August?) ...

Okay so MKX lets say I use eth4 for the pi, give it its own LAN (not on my vlan bridge), 192.168.4.1 gateway etc........ This I can setup statically on the PI and setup on the router with relative ease.

TWO options as not clear what you mean.
(1) Then instead of DNS server on DHPC networks set to 1.1.1.1 or vlan Subnet gateway, I put in the ACTUAL LANIP of the PI!!
a. will this work
b. what firewall rules would I need (input or forward chain).
c. what do I put for IP DNS remote requests NO ??
OR
(2) Put IP of PI as IP DNS single dynamic server entry, plus allow remote requests ??

TWO options as not clear what you mean.
(1) Then instead of DNS server on DHPC networks set to 1.1.1.1 or vlan Subnet gateway, I put in the ACTUAL LANIP of the PI!!
a. will this work
b. what firewall rules would I need (input or forward chain).
c. what do I put for IP DNS remote requests NO ??
OR
(2) Put IP of PI as IP DNS single dynamic server entry, plus allow remote requests ??

Both options are possible.

About option (1)
a. it will work just as setting external DNS server (e.g. 8.8.8.8.) works
b. you need firewall rules for forward chain ... allowing VLANs to connect to rpi's IP address port 53 (both TCP and UDP) and allowing rpi to connect to internet (most important is to allow it to connect remote DNS servers. Which ones depends on rpi DNS server setup, you can set it up to use a few select forwarders so it will only connect those ... or you can set it up without forwardes, in that case it will connect all DNS server in the wild if needed to resolve some particular address)
c. you can if all the clients are going to use rpi directly

About option (2)
Yup.

In my setup, I actually have a hybrid solution: I'm using option (1) for LAN subnets which are "friendly" and I'm using option (2) for "alien" LAN subnets where I don't want to expose my home DNS server (not an rpi, it's a proper linux server).
Regardless of using option (2) only for a few select subnets I don't restrict access to router's DNS service for "friendly" LAN subnets so I don't have any special firewall filter rules regarding DNS service on chain=input ... call me naïve, but I somehow trust myself

Okay, so the scenario is I have 5 VLANS vlan5,6,7,8,9,10 all on the same bridge (being fed on eth2, eth3 to two different managed switches etc.........
vlan5,6,7 require Pi-hole to block advertising, vlans 8,9,10 do not.
RPI is on ether4, not on the bridge, not on a vlan with IP 192.168.4.2 (gateway 192.168.4.1)

Option 1A
vlans 5-7 dhcp network gateway=vlan5-7 gatewayIP respectively and dns-server=192.168.4.2 for all
vlans 8-10 dchp network gateway=vlan8-10 gatewayIP respectively and dns-server vlan8-10=vlan-gatewayIP respectively.
IP DNS remote requests enabled (yes)
Dynamic servers 1.1.1.1, 8.8.4.4 for example.
/ip firewall filter
allow source vlans 5-8 to access destination 192.168.4.2 dst port 53 protocol udp/tcp
allow source 192.168.4.2 dest port 53 protocol udp/tcp destination-address-list=RPI_servers
(address list = RPI-servers - list of dns servers I wish to allow RPI to use for resolving)
In addition to prevent vlan5-7 devices to be configured to bypass the DNS setting for the subnet (to use proxy or to hard code DNS in PC setting) I need to add a redirect rule to these vlans for this purpose.............. Not needed for the non-RPI vlans unless you can think of a good reason?
/ip firewall NAT
add action=redirect chain=dstnat comment=\
"Force vlan Users 5-7 to RPI for DNS - TCP/UDP" disabled=yes dst-port=53 protocol=\
tcp/udp src-address-list=VLAN,5-8 subnets (or perhaps in-interface-list=RPI_VLANS (if so created in /interfaces for example).

"Option 1B"
Same as above except I encode all subnets with a fixed list of available servers such that
vlan5-7 is RPI IP, vlans8-10 dhcp-network dns-server is set to 1.1.1.1 or 8.8.4.4
In this case I should be able to set IP remote requests=NO.
I will still need the redirect rule for the RPI vlans5-7 to ensure they dont stray from RPI IP for dns resolving.
I dont think I need any other forward rules - for vlan8-10 to get access public DNS (as they already have a VLAN to internet allow rule).
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Option 2.
The distinct difference in our outlook here MKX is that they are polar opposites LOL. I am not trusting my friendly networks (or I should say I am protecting my friendly networks from advertising (vlans5-7), but don't care to protect other vlans from advertising (vlans8-10)
This option is using the RPI as the Dynamic server that the router is allowed to use for DNS requests.
In this option allow remote requests is allowed (yes). VLANs 5-8 have their vlan subnet gateway also as dns-server IP respectively.
I require input filter chain to allow vlans5-7, to router for port 53 etc..........
The other vlans (8-10) have their dhcp-network DNS-server settings set to 1.1.1.1 or 8.8.4.4 for example.
In this case I still need the redirect rule for vlans5-7!
The vlans do not require forward filter rules as they already have allow to internet rules in place.
RPI still needs access to internet for port53
Vlans5-7 do not require forward filter rules for port 53.

So in essence to summarize we have two instances of two blocks of vlans (with 3 possible outcomes)
(1) RPI vlans defined by dhcp-network DNS set to RPI IP / IP remote settings not required / forward chain to RPI required / router dynamic server not required
(2) RPI vlans defined by dhcp-network DNS set to gatewayIP / IP remote settings yes required / input chain to 53 required / router dynamic server = RPI IP
Note: both require redirect dstnat rule to ensure RPI cannot be bypassed.

(3) Vlans8-10 defined by dhcp-network server set to public DNS servers / IP remote settings not required / access for vlans to internet already exist / router dynamic server not required
(4) vlans8-10 defined by dhcp-network server set to gatewayIP / IP remote settings yes required / input chain to 53 required / router dynamic servers set to public DNS servers.

Thus
(1) + (4) = Option 1A above
(1) + (3) = Option 1B above
(2) + (3) = Option 2 above.

The selection of (2) +(4) is not possible (although is many cases is the defacto standard setup) because then all vlans would be either set to RPI or public servers and we wish a mix of both.
Comments??