User345135
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Using the router as DNS for the guest network

Wed Jul 03, 2024 10:36 am

Hello,

192.168.0.0/16 is my main LAN and I have a guest network at 172.16.0.0/12.

I want the router to query my private DNS server at 192.168.x.x on behalf of the clients in the guest network.

How would I do this?
 
erlinden
Forum Guru
Posts: 2463
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Using the router as DNS for the guest network

Wed Jul 03, 2024 10:40 am

Can you share your current config?
/export file=anynameyoulike
Remove serial and any other private info.
 
User345135
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Re: Using the router as DNS for the guest network

Wed Jul 03, 2024 11:11 am

Can you share your current config?
The 9.9.9.9 DNS server is temporary.


# RouterOS 7.13.5

/interface bridge
add admin-mac=REDACTED auto-mac=no comment=defconf name=bridge
add name=bridge_guest
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-n .frequency=2300-7300 \
.skip-dfs-channels=10min-cac configuration.country=REDACTED .mode=ap .ssid=\
REDACTED .tx-chains="" disabled=no security.authentication-types=\
wpa2-psk,wpa3-psk .connect-priority=0 .ft=yes .ft-over-ds=yes
add channel.band=2ghz-n configuration.mode=ap .ssid=REDACTED \
disabled=no mac-address=D6:01:C3:6E:7F:3B master-interface=wifi1 name=\
guest_wifi security.connect-priority=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.x.x-192.168.x.x
add name=guest_pool ranges=172.16.0.2-172.31.255.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=12h name=defconf
add address-pool=guest_pool interface=bridge_guest name=guest
/port
set 0 name=serial0
/interface bridge filter
add action=drop chain=forward in-interface=guest_wifi
add action=drop chain=forward out-interface=guest_wifi
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge_guest interface=guest_wifi
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge_guest list=LAN
/ip address
add address=192.168.x.x/24 comment=defconf interface=bridge network=\
192.168.x.x
add address=172.16.0.1/12 interface=bridge_guest network=172.16.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=172.16.0.0/12 comment=guest dns-server=9.9.9.9 gateway=172.16.0.1 \
netmask=12
add address=192.168.x.x/24 comment=main dns-server=192.168.x.x gateway=\
192.168.x.x netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.x.x use-doh-server=\
https://REDACTED/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.x.x comment=defconf name=router.lan
add address=192.168.x.x comment= match-subdomain=yes name=\
REDACTED
/ip firewall filter
add action=drop chain=input comment=\
"Deny ICMP echo (ping) requests from outside" icmp-options=8:0-255 \
in-interface-list=!LAN protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="allow guest only internet" \
in-interface=bridge_guest out-interface=!ether1
add action=reject chain=input comment="deny guest to main network" disabled=\
yes dst-address=192.168.0.0/16 reject-with=icmp-network-unreachable \
src-address=172.16.0.0/12
add action=reject chain=output comment="Block UDP port 53" dst-address=\
!192.168.x.x dst-port=53 log=yes log-prefix="block DNS" protocol=udp \
reject-with=icmp-admin-prohibited
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat log=yes out-interface=bridge src-address=\
172.16.0.0/12 to-addresses=192.168.x.x
add action=dst-nat chain=dstnat comment="Redirect DNS to router" dst-address=\
!192.168.x.x dst-port=53 log=yes protocol=udp src-address=!192.168.x.x \
to-addresses=192.168.x.x to-ports=53
add action=dst-nat chain=dstnat protocol=udp src-address=192.168.x.x/24 \
src-port=53 to-addresses=192.168.x.x
add action=dst-nat chain=dstnat dst-address=!192.168.x.x dst-port=53 log=yes \
protocol=tcp src-address=!192.168.x.x to-addresses=192.168.x.x to-ports=\
53
add action=masquerade chain=srcnat log=yes protocol=udp src-address=\
192.168.x.x/24 to-ports=53
add action=masquerade chain=srcnat log=yes protocol=tcp src-address=\
192.168.x.x/24 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-address=172.16.0.0/12 \
to-addresses=192.168.x.x
/ip service
set telnet disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-autodetect=no time-zone-name=UTC
/system logging
add topics=wireless,debug
add topics=firewall
/system note
set show-at-login=no
/system ntp client
set mode=multicast
/system ntp client servers
add address=pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using the router as DNS for the guest network

Wed Jul 03, 2024 10:24 pm

Should try to only use ONE Bridge where possible.
In this case you don't need two bridges.
Simply assign the wifi interface the appropriate address as the second subnet.
Do not use bridge filters unless necessary, in your case not necessary.

This is wrong.......
/ip dns static
add address=192.168.x.x comment=defconf name=router.lan


Here you need to put the unencrypted servers that the router needs to contact FIRST ( regular DNS, to reach encrypted DNS).





# RouterOS 7.13.5

/interface bridge
add admin-mac=REDACTED auto-mac=no comment=defconf name=bridge


/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT


/ip pool
add name=dhcp ranges=192.168.x.x-192.168.x.x
add name=guest_pool ranges=172.16.0.2-172.31.255.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=12h name=defconf
add address-pool=guest_pool interface=guest_wifi name=guest

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wifi1


/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=bridge list=LAN
add interface=guest_wifi list=LAN
add comment=defconf interface=bridge list=MGMT


/ip address
add address=192.168.x.x/24 comment=defconf interface=bridge network=\
192.168.x.x
add address=172.16.0.1/12 interface=guest_wifi network=172.16.0.0


/ip dhcp-server network
add address=172.16.0.0/12 comment=guest dns-server=192.168.x.x gateway=172.16.0.1 \
netmask=12
add address=192.168.x.x/24 comment=main dns-server=192.168.x.x gateway=\
192.168.x.x netmask=24


/ip dns
set allow-remote-requests=yes servers=192.168.x.x use-doh-server=\
https://REDACTED/dns-query verify-doh-cert=yes
/ip dns static
add address=<IPv4 address of the DoH server, learned via plain DNS> name=<DoH server hostname>
add address=<IPv4 address of the second DoH server> name=<second DoH server hostname>

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="allow ping" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=MGMT
add action=accept chain=input comment="allow private DNS to internet for initial connection" dst-port=53 protocol=udp in-interface=bridge src-address=192.168.x.x
add action=accept chain=input comment="allow private DNS to internet for initial connection" dst-port=53 protocol=tcp in-interface=bridge src-address=192.168.x.x
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Guest to DNS" in-interface=guest_wifi dst-port=53 protocol=udp dst-address=192.168.x.x
add action=accept chain=forward comment="Guest to DNS" in-interface=guest_wifi dst-port=53 protocol=tcp dst-address=192.168.x.x
add action=accept chain=forward comment="port forwarding (disable or remove if not required)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="force DNS to private server" in-interface-list=LAN \
    dst-port=53 log=yes protocol=udp src-address=!192.168.x.x to-addresses=192.168.x.x
add action=dst-nat chain=dstnat comment="force DNS to private server" in-interface-list=LAN \
    dst-port=53 log=yes protocol=tcp src-address=!192.168.x.x to-addresses=192.168.x.x

/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
 
User345135
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Re: Using the router as DNS for the guest network

Wed Jul 03, 2024 11:16 pm

Should try to only use ONE Bridge where possible.
In this case you don't need two bridges.
All the tutorials I followed for creating a guest wifi did it this way.
Simply assign the wifi interface the appropriate address as the second subnet.
You mean I have to make the guest pool a subnet of 192.168.x.x/x and cannot use 172.16.0.0/12?
Last edited by User345135 on Thu Jul 04, 2024 12:44 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 12:24 am

Router is optimized to use one bridge, using two is very possible and not illegal or WRONG, just loads the CPU unnecessarily.

No, the guest network accesses the guest pool 172..........., where do you see them getting any other IP addresses?
 
User345135
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 12:43 am


No, the guest network accesses the guest pool 172..........., where do you see them getting any other IP addresses?
Bear with me. I'm new. I'm trying to clarify what you said.
I still have not figured out how to use only one bridge.
Last edited by User345135 on Thu Jul 04, 2024 2:23 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 12:52 am

No problem.
Think of it this way: you only have ONE PORT required for the guest subnet, correct?
If it was not wifi but wired, you would just assign that subnet to the port, no need for a bridge.
A bridge makes sense when you have one flat subnet that goes out on all ports.
Once you need multiple subnets, invariably then you need to use vlans and the bridge does no dhcp etc...

In this case, it's not one physical port but only one wireless port that needs to carry the guest subnet.
So we assign the guest wifi port the IP address.
 
User345135
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 1:32 am

we assign the guest wifi port the IP address.
Where can I do that?

The guest_wifi port has no option that I know of to specify a network, and in DHCP server > guest_wifi interface with guest_pool, I get the error "Couldn't change DHCP Server <guest> - can not run on slave interface (6)"

Any help is appreciated.
 
anav
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 2:55 am

Why do you ask, I gave it to you in the config!!!
add address=172.16.0.1/12 interface=guest_wifi network=172.16.0.0
It would be no different if it was a physical port like ether2!
add address=172.16.0.1/12 interface=ether2 network=172.16.0.0


/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=bridge list=LAN
add interface=guest_wifi list=LAN
add comment=defconf interface=bridge list=MGMT


/ip address
add address=192.168.x.x/24 comment=defconf interface=bridge network=\
192.168.x.x
add address=172.16.0.1/12 interface=guest_wifi network=172.16.0.0


/ip dhcp-server network
add address=172.16.0.0/12 comment=guest dns-server=192.168.x.x gateway=172.16.0.1 \
netmask=12
add address=192.168.x.x/24 comment=main dns-server=192.168.x.x gateway=\
192.168.x.x netmask=24
 
User345135
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 3:27 am

Why do you ask, I gave it to you in the config!!!
add address=172.16.0.1/12 interface=guest_wifi network=172.16.0.0
I already have this.
I thought you were quoting me so I ignored the wall of text.
I'm using the webfig but let me take another look.
 
User345135
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 3:43 am


/ip neighbor discovery-settings
set discover-interface-list=MGMT

input does not match any value of discover-interface-list
 
User345135
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 4:16 am

I gave it to you in the config
What you posted seems to reflect my config except the "MGMT" part. I have not copy-pasted literally because annoyingly the terminal doesn't allow pasting and I have not set up SSH.

So far even though the guest_wifi interface is associated with the 172.16.0.0 network, clients still get assigned addresses in the 192.168.0.0 space.
 
anav
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 4:30 am

Probably because you have not taken the guest_wifi interface off of the /interface bridge port settings yet.
Bedtime here...
 
User345135
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 5:07 am

Probably because you have not taken the guest_wifi interface off of the /interface bridge port settings yet.
But then I can't connect to guest wifi anymore.

I will go back to using a guest bridge for the time being.
So back to my original question: how do I make the router a DNS proxy for the guests?

Edit: I made it work by creating a masquerade rule in the srcnat chain to permit guests to query the DNS server on port 53 as if they were the router.

Now I need to fix the DoH. I tried importing root certificates but it didn't work.
But more importantly, I need to know why the Internet is accessing my LAN despite being denied by the firewall, or so I think.
I have not inspected the rules yet but here they are anyway:


/ip firewall filter
add action=drop chain=input comment="Deny ICMP echo (ping) requests from outside" icmp-options=8:0-255 in-interface-list=!LAN protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
add action=reject chain=input comment="deny guest to main network" dst-address=192.168.0.0/16 reject-with=icmp-network-unreachable src-address=\
    172.16.0.0/12
add action=reject chain=output comment="Block UDP port 53" dst-address=!192.168.x.x dst-port=53 log=yes log-prefix="block DNS" protocol=udp \
    reject-with=icmp-admin-prohibited
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.x.x dst-port=53 out-interface=bridge protocol=udp src-address=172.16.0.0/12 to-addresses=\
    192.168.x.x
add action=dst-nat chain=dstnat comment="Redirect DNS to router" dst-address=!192.168.x.x dst-port=53 protocol=udp src-address=!192.168.x.x \
    to-addresses=192.168.x.x to-ports=53
add action=dst-nat chain=dstnat protocol=udp src-address=192.168.x.0/24 src-port=53 to-addresses=192.168.x.x
add action=dst-nat chain=dstnat dst-address=!192.168.x.x dst-port=53 protocol=tcp src-address=!192.168.x.x to-addresses=192.168.x.x to-ports=53
add action=masquerade chain=srcnat protocol=udp src-address=192.168.x.0/24 to-ports=53
add action=masquerade chain=srcnat protocol=tcp src-address=192.168.x.0/24 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-address=172.16.0.0/12 to-addresses=192.168.x.x
/ip service
set telnet disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

Last edited by User345135 on Thu Jul 04, 2024 12:45 pm, edited 2 times in total.
 
mszru
Frequent Visitor
Posts: 86
Joined: Wed Aug 10, 2016 10:42 am

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 12:27 pm

If an interface is a bridge port it becomes a slave interface and inherits IP configuration from that bridge. If you remove the interface from the bridge, IP configuration must be set for this interface as bridge IP configuration no longer applies to that interface.

You cannot connect to guest wifi anymore because the DHCP server still runs on the bridge and your wifi interface is now detached from that bridge.

If you decide to get rid of the "bridge_guest", make sure to change interface for guest DHCP server from "bridge_guest" to "guest_wifi" (I cannot grasp the proper name of it by looking at your config) and set IP address for "guest_wifi" and not "bridge_guest".

When that works and your guests are able to get IP addresses from the guest pool, change the DNS server in the guest DHCP server as you need.
 
anav
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 12:40 pm

mszru
Also gave that to the OP in the recommended config.....
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=12h name=defconf
add address-pool=guest_pool interface=guest_wifi name=guest
 
anav
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 12:41 pm

You need to post the latest config WITH the recommended changes that you claim do not work.
Then we can make progress.
 
User345135
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 12:50 pm

You need to post the latest config WITH the recommended changes that you claim do not work.
Then we can make progress.
DNS works with a guest bridge now so I'm not sure I want to give it another shot with just one. If all the tutorials I've seen are using a guest bridge, it's probably good enough for me.
It's my time to sleep now.
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 7:13 pm

Yup, if it works, and the rest of the users are happy, then it's an exercise in config that is not necessary at this point.
To be frank, until recently I would never assign subnets to ports or wifi ports, and would only use vlans.......so everyone learns at their own pace.
 
rextended
Forum Guru
Posts: 12438
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 7:43 pm

192.168.0.0/16 is my main LAN and I have a guest network at 172.16.0.0/12.

It's wrong to allocate so much space to IPs:
I don't think you have ~65024 devices in the main network,
as I don't think you can have (on a single wifi then...) ~1040384 guests.
All it takes is a stupid antivirus or an IP scan to fill the device cache and block your entire network...

Default ARP size is 8192 records, and just your main LAN is 8 times more... And guests 127 times more...
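The thread's fixes are scattered across several posts: anav and mszru on DHCP servers bound to a slave (bridge-port) interface, the opening question's router-as-DNS setup, and rextended's ARP-table sizing. Here is a small lint that checks an export for all three at once. It is an added example written for this page, not code from any poster or from MikroTik; the export parser and the sample export are constructed, the 8192 figure is the default rextended quotes, and only field names that appear in the exports above are relied on.

```python
"""Lint a RouterOS export for three pitfalls raised in this thread:
1. a DHCP server bound to an interface that is a bridge port (a slave), which
   RouterOS rejects with "can not run on slave interface";
2. a subnet whose host count exceeds the default ARP table size (8192);
3. a DHCP network that hands out the router as DNS while /ip dns
   allow-remote-requests is not yes, so the router will not answer guests."""
import ipaddress
import shlex

ARP_TABLE_DEFAULT = 8192  # default neighbor table size quoted in the thread

# Constructed sample modelled on the exports in this thread (not a real config).
SAMPLE_EXPORT = """\
# RouterOS 7.13.5
/interface bridge
add name=bridge
add name=bridge_guest
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge_guest interface=guest_wifi
/ip address
add address=192.168.0.1/16 comment=defconf interface=bridge network=\\
    192.168.0.0
add address=172.16.0.1/12 interface=guest_wifi network=172.16.0.0
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=12h name=defconf
add address-pool=guest_pool interface=guest_wifi name=guest
/ip dhcp-server network
add address=172.16.0.0/12 comment=guest dns-server=172.16.0.1 gateway=\\
    172.16.0.1
add address=192.168.0.0/16 comment=main dns-server=192.168.0.10
/ip dns
set allow-remote-requests=no servers=192.168.0.10
"""


def parse_export(text):
    """Return (section, verb, {key: value}) for each add/set statement.
    A trailing backslash continues the statement on the next line, exactly as
    RouterOS writes its exports; '#' lines are comments."""
    statements, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]          # value or token list continues below
            continue
        statements.append(buf + line)
        buf = ""
    entries, section = [], None
    for stmt in statements:
        if stmt.startswith("/"):
            section = stmt            # e.g. "/ip dhcp-server network"
            continue
        verb, *tokens = shlex.split(stmt)   # shlex copes with comment="a b"
        params = dict(tok.partition("=")[::2] for tok in tokens if "=" in tok)
        entries.append((section, verb, params))
    return entries


def find_issues(entries):
    """Run the three checks and return human-readable findings."""
    by_section = {}
    for section, _, params in entries:
        by_section.setdefault(section, []).append(params)
    bridge_ports = {p["interface"] for p in by_section.get("/interface bridge port", [])}
    addresses = [(p["interface"], ipaddress.ip_interface(p["address"]))
                 for p in by_section.get("/ip address", [])]
    dns = {k: v for p in by_section.get("/ip dns", []) for k, v in p.items()}
    router_ips = {str(a.ip) for _, a in addresses}
    issues = []
    for p in by_section.get("/ip dhcp-server", []):           # check 1
        if p.get("interface") in bridge_ports:
            issues.append(f"dhcp-server '{p.get('name')}' is bound to {p['interface']}, "
                          "which is a bridge port (slave): bind it to the bridge "
                          "or remove the port from the bridge")
    for iface, addr in addresses:                              # check 2
        hosts = addr.network.num_addresses - 2
        if hosts > ARP_TABLE_DEFAULT:
            issues.append(f"{addr} on {iface} has {hosts} usable hosts, more than "
                          f"the default ARP table of {ARP_TABLE_DEFAULT}: one scan "
                          "can exhaust the table")
    for p in by_section.get("/ip dhcp-server network", []):   # check 3
        if (p.get("dns-server") in router_ips
                and dns.get("allow-remote-requests") != "yes"):
            issues.append(f"network {p.get('address')} hands out the router "
                          f"({p['dns-server']}) as DNS but allow-remote-requests "
                          "is not yes, so the router will refuse those queries")
    return issues


if __name__ == "__main__":
    for issue in find_issues(parse_export(SAMPLE_EXPORT)):
        print("-", issue)
```

The lint does not read the firewall, so a port-53 accept rule in the input chain for the guest interface (as in anav's config) is still needed for check 3's fix to be complete.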
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 8:40 pm

Maybe he has a large extended family ;-)
 
User345135
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Re: Using the router as DNS for the guest network

Thu Jul 04, 2024 11:46 pm

192.168.0.0/16 is my main LAN and I have a guest network at 172.16.0.0/12.

It's wrong to allocate so much space to IPs:
I don't think you have ~65024 devices in the main network,
as I don't think you can have (on a single wifi then...) ~1040384 guests.
All it takes is a stupid antivirus or an IP scan to fill the device cache and block your entire network...

Default ARP size is 8192 records, and just your main LAN is 8 times more... And guests 127 times more...
Noted. I used these for the sake of simplicity during testing.
 
ips
Member Candidate
Posts: 154
Joined: Mon Oct 09, 2023 6:48 pm
Location: Italy

Re: Using the router as DNS for the guest network

Fri Jul 05, 2024 12:08 am

Probably because you have not taken the guest_wifi interface off of the /interface bridge port settings yet.
Bedtime here...
Actually there is another report by a user who was not able to make a DHCP server listen on a wifi slave interface even if that interface is not in a bridge.
And I replicated part of his setup to confirm that.

See viewtopic.php?p=1082216#p1081397
