add a DNS server to a MikroTik router
Posted: Thu Oct 17, 2024 11:34 pm
Hello,
I have a MK router which uses Cloudflare as its DNS resolver, and I also have a local DNS server on the NAS in the LAN. I would like to add this NAS DNS server to the MK router so that it resolves local names for some Docker containers running on the NAS.
I would like to know if someone can help me add the NAS DNS server to the MK router, so that when I access the NAS locally or from the WireGuard VPN I can reach the containers by the names defined in the NAS Web Station instead of typing the NAS IP:port in the browser.
At the moment I have defined the container names on the MK router (MK configuration lines 66 to 77), but I would like to use the DNS server on the NAS for them.
Attached are a diagram of my configuration and the MK router configuration.
Tks in advance!
# Review notes (added): RouterOS 7.16 export as posted. Keys, MAC addresses and
# the serial number were blanked by the poster; the leading number on each line
# is the forum's line gutter (the post refers to "lines 66 to 77"), not config.
1 # 2024-10-04 18:08:16 by RouterOS 7.16
2 # software id = UE3C-1FI0
3 #
4 # model = RB760iGS
5 # serial number =
6 /interface bridge
7 add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf name=local \
port-cost-mode=short
8 /interface ethernet
9 set [ find default-name=ether1 ] name="ether1[WAN]"
10 set [ find default-name=sfp1 ] disabled=yes
11 /interface wireguard
12 add listen-port=35001 mtu=1420 name=WG_ALL
13 /interface list
14 add comment=defconf name=WAN
15 add comment=defconf name=LAN
16 /ip pool
17 add name=dhcp ranges=192.168.88.2-192.168.88.254
18 /ip dhcp-server
19 add address-pool=dhcp interface=local lease-time=10m name=defconf
20 /ip smb users
21 set [ find default=yes ] disabled=yes
22 /port
23 set 0 name=serial0
24 /interface bridge port
25 add bridge=local comment=defconf interface=ether2 internal-path-cost=10 \
path-cost=10
26 add bridge=local comment=defconf interface=ether3 internal-path-cost=10 \
path-cost=10
27 add bridge=local comment=defconf interface=ether4 internal-path-cost=10 \
path-cost=10
28 add bridge=local comment=defconf interface=ether5 internal-path-cost=10 \
path-cost=10
29 add bridge=local comment=defconf interface=sfp1 internal-path-cost=10 \
path-cost=10
30 /ip firewall connection tracking
31 set udp-timeout=10s
32 /ip neighbor discovery-settings
33 set discover-interface-list=all
# NOTE(review): discover-interface-list=all includes ether1[WAN], so the router
# announces itself (neighbor discovery) towards the ISP side as well; the
# default configuration normally limits this to the LAN list.
34 /ipv6 settings
35 set disable-ipv6=yes forward=no
# IPv6 is disabled here, so the /ipv6 firewall sections further down are inert
# until it is re-enabled; they are still worth keeping in place.
36 /interface list member
37 add comment=defconf interface=local list=LAN
38 add comment=defconf interface="ether1[WAN]" list=WAN
39 /interface wireguard peers
# Only peer 40 carries client-dns=192.168.88.1. As far as this export shows,
# client-dns only feeds the client configuration RouterOS generates for that
# peer, so the other peers' clients will not use the router as resolver (and
# will not see the static names below) unless DNS is set in their own WireGuard
# config — relevant to the question about name resolution over the VPN.
40 add allowed-address=192.168.100.3/32 client-dns=192.168.88.1 interface=WG_ALL \
name="Adm - Dynabook X30L-K ESM" public-key=\
41 add allowed-address=192.168.100.5/32 interface=WG_ALL name=\
"Adm - MacBook Air M1 ESM" preshared-key=\
“” private-key=\ “” public-key=\ “”
42 add allowed-address=192.168.100.4/32 interface=WG_ALL name=\
"Adm - iPad Pro 12.9 ESM" preshared-key=\ “” private-key=\”” public-key=\””
43 add allowed-address=192.168.100.6/32 interface=WG_ALL name=\
"Adm - iPhone15ProMax ESM" public-key=\ “”
44 add allowed-address=192.168.100.7/32 interface=WG_ALL name=\
"Adm - iPadPro 11 Jenny" public-key=\ “”
45 add allowed-address=192.168.101.3/32 interface=WG_ALL name=\
"G24A1U01A - MacBook Air M1 ESM" private-key=\”” public-key=\””
46 add allowed-address=192.168.101.4/32 interface=WG_ALL name=\
"G24A1U02A - MacBook Air M1 ESM" private-key=\”” public-key=\””
# client-address=::/0 on the next peer looks unintended: no other peer sets it
# and this peer's allowed-address is an IPv4 /32 — confirm.
47 add allowed-address=192.168.102.2/32 client-address=::/0 interface=WG_ALL \
name=G24B1U01A private-key="" \ public-key=\””
48 /ip address
49 add address=192.168.88.1/24 comment=defconf interface=local network=\
192.168.88.0
50 add address=192.168.100.1/24 comment="Wireguard full lan access" interface=\
WG_ALL network=192.168.100.0
51 add address=190.141.32.176/30 comment="WAN static IP" interface="ether1[WAN]" \
network=190.141.32.176
# The public WAN address (and the gateway in route 112) was left unredacted
# while keys and MACs were blanked; worth redacting in a public post.
52 add address=192.168.101.1/24 comment="Wireguard G24A1" interface=WG_ALL \
network=192.168.101.0
53 add address=192.168.102.1/24 comment="Wireguard G24A02" interface=WG_ALL \
network=192.168.102.0
54 /ip arp
# Static ARP for the NAS (.2) and the .253 host; MACs blanked by the poster.
55 add address=192.168.88.253 interface=local mac-address=00:00:00:00:00:00
56 add address=192.168.88.2 interface=local mac-address=00:00:00:00:00:00
57 /ip cloud
58 set ddns-update-interval=15m
59 /ip dhcp-server lease
60 add address=192.168.0.0 client-id=1:00:00:00:00:00:00 mac-address=\
00:00:00:00:00:00 server=defconf
# Lease 60 assigns 192.168.0.0, which lies outside the 192.168.88.0/24 network
# that server defconf serves (network 63) — a leftover or a redaction; confirm.
61 add address=dhcp comment="DS1517+ SUNSET55N1" mac-address=00:00:00:00:00:00 \
server=defconf use-src-mac=yes
62 /ip dhcp-server network
63 add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
64 /ip dns
65 set allow-remote-requests=yes use-doh-server=\
https://cloudflare-dns.com/dns-query verify-doh-cert=yes
# allow-remote-requests=yes answers DNS on every interface. That is what lets
# LAN clients (network 63 hands out 192.168.88.1) and WireGuard clients use the
# router as resolver, but it also makes the WAN-side drops for port 53 (filter
# rules 97, 98) the only thing preventing an open resolver — keep them.
# Upstream is DoH only (no plain servers=), with certificate verification on.
66 /ip dns static
# Entries 67-68 pin cloudflare-dns.com so the DoH hostname resolves before DoH
# itself is usable. Entries 69-77 are the local names the post wants to move to
# the NAS resolver (192.168.88.2). Rather than listing each name here, a
# RouterOS 7 static entry of type=FWD can hand a whole zone to the NAS, e.g.
#   add type=FWD forward-to=192.168.88.2 name=<nas-zone> match-subdomain=yes
# with <nas-zone> replaced by the domain the NAS DNS actually serves; the flat
# names below (fs23a01, ...) would then be looked up with that suffix.
67 add address=104.16.248.249 name=cloudflare-dns.com type=A
68 add address=104.16.249.249 name=cloudflare-dns.com type=A
69 add address=192.168.88.1 name=router.local type=A
70 add address=192.168.88.2 comment="ofidatalab host" disabled=yes name=\
ofidatalab type=A
71 add address=192.168.88.2 comment="ofidatalab FS23A01" name=fs23a01 type=A
72 add address=192.168.88.2 comment="ofidatalab NC24A01" name=nc24a01 type=A
73 add address=192.168.88.2 comment="ofidatalab FS24A01" name=fs24a01 type=A
74 add address=192.168.88.2 comment="ofidatalab NC24A02" name=nc24a02 type=A
75 add address=192.168.88.2 name=hm23a01 type=A
76 add address=192.168.88.2 name=fs24a02 type=A
77 add address=192.168.88.253 name=DYNABK-ESM type=A
78 /ip firewall filter
# Rule order: 91 ("drop all else") is a catch-all for chain=forward, so the
# forward rules placed after it (95, 99, 100) can never match. chain=input has
# no such catch-all: apart from PORT-SCANNERS (79), invalid (92) and DNS from
# the WAN (97, 98), everything reaching ether1[WAN] is accepted by the chain's
# default, which exposes the services with empty address= in /ip service
# (www, ssh, winbox) and the NTP server further down. The defconf
# "drop all not coming from LAN" input rule appears to have been removed;
# re-adding a final `add action=drop chain=input in-interface-list=!LAN`,
# preceded by accepts for established,related, for UDP 35001 on the WAN
# (the WG_ALL listen port) and for in-interface=WG_ALL, would close that.
79 add action=drop chain=input comment="Block Port Scanners" src-address-list=\
PORT-SCANNERS
80 add action=fasttrack-connection chain=forward comment=\
"OK defconf: fasttrack (MK Forum 2023-04-12 ANAV)" connection-state=\
established,related hw-offload=yes
81 add action=accept chain=forward comment="OK defconf: accept established,relate\
d, untracked (MK Forum 2023-04-12 ANAV)" connection-state=\
established,related,untracked
82 add action=drop chain=forward comment=\
"OK defconf: drop invalid (MK Forum 2023-04-12 ANAV)" connection-state=\
invalid
83 add action=accept chain=forward comment=\
"OK allow internet traffic (MK Forum 2023-04-12 ANAV)" \
in-interface-list=LAN out-interface-list=WAN
# 84-87 admit the internet-facing NAS ports that the dst-nat rules (103-106)
# redirect; 86 is disabled together with nat rule 105.
84 add action=accept chain=forward dst-address=192.168.88.2 dst-port=80 \
in-interface="ether1[WAN]" protocol=tcp
85 add action=accept chain=forward dst-address=192.168.88.2 dst-port=443 \
in-interface="ether1[WAN]" protocol=tcp
86 add action=accept chain=forward disabled=yes dst-address=192.168.88.2 \
dst-port=9083 in-interface="ether1[WAN]" protocol=tcp
87 add action=accept chain=forward dst-address=192.168.88.2 dst-port=6690 \
in-interface="ether1[WAN]" protocol=tcp
88 add action=accept chain=forward comment=\
"OK WG Administracion (MK Forum 2023-04-12 ANAV)" in-interface=WG_ALL \
out-interface-list=LAN src-address=192.168.100.0/24
89 add action=accept chain=forward comment=\
"OK WG-Users G24A1 (MK Forum 2023-04-12 ANAV)" in-interface=WG_ALL \
out-interface-list=LAN src-address=192.168.101.0/24
# 90 limits the 192.168.102.0/24 VPN users to the NAS only (no out-interface).
90 add action=accept chain=forward comment=\
"WG-Users G24A2 (MK Forum 2024-04-12 ANAV)" dst-address=192.168.88.2 \
in-interface=WG_ALL src-address=192.168.102.0/24
91 add action=drop chain=forward comment="drop all else"
# Every chain=forward rule below this point (95, 99, 100) is shadowed by 91.
92 add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
93 add action=accept chain=input comment="defconf: accept ICMP" in-interface=\
"ether1[WAN]" packet-mark="" protocol=icmp
94 add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
95 add action=accept chain=forward comment="defconf: accept in ipsec policy" \
connection-state=established,related ipsec-policy=in,ipsec
96 add action=add-src-to-address-list address-list=PORT-SCANNERS \
address-list-timeout=1d chain=input comment="Port Scanner Detector" log=\
yes protocol=tcp psd=21,3s,3,1
97 add action=drop chain=input dst-port=53 in-interface="ether1[WAN]" protocol=\
tcp
98 add action=drop chain=input dst-port=53 in-interface="ether1[WAN]" protocol=\
udp
# 97-98 protect only port 53 on the WAN; they are not a substitute for a
# terminal drop in chain=input (see the note at the top of this section).
99 add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
100 add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
101 /ip firewall nat
# 103/104/106 expose NAS ports 80, 443 and 6690 to the internet and pair with
# filter accepts 84/85/87; 105 (9082->9083) is disabled with filter 86.
102 add action=masquerade chain=srcnat comment=\
"defconf: masquerade (MK Forum 2023-04-12 ANAV))" ipsec-policy=out,none \
out-interface-list=WAN
103 add action=dst-nat chain=dstnat dst-port=80 in-interface="ether1[WAN]" \
protocol=tcp to-addresses=192.168.88.2 to-ports=80
104 add action=dst-nat chain=dstnat dst-port=443 in-interface="ether1[WAN]" \
protocol=tcp to-addresses=192.168.88.2 to-ports=443
105 add action=dst-nat chain=dstnat disabled=yes dst-port=9082 in-interface=\
"ether1[WAN]" protocol=tcp to-addresses=192.168.88.2 to-ports=9083
106 add action=dst-nat chain=dstnat dst-port=6690 in-interface="ether1[WAN]" \
protocol=tcp to-addresses=192.168.88.2 to-ports=6690
107 /ip hotspot profile
108 set [ find default=yes ] html-directory=hotspot
109 /ip ipsec profile
110 set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
111 /ip route
112 add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=190.141.32.177 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
113 /ip service
# www, ssh and winbox have an empty address= and therefore listen on all
# addresses, the WAN one included; given the missing input catch-all above,
# restrict them (e.g. address=192.168.88.0/24,192.168.100.0/24) or add that
# drop. telnet, ftp, api and api-ssl are disabled.
114 set telnet disabled=yes
115 set ftp disabled=yes
116 set www address= port=
117 set ssh address= port=
118 set api disabled=yes
119 set winbox address=
120 set api-ssl disabled=yes
121 /ip smb shares
122 set [ find default=yes ] directory=/flash/pub
# The default SMB share is still defined although the default SMB user is
# disabled (21); if SMB is not used, disabling the service (/ip smb set
# enabled=no) removes it from the attack surface entirely.
123 /ip ssh
124 set strong-crypto=yes
125 /ipv6 firewall address-list
126 add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
127 add address=::1/128 comment="defconf: lo" list=bad_ipv6
128 add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
129 add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
129 add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
130 add address=100::/64 comment="defconf: discard only " list=bad_ipv6
131 add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
132 add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
133 add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
134 /ipv6 firewall filter
# Stock defconf IPv6 rules; inactive while disable-ipv6=yes (35).
135 add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
136 add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
137 add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
138 add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
139 add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
140 add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
141 add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
142 add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
143 add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
144 add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
145 add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
146 add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
147 add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
148 add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
149 add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
150 add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
151 add action=accept chain=forward comment="defconf: accept HIP" protocol=139
152 add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
153 add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
154 add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
155 add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
156 add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
157 /system clock
set time-zone-name=America/Panama
158 /system identity
159 set name="MK hEX S Casa 55"
160 /system note
161 set note=none@hotmail.com
162 /system ntp client
163 set enabled=yes
164 /system ntp server
165 set enabled=yes manycast=yes multicast=yes
# The NTP server answers on every interface; with no input catch-all it is also
# reachable on the WAN address (UDP 123), which is unnecessary exposure and a
# potential amplification source. A chain=input rule limited to
# in-interface-list=LAN (or the final drop suggested above) keeps it internal.
166 /system ntp client servers
167 add address=pool.ntp.org
168 /tool mac-server
# MAC-server and MAC-Winbox are correctly limited to the LAN list.
169 set allowed-interface-list=LAN
170 /tool mac-server mac-winbox
171 set allowed-interface-list=LAN
I have a MK router which uses Cloudflare as its DNS resolver, and I also have a local DNS server on the NAS in the LAN. I would like to add this NAS DNS server to the MK router so that it resolves local names for some Docker containers running on the NAS.
I would like to know if someone can help me add the NAS DNS server to the MK router, so that when I access the NAS locally or from the WireGuard VPN I can reach the containers by the names defined in the NAS Web Station instead of typing the NAS IP:port in the browser.
At the moment I have defined the container names on the MK router (MK configuration lines 66 to 77), but I would like to use the DNS server on the NAS for them.
Attached are a diagram of my configuration and the MK router configuration.
Tks in advance!
# Review notes (added): RouterOS 7.16 export as posted. Keys, MAC addresses and
# the serial number were blanked by the poster; the leading number on each line
# is the forum's line gutter (the post refers to "lines 66 to 77"), not config.
1 # 2024-10-04 18:08:16 by RouterOS 7.16
2 # software id = UE3C-1FI0
3 #
4 # model = RB760iGS
5 # serial number =
6 /interface bridge
7 add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf name=local \
port-cost-mode=short
8 /interface ethernet
9 set [ find default-name=ether1 ] name="ether1[WAN]"
10 set [ find default-name=sfp1 ] disabled=yes
11 /interface wireguard
12 add listen-port=35001 mtu=1420 name=WG_ALL
13 /interface list
14 add comment=defconf name=WAN
15 add comment=defconf name=LAN
16 /ip pool
17 add name=dhcp ranges=192.168.88.2-192.168.88.254
18 /ip dhcp-server
19 add address-pool=dhcp interface=local lease-time=10m name=defconf
20 /ip smb users
21 set [ find default=yes ] disabled=yes
22 /port
23 set 0 name=serial0
24 /interface bridge port
25 add bridge=local comment=defconf interface=ether2 internal-path-cost=10 \
path-cost=10
26 add bridge=local comment=defconf interface=ether3 internal-path-cost=10 \
path-cost=10
27 add bridge=local comment=defconf interface=ether4 internal-path-cost=10 \
path-cost=10
28 add bridge=local comment=defconf interface=ether5 internal-path-cost=10 \
path-cost=10
29 add bridge=local comment=defconf interface=sfp1 internal-path-cost=10 \
path-cost=10
30 /ip firewall connection tracking
31 set udp-timeout=10s
32 /ip neighbor discovery-settings
33 set discover-interface-list=all
# NOTE(review): discover-interface-list=all includes ether1[WAN], so the router
# announces itself (neighbor discovery) towards the ISP side as well; the
# default configuration normally limits this to the LAN list.
34 /ipv6 settings
35 set disable-ipv6=yes forward=no
# IPv6 is disabled here, so the /ipv6 firewall sections further down are inert
# until it is re-enabled; they are still worth keeping in place.
36 /interface list member
37 add comment=defconf interface=local list=LAN
38 add comment=defconf interface="ether1[WAN]" list=WAN
39 /interface wireguard peers
# Only peer 40 carries client-dns=192.168.88.1. As far as this export shows,
# client-dns only feeds the client configuration RouterOS generates for that
# peer, so the other peers' clients will not use the router as resolver (and
# will not see the static names below) unless DNS is set in their own WireGuard
# config — relevant to the question about name resolution over the VPN.
40 add allowed-address=192.168.100.3/32 client-dns=192.168.88.1 interface=WG_ALL \
name="Adm - Dynabook X30L-K ESM" public-key=\
41 add allowed-address=192.168.100.5/32 interface=WG_ALL name=\
"Adm - MacBook Air M1 ESM" preshared-key=\
“” private-key=\ “” public-key=\ “”
42 add allowed-address=192.168.100.4/32 interface=WG_ALL name=\
"Adm - iPad Pro 12.9 ESM" preshared-key=\ “” private-key=\”” public-key=\””
43 add allowed-address=192.168.100.6/32 interface=WG_ALL name=\
"Adm - iPhone15ProMax ESM" public-key=\ “”
44 add allowed-address=192.168.100.7/32 interface=WG_ALL name=\
"Adm - iPadPro 11 Jenny" public-key=\ “”
45 add allowed-address=192.168.101.3/32 interface=WG_ALL name=\
"G24A1U01A - MacBook Air M1 ESM" private-key=\”” public-key=\””
46 add allowed-address=192.168.101.4/32 interface=WG_ALL name=\
"G24A1U02A - MacBook Air M1 ESM" private-key=\”” public-key=\””
# client-address=::/0 on the next peer looks unintended: no other peer sets it
# and this peer's allowed-address is an IPv4 /32 — confirm.
47 add allowed-address=192.168.102.2/32 client-address=::/0 interface=WG_ALL \
name=G24B1U01A private-key="" \ public-key=\””
48 /ip address
49 add address=192.168.88.1/24 comment=defconf interface=local network=\
192.168.88.0
50 add address=192.168.100.1/24 comment="Wireguard full lan access" interface=\
WG_ALL network=192.168.100.0
51 add address=190.141.32.176/30 comment="WAN static IP" interface="ether1[WAN]" \
network=190.141.32.176
# The public WAN address (and the gateway in route 112) was left unredacted
# while keys and MACs were blanked; worth redacting in a public post.
52 add address=192.168.101.1/24 comment="Wireguard G24A1" interface=WG_ALL \
network=192.168.101.0
53 add address=192.168.102.1/24 comment="Wireguard G24A02" interface=WG_ALL \
network=192.168.102.0
54 /ip arp
# Static ARP for the NAS (.2) and the .253 host; MACs blanked by the poster.
55 add address=192.168.88.253 interface=local mac-address=00:00:00:00:00:00
56 add address=192.168.88.2 interface=local mac-address=00:00:00:00:00:00
57 /ip cloud
58 set ddns-update-interval=15m
59 /ip dhcp-server lease
60 add address=192.168.0.0 client-id=1:00:00:00:00:00:00 mac-address=\
00:00:00:00:00:00 server=defconf
# Lease 60 assigns 192.168.0.0, which lies outside the 192.168.88.0/24 network
# that server defconf serves (network 63) — a leftover or a redaction; confirm.
61 add address=dhcp comment="DS1517+ SUNSET55N1" mac-address=00:00:00:00:00:00 \
server=defconf use-src-mac=yes
62 /ip dhcp-server network
63 add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
64 /ip dns
65 set allow-remote-requests=yes use-doh-server=\
https://cloudflare-dns.com/dns-query verify-doh-cert=yes
# allow-remote-requests=yes answers DNS on every interface. That is what lets
# LAN clients (network 63 hands out 192.168.88.1) and WireGuard clients use the
# router as resolver, but it also makes the WAN-side drops for port 53 (filter
# rules 97, 98) the only thing preventing an open resolver — keep them.
# Upstream is DoH only (no plain servers=), with certificate verification on.
66 /ip dns static
# Entries 67-68 pin cloudflare-dns.com so the DoH hostname resolves before DoH
# itself is usable. Entries 69-77 are the local names the post wants to move to
# the NAS resolver (192.168.88.2). Rather than listing each name here, a
# RouterOS 7 static entry of type=FWD can hand a whole zone to the NAS, e.g.
#   add type=FWD forward-to=192.168.88.2 name=<nas-zone> match-subdomain=yes
# with <nas-zone> replaced by the domain the NAS DNS actually serves; the flat
# names below (fs23a01, ...) would then be looked up with that suffix.
67 add address=104.16.248.249 name=cloudflare-dns.com type=A
68 add address=104.16.249.249 name=cloudflare-dns.com type=A
69 add address=192.168.88.1 name=router.local type=A
70 add address=192.168.88.2 comment="ofidatalab host" disabled=yes name=\
ofidatalab type=A
71 add address=192.168.88.2 comment="ofidatalab FS23A01" name=fs23a01 type=A
72 add address=192.168.88.2 comment="ofidatalab NC24A01" name=nc24a01 type=A
73 add address=192.168.88.2 comment="ofidatalab FS24A01" name=fs24a01 type=A
74 add address=192.168.88.2 comment="ofidatalab NC24A02" name=nc24a02 type=A
75 add address=192.168.88.2 name=hm23a01 type=A
76 add address=192.168.88.2 name=fs24a02 type=A
77 add address=192.168.88.253 name=DYNABK-ESM type=A
78 /ip firewall filter
# Rule order: 91 ("drop all else") is a catch-all for chain=forward, so the
# forward rules placed after it (95, 99, 100) can never match. chain=input has
# no such catch-all: apart from PORT-SCANNERS (79), invalid (92) and DNS from
# the WAN (97, 98), everything reaching ether1[WAN] is accepted by the chain's
# default, which exposes the services with empty address= in /ip service
# (www, ssh, winbox) and the NTP server further down. The defconf
# "drop all not coming from LAN" input rule appears to have been removed;
# re-adding a final `add action=drop chain=input in-interface-list=!LAN`,
# preceded by accepts for established,related, for UDP 35001 on the WAN
# (the WG_ALL listen port) and for in-interface=WG_ALL, would close that.
79 add action=drop chain=input comment="Block Port Scanners" src-address-list=\
PORT-SCANNERS
80 add action=fasttrack-connection chain=forward comment=\
"OK defconf: fasttrack (MK Forum 2023-04-12 ANAV)" connection-state=\
established,related hw-offload=yes
81 add action=accept chain=forward comment="OK defconf: accept established,relate\
d, untracked (MK Forum 2023-04-12 ANAV)" connection-state=\
established,related,untracked
82 add action=drop chain=forward comment=\
"OK defconf: drop invalid (MK Forum 2023-04-12 ANAV)" connection-state=\
invalid
83 add action=accept chain=forward comment=\
"OK allow internet traffic (MK Forum 2023-04-12 ANAV)" \
in-interface-list=LAN out-interface-list=WAN
# 84-87 admit the internet-facing NAS ports that the dst-nat rules (103-106)
# redirect; 86 is disabled together with nat rule 105.
84 add action=accept chain=forward dst-address=192.168.88.2 dst-port=80 \
in-interface="ether1[WAN]" protocol=tcp
85 add action=accept chain=forward dst-address=192.168.88.2 dst-port=443 \
in-interface="ether1[WAN]" protocol=tcp
86 add action=accept chain=forward disabled=yes dst-address=192.168.88.2 \
dst-port=9083 in-interface="ether1[WAN]" protocol=tcp
87 add action=accept chain=forward dst-address=192.168.88.2 dst-port=6690 \
in-interface="ether1[WAN]" protocol=tcp
88 add action=accept chain=forward comment=\
"OK WG Administracion (MK Forum 2023-04-12 ANAV)" in-interface=WG_ALL \
out-interface-list=LAN src-address=192.168.100.0/24
89 add action=accept chain=forward comment=\
"OK WG-Users G24A1 (MK Forum 2023-04-12 ANAV)" in-interface=WG_ALL \
out-interface-list=LAN src-address=192.168.101.0/24
# 90 limits the 192.168.102.0/24 VPN users to the NAS only (no out-interface).
90 add action=accept chain=forward comment=\
"WG-Users G24A2 (MK Forum 2024-04-12 ANAV)" dst-address=192.168.88.2 \
in-interface=WG_ALL src-address=192.168.102.0/24
91 add action=drop chain=forward comment="drop all else"
# Every chain=forward rule below this point (95, 99, 100) is shadowed by 91.
92 add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
93 add action=accept chain=input comment="defconf: accept ICMP" in-interface=\
"ether1[WAN]" packet-mark="" protocol=icmp
94 add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
95 add action=accept chain=forward comment="defconf: accept in ipsec policy" \
connection-state=established,related ipsec-policy=in,ipsec
96 add action=add-src-to-address-list address-list=PORT-SCANNERS \
address-list-timeout=1d chain=input comment="Port Scanner Detector" log=\
yes protocol=tcp psd=21,3s,3,1
97 add action=drop chain=input dst-port=53 in-interface="ether1[WAN]" protocol=\
tcp
98 add action=drop chain=input dst-port=53 in-interface="ether1[WAN]" protocol=\
udp
# 97-98 protect only port 53 on the WAN; they are not a substitute for a
# terminal drop in chain=input (see the note at the top of this section).
99 add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
100 add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
101 /ip firewall nat
# 103/104/106 expose NAS ports 80, 443 and 6690 to the internet and pair with
# filter accepts 84/85/87; 105 (9082->9083) is disabled with filter 86.
102 add action=masquerade chain=srcnat comment=\
"defconf: masquerade (MK Forum 2023-04-12 ANAV))" ipsec-policy=out,none \
out-interface-list=WAN
103 add action=dst-nat chain=dstnat dst-port=80 in-interface="ether1[WAN]" \
protocol=tcp to-addresses=192.168.88.2 to-ports=80
104 add action=dst-nat chain=dstnat dst-port=443 in-interface="ether1[WAN]" \
protocol=tcp to-addresses=192.168.88.2 to-ports=443
105 add action=dst-nat chain=dstnat disabled=yes dst-port=9082 in-interface=\
"ether1[WAN]" protocol=tcp to-addresses=192.168.88.2 to-ports=9083
106 add action=dst-nat chain=dstnat dst-port=6690 in-interface="ether1[WAN]" \
protocol=tcp to-addresses=192.168.88.2 to-ports=6690
107 /ip hotspot profile
108 set [ find default=yes ] html-directory=hotspot
109 /ip ipsec profile
110 set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
111 /ip route
112 add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=190.141.32.177 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
113 /ip service
# www, ssh and winbox have an empty address= and therefore listen on all
# addresses, the WAN one included; given the missing input catch-all above,
# restrict them (e.g. address=192.168.88.0/24,192.168.100.0/24) or add that
# drop. telnet, ftp, api and api-ssl are disabled.
114 set telnet disabled=yes
115 set ftp disabled=yes
116 set www address= port=
117 set ssh address= port=
118 set api disabled=yes
119 set winbox address=
120 set api-ssl disabled=yes
121 /ip smb shares
122 set [ find default=yes ] directory=/flash/pub
# The default SMB share is still defined although the default SMB user is
# disabled (21); if SMB is not used, disabling the service (/ip smb set
# enabled=no) removes it from the attack surface entirely.
123 /ip ssh
124 set strong-crypto=yes
125 /ipv6 firewall address-list
126 add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
127 add address=::1/128 comment="defconf: lo" list=bad_ipv6
128 add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
129 add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
129 add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
130 add address=100::/64 comment="defconf: discard only " list=bad_ipv6
131 add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
132 add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
133 add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
134 /ipv6 firewall filter
# Stock defconf IPv6 rules; inactive while disable-ipv6=yes (35).
135 add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
136 add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
137 add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
138 add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
139 add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
140 add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
141 add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
142 add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
143 add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
144 add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
145 add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
146 add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
147 add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
148 add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
149 add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
150 add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
151 add action=accept chain=forward comment="defconf: accept HIP" protocol=139
152 add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
153 add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
154 add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
155 add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
156 add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
157 /system clock
set time-zone-name=America/Panama
158 /system identity
159 set name="MK hEX S Casa 55"
160 /system note
161 set note=none@hotmail.com
162 /system ntp client
163 set enabled=yes
164 /system ntp server
165 set enabled=yes manycast=yes multicast=yes
# The NTP server answers on every interface; with no input catch-all it is also
# reachable on the WAN address (UDP 123), which is unnecessary exposure and a
# potential amplification source. A chain=input rule limited to
# in-interface-list=LAN (or the final drop suggested above) keeps it internal.
166 /system ntp client servers
167 add address=pool.ntp.org
168 /tool mac-server
# MAC-server and MAC-Winbox are correctly limited to the LAN list.
169 set allowed-interface-list=LAN
170 /tool mac-server mac-winbox
171 set allowed-interface-list=LAN