
DNS & Static IPs

Posted: Sat Aug 07, 2004 5:28 am
by jferello
Does anyone use static IPs on their network and have DNS working correctly? In v2.7 I was able to give my firewall an IP of, say, 192.168.0.1, then add my real DNS server IPs to my own firewall. Then for each client I would put the following:

IP: 192.168.0.2
Subnet: 255.255.255.0
Gateway: 192.168.0.1
DNS1: 192.168.0.1
DNS2: Blank

Now with v2.8 I have to actually use my real DNS IPs on each client instead of using the 192.168.0.1? Why is this, and has anyone got it working?

Posted: Sat Aug 07, 2004 1:43 pm
by lastguru

Posted: Sun Aug 08, 2004 3:58 am
by GJS
My understanding is that basically, in the DNS cache settings you set the address(es) of your "real" DNS servers, then you redirect all client DNS requests using a destination NAT firewall rule. Here's my config to use DNS cache:

[admin@pad001X] ip dns> print
primary-dns: 212.23.8.1
secondary-dns: 212.23.8.6
allow-remote-requests: yes
cache-size: 4096 kB
cache-max-ttl: 7d
cache-used: 19 kB
[admin@pad001X] ip dns>

[admin@pad001X] ip firewall dst-nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Redirect all DNS requests to local DNS Cache
dst-address=:53 protocol=udp action=redirect
[admin@pad001X] ip firewall dst-nat>

I have both static and dynamic IPs and it's working fine. I am running 2.8.12.

Hope this helps.
Guy

Posted: Sun Aug 08, 2004 7:50 am
by jferello
Guy,

Your DST-NAT rule does not make any sense to me... I thought DST-NAT was for requests coming in from outside my firewall and SRC-NAT was for request coming from inside my firewall. If my local client on my LAN hits a webpage, the DNS request is going to go through the SRC-NAT right?

Posted: Sun Aug 08, 2004 12:59 pm
by lastguru
Every request goes through both SRC-NAT and DST-NAT. I do not know how the router could possibly differentiate between the traffic from your internal network and from the Internet - they both are the same, just from and to different interfaces. I guess you should read this:
http://www.mikrotik.com/docs/ros/2.8/ip ... l.frameset
http://www.mikrotik.com/docs/ros/2.8/ip/nat.frameset

Posted: Sun Aug 08, 2004 1:09 pm
by GJS
Hi jferello,

Well, I could be completely wrong, and I usually am when it comes to RouterOS, but my understanding is that NAT rules act on the source and destination address of a particular packet, rather than by the direction of flow of the packet through the router.

For example, I have two NAT rules on my router. To masquerade private IP addresses to the router's public IP, I have a source NAT rule which says to masquerade any packet with a source address of 192.168.0.0/24. Obviously any packet with this source address will be coming from the private LAN. Then, to redirect DNS requests I have a dst-nat rule which says to redirect (which means redirect to the router itself) all packets with a destination address of 0.0.0.0:53, protocol UDP. In other words, any packet heading for any address on port 53, using UDP protocol, gets redirected to the router itself. I guess once the DNS cache is set up on the router, the router listens on port 53.

I've tested the DNS cache by browsing web addresses on a LAN host and checking that they appear in the cache, which they do, so I think it's all working correctly.

As I said, I could be completely wrong, and there is certainly more to NAT than I have described here. Perhaps someone can jump in and confirm what I've said?

Hope this helps,
Guy
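A small model of the two rules Guy describes (the src-nat masquerade and the dst-nat redirect of UDP/53 to the router's DNS cache), written as an added example rather than code from the thread or from RouterOS: rules match on packet header fields, and dst-nat runs before the routing decision, so a LAN client that points at an outside resolver still ends up at the router. The rule engine, the interface names "lan"/"wan" and the 203.0.113.1 WAN address are assumptions; 192.168.0.0/24 and 192.168.0.1 come from the thread.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Assumed addresses: the router's LAN side (from the thread) and a made-up WAN side.
ROUTER_ADDRS = {"lan": ip_address("192.168.0.1"), "wan": ip_address("203.0.113.1")}
LAN_NET = ip_network("192.168.0.0/24")

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    dport: int

def dst_nat_matches(pkt, in_iface=None):
    """The posted rule: dst-address=:53 protocol=udp. It names no interface, so a
    UDP/53 packet arriving on any interface matches; passing in_iface="lan" models
    the tighter rule that only catches LAN clients."""
    return pkt.proto == "udp" and pkt.dport == 53 and in_iface in (None, pkt.in_iface)

def dst_nat(pkt, in_iface=None):
    """action=redirect rewrites the destination to the router's own address on the
    interface the packet came in on."""
    if dst_nat_matches(pkt, in_iface):
        return replace(pkt, dst=str(ROUTER_ADDRS[pkt.in_iface]))
    return pkt

def src_nat(pkt):
    """src-nat masquerade for any packet sourced from the private LAN range."""
    if ip_address(pkt.src) in LAN_NET:
        return replace(pkt, src=str(ROUTER_ADDRS["wan"]))
    return pkt

def route(pkt, in_iface=None):
    """dst-nat runs before the routing decision. A packet whose (possibly rewritten)
    destination is the router itself is delivered locally and never sees src-nat;
    everything else is forwarded and then source-NATed."""
    pkt = dst_nat(pkt, in_iface)
    if ip_address(pkt.dst) in ROUTER_ADDRS.values():
        return "local", pkt
    return "forward", src_nat(pkt)

# Constructed sample packets.
LAN_DNS = Packet("lan", "192.168.0.2", "8.8.8.8", "udp", 53)       # client ignores the local cache
LAN_WEB = Packet("lan", "192.168.0.2", "198.51.100.80", "tcp", 80)
WAN_DNS = Packet("wan", "198.51.100.7", "203.0.113.1", "udp", 53)  # query from the Internet side

if __name__ == "__main__":
    for p in (LAN_DNS, LAN_WEB, WAN_DNS):
        print(route(p))
```

Because the posted rule carries no in-interface match, the WAN-side query matches it as well; adding the interface to the rule (modelled by `in_iface="lan"`) limits the redirect to the clients it was written for.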

Posted: Sun Aug 08, 2004 4:14 pm
by andrewluck
There's no need to use NAT here as you're merely using the router as a DNS forwarder. Here's the setup from my box that does this:

[admin@Net4501] ip dns> pr
primary-dns: 195.92.195.94
secondary-dns: 195.92.195.95
allow-remote-requests: yes
cache-size: 2048 kB
cache-max-ttl: 7d
cache-used: 137 kB

Regards

Andrew

Posted: Sun Aug 08, 2004 8:21 pm
by jferello
Not to be mean or anything, but "Lastguru", you are of no help. Why do you continue to post? All you ever do is redirect all questions to the documentation.

Not that it is any of your business, but I have read the entire manual cover to cover several times. However, not everyone is as gifted as you, meaning that I may not understand everything that I read.

This is why they set up a forum; if the documentation were so good that everyone understood it, then this forum would not need to exist.

Posted: Sun Aug 08, 2004 10:59 pm
by lastguru
Please forgive me, jferello, I was just trying to be helpful... :?

If you find something that is not covered by the manual, or something explained poorly or too complicated, please post your suggestions to the respective section of this forum. It would be a great help for everyone, including yourself.

Posted: Mon Aug 09, 2004 1:43 am
by changeip
I believe the only time you want to use that NAT rule above is if you want to FORCE users' machines to use your DNS cache - even if they specify a different one outside your network. If they simply set their DNS servers to your MikroTik's IP then it should act just as any other resolver.

Posted: Mon Aug 09, 2004 12:03 pm
by GJS
Ah, yes, this seems logical. For me, the idea is to force all clients onto the DNS cache to speed up requests and to reduce the traffic to and from the Internet.

I guess it depends what type of private LAN you are operating, whether you want to give users the choice.

Guy