I was about to lose it before I found the solution to why my rules were not working. In my network scenario I NEED the srcnat rules!
Only creating dstnat rules was not enough. I'm sure people more versed in networking will be able to explain why; I'm just happy I found the solution to my problem and hope this helps someone in the same boat.
Code:
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=10.10.1.251 dst-port=53 protocol=tcp
add action=masquerade chain=srcnat dst-address=10.10.1.251 dst-port=53 protocol=udp
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address-list=!DNS_pihole to-addresses=10.10.1.251 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address-list=!DNS_pihole to-addresses=10.10.1.251 to-ports=53

The two
action=masquerade chain=srcnat
rules were the key in my case; without them, anyone trying to use a DNS server besides my AdGuard would get blocked instead of just being forced to use my DNS server!
10.10.1.251 is my AdGuard local server.
For context, my network is quite complex, so maybe this case will not apply to everyone.
I run 2 local subnets (10.10.1.0 & 10.10.2.0) to separate LAN devices, have a ZeroTier devices subnet on 10.10.3.0, have one PPPoE as wan1 and a WAN failover on another network on 10.10.4.1.
A glimpse of my network:
Code:
/ip route
add disabled=no distance=1 dst-address=10.10.3.0/24 gateway=10.10.1.251 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=32
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.10.4.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=1.1.1.1/32 gateway=pppoe-ENTEL pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=31
Statistics: Posted by guajojo — Tue Jan 30, 2024 10:24 pm
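Added example, not part of guajojo's post: a small Python model of how the dstnat and srcnat rules above rewrite a redirected DNS query and its reply, showing why a client on the same /24 as the AdGuard server (10.10.1.251) only gets a usable answer when the masquerade rules are present (the hairpin NAT case). The router LAN address 10.10.1.1, the client addresses and 8.8.8.8 as the resolver the client tried to use are assumptions; source-port rewriting by masquerade is ignored.

```python
from dataclasses import dataclass, replace

ADGUARD = "10.10.1.251"   # the post's AdGuard server
ROUTER_LAN = "10.10.1.1"  # assumed router address on 10.10.1.0/24


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


def same_subnet(a: str, b: str) -> bool:
    """Crude /24 test, enough for the post's 10.10.x.0 LANs."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def router_forward(pkt: Pkt, with_srcnat: bool):
    """Apply the NAT rules on the forward path and return the rewritten
    packet plus the conntrack entry (original, translated).

    dstnat: every port-53 query is redirected to AdGuard.
    srcnat (masquerade towards 10.10.1.251:53): the source becomes the
    router, so AdGuard's reply has to come back through the router.
    (Real masquerade may also rewrite the source port; ignored here.)"""
    translated = replace(pkt, dst=ADGUARD, dport=53)
    if with_srcnat:
        translated = replace(translated, src=ROUTER_LAN)
    return translated, (pkt, translated)


def dns_redirect_works(client: str, public_dns: str, with_srcnat: bool) -> bool:
    """True if the client gets a reply from the resolver it actually asked."""
    query = Pkt(client, public_dns, 40000, 53)
    fwd, (orig, _) = router_forward(query, with_srcnat)
    reply = Pkt(fwd.dst, fwd.src, fwd.dport, fwd.sport)  # AdGuard answers
    if reply.dst != ROUTER_LAN and same_subnet(reply.src, reply.dst):
        # Same /24 and not masqueraded: AdGuard answers the client directly
        # (ARP, no router hop), so the dstnat is never undone and the reply
        # carries 10.10.1.251 as its source.
        delivered = reply
    else:
        # Reply is addressed to the router (masquerade) or to another
        # subnet: the router reverses both translations from conntrack.
        delivered = Pkt(orig.dst, orig.src, orig.dport, orig.sport)
    # A stateful client drops a reply whose source is not the address it
    # queried; that is what "blocked instead of redirected" looks like.
    return delivered.src == public_dns and delivered.dst == client
```

Clients on 10.10.2.0/24 already get a working redirect without the srcnat rules, because their replies must cross the router anyway; it is the same-subnet clients that need the masquerade.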