DNS via VPN

qpp-mikrotik
Posts: 7
Registered: 17 Jan 2021, 09:42

Good afternoon.
After updating to ROS 7.6 I ran into a problem; before that, on ROS 6, it worked correctly.
The task is to route all DNS traffic through the VPN.
I followed this article:
https://prohoster.info/blog/administrir ... j-tutorial
Traffic marking, plus a redirect to port 53.
When I create a route for the marked traffic I can't open websites: pings from the PC go through, but DNS queries don't.
https://disk.yandex.ru/d/WtmhdFFqC_ITOg

Please advise how to solve this properly, because if I send all traffic through the VPN everything works fine.

# nov/14/2022 08:23:29 by RouterOS 7.6
# software id = UAAW-KV92
#
# model = RB952Ui-5ac2nD
# serial number = BEE80BBC7B91
/interface bridge add admin-mac=C4:AD:34:52:91:44 auto-mac=no comment=defconf name=bridge
/interface l2tp-client add connect-to=****** disabled=no name=l2tp-out1 use-ipsec=yes user=vpnuser
/interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-529148 wireless-protocol=802.11
/interface wireguard add disabled=yes listen-port=55516 mtu=1420 name=WG0
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=office81 supplicant-identity=""
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=ss supplicant-identity=""
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors frequency=2417 installation=indoor security-profile=ss ssid=YOTA-8DD2 wireless-protocol=802.11
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/ip pool add name=dhcp_pool1 ranges=10.81.81.230-10.81.81.254
/ip dhcp-server add address-pool=dhcp_pool1 interface=bridge name=dhcp1
/ppp profile add change-tcp-mss=yes name=profile1 use-compression=no use-encryption=yes use-ipv6=no use-upnp=no
/routing table add disabled=no fib name=DNS
/routing table add disabled=no fib name=HTTP
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge interface=ether1
/ip neighbor discovery-settings set discover-interface-list=LAN
/ipv6 settings set disable-ipv6=yes
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add interface=wlan1 list=WAN
/interface wireguard peers add allowed-address=0.0.0.0/0 disabled=yes endpoint-address=89.208.105.24 endpoint-port=55516 interface=WG0 persistent-keepalive=25s public-key="******"
/ip address add address=10.81.81.1/24 comment=defconf interface=bridge network=10.81.81.0
/ip address add address=10.66.66.3 disabled=yes interface=WG0 network=10.66.66.0
/ip dhcp-client add default-route-distance=5 interface=wlan1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network add address=10.81.81.0/24 gateway=10.81.81.1
/ip dns set allow-remote-requests=yes servers=1.1.1.1
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle add action=mark-routing chain=prerouting dst-port=53 new-routing-mark=DNS passthrough=no protocol=tcp
/ip firewall mangle add action=mark-routing chain=prerouting dst-port=53 new-routing-mark=DNS passthrough=no protocol=udp
/ip firewall mangle add action=mark-routing chain=output dst-port=53 new-routing-mark=DNS passthrough=no protocol=udp
/ip firewall mangle add action=mark-routing chain=output dst-port=53 new-routing-mark=DNS passthrough=no protocol=tcp
/ip firewall mangle add action=mark-routing chain=prerouting connection-nat-state=!dstnat dst-address=!10.81.81.1 dst-port=80 new-routing-mark=HTTP passthrough=yes protocol=tcp
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=all-ppp
/ip firewall nat add action=redirect chain=dstnat comment="Redirect dns-query to local DNS" dst-port=53 in-interface-list=!WAN protocol=tcp
/ip firewall nat add action=redirect chain=dstnat comment="Redirect dns-query to local DNS" dst-port=53 in-interface-list=!WAN protocol=udp
/ip firewall nat add action=redirect chain=dstnat comment="DNS Redirect (TCP)" dst-address=!10.81.81.1 dst-port=53 in-interface-list=LAN protocol=tcp
/ip firewall nat add action=redirect chain=dstnat comment="DNS Redirect (UDP)" dst-address=!10.81.81.1 dst-port=53 in-interface-list=LAN protocol=udp
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip route add comment="DNS over VPN" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=l2tp-out1 pref-src="" routing-table=DNS scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment=HTTP disabled=no distance=1 dst-address=0.0.0.0/0 gateway=l2tp-out1 pref-src="" routing-table=HTTP scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN


gmx
Moderator
Posts: 3290
Registered: 01 Oct 2012, 14:48

Honestly, I don't have the time or energy to dig through the config.
But in general, it can be done more simply.
Send ALL traffic to the DNS server you need through the VPN.

Something like this:

route DNS_IP_ADDRESS/32 gateway YOUR_VPN_INTERFACE

That's done via IP > Routes.

Then you can do without marking and intercepting DNS traffic.


qpp-mikrotik
Posts: 7
Registered: 17 Jan 2021, 09:42

gmx wrote (14 Nov 2022, 11:35):
> Honestly, I don't have the time or energy to dig through the config.
> But in general, it can be done more simply.
> Send ALL traffic to the DNS server you need through the VPN.
>
> Something like this:
>
> route DNS_IP_ADDRESS/32 gateway YOUR_VPN_INTERFACE
>
> That's done via IP > Routes.
>
> Then you can do without marking and intercepting DNS traffic.

Everything on my side is reset to defaults, and I started with setting up DNS via VPN. So much for "digging through the config".

Did I understand the suggestion correctly:

/ip route add comment="DNS over VPN" disabled=no distance=1 dst-address=1.1.1.1/32 gateway=l2tp-out1 pref-src="" routing-table=DNS scope=30 suppress-hw-offload=no target-scope=10

and that's it?


qpp-mikrotik
Posts: 7
Registered: 17 Jan 2021, 09:42

For anyone interested, sharing what I found:

when marking traffic, the connections have to be marked first, and only then the packets/routes.

That fixed it.
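The ordering the poster describes, written out as an added example (editor's code, not the poster's configuration): the connection is marked once when it is new, and the routing mark is then derived from the connection mark for every packet of that connection, in both the prerouting chain (forwarded traffic) and the output chain (the router's own resolver queries after the dst-nat redirect). It assumes the routing table DNS and the tunnel l2tp-out1 from the export above; the connection-mark name dns_conn is chosen here.

```routeros
# Added example, not from the thread. Assumes routing table "DNS" and tunnel "l2tp-out1"
# as in the export above; "dns_conn" is a connection-mark name chosen for this example.
/ip firewall mangle
# 1. Mark NEW DNS connections. prerouting catches forwarded traffic; output catches the
#    router's own queries (LAN clients are redirected to the router's resolver by dst-nat,
#    so the upstream queries are generated by the router itself).
add chain=prerouting connection-state=new protocol=udp dst-port=53 action=mark-connection new-connection-mark=dns_conn passthrough=yes comment="DNS: mark connection (udp)"
add chain=prerouting connection-state=new protocol=tcp dst-port=53 action=mark-connection new-connection-mark=dns_conn passthrough=yes comment="DNS: mark connection (tcp)"
add chain=output connection-state=new protocol=udp dst-port=53 action=mark-connection new-connection-mark=dns_conn passthrough=yes comment="DNS: mark router's own connection (udp)"
add chain=output connection-state=new protocol=tcp dst-port=53 action=mark-connection new-connection-mark=dns_conn passthrough=yes comment="DNS: mark router's own connection (tcp)"
# 2. Routing mark follows the connection mark, so every packet of the connection,
#    not only the first one, is looked up in table DNS.
add chain=prerouting connection-mark=dns_conn action=mark-routing new-routing-mark=DNS passthrough=no comment="DNS: route via table DNS"
add chain=output connection-mark=dns_conn action=mark-routing new-routing-mark=DNS passthrough=no comment="DNS: route router's own queries via table DNS"
# 3. The table itself only needs a default route through the tunnel (same as in the export).
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-table=DNS comment="DNS over VPN"
```

The source NAT for the tunnel is already covered by the export's masquerade rule on out-interface=all-ppp; it matters here because packets from the router's output chain get their source address chosen before the mangle lookup, so without it queries would leave l2tp-out1 with the WAN address.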


gmx
Moderator
Posts: 3290
Registered: 01 Oct 2012, 14:48

qpp-mikrotik wrote (14 Nov 2022, 12:21):
>
> Did I understand the suggestion correctly:
>
> /ip route add comment="DNS over VPN" disabled=no distance=1 dst-address=1.1.1.1/32 gateway=l2tp-out1 pref-src="" routing-table=DNS scope=30 suppress-hw-offload=no target-scope=10
>
> and that's it?

Yes, that's all. ALL packets toward 1.1.1.1 will go through the interface l2tp-out1.

The variant with marks also works, but doing it through a route is simpler.
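The route-only variant as an added example (editor's code, not the moderator's or the poster's): a host route for the resolver, a check that queries really leave through the tunnel, and a guard against DNS leaking to the WAN when the tunnel is down. It assumes resolver 1.1.1.1 and tunnel l2tp-out1 from the export. One detail worth stating: the route has to live in the main table, because a route placed in routing-table=DNS is only consulted for packets that carry routing-mark=DNS, and in this variant nothing marks them.

```routeros
# Added example, not from the thread. Assumes the router resolves for LAN clients
# (allow-remote-requests=yes plus the dst-nat redirect rules in the export), so only the
# router's own queries to 1.1.1.1 need to be steered; the tunnel is l2tp-out1.
/ip dns set servers=1.1.1.1 allow-remote-requests=yes
# Host route in the MAIN table (no routing-table=DNS): more specific than the WAN default
# route, so 1.1.1.1 is reached through the tunnel without any mangle rules.
/ip route add dst-address=1.1.1.1/32 gateway=l2tp-out1 comment="DNS over VPN"
# Check 1: the route is active (flag A) and bound to the tunnel.
/ip route print where dst-address=1.1.1.1/32
# Check 2: a query forced to 1.1.1.1 resolves; watch it on the tunnel with torch meanwhile.
:put [:resolve example.com server=1.1.1.1]
/tool torch interface=l2tp-out1 port=53
# Leak guard: when the tunnel is down the host route goes inactive and queries would fall
# back to the WAN default route in clear text; drop them instead of leaking them.
/ip firewall filter add chain=output protocol=udp dst-port=53 out-interface-list=WAN action=drop comment="block DNS leak on WAN"
/ip firewall filter add chain=output protocol=tcp dst-port=53 out-interface-list=WAN action=drop comment="block DNS leak on WAN"
```

The leak-guard rules belong in the output chain, not forward, because after the dst-nat redirect the LAN clients never talk to 1.1.1.1 directly; the only DNS that could escape via the WAN is the router's own.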

