DoH DNS redirect not working properly on ROS7.9 and Cloudflare for Family (2024)

OK, OK. This was news to me. I assumed Quick Set was providing its own default config. NEVER assume!

Resetting with defaults enabled, loaded the defconf script successfully. Then, I started working from there.

Pure defconf was working fine with the APN-provided DNS servers for LAN clients. Remember - it was a pure defconf with no Wi-Fi setup, so I didn't even bother trying to connect via wireless.

Then I imported the Cloudflare for Families CA chain again and pretty much followed the rest as Normis explained in his YT DoH video, incl. disabling the APN-provided DNS.

Here is the setup after my little mods. I explicitly exported the verbose version.

Code:

# may/08/2023 19:35:32 by RouterOS 7.9
# software id = 
#
# model = D53G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=DC:2C:6E:C4:F5:7D ageing-time=5m arp=enabled arp-timeout=auto \
    auto-mac=no comment=defconf dhcp-snooping=no disabled=no fast-forward=yes \
    forward-delay=15s igmp-snooping=no max-message-age=20s mtu=auto name=\
    bridge priority=0x8000 protocol-mode=rstp transmit-hold-count=6 \
    vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=DC:2C:6E:C4:F5:7D mtu=1500 \
    name=ether1 orig-mac-address=DC:2C:6E:C4:F5:7D rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=DC:2C:6E:C4:F5:7E mtu=1500 \
    name=ether2 orig-mac-address=DC:2C:6E:C4:F5:7E rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=DC:2C:6E:C4:F5:7F mtu=1500 \
    name=ether3 orig-mac-address=DC:2C:6E:C4:F5:7F rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=DC:2C:6E:C4:F5:80 mtu=1500 \
    name=ether4 orig-mac-address=DC:2C:6E:C4:F5:80 rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=DC:2C:6E:C4:F5:81 mtu=1500 \
    name=ether5 orig-mac-address=DC:2C:6E:C4:F5:81 rx-flow-control=off \
    tx-flow-control=off
/queue interface
set bridge queue=no-queue
/interface ethernet switch
set 0 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 1 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 2 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 3 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 4 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 5 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" \
    name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" \
    name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" \
    include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" \
    include="" name=static
add comment=defconf exclude="" include="" name=WAN
add comment=defconf exclude="" include="" name=LAN
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=\
    none default-route-distance=2 ip-type=auto name=default use-network-apn=\
    yes use-peer-dns=no
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=default band="" \
    disabled=no !modem-init mtu=1500 name=lte1 network-mode=3g,lte,5g \
    nr-band=""
/queue interface
set lte1 queue=no-queue
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" disable-pmkid=no \
    eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m \
    interim-update=0s management-protection=disabled mode=none \
    mschapv2-username="" name=default radius-called-format=mac:ssid \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-sta-private-algo=none static-transmit-key=key-0 \
    supplicant-identity=MikroTik tls-certificate=none tls-mode=\
    no-certificates unicast-ciphers=aes-ccm
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods=passthrough \
    group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
    management-protection=disabled mode=dynamic-keys mschapv2-username="" \
    name=2.4ghz radius-called-format=mac:ssid radius-eap-accounting=no \
    radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=\
    disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-sta-private-algo=none static-transmit-key=key-0 \
    supplicant-identity="" tls-certificate=none tls-mode=no-certificates \
    unicast-ciphers=aes-ccm
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods=passthrough \
    group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
    management-protection=disabled mode=dynamic-keys mschapv2-username="" \
    name=5ghz radius-called-format=mac:ssid radius-eap-accounting=no \
    radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=\
    disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-sta-private-algo=none static-transmit-key=key-0 \
    supplicant-identity="" tls-certificate=none tls-mode=no-certificates \
    unicast-ciphers=aes-ccm
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=none allow-sharedkey=\
    no ampdu-priorities=0 amsdu-limit=8192 amsdu-threshold=8192 antenna-gain=\
    2 area="" arp=enabled arp-timeout=auto band=2ghz-onlyn basic-rates-a/g=\
    6Mbps basic-rates-b=1Mbps bridge-mode=enabled channel-width=20mhz \
    compression=no country=no_country_set default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=\
    yes disable-running-check=no disabled=yes disconnect-timeout=3s distance=\
    indoors frame-lifetime=0 frequency=auto frequency-mode=superchannel \
    frequency-offset=0 guard-interval=any hide-ssid=no ht-basic-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-supported-mcs="mcs-0,mc\
    s-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,m\
    cs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-2\
    3" hw-fragmentation-threshold=disabled hw-protection-mode=none \
    hw-protection-threshold=0 hw-retries=7 installation=indoor \
    interworking-profile=disabled keepalive-frames=enabled l2mtu=1600 \
    mac-address=DC:2C:6E:C4:F5:82 max-station-count=2007 mode=ap-bridge mtu=\
    1500 multicast-buffering=enabled multicast-helper=default name=wlan1 \
    nv2-cell-radius=30 nv2-downlink-ratio=50 nv2-mode=dynamic-downlink \
    nv2-qos=default nv2-queue-count=2 nv2-security=disabled nv2-sync-secret=\
    "" on-fail-retry-time=100ms preamble-mode=both radio-name=DC2C6EC4F582 \
    rate-selection=advanced rate-set=default rx-chains=0,1 scan-list=default \
    secondary-frequency="" security-profile=2.4ghz skip-dfs-channels=disabled \
    ssid=MTK station-bridge-clone-mac=00:00:00:00:00:00 station-roaming=\
    disabled supported-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 tx-chains=0,1 \
    tx-power-mode=default update-stats-interval=disabled vlan-id=1 vlan-mode=\
    no-tag wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 \
    wds-ignore-ssid=no wds-mode=disabled wireless-protocol=802.11 \
    wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=none allow-sharedkey=\
    no ampdu-priorities=0 amsdu-limit=8192 amsdu-threshold=8192 antenna-gain=\
    4 area="" arp=enabled arp-timeout=auto band=5ghz-onlyac basic-rates-a/g=\
    6Mbps bridge-mode=enabled channel-width=20/40/80mhz-XXXX compression=no \
    country=bulgaria default-ap-tx-limit=0 default-authentication=yes \
    default-client-tx-limit=0 default-forwarding=yes disable-running-check=no \
    disabled=no disconnect-timeout=3s distance=indoors frame-lifetime=0 \
    frequency=auto frequency-mode=regulatory-domain frequency-offset=0 \
    guard-interval=any hide-ssid=no ht-basic-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-supported-mcs="mcs-0,mc\
    s-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,m\
    cs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-2\
    3" hw-fragmentation-threshold=disabled hw-protection-mode=none \
    hw-protection-threshold=0 hw-retries=7 installation=indoor \
    interworking-profile=disabled keepalive-frames=enabled l2mtu=1600 \
    mac-address=DC:2C:6E:C4:F5:83 max-station-count=2007 mode=ap-bridge mtu=\
    1500 multicast-buffering=enabled multicast-helper=default name=wlan2 \
    nv2-cell-radius=30 nv2-downlink-ratio=50 nv2-mode=dynamic-downlink \
    nv2-qos=default nv2-queue-count=2 nv2-security=disabled nv2-sync-secret=\
    "" on-fail-retry-time=100ms preamble-mode=both radio-name=DC2C6EC4F583 \
    rate-selection=advanced rate-set=default rx-chains=0,1 scan-list=default \
    secondary-frequency="" security-profile=5ghz skip-dfs-channels=all ssid=\
    MTK station-bridge-clone-mac=00:00:00:00:00:00 station-roaming=disabled \
    supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    tdma-period-size=2 tx-chains=0,1 tx-power-mode=default \
    update-stats-interval=disabled vht-basic-mcs=mcs0-7 vht-supported-mcs=\
    mcs0-9,mcs0-9,mcs0-9 vlan-id=1 vlan-mode=no-tag wds-cost-range=50-150 \
    wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=\
    disabled wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=\
    3200 framer-policy=none
set wlan2 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=\
    3200 framer-policy=none
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    hotspot html-directory-override="" http-cookie-lifetime=3d http-proxy=\
    0.0.0.0:0 install-hotspot-queue=no login-by=cookie,http-chap name=default \
    smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none \
    !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=\
    default !parent-queue !queue-type shared-users=1 status-autorefresh=1m \
    transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=\
    exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
    modp1024
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=yes disabled=no interface=bridge \
    lease-script="" lease-time=30m name=defconf use-radius=no
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=usb1 parity=none \
    stop-bits=1
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address \
    !session-timeout use-compression=default use-encryption=default use-ipv6=\
    yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list \
    !local-address name=default-encryption on-down="" on-up="" only-one=\
    default !outgoing-filter !parent-queue !queue-type !rate-limit \
    !remote-address !session-timeout use-compression=default use-encryption=\
    yes use-ipv6=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 \
    pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 \
    pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB \
    pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
set wlan1 queue=wireless-default
set wlan2 queue=wireless-default
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
    bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
    17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
    T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
    7:17"
set wlan2 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
    bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
    17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
    T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
    7:17"
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=\
    no encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=flash/log disk-lines-per-file=1000 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=\
    0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=\
    bsd-syslog target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
    eb,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
    ssword,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
    winbox,password,web,sniff,sensitive,api,romon,rest-api" skin=default
/caps-man aaa
set called-format=mac:ssid interim-update=disabled mac-caching=disabled \
    mac-format=XX:XX:XX:XX:XX:XX mac-mode=as-username
/caps-man manager
set ca-certificate=none certificate=none enabled=no package-path="" \
    require-peer-certificate=no upgrade-policy=none
/caps-man manager interface
set [ find default=yes ] disabled=no forbid=no interface=all
/certificate settings
set crl-download=yes crl-store=ram crl-use=yes
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether1 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether2 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether3 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether4 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether5 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none ingress-filtering=yes interface=wlan1 internal-path-cost=10 \
    learn=auto multicast-router=temporary-query path-cost=10 point-to-point=\
    auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no \
    tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none ingress-filtering=yes interface=wlan2 internal-path-cost=10 \
    learn=auto multicast-router=temporary-query path-cost=10 point-to-point=\
    auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no \
    tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes \
    tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=\
    1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m \
    udp-stream-timeout=3m udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN lldp-med-net-policy-vlan=disabled mode=\
    tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes \
    arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    max-neighbor-entries=8192 route-cache=yes rp-filter=no secure-redirects=\
    yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=\
    yes-if-forwarding-disabled disable-ipv6=no forward=yes \
    max-neighbor-entries=4096
/interface detect-internet
set detect-interface-list=none internet-interface-list=none \
    lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no \
    authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address \
    default-profile=default-encryption enabled=no keepalive-timeout=30 \
    l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=\
    unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface list member
add comment=defconf disabled=no interface=bridge list=LAN
add comment=defconf disabled=no interface=lte1 list=WAN
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc \
    default-profile=default enable-tun-ipv6=no enabled=no ipv6-prefix-len=64 \
    keepalive-timeout=60 mac-address=FE:0C:0D:FA:78:42 max-mtu=1500 mode=ip \
    netmask=24 port=1194 protocol=tcp redirect-gateway=disabled reneg-sec=\
    3600 require-client-certificate=no tls-version=any tun-server-ipv6=::
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
    disabled pfs=no port=443 tls-version=any verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless cap
set bridge=none caps-man-addresses="" caps-man-certificate-common-names="" \
    caps-man-names="" certificate=none discovery-interfaces="" enabled=no \
    interfaces="" lock-to-caps-man=no static-virtual=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
    no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip address
add address=192.168.88.1/24 comment=defconf disabled=no interface=bridge \
    network=192.168.88.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=\
    5m
/ip dhcp-server network
add address=192.168.88.0/24 caps-manager="" comment=defconf dhcp-option="" \
    dns-server=192.168.88.1 gateway=192.168.88.1 !next-server ntp-server="" \
    wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    doh-max-concurrent-queries=50 doh-max-server-connections=5 doh-timeout=5s \
    max-concurrent-queries=100 max-concurrent-tcp-sessions=20 \
    max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s \
    servers="" use-doh-server=https://1.1.1.3/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf disabled=no name=router.lan ttl=1d
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN !to-addresses !to-ports
add action=redirect chain=dstnat !connection-bytes !connection-limit \
    !connection-mark !connection-rate !connection-type !content disabled=no \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    dst-port=53 !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority protocol=tcp !psd !random !routing-mark !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss \
    !time !to-addresses !to-ports !ttl
add action=redirect chain=dstnat !connection-bytes !connection-limit \
    !connection-mark !connection-rate !connection-type !content disabled=no \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    dst-port=53 !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority protocol=udp !psd !random !routing-mark !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss \
    !time !to-addresses !to-ports !ttl
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=yes
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" \
    disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=\
    all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster \
    cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no \
    src-address=::
/ip service
set telnet address="" disabled=yes port=23 vrf=main
set ftp address="" disabled=yes port=21
set www address="" disabled=yes port=80 vrf=main
set ssh address="" disabled=yes port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any \
    vrf=main
set api address="" disabled=yes port=8728 vrf=main
set winbox address="" disabled=no port=8291 vrf=main
set api-ssl address="" certificate=none disabled=yes port=8729 tls-version=\
    any vrf=main
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
    all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/flash/pub \
    disabled=no max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=\
    200 port=1080 version=4 vrf=main
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no \
    host-key-size=2048 host-key-type=rsa strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=64k enabled=no \
    inactive-flow-timeout=15s interfaces=all packet-sampling=no \
    sampling-interval=0 sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes \
    dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
    igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes \
    ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=\
    yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes \
    out-interface=yes packets=yes protocol=yes src-address=yes \
    src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes \
    tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes tcp-window-size=yes tos=yes \
    ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" disabled=no \
    dynamic=no list=bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=no dynamic=no list=\
    bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=no dynamic=no \
    list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=no \
    dynamic=no list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=no dynamic=no list=\
    bad_ipv6
add address=100::/64 comment="defconf: discard only " disabled=no dynamic=no \
    list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=no \
    dynamic=no list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=no dynamic=no \
    list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=no dynamic=no list=\
    bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes \
    disabled=no dns="" hop-limit=unspecified interface=all \
    managed-address-configuration=no mtu=unspecified other-configuration=no \
    pref64="" ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m \
    ra-preference=medium reachable-time=unspecified retransmit-interval=\
    unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no \
    use-radius=no
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/snmp
set contact="" enabled=no engine-id="" location="" src-address=:: \
    trap-community=public trap-generators=temp-exception trap-target="" \
    trap-version=1 vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=MikroTik
/system leds
# using RSRP, modem-signal-threshold ignored
set 0 disabled=no interface=lte1 leds=led1,led2,led3,led4,led5 \
    modem-signal-threshold=-91 type=modem-signal
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=no
/system ntp client
set enabled=yes mode=unicast servers=time.cloudflare.com vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no \
    local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=\
    main
/system ntp client servers
add address=time.cloudflare.com auth-key=none disabled=no iburst=yes \
    max-poll=10 min-poll=6
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
set 8 cpu=auto
set 9 cpu=auto
set 10 cpu=auto
set 11 cpu=auto
set 12 cpu=auto
set 13 cpu=auto
set 14 cpu=auto
/system resource irq rps
set ether1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 
disabled=yes/system resource usb settingsset authorization=no/system routerboard settingsset auto-upgrade=yes boot-device=nand-if-fail-then-ethernet boot-protocol=\ bootp force-backup-booter=no preboot-etherboot=disabled \ preboot-etherboot-server=any protected-routerboot=disabled \ reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no/system routerboard mode-buttonset enabled=yes hold-time=0s..1m on-event=dark-mode/system routerboard reset-buttonset enabled=no hold-time=0s..1m on-event=""/system routerboard wps-buttonset enabled=no hold-time=0s..1m on-event=""/system scriptadd comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \ policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \ source="\r\ \n :if ([system leds settings get all-leds-off] = \"never\") do={\r\ \n /system leds settings set all-leds-off=immediate \r\ \n } else={\r\ \n /system leds settings set all-leds-off=never \r\ \n }\r\ \n "/system upgrade mirrorset check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\ 0.0.0.0 user=""/system watchdogset auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m \ ping-timeout=1m watch-address=none watchdog-timer=yes/tool bandwidth-serverset allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\ 100/tool e-mailset address=0.0.0.0 from=<> port=25 tls=no user="" vrf=main/tool graphingset page-refresh=300 store-every=5min/tool mac-serverset allowed-interface-list=LAN/tool mac-server mac-winboxset allowed-interface-list=LAN/tool mac-server pingset enabled=yes/tool romonset enabled=no id=00:00:00:00:00:00/tool romon portset [ find default=yes ] cost=100 disabled=no forbid=no interface=all/tool smsset allowed-number="" auto-erase=no channel=0 port=none receive-enabled=no/tool snifferset file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any \ filter-dst-ip-address="" filter-dst-ipv6-address="" \ filter-dst-mac-address="" filter-dst-port="" filter-interface="" \ 
filter-ip-address="" filter-ip-protocol="" filter-ipv6-address="" \ filter-mac-address="" filter-mac-protocol="" \ filter-operator-between-entries=or filter-port="" filter-size="" \ filter-src-ip-address="" filter-src-ipv6-address="" \ filter-src-mac-address="" filter-src-port="" filter-stream=no \ filter-vlan="" memory-limit=100KiB memory-scroll=yes only-headers=no \ streaming-enabled=no streaming-server=0.0.0.0:37008/tool traffic-generatorset latency-distribution-max=100us measure-out-of-order=no \ stats-samples-to-keep=100 test-id=0/user aaaset accounting=yes default-group=read exclude-groups="" interim-update=0s \ use-radius=no/user settingsset minimum-categories=0 minimum-password-length=0

And here we are again in funny territory. The router itself can ping and resolve everything, but my LAN clients didn't have this luck. What you're seeing in the attached screenshot is more or less self-explanatory. When I ping google.com I get the error in PS, while nothing seemingly happens in the router. However, when I nslookup google.com from PS, I get a response from 192.168.88.1, the dstnat redirect rule counters increase, and the router's internal DNS cache is properly populated (marked in red rectangles).

While I now realize my previous mistakes and I'm (hopefully) learning from them, this time I'm completely lost...
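For readers following the same DoH-with-redirect setup, here is the DNS-related part of such a configuration laid out in one place, together with the checks that tell the two symptoms above apart (a redirect rule that catches the query versus a resolver that actually answers it). This is an added example written for this page, not the poster's export or MikroTik's own defaults; the 192.168.88.1 address and the LAN interface list come from the defconf, while the Cloudflare for Families DoH URL and the 1.1.1.3/1.0.0.3 resolver addresses are assumed here as the family endpoint and the certificate name "cf-families-ca" is a placeholder for whatever name the imported chain got.

```routeros
# Added example (not from the original post): DoH upstream with LAN DNS redirect on RouterOS 7.
# Assumptions: LAN interface list and 192.168.88.1 as in defconf; Cloudflare for Families
# (malware + adult filter) endpoint; CA chain already imported under a name of your choosing.

# 1. The DoH hostname must be resolvable before DoH is up, so pin it with static entries.
/ip dns static
add name=family.cloudflare-dns.com address=1.1.1.3 comment="DoH bootstrap (assumed IP)"
add name=family.cloudflare-dns.com address=1.0.0.3 comment="DoH bootstrap (assumed IP)"

# 2. Router resolver: no plain upstream, DoH only, certificate verified, answers for LAN.
#    allow-remote-requests=yes is what lets 192.168.88.1:53 answer clients at all.
/ip dns
set servers="" use-doh-server=https://family.cloudflare-dns.com/dns-query \
    verify-doh-cert=yes allow-remote-requests=yes

# 3. Redirect any client that tries to bypass the router's resolver. Both transports,
#    because resolvers fall back to TCP for truncated answers.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect \
    to-ports=53 comment="LAN DNS -> router (udp)"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect \
    to-ports=53 comment="LAN DNS -> router (tcp)"

# 4. Checks. Certificate verification depends on correct time, so confirm NTP first.
/system clock print
/system ntp client print
# Does the router itself resolve through DoH? A failure here is a DoH/cert/clock problem,
# not a redirect problem.
:put [:resolve google.com]
# Is the redirect being hit? Counters move only when a client sent DNS to a non-router IP.
/ip firewall nat print stats where comment~"LAN DNS"
# Did the router actually cache an answer for the client's query?
/ip dns cache print where name~"google"
# Temporary DNS logging to see why a client query fails (remove when done).
/system logging add topics=dns action=memory comment="temp DoH debug"
/log print where topics~"dns"
```

Reading the checks against the symptoms in the post: NAT counters moving with a populated cache means the router received and answered a query, so a client that still reports "could not find host" is failing somewhere other than the redirect path; the `:resolve` test and the temporary `dns` logging topic are the two places that expose a DoH-side failure (expired or unverifiable certificate, wrong clock, unreachable endpoint) that the redirect counters alone cannot show.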
