<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[NAT Redirect Question]]></title><description><![CDATA[<p dir="auto">Hi all,</p>
<p dir="auto">I'm currently using some NAT rules to automatically redirect DNS queries to a Pi-hole DNS blocker / filter on my network in order to prevent clients from circumventing the Pi-hole by contacting another DNS server.  This is working fine, but I'm looking to make a minor adjustment:  Is there a way to adjust the NAT redirect rules or make an additional firewall rule to allow only one client on a subnet to talk to other DNS servers, but the rest of the clients on that subnet will still be forced to always go through the Pi-hole (i.e. will be bound by that DNS NAT Redirect rule)?  One way I see to do this is to put that one client on a separate subnet / VLAN, but I was hoping there might be another way as well.   Thanks in advance for your help, I really appreciate it.</p>
]]></description><link>https://forum.netgate.com/topic/144548/nat-redirect-question</link><generator>RSS for Node</generator><lastBuildDate>Wed, 17 Jun 2026 19:22:31 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/topic/144548.rss" rel="self" type="application/rss+xml"/><pubDate>Sat, 29 Jun 2019 18:47:25 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to NAT Redirect Question on Wed, 03 Jul 2019 13:00:47 GMT]]></title><description><![CDATA[<p dir="auto">Thanks <a class="plugin-mentions-user plugin-mentions-a" href="/user/nitrobeast">@<bdi>Nitrobeast</bdi></a> - really appreciate the help!</p>
]]></description><link>https://forum.netgate.com/post/851445</link><guid isPermaLink="true">https://forum.netgate.com/post/851445</guid><dc:creator><![CDATA[tman222]]></dc:creator><pubDate>Wed, 03 Jul 2019 13:00:47 GMT</pubDate></item><item><title><![CDATA[Reply to NAT Redirect Question on Sun, 30 Jun 2019 00:47:30 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/user/tman222">@<bdi>tman222</bdi></a> I went ahead and set up a pilot. Just create a brand new rule above the NAT firewall rule and add your alias to that rule. src = DNSBypassAlias, dest = any.</p>
]]></description><link>https://forum.netgate.com/post/850958</link><guid isPermaLink="true">https://forum.netgate.com/post/850958</guid><dc:creator><![CDATA[Nitrobeast]]></dc:creator><pubDate>Sun, 30 Jun 2019 00:47:30 GMT</pubDate></item><item><title><![CDATA[Reply to NAT Redirect Question on Sun, 30 Jun 2019 00:06:08 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/user/tman222">@<bdi>tman222</bdi></a> Just add the Pi-hole DNS to your bypass DNS alias so the Pi-hole can also bypass the NAT.</p>
]]></description><link>https://forum.netgate.com/post/850949</link><guid isPermaLink="true">https://forum.netgate.com/post/850949</guid><dc:creator><![CDATA[Nitrobeast]]></dc:creator><pubDate>Sun, 30 Jun 2019 00:06:08 GMT</pubDate></item><item><title><![CDATA[Reply to NAT Redirect Question on Sat, 29 Jun 2019 19:26:38 GMT]]></title><description><![CDATA[<p dir="auto">Thanks <a class="plugin-mentions-user plugin-mentions-a" href="/user/nitrobeast">@<bdi>Nitrobeast</bdi></a> - this helps.  Just to clarify:</p>
<p dir="auto">Right now for the redirect rules I have source set to "Any" and for destination IP I'm using the Pi-hole IP with "invert match" checked.  Redirect target IP is set to be the IP of the Pi-hole.    The way I understand this in plain English it would be, "For any host on subnet if destination DNS request is not going to Pi-hole, redirect it to Pi-hole".</p>
<p dir="auto">Now, if I modify the rule to include a source alias as well like you described above, would the behavior essentially be this?</p>
<p dir="auto">"If source is not ByPassDNS host <strong>and</strong> destination for DNS request is not Pi-hole, redirect DNS request to Pi-hole."</p>
<p dir="auto">Does that sound right?  Thanks again for all your help.</p>
]]></description><link>https://forum.netgate.com/post/850934</link><guid isPermaLink="true">https://forum.netgate.com/post/850934</guid><dc:creator><![CDATA[tman222]]></dc:creator><pubDate>Sat, 29 Jun 2019 19:26:38 GMT</pubDate></item><item><title><![CDATA[Reply to NAT Redirect Question on Sat, 29 Jun 2019 19:05:45 GMT]]></title><description><![CDATA[<p dir="auto">The short answer is yes ... you can create an alias for your one device and in the NAT rule add the alias: "if not alias then use NAT rule". See screenshot!</p>
<p dir="auto"><img src="/assets/uploads/files/1561835138847-screenshot.1.jpg" alt="screenshot.1.jpg" class=" img-fluid img-markdown" /></p>
]]></description><link>https://forum.netgate.com/post/850928</link><guid isPermaLink="true">https://forum.netgate.com/post/850928</guid><dc:creator><![CDATA[Nitrobeast]]></dc:creator><pubDate>Sat, 29 Jun 2019 19:05:45 GMT</pubDate></item></channel></rss>