  • Hi all,

    I'm currently using some NAT rules to automatically redirect DNS queries to a Pi-hole DNS blocker / filter on my network in order to prevent clients from circumventing the Pi-hole by contacting another DNS server. This is working fine, but I'm looking to make a minor adjustment: Is there a way to adjust the NAT redirect rules or make an additional firewall rule to allow only one client on a subnet to talk to other DNS servers, but the rest of the clients on that subnet will still be forced to always go through the Pi-hole (i.e. will be bound by that DNS NAT Redirect rule)? One way I see to do this is to put that one client on a separate subnet / VLAN, but I was hoping there might be another way as well. Thanks in advance for your help, I really appreciate it.

  • The short answer is yes ... you can create an alias for your one device and, in the NAT rule, add the alias ("if not alias, then use NAT rule"); see screenshot!!


  • Thanks @Nitrobeast - this helps. Just to clarify:

    Right now, for the redirect rules I have source set to "Any", and for destination IP I'm using the Pi-hole IP with "invert match" checked. Redirect target IP is set to the IP of the Pi-hole. The way I understand this, in plain English it would be: "For any host on the subnet, if the destination of a DNS request is not the Pi-hole, redirect it to the Pi-hole."

    Now, if I modify the rule to include a source alias as well like you described above, would the behavior essentially be this?

    "If the source is not the ByPassDNS host and the destination of the DNS request is not the Pi-hole, redirect the DNS request to the Pi-hole."

    Does that sound right? Thanks again for all your help.

  • @tman222 Just add the Pi-hole DNS to your bypass DNS alias so the Pi-hole can also bypass the NAT.

  • @tman222 I went ahead and set up a pilot. Just create a brand new rule above the NAT firewall rule and add your alias to that rule: src = DNSBypassAlias, dest = any.
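The configuration worked out in this thread, written as raw pf.conf rules rather than GUI screens. This is an added example, not any poster's own config: the interface name, the Pi-hole address 192.168.1.2 and the bypass host 192.168.1.50 are constructed placeholders.

```pf
# Added example, not from the thread: pf.conf equivalent of the DNS NAT
# redirect discussed above. Interface, addresses and alias names are
# constructed placeholders.
lan_if = "lan0"
pihole = "192.168.1.2"              # the Pi-hole (constructed address)

# Bypass alias: the one client allowed to reach other resolvers, plus the
# Pi-hole itself, otherwise its own upstream queries would be redirected
# straight back to it.
table <DNSBypassAlias> { 192.168.1.50, 192.168.1.2 }

# The "rule above the NAT rule": src = DNSBypassAlias, dest = any.
# It is evaluated first, so alias members are never rewritten.
no rdr on $lan_if inet proto { tcp, udp } from <DNSBypassAlias> to any port 53

# Everyone else on the subnet whose DNS destination is not the Pi-hole
# (the "invert match" on destination) is redirected to the Pi-hole.
rdr on $lan_if inet proto { tcp, udp } from any to ! $pihole port 53 -> $pihole port 53

# Single-rule alternative from earlier in the thread: negate the source in
# the redirect itself instead of using a separate "no rdr" rule.
#   rdr on $lan_if inet proto { tcp, udp } from ! <DNSBypassAlias> to ! $pihole port 53 -> $pihole port 53

# Filter rules: let the bypass host's direct queries and the redirected
# (now Pi-hole-bound) queries through.
pass in quick on $lan_if inet proto { tcp, udp } from <DNSBypassAlias> to any port 53
pass in quick on $lan_if inet proto { tcp, udp } from $lan_if:network to $pihole port 53
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, which is the quickest way to catch a syntax slip before applying.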

  • Thanks @Nitrobeast - really appreciate the help!

