Segment53 on MikroTik with DNAT
Segment53 allows you to create multiple segments with different endpoints for Do53. This enables a single IP to be linked to different network segments, each with specific control and security policies.
On a MikroTik network, this feature can be applied with VLANs and with DNAT. In this article, we will discuss its use with DNAT.
When we use DNAT to direct a specific Address List to different DNS servers, we are applying specific address redirection rules to manipulate DNS traffic (port 53) based on the source IP group (Address List).
Please note: This article is not recommended if you have a domain server (AD) on your network. If you have any questions, please contact support.
Let's see how it works in practice:
Creating sites in Lumiun DNS
At this initial stage, we will create two sites in Lumiun DNS. Queries from the first site will be resolved by MikroTik, while queries from the second site will be resolved by other DNS servers through DNAT. Both sites will be linked to the same public IP, but each will use a different segment. See the image below:
For Employees, we will follow the standard MikroTik installation guide.
For Managers, we will configure DNAT.
Warning: Because of limitations in information collection, configurations made via DNAT do not show internal IP addresses in reports.
Configuration via DNAT
Creating the Address List. In this example, the list should contain the IP addresses of the management team's devices.
- Go to the IP → Firewall menu. Click on the Address Lists tab and then on the Add New button.
- Fill in the Name field with managers_ips.
- Fill in the Address field with the IP address of one of the devices on the local network. Tip: You can also specify an address range, such as 192.168.88.10-192.168.88.20, or a subnet, for example, 10.10.10.0/24.
- Save by clicking the OK button.
- Repeat this procedure to add the IP addresses of all devices that are part of the management team.
Creating the redirect.
- Go to the IP → Firewall → NAT menu and click the Add New button.
- In the Chain field, select dstnat.
- In the Protocol field, select udp.
- Fill in the Dst. Port field with 53.
- In the Src. Address List field, select managers_ips.
- In the Action field, select dst-nat.
- Fill in the To Addresses field with the primary DNS server for the managers site. To view it, click on Settings in the Managers site.
- Save by clicking the OK button.
- Repeat this procedure, changing only the Protocol field to tcp.
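The same Address List and DNAT rules entered from the RouterOS terminal instead of WinBox/WebFig, as an added example that is not part of the original article. The resolver address 192.0.2.53, the sample device addresses and the rule comments are placeholders to be replaced with your own values:

```routeros
# Added example (not from the Lumiun article): terminal equivalent of the GUI steps.
# Placeholder: replace with the primary DNS server shown under Settings of the
# Managers site in Lumiun DNS.
:local managersDns "192.0.2.53"

# 1. Address List with the management team's devices. Entries may be a single IP,
#    a range or a subnet (sample addresses, constructed for this example).
/ip firewall address-list
add list=managers_ips address=192.168.88.10 comment="manager workstation"
add list=managers_ips address=192.168.88.10-192.168.88.20 comment="manager range"
add list=managers_ips address=10.10.10.0/24 comment="manager subnet"

# 2. DNAT: plain DNS (Do53) on UDP and TCP from those sources is redirected to the
#    Managers site resolver. Only port-53 traffic that passes through the router is
#    matched, so place-before=0 keeps these rules ahead of any other dstnat rule
#    that could also match port 53.
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 src-address-list=managers_ips action=dst-nat to-addresses=$managersDns comment="Segment53 managers DNS udp" place-before=0
add chain=dstnat protocol=tcp dst-port=53 src-address-list=managers_ips action=dst-nat to-addresses=$managersDns comment="Segment53 managers DNS tcp" place-before=0

# 3. Checks: confirm the entries exist and that the rule counters increase once a
#    device from the list resolves a name.
/ip firewall address-list print where list=managers_ips
/ip firewall nat print stats where comment~"Segment53"
```

If the packet and byte counters of the two rules stay at zero while a listed device is resolving names, the device is not sending its port-53 queries through this router or another dstnat rule is matching first.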
That's it! Now, the IPs entered in the managers_ips Address List will follow the rules of the policy defined for the Managers site in Lumiun DNS.
You can use this same process to create other sites and use Segment53 to define other IP groups.