Sunday, 5 January 2020

Mikrotik + Pi Zero + Pi-hole = advertising sinkhole with fail-safe


  • Mikrotik router with a USB port - I tested on the RB2011UiAS-2HnD-IN and hAP ac models
  • A modern RouterOS version - I tested with the long-term release (6.44.6)
  • Raspberry Pi Zero - I use the old one without "W", with a 4GB microSD card running the latest Raspbian 10 Buster (minimal, without GUI!)
  • Short micro-USB data cable - many cheap cables are charge-only and don't carry data

The Pi Zero actually has more than enough power to run Pi-hole serving even a quite large home/family network, and running it completely self-contained off the Mikrotik seems to work great!

Initial setup

  1. Download and burn the latest Raspbian onto the SD card - I used Etcher and 2019-09-26-raspbian-buster-lite.img for this
  2. Connect the SD card to a PC and, in the partition called boot, edit two files to enable the Ethernet gadget:
    1. config.txt - at the very end of the file add a line saying dtoverlay=dwc2
    2. cmdline.txt - add modules-load=dwc2,g_ether directly after 'rootwait' and before any other parameters that may (or may not) be there
  3. Boot up the RPi powered from the PC via the port marked USB on the board - not PWR IN; it's the one in the centre, and only that one does power + gadget
  4. After it boots up, you should be able to run ssh pi@raspberrypi.local (thanks, mDNS!) with the password raspberry
  5. On the RPi, create a file called /etc/modprobe.d/g_ether.conf with the following content (a single line of text):
    options g_ether idVendor=0x05ac idProduct=0x1402 iProduct=Pi0 iManufacturer=Raspberry
    NOTE - this is required for the RPi to show up as an LTE interface on the Mikrotik!
  6. Configure network access on the PC so the RPi can reach the Internet - NAT or similar
  7. Install Pi-hole - instructions are here; follow the steps and you will end up with a Pi with a static IP address configured on it
  8. If you want to change the statically assigned IP address AFTER installing Pi-hole, edit the usb0 interface settings in /etc/dhcpcd.conf
  9. Once Pi-hole is ready, shut down both the RPi and the Mikrotik, connect the RPi to the USB port on the Mikrotik, let it boot up... and then you should see lte1 under both /interface and /interface lte
  10. Add an IP address to lte1 from the same subnet as set on the RPi and enjoy - you should be able to reach the RPi via SSH and/or the web UI; if not, check the firewall
    NOTE - you can't add lte1 to the bridge, so treat it as a routed destination instead of a bridged one (sorry, no mDNS broadcasts for you!)
  11. Now you can edit the DNS settings in your DHCP server - this sits under Networks - enjoy!
Note - the Mikrotik is not plug-and-play; you have to reboot it after connecting the RPi. If you don't see the lte1 interface after the first reboot, reboot the Mikrotik again. You may also try updating the Mikrotik firmware.

Automated fail-safe - when RPi goes down...

Now, with this being your primary DNS server, if Pi-hole or the RPi goes down, you lose DNS for the whole network. Ideally there is some sort of uptime test for the RPi and an automatic fallback to a default DNS server when the RPi is non-responsive.

Luckily Mikrotik lets us use Tools -> Netwatch for this. It uses ICMP ping to check whether the host is up, so nothing too fancy, but a good start!
  1. Enable the DNS server on the Mikrotik (of course blocking access from the WAN on the firewall)
  2. Change the DHCP Server configuration to hand out the Mikrotik as the DNS server and configure the Mikrotik to use the RPi as upstream DNS - you may want to disable 'Use peer DNS' in the DHCP Client on the Mikrotik so the ISP's resolvers don't overwrite it
  3. Implement failover to a known working DNS when the RPi goes down - for example to Cloudflare's or Google's public resolvers... or whatever you want to use :-)
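The three steps above as a RouterOS CLI configuration, added here as an example and not taken from the original post; the addresses (lte1 192.168.53.1, Pi-hole 192.168.53.53, router LAN 192.168.88.1, fallback 1.1.1.1) and the "WAN" interface-list name are assumptions for illustration:

```routeros
# Added example, not from the original post. Assumed addresses, constructed
# for illustration: lte1 on the router is 192.168.53.1, the Pi-hole is
# 192.168.53.53, the router's LAN address is 192.168.88.1 (RouterOS default)
# and 1.1.1.1 is the known-good fallback resolver.

# Step 1: make the router a DNS server that forwards to the Pi-hole.
/ip dns set servers=192.168.53.53 allow-remote-requests=yes

# allow-remote-requests answers port 53 for anyone who can reach the router,
# so drop DNS arriving from the WAN side before any accept rule
# (assumes the default "WAN" interface list; adjust to your WAN interface).
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop place-before=0 comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop place-before=0 comment="no DNS from WAN"

# Step 2: hand out the router, not the Pi, as DNS to DHCP clients, and stop
# the WAN DHCP client from overwriting the static server list.
/ip dhcp-server network set [find] dns-server=192.168.88.1
/ip dhcp-client set [find] use-peer-dns=no

# Step 3: Netwatch pings the Pi every 30 s; a missed reply (1 s timeout)
# flips the upstream to the fallback, the next good reply flips it back.
# The cache flush makes clients see the change at once rather than after
# TTL expiry, and the log lines are what you grep for when diagnosing.
/tool netwatch add host=192.168.53.53 interval=30s timeout=1s comment="Pi-hole failover" up-script="/ip dns set servers=192.168.53.53; /ip dns cache flush; :log info \"Pi-hole reachable, upstream DNS set to Pi-hole\"" down-script="/ip dns set servers=1.1.1.1; /ip dns cache flush; :log warning \"Pi-hole unreachable, upstream DNS set to fallback 1.1.1.1\""
```

Netwatch only proves the Pi answers ICMP, not that Pi-hole is answering queries, so a Pi that pings but has a wedged resolver still counts as "up"; that is the gap a DNS-level check in the up-script would close.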


In fact it would also be possible to write an UP script that triggers in the background once the host comes up (ping OK) and checks that the DNS resolver also works before pointing the Mikrotik at the RPi resolver. I may look into this at some later time.


  1. Hey, everything works, except that Pi can't access the internet - lte1 is set to .53.1, RPi .53.53 with gateway .53.1, masquerade on MikroTik. Any hints?

    1. To recap:
      - Pi and LTE1 interface are in the same network subnet
      - On the Pi (.53.53), the default gateway is set to .53.1
      - The subnet used by Pi is different than your usual LAN
      - You use NAT or MASQUERADE based on the egress interface, not specific IP subnets - if you have it by source subnet, then you need an additional rule

      I have it set up like this and it works great. Have a try, especially make sure your Pi has LTE1 IP as default gateway and that NAT/MASQUERADE is set up correctly.

    2. Right, just figured out that I made a mistake in Pi's IP address in firewall. Works great, thx!