Components
- Mikrotik router with USB port - I tested on RB2011UiAS-2HnD-IN and hAP ac models
- RouterOS in modern version - I tested with long term (6.44.6)
- Raspberry Pi Zero - I use the old one without "W", with a 4GB microSD card running the latest Raspbian 10 Buster (minimal, without GUI!)
- Short micro-USB data cable - because many cheap cables don't do data
A Pi Zero actually has more than enough power to run Pi-hole serving even a quite large home/family network, and running it completely self-contained off the Mikrotik seems to work great!
Initial setup
- Download and burn the latest Raspbian onto the SD card - I used Etcher and 2019-09-26-raspbian-buster-lite.img for this
- Connect the SD card to a PC and, in the partition called boot, edit two files to enable the Ethernet gadget:
- config.txt - at the very end of the file add a line saying dtoverlay=dwc2
- cmdline.txt - add modules-load=dwc2,g_ether directly after rootwait and before any other parameters that may (or may not) be there; the whole file must stay on a single line
- While you are in the boot partition, also create an empty file named ssh (no extension) so SSH is enabled on first boot
- Boot up the RPi powered from the PC using the port marked USB on the board (the one in the centre), not PWR IN - only that one does power + gadget
- After it boots up, you should be able to run ssh pi@raspberrypi.local (thanks mDNS!) with password raspberry
- On the RPi create file called /etc/modprobe.d/g_ether.conf with the following content (single line of text)
options g_ether idVendor=0x05ac idProduct=0x1402 iProduct=Pi0 iManufacturer=Raspberry
NOTE - This is required for the RPi to show up as an LTE interface on the Mikrotik!
- Configure network access on the PC to allow the RPi to reach the Internet - NAT or something
- Install Pi-hole - instructions are here; follow the steps and you will end up with a Pi with a static IP address configured on it
- If you want to change the statically assigned IP address AFTER installing Pi-hole, you can edit the usb0 interface settings in /etc/dhcpcd.conf
- Once Pi-hole is ready, shut down both the RPi and the Mikrotik, connect the RPi to the USB port on the Mikrotik, let it boot up... and then you should see lte1 under both /interface and /interface lte
- Add an IP address to lte1 from the same subnet as set on the RPi and enjoy - you should be able to reach the RPi via SSH and/or web - if not, check the firewall
NOTE - you can't add lte1 to the bridge, so just treat it as a routed destination instead of a bridged one (sorry, no mDNS broadcasts for you!)
- Now you can edit the DNS settings in your DHCP server - this sits under Networks - enjoy!
Note - the Mikrotik is not PnP - you have to reboot it after connecting the RPi. If after the 1st reboot you don't see the lte1 interface, reboot the Mikrotik again. You may also try updating the Mikrotik firmware.
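The Mikrotik side of the lte1 steps above as RouterOS v6 CLI. This is an added example, not the post's own configuration; it assumes the addressing the comments below converge on (lte1 192.168.53.1/24, Pi-hole at 192.168.53.53, LAN 192.168.88.0/24 on an interface called bridge, WAN on ether1-WAN) and keeps the lte1 subnet distinct from both LAN and WAN.

```routeros
# Added example, not the post's own config. Assumed names/addresses: lte1 on
# 192.168.53.1/24 with the Pi-hole at 192.168.53.53, LAN bridge "bridge" on
# 192.168.88.0/24, WAN on ether1-WAN.

# lte1 only exists after a reboot with the Pi attached; confirm before configuring
/interface lte print

# lte1 cannot join the bridge, so it gets its own routed subnet. The Pi's default
# gateway must be this address, otherwise its replies never leave the Pi.
/ip address add address=192.168.53.1/24 interface=lte1 comment="Pi-hole link"

# The default masquerade matches on the WAN egress interface, so it already NATs
# traffic arriving from lte1. Check it exists; add it only if print shows none.
/ip firewall nat print where action=masquerade
/ip firewall nat add chain=srcnat out-interface=ether1-WAN action=masquerade comment="defconf: masquerade"

# Forward chain: replies to the Pi's own outbound connections, then LAN to the
# Pi-hole on DNS (53), web (80) and ssh (22); anything else towards lte1 is dropped
/ip firewall filter add chain=forward out-interface=lte1 connection-state=established,related action=accept comment="replies to Pi-hole"
/ip firewall filter add chain=forward in-interface=bridge out-interface=lte1 protocol=udp dst-port=53 action=accept comment="LAN DNS to Pi-hole"
/ip firewall filter add chain=forward in-interface=bridge out-interface=lte1 protocol=tcp dst-port=22,53,80 action=accept comment="LAN ssh/DNS/web to Pi-hole"
/ip firewall filter add chain=forward out-interface=lte1 action=drop comment="nothing else reaches Pi-hole"

# Hand out the Pi-hole as DNS server to DHCP clients (the DHCP "Networks" step)
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=192.168.53.53
```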
Automated fail-safe - when RPi goes down...
Now, with this being your primary DNS server, if Pi-hole or the RPi goes down you lose your DNS, so ideally there's some sort of uptime testing for the RPi and an automatic fall-back to a default DNS server when the RPi is non-responsive.
Luckily the Mikrotik lets us use Tools -> Netwatch to do it. It uses ICMP ping to check if the host is up, so nothing too fancy, but a good start!
- Enable the DNS server on the Mikrotik (of course blocking access from WAN on the firewall)
- Change the DHCP Server configuration to use the Mikrotik as DNS server and configure the Mikrotik to use the RPi as upstream DNS - you may want to disable 'Use peer DNS' in the DHCP Client on the Mikrotik
- Implement failover to a known working DNS when the RPi goes down - for example 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google)... or whatever you want to use :-)
UPDATE:
In fact it would also be possible to write an UP script that triggers in the background once the host comes up (ping ok) and checks whether the DNS resolver also works before pointing the Mikrotik to the RPi resolver. I may look into this at some later time.
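The fail-safe described above, including the UPDATE's idea of checking that the resolver actually answers before switching back, as RouterOS v6 CLI. This is an added example, not the post's own script; it assumes the Pi-hole at 192.168.53.53, LAN 192.168.88.0/24 with the router at 192.168.88.1, WAN on ether1-WAN, Cloudflare 1.1.1.1 as fallback, and that :resolve accepts server= on the 6.44 long-term branch.

```routeros
# Added example, not the post's own script. Assumed: Pi-hole 192.168.53.53 on lte1,
# LAN 192.168.88.0/24 with the router at .88.1, WAN on ether1-WAN, fallback 1.1.1.1.

# Router answers DNS for the LAN and forwards to the Pi-hole; DHCP hands out the router
/ip dns set allow-remote-requests=yes servers=192.168.53.53
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=192.168.88.1
/ip dhcp-client set [find interface=ether1-WAN] use-peer-dns=no

# allow-remote-requests also answers WAN unless the input chain stops it (open resolver)
/ip firewall filter add chain=input in-interface=ether1-WAN protocol=udp dst-port=53 action=drop comment="no DNS from WAN" place-before=0
/ip firewall filter add chain=input in-interface=ether1-WAN protocol=tcp dst-port=53 action=drop comment="no DNS from WAN" place-before=0

# Down: switch to the fallback and flush answers cached from the Pi-hole
/system script add name=pihole-down source=":log warning \"Pi-hole down, DNS now 1.1.1.1\"; /ip dns set servers=1.1.1.1; /ip dns cache flush"

# Up: ping only proves the Pi booted, not that pihole-FTL answers, so ask the Pi-hole
# for its own name (pi.hole) and retry for up to two minutes before switching back.
# Netwatch fires up-script once per transition, hence the loop rather than one check.
# \$ keeps the script's variables out of the terminal's string expansion at add time.
/system script add name=pihole-up source=":local ok false; :for i from=1 to=12 do={ :if (!\$ok) do={ :do { :local ip [:resolve pi.hole server=192.168.53.53]; :set ok true } on-error={ :delay 10s } } }; :if (\$ok) do={ /ip dns set servers=192.168.53.53; /ip dns cache flush; :log info \"Pi-hole resolving, DNS back to 192.168.53.53\" } else={ :log warning \"Pi-hole pings but does not resolve, keeping 1.1.1.1\" }"

# Netwatch pings every 30s; a missed reply runs pihole-down, recovery runs pihole-up
/tool netwatch add host=192.168.53.53 interval=30s up-script="/system script run pihole-up" down-script="/system script run pihole-down"
```

Watch the log for the warning lines: a Pi that pings but never resolves is the failure mode the plain Netwatch check misses.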
Hey, everything works, except that the Pi can't access the internet - lte1 is set to .53.1, the RPi to .53.53 with gateway .53.1, masquerade on the MikroTik. Any hints?
To recap:
- Pi and LTE1 interface are in the same network subnet
- On the Pi (.53.53), the default gateway is set to .53.1
- The subnet used by Pi is different than your usual LAN
- You use NAT or MASQUERADE based on the egress interface, not specific IP subnets - if you have it by source subnet, then you need an additional rule
I have it set up like this and it works great. Have a try, especially make sure your Pi has LTE1 IP as default gateway and that NAT/MASQUERADE is set up correctly.
Right, just figured out that I made a mistake in Pi's IP address in firewall. Works great, thx!
Hi, I am stuck at this point:
6. Configure network access on the PC to allow RPi to reach the Internet - NAT or something
And in step 4. After all boots up, you should be able to run ssh pi@raspberrypi.local (thanks mDNS!) with password raspberry
I had to make an SSH file on the SD card (boot) to enable SSH, just a hint (named ssh, without extension).
Can I do that step when I insert the RPi into the Mikrotik, and how do I change the LTE address in the Mikrotik? Thanks
I did the Pi-hole install. My Mikrotik range is 192.168.88.0, and I put my Pi-hole address to 192.168.88.150, gateway 192.168.88.1 (like the Mikrotik)
And now, how can I add an address to my LTE1 interface?
To add IP address to an interface, go to IP/Addresses and hit "+".
I put address 192.168.88.150/24 on the LTE1 device. Then I lose internet.
What should I do after that? After that I can't seem to get it all right.
Thank you
Ah. Maybe try setting another subnet, different from LAN. I have set 192.168.53.1/24 for LTE1 (Pi has 192.168.53.53) and home/guest/mgmt are on 192.168.5.0/20.0/0.0 subnets.
I think that's the issue.
You need effectively 3 subnets - one for WAN link, different one for LAN and yet another (different from the other two) for LTE1 and raspberry pi.
If your WAN and LTE1 networks are identical, the system won't know which interface to use to reach the internet. At best it will work intermittently, at worst (and most likely) not at all.
Thx. Got it working. I can now access my LTE (Pi-hole) over the network and get to Pi-hole. My Pi-hole address is 192.168.8.2; when I set that as my DNS in the Mikrotik I get no internet.
In Mikrotik NAT I "masquerade LTE1 device". What else should I do so my DNS gets me out to the internet?
I did it. My gateway on the RPi has to be the same as the LTE device in the Mikrotik (a range outside the Mikrotik address). So my RPi (Pi-hole) is 8.2, gateway is 8.1, and the LTE Mikrotik device is 8.1. LAN range is 88.0, DNS now is 8.2.
This is brilliant, thank you.
Just using it for the second time after my first Pi-hole SD card was corrupted by an unexpected power outage.
One thing to add, when editing files in step 2 - I needed to add a blank file called "SSH" (no file extension) to the boot partition to get SSH to be automatically enabled.
True, very true... I guess I didn't mention that because I assumed we already have that in place...
Hi, good day! I have done the steps above. But every time I implement "options g_ether idVendor=0x05ac idProduct=0x1402 iProduct=Pi0 iManufacturer=Raspberry", I cannot ssh to the Pi Zero after a reboot/disconnect of the session.
Do you have SSH starting at boot? If you can ping the Raspberry Pi, then you need to turn on ssh.
Is that a Pi Zero or a Pi Zero W with wifi?
Same for me - it appears in Windows as a COM port, not a network thingy
So one must install Pi-hole first, and then make the RPi be an LTE
Hi, thanks for this tutorial. I followed and was able to perform all the steps but my routerboard RB951G-2HnD doesn't recognize the pi zero. Any clues what can help?
If you configured the Pi Zero correctly (as an ethernet gadget - g_ether above) then it should come up as an LTE interface and speak IP. Works ok on the 'long term' RouterOS channel.
I think I did, I am able to connect to it via the PC. Created NAT through the PC, installed Pi-hole. Can it be something related to the model of router or the Raspbian version? Also, are you connecting additional power to the Raspberry or just a single cable from the router to the USB port?
Do you have the LTE package installed on the router? Check in System > Packages; you might have to download it from the "all packages" RouterOS bundle for your OS version.
If that doesn't help, try System > Ports > Firmware and uncheck "Ignore-DirectIP-Modem".
Hi, I use the same device, LTE came up but I cannot get access. SSH file added but I can't see the Putty Denger.
First question - can you ping the IP address of the RPi from your computer? Start with the basics, then go to ssh if ping works. If ping doesn't work then you need to find out why.
Thanks for this guide. I am having an issue: once I connect to the Pi, the device does not resolve anything. I can ssh into the Pi from my LAN and the Pi is able to access the internet. What does your masquerade rule look like?
I don't have a specific rule for this... I use the default
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1-WAN
Besides that it is important to tell the RPi that its default gateway and route is via the IP address of the Mikrotik, the one assigned to the lte1 interface. This should sort it out...