Unifi USG DNAT rule for Pi-Hole (or other DNS redirection)

I recently set up Pi-Hole on my IoT network following the instructions on Scott Helme’s blog. Unfortunately the JSON config that he suggested didn’t quite work on my network. Full disclosure: the solution here is pulled mostly from the comments on his post, so this is more documenting the thing that I found than the thing I figured out on my own.

The only things that should need to be changed for this to work in another configuration are the interface and the IP address. The IP address needs to be whatever system is hosting your Pi-Hole (or other DNS server); 192.168.12.2 here. On a USG the base interface will be “eth1”; I have a USG PRO, so it is “eth0”. Append whatever VLAN tag (“.12” here) is configured for your IoT network. If it’s untagged, then leave the “.#” off.


{
	"service": {
		"nat": {
			"rule": {
				"3": {
					"description": "DNS Redirect IoT",
					"destination": {
						"port": "53"
					},
					"inbound-interface": "eth0.12",
					"inside-address": {
						"address": "192.168.12.2"
					},
					"log": "disable",
					"protocol": "tcp_udp",
					"source": {
						"address": "!192.168.12.2"
					},
					"type": "destination"
				},
				"5500": {
					"description": "Translate IoT DNS to Internal",
					"destination": {
						"address": "192.168.12.2",
						"port": "53"
					},
					"log": "disable",
					"outbound-interface": "eth0.12",
					"protocol": "tcp_udp",
					"type": "masquerade"
				}
			}
		}
	}
}

If you’re unsure about what the interface should be, the easiest way to get it 100% right is by SSHing into the USG and running “show interfaces”.
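As an added example (not code from the original post or from Scott Helme’s), here is a small Python script that builds the two rules above from the three things the post says vary (base interface, VLAN tag, and the Pi-Hole address) and then checks the result for the mistakes that make this setup misbehave: a DNAT rule that does not exclude the resolver’s own address as a source (which would redirect the Pi-Hole’s upstream queries back to itself), a missing masquerade rule for the same-subnet return path (without it the Pi-Hole answers the client directly and the client discards a reply from an address it never queried), or UDP-only/TCP-only coverage. The function names, the rule-number check (EdgeOS keeps destination NAT rules in 1-4999 and source/masquerade rules in 5000-9999) and the sample addresses are my assumptions, not something the post states.

```python
import json
from ipaddress import ip_address

DNS_PORT = "53"


def build_dns_redirect_rules(dns_ip, base_iface="eth1", vlan=None,
                             dnat_rule="3", masq_rule="5500"):
    """Build the service/nat/rule fragment for redirecting port 53 to dns_ip.

    base_iface: "eth1" on a plain USG, "eth0" on a USG PRO (per the post).
    vlan: VLAN tag of the IoT network, or None if the network is untagged.
    """
    ip_address(dns_ip)  # raises ValueError on a malformed address
    iface = f"{base_iface}.{vlan}" if vlan is not None else base_iface
    rules = {
        dnat_rule: {
            "description": "DNS Redirect IoT",
            "destination": {"port": DNS_PORT},
            "inbound-interface": iface,
            "inside-address": {"address": dns_ip},
            "log": "disable",
            "protocol": "tcp_udp",
            # The resolver itself must be excluded, or its own upstream
            # queries on port 53 get redirected back to it.
            "source": {"address": f"!{dns_ip}"},
            "type": "destination",
        },
        masq_rule: {
            "description": "Translate IoT DNS to Internal",
            "destination": {"address": dns_ip, "port": DNS_PORT},
            "log": "disable",
            "outbound-interface": iface,
            "protocol": "tcp_udp",
            "type": "masquerade",
        },
    }
    return {"service": {"nat": {"rule": rules}}}


def check_dns_redirect(config):
    """Return a list of problems found in a DNS-redirect NAT config (empty if OK)."""
    problems = []
    rules = config.get("service", {}).get("nat", {}).get("rule", {})
    dnat = {n: r for n, r in rules.items()
            if r.get("type") == "destination"
            and r.get("destination", {}).get("port") == DNS_PORT}
    masq = {n: r for n, r in rules.items()
            if r.get("type") == "masquerade"
            and r.get("destination", {}).get("port") == DNS_PORT}
    if not dnat:
        problems.append("no destination NAT rule for port 53")
    for num, r in dnat.items():
        target = r.get("inside-address", {}).get("address")
        desc = r.get("description", num)
        if not num.isdigit() or not 1 <= int(num) <= 4999:
            problems.append(f"rule {num} ({desc}): destination NAT rules are numbered 1-4999")
        if r.get("protocol") != "tcp_udp":
            problems.append(f"rule {num} ({desc}): protocol should be tcp_udp so TCP lookups are covered too")
        if r.get("source", {}).get("address") != f"!{target}":
            problems.append(f"rule {num} ({desc}): source must exclude {target} "
                            "or the resolver's own upstream queries loop back to it")
        paired = any(m.get("destination", {}).get("address") == target
                     and m.get("outbound-interface") == r.get("inbound-interface")
                     for m in masq.values())
        if not paired:
            problems.append(f"rule {num} ({desc}): no masquerade rule for {target} on "
                            f"{r.get('inbound-interface')}; same-subnet clients will drop the replies")
    for num in masq:
        if not num.isdigit() or not 5000 <= int(num) <= 9999:
            problems.append(f"rule {num}: masquerade rules are numbered 5000-9999")
    return problems


def render(config):
    """Pretty-print the fragment the way it would go into the gateway JSON."""
    return json.dumps(config, indent=4)


if __name__ == "__main__":
    # Constructed values matching the post: USG PRO, VLAN 12, Pi-Hole at 192.168.12.2.
    cfg = build_dns_redirect_rules("192.168.12.2", base_iface="eth0", vlan=12)
    print(render(cfg))
    print("problems:", check_dns_redirect(cfg) or "none")
```

Run it once with your own interface and address, paste the printed fragment into the gateway JSON, and run `check_dns_redirect` on the merged file if you already have other NAT rules in it, since a hand-edited rule that drops the `!` on the source address is the easiest way to get a resolver that quietly times out.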

Comment from Techbutton:

this also works really well for all devices on the network.