Unifi USG DNAT rule for Pi-Hole (or other DNS redirection)

I recently set up Pi-Hole on my IoT network following the instructions on Scott Helme’s blog. Unfortunately, the JSON config he suggested didn’t quite work on my network. Full disclosure: the solution here is pulled mostly from the comments on his post, so this is more a record of what I found than something I figured out on my own.

The only things that should need to change for this to work in another setup are the interface and the IP address. The IP address is that of whatever host is running your Pi-Hole (or other DNS server); 192.168.12.2 here. On a USG the base interface will be “eth1”; I have a USG PRO, so it is “eth0”. Append whatever VLAN is configured for your IoT network (“.12” here). If that network is untagged, leave the “.#” off.


{
	"service": {
		"nat": {
			"rule": {
				"3": {
					"description": "DNS Redirect IoT",
					"destination": {
						"port": "53"
					},
					"inbound-interface": "eth0.12",
					"inside-address": {
						"address": "192.168.12.2"
					},
					"log": "disable",
					"protocol": "tcp_udp",
					"source": {
						"address": "!192.168.12.2"
					},
					"type": "destination"
				},
				"5500": {
					"description": "Translate IoT DNS to Internal",
					"destination": {
						"address": "192.168.12.2",
						"port": "53"
					},
					"log": "disable",
					"outbound-interface": "eth0.12",
					"protocol": "tcp_udp",
					"type": "masquerade"
				}
			}
		}
	}
}

If you’re unsure what the interface should be, the easiest way to get it 100% right is to SSH into the USG and run “show interfaces”.
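As an added example (not from the original post, and not Ubiquiti or Pi-Hole code), here is a small Python helper that builds the same config.gateway.json fragment for a given base interface, VLAN and DNS server IP, and then checks the invariants the two rules depend on: the DNAT rule must exclude the DNS server itself as a source (otherwise the Pi-Hole's own upstream lookups on port 53 would be redirected back to it), the masquerade rule must point at the same address and the same interface, and both rules must cover tcp_udp on port 53. The masquerade rule is needed because the Pi-Hole sits on the same VLAN as the clients: without it the Pi-Hole would answer the client directly from its own address, and the client would discard a reply from a server it never queried. The function names and the rule-number sanity check are my own; the check assumes the EdgeOS convention of destination NAT rules in 1-4999 and source NAT rules in 5000-9999, which the post's numbers (3 and 5500) follow.

```python
import json
from typing import Optional, List, Dict, Any


def iot_interface(base: str, vlan: Optional[int]) -> str:
    """Name of the IoT interface: 'eth0.12' for a tagged VLAN, bare 'eth0' if untagged."""
    return f"{base}.{vlan}" if vlan is not None else base


def build_dns_redirect(base_iface: str, vlan: Optional[int], dns_ip: str,
                       dnat_rule: int = 3, masq_rule: int = 5500) -> Dict[str, Any]:
    """Build the config.gateway.json NAT fragment from the post for the given network.

    Hypothetical helper: the shape mirrors the post's JSON, only interface and
    address are parameterised.
    """
    iface = iot_interface(base_iface, vlan)
    return {
        "service": {
            "nat": {
                "rule": {
                    str(dnat_rule): {
                        "description": "DNS Redirect IoT",
                        "destination": {"port": "53"},
                        "inbound-interface": iface,
                        "inside-address": {"address": dns_ip},
                        "log": "disable",
                        "protocol": "tcp_udp",
                        # '!' negates the match: the DNS server's own queries are left alone
                        "source": {"address": f"!{dns_ip}"},
                        "type": "destination",
                    },
                    str(masq_rule): {
                        "description": "Translate IoT DNS to Internal",
                        "destination": {"address": dns_ip, "port": "53"},
                        "log": "disable",
                        "outbound-interface": iface,
                        "protocol": "tcp_udp",
                        "type": "masquerade",
                    },
                }
            }
        }
    }


def check_dns_redirect(config: Dict[str, Any]) -> List[str]:
    """Return a list of problems with a DNS-redirect fragment; empty means it is consistent."""
    problems: List[str] = []
    rules = config.get("service", {}).get("nat", {}).get("rule", {})
    dnat = {n: r for n, r in rules.items() if r.get("type") == "destination"}
    masq = {n: r for n, r in rules.items() if r.get("type") == "masquerade"}
    if len(dnat) != 1 or len(masq) != 1:
        return ["expected exactly one destination rule and one masquerade rule"]

    (dn, d), (mn, m) = next(iter(dnat.items())), next(iter(masq.items()))
    target = d.get("inside-address", {}).get("address")

    # EdgeOS rule-number ranges (assumption stated in the lead-in)
    if not 1 <= int(dn) <= 4999:
        problems.append(f"destination NAT rule {dn} is outside 1-4999")
    if not 5000 <= int(mn) <= 9999:
        problems.append(f"masquerade rule {mn} is outside 5000-9999")

    # Without this negation the DNS server's own upstream queries loop back to itself
    if d.get("source", {}).get("address") != f"!{target}":
        problems.append("DNAT source must be the negated inside-address")
    if m.get("destination", {}).get("address") != target:
        problems.append("masquerade destination must equal the DNAT inside-address")
    if d.get("inbound-interface") != m.get("outbound-interface"):
        problems.append("DNAT inbound-interface and masquerade outbound-interface differ")
    for name, r in (("DNAT", d), ("masquerade", m)):
        if r.get("destination", {}).get("port") != "53":
            problems.append(f"{name} rule does not match port 53")
        if r.get("protocol") != "tcp_udp":
            problems.append(f"{name} rule should cover tcp_udp")
    return problems


if __name__ == "__main__":
    cfg = build_dns_redirect("eth0", 12, "192.168.12.2")
    print(json.dumps(cfg, indent=2))
    print("problems:", check_dns_redirect(cfg) or "none")
```

Run it as-is to reproduce the post's JSON; change the arguments to `build_dns_redirect` for an untagged network (`vlan=None`) or a plain USG (`"eth1"`). The checker is also useful on a hand-edited file: load it with `json.load` and pass the result in, and a mistyped address in only one of the two rules shows up immediately rather than as DNS timeouts on the IoT VLAN.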
