Update incident: Fixed NAT redirect to correct AdGuard IP/port

docs/incidents/2026-01-25-dns-outbound-blocked-after-mikrotik-restart.md

@@ -125,3 +125,38 @@ Devices need to renew DHCP lease to get new DNS:
 - Wait for lease expiry (default 10 min)
 - Reconnect to WiFi
 - Reboot device
+
+---
+
+## Additional Issue: NAT Redirect Wrong IP/Port (13:35)
+
+### Symptom
+- TV showing DNS 192.168.31.1 but no internet
+- DNS queries to MikroTik timing out
+
+### Root Cause
+NAT rules were redirecting DNS to wrong destination:
+
+**Before (WRONG):**
+```
+to-addresses=172.17.0.5 to-ports=5355
+```
+
+But AdGuard:
+- Is on macvlan IP: 192.168.31.4 (NOT 172.17.0.5)
+- Listens on port: 53 (NOT 5355)
+
+### Fix
+```bash
+/ip firewall nat set [find comment="Force DNS to AdGuard Home"] to-addresses=192.168.31.4 to-ports=53
+/ip firewall nat set [find comment="Force DNS to AdGuard Home TCP"] to-addresses=192.168.31.4 to-ports=53
+```
+
+**After (CORRECT):**
+```
+to-addresses=192.168.31.4 to-ports=53
+```
+
+### Verification
+- AdGuard container querying 192.168.31.1 → SUCCESS
+- MikroTik resolve command → SUCCESS