Update incident: Fixed NAT redirect to correct AdGuard IP/port

2026-01-25 13:35:03 +02:00
parent b0f78c5022
commit a3a9b58377
1 changed files with 35 additions and 0 deletions
--- a/docs/incidents/2026-01-25-dns-outbound-blocked-after-mikrotik-restart.md
+++ b/docs/incidents/2026-01-25-dns-outbound-blocked-after-mikrotik-restart.md
@@ -125,3 +125,38 @@ Devices need to renew DHCP lease to get new DNS:
 - Wait for lease expiry (default 10 min)
 - Reconnect to WiFi
 - Reboot device
+
+---
+
+## Additional Issue: NAT Redirect Wrong IP/Port (13:35)
+
+### Symptom
+- TV showing DNS 192.168.31.1 but no internet
+- DNS queries to MikroTik timing out
+
+### Root Cause
+NAT rules were redirecting DNS to wrong destination:
+
+**Before (WRONG):**
+```
+to-addresses=172.17.0.5 to-ports=5355
+```
+
+But AdGuard:
+- Is on macvlan IP: 192.168.31.4 (NOT 172.17.0.5)
+- Listens on port: 53 (NOT 5355)
+
+### Fix
+```bash
+/ip firewall nat set [find comment="Force DNS to AdGuard Home"] to-addresses=192.168.31.4 to-ports=53
+/ip firewall nat set [find comment="Force DNS to AdGuard Home TCP"] to-addresses=192.168.31.4 to-ports=53
+```
+
+**After (CORRECT):**
+```
+to-addresses=192.168.31.4 to-ports=53
+```
+
+### Verification
+- AdGuard container querying 192.168.31.1 → SUCCESS
+- MikroTik resolve command → SUCCESS