Hello, I have an Edgerouter X with some VLANs set up. I have a Pi-hole on my secure LAN, on an unRAID server. Pi-hole is working properly on that subnet. I'd like to utilize the Pi-hole across my other VLANs. I've tried many firewall configurations and can't seem to get it working properly. Right now I have the firewall set up so the Secure LAN can establish with the other VLANs but not the other way around.
Does anyone have experience utilizing Pi-hole across VLANs?
When I was running pihole I pointed my dns forwarder to the pihole. Worked for all my vlans.
@nu2ubiq wrote:
When I was running pihole I pointed my dns forwarder to the pihole. Worked for all my vlans.
Can you please explain how to do this? My VLANs are segregated with firewall rules. Will this work through segregated VLANs?
Using the CLI:
configure
delete service dns forwarding name-server <ip address of external resolver, i.e. 8.8.8.8>
(remove all external DNS servers)
then
set service dns forwarding name-server <ip address of your pihole>
commit
save
exit
So, instead of using an external DNS server, it will use the pihole. The pihole will use the external DNS server you selected (i.e. 8.8.8.8) when it was configured.
Hope this makes sense.
I see but I don't think this will be allowed with my configuration since I have firewall rules to segregate the VLANs.
@adminmat wrote:
I see but I don't think this will be allowed with my configuration since I have firewall rules to segregate the VLANs.
Create "allow" rule(s) permitting port 53 access to the PiHole?
@jms33 wrote:
Create "allow" rule(s) permitting port 53 access to the PiHole?
Can you please explain how this is done?
I've tried adding a new rule to the GUEST_TO_LAN ruleset allowing TCP/UDP to destination port 53. I've tried adding the same rule to the GUEST_TO_LAN ruleset and it will not allow VLAN20 to access the internet once I change VLAN20's DNS to the pi-hole ip address.
Best to post your full config, using the </> formatting :)
Also make sure your pihole is configured to permit requests from outside its local LAN - I think by default it is not? That's in your pihole settings.
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group RFC1918 {
            description ""
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name GUEST_TO_LAN {
        default-action accept
        description "Guest & IoT"
        rule 10 {
            action accept
            description Established
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Network Group"
            destination {
                group {
                    network-group RFC1918
                }
            }
            log disable
            protocol all
        }
    }
    name GUEST_TO_LOCAL {
        default-action drop
        description "Guest & IOT"
        rule 10 {
            action accept
            description DNS
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
        rule 30 {
            action accept
            description DHCP
            destination {
                port 67
            }
            log disable
            protocol udp
        }
        rule 40 {
            action accept
            description Established
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
    }
    name WAN_IN {
        default-action accept
        description ""
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
        rule 21 {
            action drop
            description BLOCK_SSH
            destination {
                address 192.168.40.0/24
                port 22
            }
            log disable
            protocol tcp
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    name WAN_OUT {
        default-action accept
        description ""
        rule 1 {
            action drop
            description "BLOCK HTTP"
            destination {
                port 80
            }
            log disable
            protocol tcp
            source {
                address 192.168.40.0/24
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "BLOCK HTTPS"
            destination {
                port 443
            }
            log disable
            protocol tcp
            source {
                address 192.168.40.0/24
            }
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
        rule 3 {
            action drop
            description "Block SSH"
            destination {
                port 22
            }
            log disable
            protocol tcp
            source {
                address 192.168.40.0/24
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        address 192.168.25.1/24
        description "Emergency Access"
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
                vlan {
                    pvid 10
                }
            }
            interface eth2 {
                vlan {
                    pvid 40
                }
            }
            interface eth4 {
                vlan {
                    pvid 10
                    vid 20
                    vid 30
                }
            }
            vlan-aware enable
        }
        vif 10 {
            address 192.168.10.1/24
            description LAN
        }
        vif 20 {
            address 192.168.20.1/24
            description VLAN20
            firewall {
                in {
                    name GUEST_TO_LAN
                }
                local {
                    name GUEST_TO_LOCAL
                }
            }
        }
        vif 30 {
            address 192.168.30.1/24
            description VLAN30
            firewall {
                in {
                    name GUEST_TO_LAN
                }
                local {
                    name GUEST_TO_LOCAL
                }
            }
        }
        vif 40 {
            address 192.168.40.1/24
            description XX
            firewall {
                in {
                    name GUEST_TO_LAN
                }
                local {
                    name GUEST_TO_LOCAL
                }
                out {
                }
            }
            mtu 1500
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Emergency_Access {
            authoritative disable
            subnet 192.168.25.0/24 {
                default-router 192.168.25.1
                dns-server 192.168.25.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.25.5 {
                    stop 192.168.25.10
                }
            }
        }
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.2
                lease 86400
                start 192.168.10.2 {
                    stop 192.168.10.243
                }
                static-mapping Switch8 {
                    ip-address 192.168.10.57
                    mac-address XXXX
                }
            }
        }
        shared-network-name VLAN20 {
            authoritative disable
            subnet 192.168.20.0/24 {
                default-router 192.168.20.1
                dns-server 192.168.20.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.20.5 {
                    stop 192.168.20.99
                }
            }
        }
        shared-network-name VLAN30 {
            authoritative disable
            subnet 192.168.30.0/24 {
                default-router 192.168.30.1
                dns-server 192.168.30.1
                lease 86400
                start 192.168.30.5 {
                    stop 192.168.30.99
                }
            }
        }
        shared-network-name VLAN40 {
            authoritative disable
            subnet 192.168.40.0/24 {
                default-router 192.168.40.1
                dns-server 192.168.40.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.40.2 {
                    stop 192.168.40.20
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth3
            listen-on switch0.10
            listen-on eth4
            listen-on switch0.20
            listen-on switch0.30
            listen-on switch0.40
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description DNS
            destination {
                port 53
            }
            inbound-interface switch0
            inside-address {
                address 192.168.10.2
                port 53
            }
            log disable
            protocol tcp_udp
            source {
                address !192.168.10.2
            }
            type destination
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    host-name ubnt
    login {
        user xxxx {
            authentication {
                encrypted-password xxxxx
                plaintext-password xxxxx
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone xxx
    traffic-analysis {
        dpi enable
        export enable
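The configuration above was posted as one flattened dump, which is hard to audit by eye. As an added example (not EdgeOS code and not the poster's own tooling), the Python below parses the brace format that "show configuration" prints into a tree and reports, for each DHCP subnet, whether clients resolve directly against the Pi-hole, via the router's own forwarder, or against an extra resolver that bypasses the Pi-hole altogether. The embedded sample config is a constructed excerpt shaped like the posted one (not the full dump); the Pi-hole address 192.168.10.2 is the one given in this thread, and parse_config, path and audit_dns_path are names chosen here.

```python
# Parse an EdgeOS 'show configuration' dump and audit the client DNS path.
# Added example for this thread: not EdgeOS code and not the poster's own tooling.
# Assumes the brace format 'show configuration' prints (one statement per line);
# the Pi-hole address is passed in by the caller.
import shlex
from dataclasses import dataclass, field


@dataclass
class Node:
    tokens: list                                  # e.g. ['subnet', '192.168.20.0/24']
    children: list = field(default_factory=list)  # nested statements; a leaf has none

    def get(self, *prefix):
        """First child whose leading tokens equal prefix, or None."""
        return next((c for c in self.children
                     if tuple(c.tokens[:len(prefix)]) == prefix), None)

    def values(self, key):
        """Values of every 'key value' leaf directly under this node."""
        return [c.tokens[1] for c in self.children
                if len(c.tokens) == 2 and c.tokens[0] == key]


def parse_config(text):
    """Build a Node tree from brace-style EdgeOS configuration text."""
    root = Node(tokens=[])
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):                  # block opener, e.g. 'rule 10 {'
            node = Node(shlex.split(line[:-1]))
            stack[-1].children.append(node)
            stack.append(node)
        else:                                     # leaf; shlex keeps "Secure LAN" together
            stack[-1].children.append(Node(shlex.split(line)))
    return root


def path(node, *steps):
    """Walk the tree; each step is a statement head such as 'name GUEST_TO_LAN'."""
    for step in steps:
        node = node.get(*step.split()) if node else None
    return node


def audit_dns_path(root, pihole_ip):
    """Per DHCP subnet, say how client resolvers reach (or bypass) the Pi-hole."""
    fwd = path(root, "service", "dns", "forwarding")
    report = {"forwarder_upstream": fwd.values("name-server") if fwd else [],
              "subnets": {}}
    dhcp = path(root, "service", "dhcp-server")
    for net in (dhcp.children if dhcp else []):
        if net.tokens[0] != "shared-network-name":
            continue
        for subnet in (c for c in net.children if c.tokens[0] == "subnet"):
            servers = subnet.values("dns-server")
            router = set(subnet.values("default-router"))
            if pihole_ip in servers:
                mode = "direct"       # needs an IN rule accepting NEW traffic to pihole:53
            elif router & set(servers):
                mode = "forwarder"    # Pi-hole used only if it is the forwarder's name-server
            else:
                mode = "external"
            report["subnets"][subnet.tokens[1]] = {
                "servers": servers, "mode": mode,
                # any other resolver handed out lets a client skip the Pi-hole entirely
                "bypass": [s for s in servers if s != pihole_ip and s not in router]}
    return report


# Constructed excerpt shaped like the configuration posted above (not the full dump).
SAMPLE_CONFIG = """
service {
    dhcp-server {
        shared-network-name LAN {
            description "Secure LAN"
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.2
            }
        }
        shared-network-name VLAN20 {
            subnet 192.168.20.0/24 {
                default-router 192.168.20.1
                dns-server 192.168.20.1
                dns-server 8.8.8.8
            }
        }
    }
    dns {
        forwarding {
            listen-on switch0.20
        }
    }
}
"""

if __name__ == "__main__":
    print(audit_dns_path(parse_config(SAMPLE_CONFIG), "192.168.10.2"))
```

Run against the real dump, the empty forwarder_upstream list is the point several replies make later: with no name-server configured, the router's forwarder never talks to the Pi-hole, and a subnet whose mode is "forwarder" is filtered only if that list contains it. A non-empty bypass list (8.8.8.8 here) means clients can legitimately pick the other resolver and skip filtering.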
DNS access firewall rule from a separate vlan (kids vlan 40 -10.0.40.0/24- on eth3) to a dns server on another vlan:
You should change the destination address to your pi-hole's local IP and the source address to the VLAN from which the DNS requests are made.
You should edit your specific VLAN_IN firewall rules.
configure
set firewall name KIDS_IN default-action accept
set firewall name KIDS_IN description 'Kids wi-fi access to lan/wan'
set firewall name KIDS_IN rule 10 action accept
set firewall name KIDS_IN rule 10 description 'Kids wi-fi to local dns server'
set firewall name KIDS_IN rule 10 destination address 192.168.0.2/32
set firewall name KIDS_IN rule 10 destination port 53
set firewall name KIDS_IN rule 10 log disable
set firewall name KIDS_IN rule 10 protocol tcp_udp
set firewall name KIDS_IN rule 10 source address 10.0.40.0/24
set firewall name KIDS_IN rule 20 action accept
set interfaces ethernet eth3 vif 40 firewall in name KIDS_IN
commit; save; exit
PS:
Based on your config you don't have any GUEST_IN firewall rules.
L.E.
You must have firewall rules (in/out) for each VLAN separately; in your case 3 VLANs => 3 IN rules and 3 LOCAL rules.
Also, in GUEST_IN (GUEST_TO_LAN) you have new disabled, therefore no new packets initiated from your guest network can access anything (including DNS requests).
I thought I had the firewall rules worked out. I can't ping anything outside of the guest network. I thought the Network Group I used helped with isolation? What do you recommend? (And thanks for the VLAN rules above, I'll try this)
@ogo wrote:
PS:
Based on your config you don't have any GUEST_IN firewall rules.
L.E.
You must have firewall rules (in/out) for each VLAN separately; in your case 3 VLANs => 3 IN rules and 3 LOCAL rules.
Also, in GUEST_IN (GUEST_TO_LAN) you have new disabled, therefore no new packets initiated from your guest network can access anything (including DNS requests).
@ogo I see what you are saying but in my configuration I've listed the interfaces of each of the VLANs in the GUEST_TO_LAN which should act as having the rules set up for each VLAN. I don't think this shows in the Configuration Report. Am I misunderstanding this?
You should understand IN, LOCAL and OUT firewall rules first:
IN: ANY IPv4 traffic forwarded (entering) through the router and intended for your VLAN/LAN from OTHER LANs/VLANs/WAN (web browsing, internet games, ssh, printer in another VLAN, etc.)
LOCAL: ANY IPv4 traffic FROM your VLAN (LAN/WAN) intended for the ROUTER itself (router interfaces) directly (router web interface, router ssh, router dns server, router dhcp, etc.)
OUT: ANY IPv4 traffic from your VLAN/LAN forwarded through the router and intended for OTHER LANs/VLANs/WAN
You use OUT rules, but almost every time it is better to protect your NETWORK from the internet (other networks), not the INTERNET (other networks) from your network.
By default, there are no OUT firewall rules in the EdgeOS default firewall rules.
Also, you should re-read about packet states: new, established, related and invalid.
My opinion is to reconfigure your router from scratch (however, save your current config first, better safe than sorry) using the router's fast web config, and after that try to add VLANs (one by one) and customize them to your needs.
As I mentioned, each VLAN needs its own separate IN and LOCAL firewall rules; 3 VLANs <=> 3 IN and 3 LOCAL rules.
Below, one example for 1 VLAN (to easily understand and get inspired - NOTICE! I use an EdgeRouter 4 without a switch chip, but I've tried to change/adapt my configuration to the ER-X):
My kids' network can access a DNS server, an iperf3 server and a Plex server, all located in the main LAN (192.168.0.0/24), and also should respond to pings (icmp) from the router interface and main LAN. All other packets from the kids VLAN to the main VLAN are dropped. Kids have free internet access (I control it via wifi schedule and OpenDNS DNS servers with moderate filtering, with NAT rule 100 - see the last lines)
DISCLAIMER!!!
I DON'T USE AN EDGEROUTER X; the config below is adapted from an EDGEROUTER 4, which does not have a switch chip!!!!!
configure
set firewall group network-group LAN_NETWORKS description 'local networks - RFC1918 ranges'
set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
set firewall group network-group LAN_NETWORKS network 172.16.0.0/12
set firewall group network-group LAN_NETWORKS network 10.0.0.0/8
commit; save
set interfaces switch switch0 vif 40 address 10.0.40.1/24
set interfaces switch switch0 vif 40 description 'Kids network'
set interfaces switch switch0 vif 40 mtu 1500
commit; save
set service dhcp-server shared-network-name 'Kids network dhcp server' authoritative enable
set service dhcp-server shared-network-name 'Kids network dhcp server' subnet 10.0.40.0/24 default-router 10.0.40.1
set service dhcp-server shared-network-name 'Kids network dhcp server' subnet 10.0.40.0/24 dns-server 208.67.222.222
set service dhcp-server shared-network-name 'Kids network dhcp server' subnet 10.0.40.0/24 dns-server 208.67.220.220
set service dhcp-server shared-network-name 'Kids network dhcp server' subnet 10.0.40.0/24 lease 86400
set service dhcp-server shared-network-name 'Kids network dhcp server' subnet 10.0.40.0/24 start 10.0.40.100 stop 10.0.40.200
commit; save
<<< i am not sure about the NEXT 2 lines, i dont use edgerouter X, you should be very-VERY careful!!! >>>
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth4 vlan pvid 40
<<< your physical interface for your vlan will be eth4 (i guess!!)
commit; save
set firewall name KIDS_IN default-action accept
set firewall name KIDS_IN description 'Kids wi-fi access to lan/wan'
set firewall name KIDS_IN rule 10 action accept
set firewall name KIDS_IN rule 10 description 'Kids wi-fi to local dns server'
<<< this rule is redundant as long as i use service nat for dns redirect - see nat rule 100 at the end
set firewall name KIDS_IN rule 10 destination address 192.168.0.2/32
set firewall name KIDS_IN rule 10 destination port 53
set firewall name KIDS_IN rule 10 log disable
set firewall name KIDS_IN rule 10 protocol tcp_udp
set firewall name KIDS_IN rule 10 source address 10.0.40.0/24
set firewall name KIDS_IN rule 20 action accept
set firewall name KIDS_IN rule 20 description 'Kids wi-fi reply to icmp from lan'
set firewall name KIDS_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name KIDS_IN rule 20 log disable
set firewall name KIDS_IN rule 20 protocol icmp
set firewall name KIDS_IN rule 20 source address 10.0.40.0/24
set firewall name KIDS_IN rule 20 state established enable
set firewall name KIDS_IN rule 20 state invalid disable
set firewall name KIDS_IN rule 20 state new disable
set firewall name KIDS_IN rule 20 state related enable
set firewall name KIDS_IN rule 25 action accept
set firewall name KIDS_IN rule 25 description 'iperf3 kids to lan'
set firewall name KIDS_IN rule 25 destination address 192.168.0.22/32
set firewall name KIDS_IN rule 25 destination port 5200-5250
set firewall name KIDS_IN rule 25 log disable
set firewall name KIDS_IN rule 25 protocol tcp_udp
set firewall name KIDS_IN rule 25 source address 10.0.40.0/24
set firewall name KIDS_IN rule 27 action accept
set firewall name KIDS_IN rule 27 description 'Kids to Plex server'
set firewall name KIDS_IN rule 27 destination address 192.168.0.22/32
set firewall name KIDS_IN rule 27 destination port 32400
set firewall name KIDS_IN rule 27 log disable
set firewall name KIDS_IN rule 27 protocol tcp_udp
set firewall name KIDS_IN rule 30 action drop
set firewall name KIDS_IN rule 30 description 'Kids wi-fi to local lan'
set firewall name KIDS_IN rule 30 destination group network-group LAN_NETWORKS
set firewall name KIDS_IN rule 30 log disable
set firewall name KIDS_IN rule 30 protocol all
set firewall name KIDS_IN rule 30 source address 10.0.40.0/24
commit; save
set interfaces switch switch0 vif 40 firewall in name KIDS_IN
commit; save
set firewall name KIDS_LOCAL default-action drop
set firewall name KIDS_LOCAL description 'Kids wi-fi network to router'
set firewall name KIDS_LOCAL rule 10 action accept
set firewall name KIDS_LOCAL rule 10 description 'Kids reply to icmp from router'
set firewall name KIDS_LOCAL rule 10 destination group network-group LAN_NETWORKS
set firewall name KIDS_LOCAL rule 10 log disable
set firewall name KIDS_LOCAL rule 10 protocol icmp
set firewall name KIDS_LOCAL rule 10 source address 10.0.40.0/24
set firewall name KIDS_LOCAL rule 10 state established enable
set firewall name KIDS_LOCAL rule 10 state invalid disable
set firewall name KIDS_LOCAL rule 10 state new disable
set firewall name KIDS_LOCAL rule 10 state related enable
commit; save
set interfaces switch switch0 vif 40 firewall local name KIDS_LOCAL
commit; save
set service nat rule 100 description 'DNS redirect for KIDS network'
<<< all dns request from kids vlan are re-routed to open dns safe server
set service nat rule 100 destination port 53
set service nat rule 100 inbound-interface switch0
<<<< i am not sure about this line, you should be very careful!!!!>>>
set service nat rule 100 inside-address address 208.67.222.222
set service nat rule 100 inside-address port 53
set service nat rule 100 log disable
set service nat rule 100 protocol tcp_udp
set service nat rule 100 source address 10.0.40.0/24
set service nat rule 100 type destination
commit; save; exit
@ogo ok so a few questions here.
One thing I've always been confused about is when to enter a port # as the "destination" or "source" when setting up a rule. When opening ports between VLANs, does it even matter? Can't you just open it both ways?
It took me about 2 weeks (~70 hours) to come up with my current rules and to get everything working. I've done test pings in every way possible to check for leaks and there is no way to get from one VLAN to the other. (AFAIK) Except that I allow VLAN20 to establish to other VLANS. And this all works. So before I start from scratch are you sure I need to?
@ogo wrote:
You must have firewall rules (in/out) for each vlan separately, in your case 3 vlans => 3 IN rules and 3 LOCAL rules.
Also you have in GUEST_IN (GUEST_TO_LAN), new disabled, therefore no new packets initiated from your guest network cant access anything (including DNS requests).
If the rulesets are the same, why do you think you need different ones? That isn't the way I understood the firewall to work. In other words, if he wants to keep the guest (v)lan and the iot (v)lan separate, but treat them both as untrusted and treated equally with respect to having access only to the dhcp and dns local service, and no ability to establish a new connection to any other RFC1918 subnet, I can see no reason why the firewall he has will prevent that.
I see no reason he needs to have a separate rulesets for each vlan.
The only time you need different rulesets is when you want different behavior. Even the same ruleset can be used on the WAN interface for both local and in if the access restrictions are identical. The wizard creates two identical rulesets, so it is easy for the user to modify the behavior of what is allowed to a service on the router itself (local) or to apply to routed traffic passing through the router (in).
I think the issue that is causing @adminmat problems is what @nu2ubiq said in his previous post. And described in this help article:
EdgeRouter - DNS Forwarding Setup and Options see the section Defining the name servers
The firewall ruleset name is arbitrary just like variable names in a program. They should be named so the humans reading the config will have the best opportunity to understand their purpose, but what the firewall will do, depends only on what is in the rulesets and the way the rulesets are applied to interfaces.
1 and 7: I don't use OUT rules; by default there are no OUT rules in EdgeOS. However, as I said, it is not a bad thing to use them if you need more granular control of your exiting packets to other LANs, BUT I don't use them (and I guess that there are very few people who use OUT rules).
2. I guess it is possible, but I never tried it before.
3. Yes, the EdgeRouter X has a switch chip BUT the EdgeRouter 4 does not - therefore the configuration syntax is somewhat different if you intend to use the EdgeRouter X switch chip (i.e. one WAN port and the remaining interfaces switched into the same LAN).
4. Ping uses the icmp protocol - in order to be able to ping other clients from different VLANs and get a reply from them I enabled this protocol in the client VLAN firewalls (in and local) /// iperf3 is a network diagnostic tool - I use it to check/measure throughput between clients in different VLANs - you will first need to set up an iperf3 server (in one VLAN) and a client from which to check throughput in another VLAN.
6. Of course, you will need your WAN in and local rules for packets from the internet to your LAN (IN) or router (LOCAL).
First of all, I am not really sure what you intend to accomplish with your VLANs, thus I don't really know if you should start from scratch or not - but as long as you save your config file to your laptop/desktop there is no problem trying new things :)
I see no reason he needs to have a separate rulesets for each vlan. <-- therefore he can use only 1 VLAN, not 2 (guest/iot), as long as the firewall rules (permissions) are the same for all VLANs; in my view, each VLAN needs different permissions (behaviour, as you said), so by default different IN/LOCAL/OUT firewall rules, in order to be tailored to his needs.
Also, @adminmat blocked all NEW packets from the VLANs to the DNS server, so no DNS request can be made from the guest VLAN to his main LAN:
name GUEST_TO_LAN {
    default-action accept
    description "Guest & IoT"
    rule 10 {
        action accept
        description Established
        log disable
        protocol all
        state {
            established enable
            invalid disable
            new disable
            related enable
        }
Moreover, the DNS acceptance rule in his firewall LOCAL rules implies that there is a DNS server running on his EdgeRouter:
name GUEST_TO_LOCAL {
    default-action drop
    description "Guest & IOT"
    rule 10 {
        action accept
        description DNS
        destination {
            port 53
        }
        log disable
        protocol tcp_udp
    }
but he clearly mentioned that he is using, and intends to use for all VLANs, a pi-hole on a different local server.
Also, all of his DNS requests are forwarded, but there is no DNS forwarding name-server set up, therefore all DNS requests are forwarded to his ISP's DNS servers (default behaviour as per EdgeOS):
dns {
    forwarding {
        cache-size 150
        listen-on eth1
        listen-on eth3
        listen-on switch0.10
        listen-on eth4
        listen-on switch0.20
        listen-on switch0.30
        listen-on switch0.40
    }
@ogo wrote:
@BuckeyeNet
...
Also, @adminmat blocked all NEW packets from the VLANs to the DNS server, so no DNS request can be made from the guest VLAN to his main LAN:
name GUEST_TO_LAN {
    default-action accept
    description "Guest & IoT"
    rule 10 {
        action accept
        description Established
        log disable
        protocol all
        state {
            established enable
            invalid disable
            new disable
            related enable
        }
Moreover, the DNS acceptance rule in his firewall LOCAL rules implies that there is a DNS server running on his EdgeRouter:
name GUEST_TO_LOCAL {
    default-action drop
    description "Guest & IOT"
    rule 10 {
        action accept
        description DNS
        destination {
            port 53
        }
        log disable
        protocol tcp_udp
    }
but he clearly mentioned that he is using, and intends to use for all VLANs, a pi-hole on a different local server.
Also, all of his DNS requests are forwarded, but there is no DNS forwarding name-server set up, therefore all DNS requests are forwarded to his ISP's DNS servers (default behaviour as per EdgeOS):
dns {
    forwarding {
        cache-size 150
        listen-on eth1
        listen-on eth3
        listen-on switch0.10
        listen-on eth4
        listen-on switch0.20
        listen-on switch0.30
        listen-on switch0.40
    }
My understanding is that states with disable are just ignored. See this post in this thread.
in other words, these two can be removed with no effect on what gets matched by the rule
set firewall name GUEST_TO_LAN rule 10 state invalid disable
set firewall name GUEST_TO_LAN rule 10 state new disable
So the more concise
name GUEST_TO_LAN {
    default-action accept
    description "Guest & IoT"
    rule 10 {
        action accept
        description Established
        log disable
        protocol all
        state {
            established enable
            related enable
        }
is equivalent, and is not matched by a new connection, so the firewall goes to the next rule
rule 30 {
    action drop
    description "Network Group"
    destination {
        group {
            network-group RFC1918
        }
    }
    log disable
    protocol all
}
Which does match, and since the action is drop, the packet never gets routed to the other LAN.
But it doesn't need to get to the other LAN with the PiHole on it, it just needs to get to the dns forwarder. The request isn't going to the PiHole, it is going to the ER, and the dns forwarder forwards it to a name server if it can't find it in its cache.
Yes, DNS requests are going to his router; every instance of the dhcp server has a dns-server address that is an ER interface address. So the firewall ruleset GUEST_TO_LOCAL lets the request get through to the DNS forwarder.
Your last objection is correct, but I stated that I thought that was the problem (the reason why requests were not getting to the PiHole), and that the problem was not the firewall. Once the request has made it to the dns service, it can forward it to the PiHole, as long as it is told to do so.
I think the issue that is causing @adminmat problems is what @nu2ubiq said in his previous post. And described in this help article:
EdgeRouter - DNS Forwarding Setup and Options see the section Defining the name servers
The config doesn't have the needed instruction to the dns forwarder to go to the PiHole, as nu2ubiq pointed out before either you or I got involved in this thread.
Hi @ogo and @BuckeyeNet. Thanks for looking over this. To clarify, I made a little diagram of how things are currently configured. Currently the VLANs can not establish a connection unless it originates from VLAN10 (Secure LAN).
The Pi-hole is running in a Docker Container on an unRAID server in the 192.168.10.0/24 subnet. It blocks ads perfectly well for any thing in the Secure LAN network.
Hope this diagram helps. If I have to start from scratch I will but I'm hoping not. Everything I've tried regarding opening port 53 has failed. As soon as I change the DNS of a VLAN to 192.168.10.2 (the Pi-Hole IP address) the clients can not connect to the internet at all. (And I do reset the client network settings each time)
Do you guys know if there is someone I can pay to set this up for me? I figure it will be worth it since I'm already like 80+ hours into it.
Here is the drawing:
@adminmat Is the config in this post still current?
Have you read the article EdgeRouter - DNS Forwarding Setup and Options ?
How do you know the PiHole is filtering anything? Can you see statistics from it? I should load PiHole up and try it out, but I haven't yet, so I really don't know how it works.
Have you used the commands in the article to check what the dns forwarder is doing?
show dns forwarding nameservers
show dns forwarding statistics
Also, if you have a Windows PC in the 192.168.10.0/24 network that gets its ip and dns config via dhcp, what does the output of
ipconfig /all
netstat -rn
show?
I don't think you should have 8.8.8.8 listed as a secondary dns in the dhcp section, if you want to make sure the PiHole is used. But I haven't researched PiHole.
Ok. Good news. I got it working. 🤘 😊 🤘
I had to move the "allow PiHole DNS" rule to the top of the ruleset. OMG. What a relief. I tested on the phone and NO ADS!
I created a rule in the ruleset GUEST_TO_LAN called "allow PiHole DNS":
I'm allowing traffic Both TCP and UDP:
I'm NOT checking "Established" and "Related":
In the "Destination" tab I'm listing the Pi-Hole's IP address and Port 53:
And I can now list ONLY the Pi-Hole's IP address as the DNS server for VLAN20:
I just connected my Windows 10 desktop and ran
ipconfig /all
and I get this: DNS Servers . . . . . . . . . . . : 192.168.10.2
Success! This was probably pretty simple for most of you but it sure had me stumped.
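The ordering point in the last post (the "allow PiHole DNS" rule only worked once it sat at the top of GUEST_TO_LAN) and BuckeyeNet's earlier note that "state ... disable" entries add no match condition can both be checked with a small first-match simulation. The Python below is an added example, not EdgeOS code and not the poster's configuration: it transcribes the posted GUEST_TO_LAN rules into dicts, adds the allow rule either after rule 30 or as a new lowest-numbered rule, and evaluates constructed packets the way the router walks a ruleset, in ascending rule-number order, stopping at the first match. The function and constant names are chosen here.

```python
# First-match simulation of an EdgeOS firewall ruleset.
# Added example for this thread: not EdgeOS code and not the poster's configuration.
# It models three points made above: rules are tried in ascending number order,
# a 'state X disable' entry adds no match condition, and a rule accepting new DNS
# traffic to the Pi-hole only helps if it is numbered below the RFC1918 drop.
import ipaddress

GROUPS = {"RFC1918": [ipaddress.ip_network(n) for n in
                      ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]}

# GUEST_TO_LAN as posted in the thread, transcribed into dicts (constructed).
GUEST_TO_LAN = {
    "default_action": "accept",
    "rules": {
        10: {"action": "accept", "protocol": "all",
             "state": {"established": True, "invalid": False, "new": False, "related": True}},
        30: {"action": "drop", "protocol": "all", "dest_group": "RFC1918"},
    },
}

# The "allow PiHole DNS" rule from the last post: TCP/UDP to the Pi-hole on port 53, any state.
ALLOW_PIHOLE_DNS = {"action": "accept", "protocol": "tcp_udp",
                    "dest_addr": "192.168.10.2/32", "dest_port": 53}


def with_rule(ruleset, number, rule):
    """Copy of ruleset with rule added under the given rule number."""
    return {"default_action": ruleset["default_action"],
            "rules": {**ruleset["rules"], number: rule}}


def rule_matches(rule, pkt):
    """True if every match condition present in rule holds for pkt."""
    proto = rule.get("protocol", "all")
    if proto == "tcp_udp":
        if pkt["proto"] not in ("tcp", "udp"):
            return False
    elif proto != "all" and proto != pkt["proto"]:
        return False
    dst = ipaddress.ip_address(pkt["dst"])
    if "dest_addr" in rule and dst not in ipaddress.ip_network(rule["dest_addr"]):
        return False
    if "dest_group" in rule and not any(dst in net for net in GROUPS[rule["dest_group"]]):
        return False
    if "dest_port" in rule and pkt.get("dport") != rule["dest_port"]:
        return False
    # Only states set to enable become match conditions; disable entries are ignored,
    # so a rule with no enabled state matches packets in any state.
    enabled = {s for s, on in rule.get("state", {}).items() if on}
    return not enabled or pkt["state"] in enabled


def evaluate(ruleset, pkt):
    """Return (action, rule number); the number is None when default-action applied."""
    for number in sorted(ruleset["rules"]):
        if rule_matches(ruleset["rules"][number], pkt):
            return ruleset["rules"][number]["action"], number
    return ruleset["default_action"], None


# Constructed sample packets arriving on VLAN20 (switch0.20, where GUEST_TO_LAN is applied 'in').
NEW_DNS = {"proto": "udp", "src": "192.168.20.50", "dst": "192.168.10.2", "dport": 53, "state": "new"}
LAN_OPENED = {"proto": "tcp", "src": "192.168.20.50", "dst": "192.168.10.20", "dport": 49152,
              "state": "established"}     # VLAN20 side of a connection the secure LAN opened
INTERNET = {"proto": "tcp", "src": "192.168.20.50", "dst": "1.1.1.1", "dport": 443, "state": "new"}

if __name__ == "__main__":
    for label, rs in (("as posted", GUEST_TO_LAN),
                      ("allow rule numbered 40, after the drop", with_rule(GUEST_TO_LAN, 40, ALLOW_PIHOLE_DNS)),
                      ("allow rule numbered 5, at the top", with_rule(GUEST_TO_LAN, 5, ALLOW_PIHOLE_DNS))):
        print(f"{label}: new DNS query -> {evaluate(rs, NEW_DNS)}")
    print("connection the LAN opened ->", evaluate(GUEST_TO_LAN, LAN_OPENED))
    print("new connection to the internet ->", evaluate(GUEST_TO_LAN, INTERNET))
```

As posted, the new query to 192.168.10.2:53 skips rule 10 (only established/related are enabled) and is dropped by rule 30 because the Pi-hole address is inside RFC1918; the same happens when the allow rule is numbered after 30, which is exactly the symptom described earlier in the thread (clients lost all name resolution as soon as their DNS was set to the Pi-hole). Numbered below 30 the allow rule matches first, while return traffic for connections the secure LAN opened and new connections to the internet behave as before.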