Pihole servers not utilized in pfSense via DHCP
-
Hi everyone,
continuing on my quest to rebuild my pfSense infrastructure, I am trying to add my pihole servers back to the mix. They have been working before, but I shut them down some weeks ago, as I had problems with pfSense. Now pfSense works well again and I want to bring the Piholes into the mix again. I have two pihole servers, one running on the pfSense box (via proxmox) and one on my homelab server.
I am using the DNS resolver for the majority of my VLANs and the forwarder for two other VLANs. I would like to use the pihole servers for the two VLANs that actually have "human contact" via devices. Both of those VLANs are using the resolver. I have DNS redirects in my pfSense NAT rules redirecting DNS to the resolver. Previously, I just added the pihole server IPs to the DHCP settings of the VLAN and it worked like a charm. I used the setup recursively, meaning that the pihole servers use pfSense as the DNS server.
Unfortunately, the previous setup does not work anymore. I have not changed anything on the pihole servers. I just booted them up again. When I check the Wi-Fi settings, e.g. on an iPad, the correct DNS server IPs (of the pihole servers) are shown under DNS servers. I have rebooted the DHCP server and the resolver already.
What am I missing? I am sure it is probably a very easy fix, but I am stuck - thanks for some help!
-
After some more testing it seems to me that the request does not even get to pihole. I assume that the DNS redirect rules that I implemented based on the guide mentioned above prevent that. At the same time I thought that if it is in the DHCP settings, this is where the client goes first. When I redirect it to pihole, pihole works, but then the leaktest shows 6 instead of one DNS server, which is also not the intention.
-
@thimplicity Make sure you didn't list any DNS servers during setup, in the following screen:
This is located in System -> General Setup
It might also be possible that your host computers (the machines on your LAN or other network) have hard coded DNS settings in their network settings. Did you check there too?
What I do on my pfsense boxes is to leave the DNS servers blank on the setup screen, then in the DHCP settings for that particular network, add the IP address of the pihole box, then some backup DNS servers after it. Works fine just like that. Also, make sure that your computers are getting a DHCP address from your pfsense box, and not from something else, like your ISP modem/router. That would make them bypass the pihole setups.
-
@akuma1x Thanks!
I believe I have DHCP set up properly. Also no hardcoded DNS. The DNS servers from pfSense are making it to the respective devices. I checked your "empty DNS servers" setting, but it breaks my DNS forwarder setup I have for two of my VLANs, as those rely on those DNS entries. I will need to check whether I can fill those through the custom settings section in the forwarder.
-
@thimplicity said in Pihole servers not utilized in pfSense via DHCP:
I have DNS redirects in my pfSense NAT rules redirecting DNS to the resolver.
^I think this is the answer. Whatever piholes are trying to do gets redirected to the resolver. You can create an alias for the pihole IPs and put it in for source and destination in your NAT rule and check "Invert match" for both.
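A small model of how the two NAT rule variants discussed in this thread treat a port-53 query, added here as an example and not part of any post. The VLAN numbering, Pi-hole addresses and resolver addresses are constructed placeholders, and pf first-match semantics for rdr rules is assumed.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed topology (assumption, not from the thread): Pi-holes sit in the
# MGMT VLAN and pfSense is the gateway and resolver address of every VLAN.
PIHOLE_ALIAS = frozenset({ip_address("10.0.99.10"), ip_address("10.0.99.11")})
VLAN10, VLAN10_RESOLVER = ip_network("10.0.10.0/24"), ip_address("10.0.10.1")
MGMT, MGMT_RESOLVER = ip_network("10.0.99.0/24"), ip_address("10.0.99.1")

@dataclass(frozen=True)
class RdrRule:
    """One pfSense port forward for port 53: bound interface, source and
    destination (an alias, or None for 'any') with their 'Invert match'
    flags, and the address the query is redirected to."""
    interface: IPv4Network
    src: frozenset | None
    src_invert: bool
    dst: frozenset | None
    dst_invert: bool
    redirect_to: IPv4Address

def _field_matches(addr: IPv4Address, alias: frozenset | None, invert: bool) -> bool:
    if alias is None:                 # 'any' always matches (cannot be inverted)
        return True
    return (addr in alias) != invert  # 'Invert match' flips the alias test

def resolve_dns_flow(rules: list[RdrRule], src: str, dst: str) -> str:
    """Address that really receives a DNS query from src to dst: pf applies the
    first matching rdr rule; with no match the query goes where it was sent."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in r.interface and _field_matches(s, r.src, r.src_invert)
                and _field_matches(d, r.dst, r.dst_invert)):
            return str(r.redirect_to)
    return str(d)

# Rule set as the original post describes it: every port-53 query on an
# interface is redirected to that interface's resolver address.
CATCH_ALL = [RdrRule(VLAN10, None, False, None, False, VLAN10_RESOLVER),
             RdrRule(MGMT, None, False, None, False, MGMT_RESOLVER)]
# Suggested fix: Pi-hole alias as source and destination, both inverted, so
# queries to a Pi-hole and queries from a Pi-hole are left untouched.
EXEMPT_PIHOLE = [RdrRule(VLAN10, PIHOLE_ALIAS, True, PIHOLE_ALIAS, True, VLAN10_RESOLVER),
                 RdrRule(MGMT, PIHOLE_ALIAS, True, PIHOLE_ALIAS, True, MGMT_RESOLVER)]

if __name__ == "__main__":  # iPad on VLAN 10 asking the Pi-hole it got via DHCP
    print(resolve_dns_flow(CATCH_ALL, "10.0.10.50", "10.0.99.10"))      # 10.0.10.1 (Pi-hole bypassed)
    print(resolve_dns_flow(EXEMPT_PIHOLE, "10.0.10.50", "10.0.99.10"))  # 10.0.99.10
```

With the catch-all rule the client's query to the Pi-hole address is silently answered by the resolver instead, which is exactly the "DHCP shows the right servers but Pi-hole sees nothing" symptom; a device with hard-coded external DNS is still redirected under both rule sets.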
-
@akuma1x said in Pihole servers not utilized in pfSense via DHCP:
What I do on my pfsense boxes is to leave the DNS servers blank on the setup screen, then in the DHCP settings for that particular network, add the IP address of the pihole box, then some backup DNS servers after it. Works fine just like that.
I think this leaves your pfSense stranded. If it needs to send you an email or check for updates it won't be able to resolve addresses. I put my pihole IPs there.
-
@thimplicity said in Pihole servers not utilized in pfSense via DHCP:
but then the leaktest shows 6 instead of one DNS server, which is also not the intention.
And what did it show? Where are you pointing? You understand if you point to, say, Cloudflare it's going to show like this, right?
It's not going to show 1.1.1.1, same goes for googledns, etc.
Pointing to some major-player DNS is never going to show the single IP you pointed to.
-
@johnpoz / @pfpv - Thanks for your comments. I think I got a step further and I tried to summarize what I did and what I am trying to do below:
Intended behavior:
- All DNS requests should be redirected to the pfSense resolver or forwarder (depending on the VLAN)
- DNS traffic should be routed through pi-hole where it is added in the DHCP settings of the respective VLAN
- DNSLeaktest should only show one server for the resolver gateway and however many (normally 4-6) for the forwarder gateway (goes through quad9) @johnpoz This relates to your question.
- In the best case, I only need to add the pi-hole IPs in the DHCP settings
Actual behavior:
- Option 1: Resolver and forwarder works, DNSleaks shows the correct servers, but traffic does not go through the pi-hole servers
- Option 2: Traffic goes through pi-hole, resolver and forwarder works, but DNSleaks shows the "wrong" servers, as the resolver server leaks into the forwarder gateway, which means I see the resolver DNS servers AND the forwarder DNS servers.
Temporary fix (for resolver VLANs): Disable the general DNS redirect NAT rule for resolver VLANs, as I have control over the devices and none of them are going rogue with hardcoded DNS servers, e.g. laptops, iPads, phones etc.
I am still missing a permanent solution for the resolver VLANs and a solution at all for the forwarder VLANs, as forwarding does not work without the NAT rule, as this goes out through a Wireguard tunnel. I have posted my NAT rules below. The pi-hole servers are part of the MGMT VLAN in case that is relevant. 10 and 20 are resolver VLANs and 30 is a forwarder VLAN:
My IOT stuff is in another VLAN, which is also a forwarder VLAN (like 30 in the screenshot), so it would be great to have a solution there to make sure that rogue devices go through pi-hole, then through the pfSense forwarder. This way I can block them in pi-hole if necessary.
Thanks for your help!