Netgate Discussion Forum
    How to get all VLANs access to PiHole?

    Firewalling
    14 Posts 3 Posters 3.1k Views
    • CreationGuy

      Hi,

      I have 4 VLANs, the pihole is not on a vlan but the native em1 NIC. The internal LAN VLAN (10) has access to PH and is being filtered, the Guest VLAN (20) is internet only. How can I only allow that VLAN access to pihole for DNS?

      • the other @CreationGuy

        @creationguy
        hey there,
        so, pihole runs on LAN, which is the parent LAN for your vlans?
        Do you have unbound as dns resolver also running with pihole?

        Let's say you have
        LAN xxx.xxx.100.0/24
        VLAN10 xxx.xxx.110.0/24
        VLAN20 xxx.xxx.120.0/24
        and so on

        Just put your pihole wherever you want, then allow for each subnet traffic to pihole, i.e.
        allow ipv4 tcp/udp port 53 source: subnet xyz (i.e. VLAN10 net) destination: Pihole IP

        You need another rule for subnet home to pihole, so pihole can forward its dns requests to wherever (i.e. via unbound to the usual authoritative dns servers)

        the other

        pure amateur home user, no business or professional background
        please excuse poor english skills and typpoz :)

        • the other @the other

          It kinda depends on your settings btw...

          is pihole just filtering?
          is pihole running (i.e. on a raspberry pi) with its own unbound?
          is pfsense still doing dns resolving with unbound?

          would you like it like this
          client > pihole filtering > pfsense's unbound

          or like this
          client > pihole filtering > pihole's unbound?

          ;)

          the other

          • CreationGuy @the other

            I have pihole running on a mini computer. It is providing DNS DoH, ad filtering, etc. NO DHCP.

            The priority for me is to get all devices that have access to the internet to use DNS DoH or DNS TLS and have ad blocking.

            • the other @CreationGuy

              @creationguy
              Why do you need DoH and/or DoT?

              I had for some years pfsense behind my ISP router plus pihole on a raspberry with unbound.

              I never used DoH or DoT. Why? Because it does not work well with DNS filtering (since every DNS request is encrypted using DoH, no filtering, because pihole cannot look into this encrypted DNS request).

              To be honest: DoH and DoT are a pain in the bodypart you sit on.

              I would recommend

              client sends DNS request > this goes thru pihole (let pfsense/your DHCP server inform every client to ask pihole IP for DNS).
              Pihole then filters your clients request > sends it then to your DNS resolver (unbound) or forward to some DNS server on the net...

              Is there a reason for using pihole instead of pfblockerng_dev?

              the other

              • CreationGuy @the other

                @the-other Privacy, I don't want ISP looking at my DNS requests and seeing what I'm doing.

                I've used pfblocker but it's a bit of a RAM hog and the interface is cleaner on pihole.

                • the other @CreationGuy

                  @creationguy
                  why not use unbound then?
                  this prevents your ISP from handling your DNS requests, since it does not send them to some ISP DNS server (or even google, cloudflare, etc.).

                  So:
                  make pfsense (in case that is your dhcp server) inform all clients that dns is at pihole's IP, set the rules for that.
                  In pihole set pfsense's unbound resolver as the one and only dns server.
                  you achieve this under pihole gui in
                  settings > DNS > enter pfsense IP in "custom 1"

                  So now:
                  client > asks pihole > pihole filters according to blacklists > sends then to unbound dns resolver on pfsense > send (if the dns answer is not in its cache) to the topmost dns root servers directly.

                  If you do not want pfsense to act as unbound dns resolver you can also install unbound next to pihole...

                  edit: is pihole connected to your ISP router or to pfsense (via switch/directly)?

                  the other

                  • CreationGuy @the other

                    @the-other
                    Modem connects to pfsense device, pfsense to Port 24 of managed switch. Pihole connected to Port 23 of switch. Clients are all on that switch.

                    • the other @CreationGuy

                      @creationguy
                      okay,
                      so you probably just need to

                      ...for each interface (vlans) inform every client that for DNS to ask pihole IP (under pfsense DHCP server > DNS servers)

                      ...allow that from every subnet/vlan with a rule like
                      allow IPv4 tcp/udp, source: your vlan, destination: pihole IP, port 53

                      ...to block every other dns request elsewhere also use
                      deny IPv4 tcp/udp, source: your vlan, destination: any, port 53

                      ...also block all DoT on port 853 (to prevent from going around pihole)

                      ...in pihole set DNS custom 1 with pfsense IP

                      ...in pfsense have unbound do the rest (resolving).

                      It's been a while without pihole here, but that is what I remember from that time...

                      :)

                      the other


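An added example, not from this thread and not pfSense's or Pi-hole's own code: a small Python first-match simulation of the per-VLAN rule set the post above describes (pass DNS to Pi-hole, block other DNS and DoT), with constructed placeholder addresses, to check the rule ordering and to show what happens when the block rule is placed first.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed addresses, not the poster's network: Pi-hole on the parent LAN, clients on VLAN10.
PIHOLE = ipaddress.ip_address("192.168.100.53")
VLAN10 = ipaddress.ip_network("192.168.110.0/24")

@dataclass
class Rule:
    action: str                               # "pass" or "block"
    proto: Set[str]                           # {"tcp", "udp"}
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]      # None = any destination
    dport: Optional[int]                      # None = any port

# pfSense evaluates an interface's rules top-down and the first match wins,
# so the pass-to-Pi-hole rule has to sit above the block-all-other-DNS rules.
VLAN10_RULES = [
    Rule("pass",  {"tcp", "udp"}, VLAN10, ipaddress.ip_network(f"{PIHOLE}/32"), 53),
    Rule("block", {"tcp", "udp"}, VLAN10, None, 53),   # plain DNS anywhere else
    Rule("block", {"tcp", "udp"}, VLAN10, None, 853),  # DoT, which would bypass Pi-hole
    Rule("pass",  {"tcp", "udp"}, VLAN10, None, None), # the usual "internet only" pass
]

def evaluate(rules, proto, src, dst, dport):
    """Verdict of the first matching rule; no match means pfSense's default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (proto in r.proto and src in r.src
                and (r.dst is None or dst in r.dst)
                and (r.dport is None or dport == r.dport)):
            return r.action
    return "block"

def check_policy(rules=VLAN10_RULES):
    """Constructed flows from one VLAN10 client, mapped to the verdict each gets."""
    flows = {
        "dns_to_pihole":   ("udp", "192.168.110.20", str(PIHOLE), 53),
        "dns_to_public":   ("udp", "192.168.110.20", "8.8.8.8", 53),
        "dot_to_public":   ("tcp", "192.168.110.20", "1.1.1.1", 853),
        # HTTPS passes: port rules cannot tell DoH from ordinary web traffic.
        "https_to_public": ("tcp", "192.168.110.20", "203.0.113.10", 443),
    }
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}

def misordered_rules():
    """Same rules, but block-any-DNS placed above the Pi-hole pass rule."""
    return [VLAN10_RULES[1], VLAN10_RULES[0]] + VLAN10_RULES[2:]
```

With the misordered set, `check_policy(misordered_rules())` reports `dns_to_pihole` as blocked, which is the symptom of putting the deny rule above the allow rule in the VLAN tab.
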
                        • CreationGuy @the other

                        @the-other This seems more complex than just using pfblockerNG or something like NextDNS. I don't want to use NextDNS due to $ and want to handle this locally.

                          • the other @CreationGuy

                          @creationguy
                          well, yeah it is a little bit more complex, since you're using an extra device.

                          But:
                          the firewall rules are very similar to allow which dns you want (pihole / pfblocker) and do NOT want (the rest).

                          Also, it is more handwork, for all client hostnames should be set in pihole as well, so you can see which client is asking for porn/guns/bs...

                          I have pfsense here on an apu board. openvpn, 6 vlans, freeradius, dhcp, dns and pfblockerng_dev are running. No snort or Suricata. I have 4 GB RAM, it is used by around 25 to 30 percent, so no issue with ram shortage.
                          I have around 8 lists in pfblocker active...
                          EDIT: just had a look... definitely more than 8 lists... make that around 30. So, still no stressing about RAM usage at 25%

                          the other

                            • CreationGuy @the other

                            @the-other Are you running on an official appliance? If so, I wonder if that's why my desktop install of pfsense+ is using so much RAM.

                            I just have 5 or so VLANs, basic FW rules with some aliasing, NTOPng and pfblockerng and am at 30-45% usage.

                              • the other @CreationGuy

                              @creationguy
                              no,
                              there is just a rather cheap and 3 year old apu2 board with 3 nics and 4 gb RAM on 64 gb mssd...around 180 Euro.

                              Maybe ntopng uses a bit depending on your usage of it.
                              I do not use the + version, ce is running here...

                              And 30 to 45 % isn't bad, imho. Still enough reserve left.
                              Yeah, pihole's gui is nice. But I wanted to get rid of yet another device feeding on costly energy and time to configure and care about.
                              Now everything works fine on ONE device...so I can live with pfblocker's gui and report look (I do not need that much eye candy as long as it works and I spare some time for real important stuff...like living).

                              :)

                              the other

                                • AndyRH

                                For comfort, I am running PiHole (3 of them) and they are reachable as described by others from any VLAN. Super easy once you do it once. My PiHoles also use DoH.

                                As to why, the PiHole interface is better and DoH prevents the ISP from snooping. Are there different ways? Yes. This is my solution and I am comfortable with it and it is very easy to build PiHole to use DoH.

                                A few tips, add your DHCP server to the lookup list on the PiHole so it can resolve names and add PiHole to pfSense so it can resolve static DNS entries. I do not point pfSense to PiHole for its primary DNS server. This is for ease of use and just in case the fan makes brown stains on the walls.

                                o||||o
                                7100-1u

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.