Netgate Discussion Forum
    Clean pfsense install needing pihole dns

    DHCP and DNS
    12 Posts 3 Posters 609 Views
    johnpoz LAYER 8 Global Moderator @chachew

      @chachew A couple of things off the top of my head that you could run into in such a setup. I run pihole myself, but just as an ad filter - all my local resources I want to resolve I just added to unbound on pfsense.

      First thing that comes to mind: pihole, pretty sure, out of the box does not like answering queries from IPs that are not on its local network..

      (image: pihole.jpg)

      2nd thing that comes to mind: if you set up pfsense to forward to your pihole and that returns rfc1918, that would be a rebind.. So if you want rfc1918 addresses to be returned you would want to set your domain as private

      https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-rebinding-protections

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        chachew @viragomann

        @viragomann The WAN interface is connected to the ATT router

        The DHCP server is the LAN interface at 192.168.100.1

        Should I create/move pihole from 192.168.1.152 to the LAN network (192.168.100.x) so they are on the same subnet?

          johnpoz LAYER 8 Global Moderator @chachew

          @chachew How you skin the cat is up to you, there are many ways to skin it.. It would depend on which one you feel best using.

          Moving all your local dns to unbound on pfsense is one way. If you still wanted to use pihole for adblock I would put it behind pfsense and have clients ask it, then have it forward to unbound on pfsense for unbound to resolve. You could also leverage pfblocker for more dns filtering, etc.

          If you do move pihole behind pfsense, and have your clients ask it, if you have more than one network you would still need to worry about that setting I showed.

            chachew @johnpoz

            @johnpoz Honestly I don't really use any of the ad blocking on pihole, I was just using it for DNS. I don't see unbound in the package manager for pfsense. How do I get that installed?

              johnpoz LAYER 8 Global Moderator @chachew

              @chachew You don't need to install it - it's built in.. There are 2 dns options built in, unbound (resolver) and the forwarder (dnsmasq).. Also, as a 3rd option, you could install Bind.

              But out of the box pfsense would use unbound and resolve..

              (image: dns.jpg)

                chachew @johnpoz

                @johnpoz Ok, so I enabled DNS resolver and pointed it to my server and can now resolve the custom url! So would I just now go to haproxy to further refine my services? So I can now point a url to a custom dns name with the port that it belongs to?

                  johnpoz LAYER 8 Global Moderator @chachew

                  @chachew said in Clean pfsense install needing pihole dns:

                  > and pointed it to my server

                  You set up forwarding? Out of the box unbound resolves, it does not forward. If you set up forwarding - and the answer you're getting back is rfc1918, you would have to either set that domain as private or turn off rebind protection.

                  Is your server returning public IPs? Or rfc1918.. 10.x.x.x, 192.168.x.x or 172.16-31.x.x?

                  How exactly did you check that this worked - if pfsense directly asked your server, ie you set it up in dns general - then that wouldn't be a forward.

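The rebind check described in the posts above, as an added illustration (not pfSense or unbound code): a forwarded answer inside the RFC 1918 ranges johnpoz lists is dropped unless rebind protection is off or the queried name falls under a domain configured as private. The sample names and addresses are constructed for the demo.

```python
import ipaddress

# RFC 1918 ranges named in the thread: 10.x.x.x, 172.16-31.x.x, 192.168.x.x
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True when the answer address is in one of the three RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def in_private_domain(qname: str, private_domains) -> bool:
    """A private-domain entry covers the name itself and every name below it."""
    q = qname.rstrip(".").lower()
    for d in private_domains:
        d = d.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def rebind_verdict(qname: str, answer_ip: str, private_domains=(), rebind_protection=True) -> str:
    """Model of the decision: 'blocked' when a forwarded answer would be
    rejected as a rebind, 'allowed' otherwise.  Hypothetical helper written
    for this thread; it mirrors the rule, not unbound's implementation."""
    if not is_rfc1918(answer_ip):
        return "allowed"            # public answers are never a rebind
    if not rebind_protection:
        return "allowed"            # protection switched off entirely
    if in_private_domain(qname, private_domains):
        return "allowed"            # domain explicitly marked private
    return "blocked"


if __name__ == "__main__":
    # Constructed sample: the host override from the thread, answered by a forwarder
    print(rebind_verdict("internal.domain.com", "192.168.100.54"))                         # blocked
    print(rebind_verdict("internal.domain.com", "192.168.100.54", ("domain.com",)))        # allowed
    print(rebind_verdict("www.example.org", "203.0.113.10"))                               # allowed
```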
                    chachew @johnpoz

                    @johnpoz I created a Host Overrides entry in DNS Resolver as internal.domain.com and pointed it to 192.168.100.54. This '192.168.100.54' server hosts multiple services in docker.

                    So now I want to be able to go to service1.domain.com and have it point to internal.domain.com:8081, service2.domain.com and have it point to internal.domain.com:9000, etc, etc.

                    I can successfully hit internal.domain.com:8081 or internal.domain.com:9000 and I can get to my services just fine. So now I just want to be able to proxy to the service via service1.domain.com, service2.domain.com, etc. Hopefully that makes sense.

                    I created a backend in HAProxy that points to internal.domain.com at port 8081 and no SSL. I then created a frontend that points to LAN port 80 with an ACL with 'host matches' service1.domain.com and an action that points to that backend service and the ACL name from above.

                    Only other thing I haven't done is create a firewall rule that is noted in the external address section. I'm not sure what to create here.

                    'NOTE: You must add a firewall rules permitting access to the listen ports above.
                    If you want this rule to apply to another IP address than the IP address of the interface chosen above, select it here (you need to define Virtual IP addresses on the first). Also note that if you are trying to redirect connections on the LAN select the "any" option. In the port to listen to, if you want to specify multiple ports, separate them with a comma (,). EXAMPLE: 80,8000 Or to listen on both 80 and 443 create 2 rows in the table where for the 443 you would likely want to check the SSL-offloading checkbox.'

                      johnpoz LAYER 8 Global Moderator @chachew

                      @chachew A host override - oh ok, yet another way to skin your cat..

                      So you really have no need of your pihole any more if all it was doing was resolving some fqdn internal.domain.com to an IP.

                        chachew @johnpoz

                        @johnpoz Yes, I removed pihole from the equation since I wasn't using it for ad-blocking, just dns. Seems easier to just do that in pfsense with the previous suggestions.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.