Netgate Discussion Forum
    pihole on unraid not blocking ads with pfsense

    DHCP and DNS
    62 Posts 7 Posters 9.4k Views
      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz

      You would not have pihole set up anywhere in pfsense other than in the dhcpd handing out to clients. Pfsense ONLY points to itself, which resolves (out of the box config).

      Pihole FORWARDS to pfsense IP, which then resolves.

      clients ONLY ask pihole, pihole ONLY forwards to pfsense. Pfsense then resolves anything it gets asked.. Pihole will not forward to pfsense stuff that it blocks.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        mlaustin @johnpoz
        last edited by

        @johnpoz said in pihole on unraid not blocking ads with pfsense:

        You would not have pihole set up anywhere in pfsense other than in the dhcpd handing out to clients. Pfsense ONLY points to itself, which resolves (out of the box config).

        Pihole FORWARDS to pfsense IP, which then resolves.

        clients ONLY ask pihole, pihole ONLY forwards to pfsense. Pfsense then resolves anything it gets asked.. Pihole will not forward to pfsense stuff that it blocks.

        I want to make sure I understand this correctly, because in pihole I have the DNS servers set to Cloudflare. I don't have any DNS servers set up in pfsense other than pihole. So should I then remove the DNS servers from pihole and put Cloudflare as DNS in pfsense? Then I'm guessing I would put pfSense's IP address in pihole. So it goes something like this: DHCP DNS -> pihole -> pfsense -> pfSense DNS.

          tman222 @mlaustin
          last edited by

          @mlaustin

          You essentially have two options:

          A. Use pfSense as a DNS Resolver:

          1. No need to add any additional DNS servers under General Setup in pfSense.
          2. Under DNS Resolver settings in pfSense, make sure DNSSEC is enabled and forwarding mode is disabled (unchecked).
          3. Pi-hole needs to be set up to forward its DNS traffic to pfSense.
          4. If you have DNS mappings (Host Overrides) in pfSense you'll want to uncheck "Never forward reverse lookups for private IP ranges" under Pi-hole's DNS settings.
          5. Make sure your clients' DNS points to Pi-hole.

          B. Use pfSense as the DNS Forwarder to Cloudflare (i.e. Cloudflare is the DNS Resolver):

          1. Add the IPs of Cloudflare's DNS servers under General Setup in pfSense.
          2. Under DNS Resolver settings in pfSense, you can disable DNSSEC if you want (because pfSense is now just forwarding requests and not resolving them) and make sure that forwarding mode is enabled (checked).
          3. to 5. remain the same.

          One other thing you can also think about doing is setting up NAT Redirection rules to make sure that DNS traffic that is not bound for Pi-hole is then redirected to go through Pi-hole (so nothing can circumvent it). This is useful in situations where devices may have their DNS server settings hard-coded - I've seen some IoT devices behave like this.

          Hope this helps.
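A way to check from a client that the chain described in this thread (clients -> Pi-hole -> pfSense unbound resolving with DNSSEC) is actually in place, as an added example that is not part of the thread: it sends the same query to Pi-hole and to pfSense directly with the DNSSEC OK bit set and reports whether Pi-hole forwarded the answer (and whether pfSense validated it) or nulled it. The addresses 10.0.0.22 and 10.0.0.1 are the ones that appear later in the thread and are assumed; the 0.0.0.0 reply for a blocked name is Pi-hole's assumed default blocking mode.

```python
import socket
import struct

PIHOLE = "10.0.0.22"    # addresses used in the thread; assumed, change to match your network
PFSENSE = "10.0.0.1"
NULL_ANSWERS = {"0.0.0.0", "::"}   # Pi-hole's reply for a blocked name (assumed default NULL mode)

def build_query(name, qtype=1, txid=0x1234):
    """Query with RD set plus an EDNS0 OPT record (DO=1) so unbound can set AD."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.strip(".").split(".")) + b"\x00"
    # OPT RR: root owner, type 41, UDP size 1232, ext-rcode 0, version 0, DO flag, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(data, pos):
    while True:                              # walk labels; a compression pointer ends the name
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def parse_response(data):
    """Return txid, RCODE, the AD (authenticated data) bit and any A records."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    info = {"txid": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020), "a": []}
    pos = 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4      # skip QTYPE and QCLASS
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            info["a"].append(socket.inet_ntoa(data[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return info

def classify(pihole, pfsense):
    """Compare what Pi-hole and pfSense return for the same name."""
    real = set(pfsense["a"]) - NULL_ANSWERS
    via_pihole = set(pihole["a"]) - NULL_ANSWERS
    if real and not via_pihole:
        return "blocked by pihole, pfsense answers directly"
    if real and via_pihole == real:
        return "forwarded" + (", DNSSEC validated by pfsense" if pfsense["ad"] else "")
    return "mismatch: check that pihole's upstream is pfsense"

def ask(server, name, timeout=2.0):
    # One UDP query to port 53; None if no reply comes back (e.g. when run offline)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return parse_response(s.recvfrom(4096)[0])
        except OSError:
            return None

if __name__ == "__main__":
    a, b = ask(PIHOLE, "example.com"), ask(PFSENSE, "example.com")
    print(classify(a, b) if a and b else "no answer from one of the hops")
```

Run it twice, once with a name you expect to resolve and once with a name on Pi-hole's lists; the second should report the "blocked" verdict, which is also the bypass johnpoz describes later (ask the pfSense IP directly).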

            mlaustin @tman222
            last edited by

            @tman222

            Thanks. Both scenarios worked out. I will use scenario A.

              x2rl @johnpoz
              last edited by

              @johnpoz said in pihole on unraid not blocking ads with pfsense:

              I have been running pihole for quite some time... This is how I set it up... I have pihole running on an actual Pi in my DMZ network 192.168.3/24.

              All clients point to pihole directly via setting dhcpd on pfsense to hand this out. pihole then forwards to pfsense.. Pfsense then "RESOLVES" using dnssec.

              This allows me, if I want, to just ask the pfsense IP directly for something if I don't want to be blocked by pihole's list. If I want a device to not use pihole, I just set up that device to use pfsense for dns.

              On pihole I just set it to forward PTRs for rfc1918, ie uncheck
              "Never forward reverse lookups for private IP ranges"

              This requires minimal config on both unbound and pihole. No need to set up any conditional forwards, you still get to "resolve" and use dnssec per the setting on unbound. And host overrides set on unbound work too, etc.

              John, would you one day be able to do a step-by-step on how you got it working like that? It sounds perfect for what I am wanting to do. I sometimes find pfsense quite complicated 90% of the time.

                johnpoz LAYER 8 Global Moderator
                last edited by

                I kind of just did, when I told you how I have it set up.. Didn't I.. What step is missing there ;)


                  x2rl @johnpoz
                  last edited by

                  @johnpoz said in pihole on unraid not blocking ads with pfsense:

                  I kind of just did, when I told you how I have it set up.. Didn't I.. What step is missing there ;)

                  Never mind, thanks anyway.

                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    Do you need a picture on how to set up dhcp to point to the pihole IP? Do you need a picture on how to set up pihole to point to the pfsense IP? Just a bit confused as to what other info you would need?


                      x2rl @johnpoz
                      last edited by x2rl

                      @johnpoz said in pihole on unraid not blocking ads with pfsense:

                      Do you need a picture on how to set up dhcp to point to the pihole IP? Do you need a picture on how to set up pihole to point to the pfsense IP? Just a bit confused as to what other info you would need?

                      Not really a picture, though it might help. I know you told us what you have set up, I just wouldn't know how to set it up this way. I was hoping you could give a rundown and the settings you used to achieve this.

                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz

                        Again - already did..

                        You set dhcp server in pfsense to point to pihole IP.
                        You set pihole to forward to pfsense IP..

                        What else is there to know?

                        Clients now ask pihole, stuff that is not blocked gets forwarded to pfsense. It answers for local stuff, and resolves public stuff and answers back to pihole, which sends it back to client.

                        One thing I would do is let pihole do PTR.. So uncheck
                        "Never forward reverse lookups for private IP ranges"


                          x2rl @johnpoz
                          last edited by

                          @johnpoz said in pihole on unraid not blocking ads with pfsense:

                          Again - already did..

                          You set dhcp server in pfsense to point to pihole IP.
                          You set pihole to forward to pfsense IP..

                          What else is there to know?

                          Clients now ask pihole, stuff that is not blocked gets forwarded to pfsense. It answers for local stuff back to pihole, which sends it back to client.

                          One thing I would do is let pihole do PTR.. So uncheck
                          "Never forward reverse lookups for private IP ranges"

                          So

                          System > General Setup > DNS Servers: 10.0.0.22 (which is my pihole)
                          now on pihole
                          Upstream DNS Servers
                          points to pfsense 10.0.0.1

                          Never forward non-FQDNs
                          Never forward reverse lookups for private IP ranges
                          Use DNSSEC
                          All ticked?

                          Can't seem to find PTR in the dns options unless Never forward reverse lookups for private IP ranges is it?

                            johnpoz LAYER 8 Global Moderator
                            last edited by johnpoz

                            @X2LR said in pihole on unraid not blocking ads with pfsense:

                            System > General Setup > DNS Servers: 10.0.0.22 (which is my pihole)

                            Nowhere did I say anything about that??

                            You don't do anything to unbound, or pfsense other than change the IP that gets handed to clients in the dhcp server settings.

                            never forward non-fqdn - checked!
                            never private - unchecked
                            use dnssec - uncheck, it's POINTLESS on a forwarder.. Pointless!! Unbound will do your dnssec for you out of the box.


                              x2rl @johnpoz
                              last edited by johnpoz

                              @johnpoz said in pihole on unraid not blocking ads with pfsense:

                              @X2LR said in pihole on unraid not blocking ads with pfsense:

                              System > General Setup > DNS Servers: 10.0.0.22 (which is my pihole)

                              Nowhere did I say anything about that??

                              You don't do anything to unbound, or pfsense other than change the IP that gets handed to clients in the dhcp server settings.

                              Sorry, you are correct, I misread. Are the others correct?

                                x2rl @johnpoz
                                last edited by

                                @johnpoz So

                                Services > DHCP Server > LAN > Servers

                                DNS servers = 10.0.0.22?

                                  johnpoz LAYER 8 Global Moderator
                                  last edited by johnpoz

                                  Exactly..

                                  Now was that hard ;)

                                  See my edit on the checkboxes.. The only thing pfsense should point to for dns is itself, 127.0.0.1.. Unbound out of the box will resolve and use dnssec.


                                    x2rl @johnpoz
                                    last edited by

                                    @johnpoz said in pihole on unraid not blocking ads with pfsense:

                                    Exactly..

                                    Now was that hard ;)

                                    Thank you.

                                    Last few questions, if you don't mind.

                                    In the resolver:

                                    DNSSEC is ticked.
                                    Are any of the others ticked at all?
                                    DNS Query Forwarding etc..

                                    Also in General Setup, do you tick or untick
                                    DNS Server Override
                                    Disable DNS Forwarder

                                    Now I know you never said anything about General Setup, I just don't want a wrong setup in here.

                                    Which dns do you use, John? I've been using Quad9.

                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                      If unbound is resolving you have little reason to allow for dhcp of pfsense wan to set dns for pfsense..

                                      So unchecked..

                                      If you check disable forwarder/resolver - how would pfsense resolve anything for itself? Since that just removes pointing to 127.0.0.1 for pfsense.

                                      In unbound, no, forwarding is not checked.. It resolves out of the box. Yes, you would leave dnssec checked if you want it checking for that. That is up to you.. As to other settings in unbound.. I personally use cache prefetch and serve ttl 0, but those have nothing to do with who is asking, be it pihole or normal clients, etc. I also set a min TTL of 3600.. Only because I despise these 60 second ttls some sites use.. Have seen zero issues with doing that, but I wouldn't suggest you do anything like that unless you fully understand what it means.


                                        x2rl @johnpoz
                                        last edited by

                                        @johnpoz said in pihole on unraid not blocking ads with pfsense:

                                        If unbound is resolving you have little reason to allow for dhcp of pfsense wan to set dns for pfsense..

                                        So unchecked..

                                        If you check disable forwarder/resolver - how would pfsense resolve anything for itself? Since that just removes pointing to 127.0.0.1 for pfsense.

                                        In unbound, no, forwarding is not checked.. It resolves out of the box. Yes, you would leave dnssec checked if you want it checking for that. That is up to you.. As to other settings in unbound.. I personally use cache prefetch and serve ttl 0, but those have nothing to do with who is asking, be it pihole or normal clients, etc. I also set a min TTL of 3600.. Only because I despise these 60 second ttls some sites use.. Have seen zero issues with doing that, but I wouldn't suggest you do anything like that unless you fully understand what it means.

                                        Thanks, and yes, I don't understand what that means so I'll leave that be.

                                        As for the dns I want to use, do I add that in General Setup? I think I've had it wrongly set up for years, I had it in the dhcp part ☹

                                          x2rl
                                          last edited by

                                          Also, you said you can bypass pihole. If I wanted to do that for 10.0.0.20 and 10.0.0.22, would that be in pfsense or pihole settings?

                                            johnpoz LAYER 8 Global Moderator
                                            last edited by

                                            You would do that on the client :) via a dig or nslookup calling out the pfsense IP.

                                            Or sure, if you don't want client X using pihole, then set up a dhcp reservation for them and have it just ask pfsense directly via dhcp settings. Or you could do it on the client directly via static settings.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.