PfSense + Pi-Hole + OpenVPN
-
Hello all. Since this forum has been profoundly helpful with my numerous past issues, I thought I'd reach out about this one. I currently use a pfSense box as a router for our home network. It also serves OpenVPN, so that we can VPN in from our mobile devices.
In an effort to make the DNS blacklisting/whitelisting process easier for my wife, and prevent her from having to access the pfSense box directly (short of emergencies), I'm trying to transition our DNS blacklisting from pfBlockerNG to Pi-Hole. This process was pretty painless for the network itself. The problem is that doing so prevents devices that are bridged into our LAN via the VPN from being able to send/receive DNS requests.
According to ipconfig /all, the bridged devices are querying the correct internal IP (10.4.143.3) for the Pi-Hole. Using nslookup, I can confirm that they are in fact sending their DNS queries to that address. The problem is that they are coming up "unknown" and timing out.
Network setup and information:
- pfSense box (10.4.143.1) is serving OpenVPN so that our mobile devices can bridge into our LAN.
- Pi-Hole (10.4.143.3) is visible and correctly handles DNS requests for devices physically in our home.
- DNS queries sent from VPN clients connecting from outside the network are sent to Pi-Hole (10.4.143.3), but time out.
- The NAT rules that previously blocked all DNS requests that were not directed at the pfSense box have all been adjusted to instead direct requests to the Pi-Hole.
What I have tried:
- Transitioning DHCP responsibilities from pfSense to the Pi-Hole. Does not help.
- Keeping the DNS resolver up and sending the Pi-Hole's upstream queries to that. Does not help.
- Disabling the DNS resolver and sending the Pi-Hole's upstream queries to Google DNS. Does not help.
- Enabling DNS forwarder. When that didn't work, I disabled it again. No change.
- Disabling the NAT rules that blocked all DNS requests that were not directed at the Pi-Hole. Does not help.
I apologize if this would be better posted in a different subforum. I'm happy to provide any other relevant information – just let me know!
-
"so that our mobile devices can bridge into our LAN."
So you're using tap vs tun? Why are you doing that? I VPN into my network all the time via tun, and I can query my pihole running on my network.
C:\Windows\System32>dig @192.168.3.10 www.google.com

; <<>> DiG 9.11.1 <<>> @192.168.3.10 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35179
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 300 IN A 172.217.6.100

;; Query time: 104 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Wed Jun 07 15:18:20 Central Daylight Time 2017
;; MSG SIZE rcvd: 59

192.168.3.10 is my pihole..
Can you ping your pihole? Can you ping other devices on this 10.4.143 network? If you're tap vs tun, you would also be on the 10.4.143 network, I take it? So there really should be nothing stopping you from doing a query to pihole.
So from this trace you can see I go down my tunnel network that is 10.0.8 and then hit my pihole that hangs off a segment connected to my pfsense at home.
-
Thanks for the post. I'll get back to the rest of it when I have a little more time, but I did want to touch on this.
So you're using tap vs tun? Why are you doing that? I VPN into my network all the time via tun, and I can query my pihole running on my network.
Yes, but as a matter of fact, I was originally using TUN. The problem is that as a complete neophyte with networking, I was having trouble getting the VPN devices to behave how I wanted them to. Specifically, I direct virtually all traffic out of my home network using another VPN (currently PIA) and policy routing. I wanted devices that were connecting via VPN to access WAN via the PIA VPN. Using TAP and bridging them to the LAN, which is already configured to use PIA, was the easiest way I found to do this. I tried TUN for quite some time, but could never get it working.
-
Can you ping your pihole? Can you ping other devices on this 10.4.143 network? If you're tap vs tun, you would also be on the 10.4.143 network, I take it? So there really should be nothing stopping you from doing a query to pihole.
I cannot ping my Pi-Hole from a VPN device. Here is the result I get from my laptop, which I'm using to test from my office. I have tested with Windows firewall and without.
dig @10.4.143.3 www.google.com

; <<>> DiG 9.10.5 <<>> @10.4.143.3 www.google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Frustratingly, when checking the firewall logs, I see nothing hitting the firewall from either 10.4.143.137 (my laptop's IP on the LAN), or from my office's IP address.
-
That is not a ping, that is a dig.
Do a ping - and can you ping any other devices on that network? Can you ping the pfsense IP on that network?
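As an added example (not posted by anyone in the thread), a small triage script a VPN client can run after connecting, following the ping-then-dig approach suggested above: it probes the pfSense gateway and the Pi-hole with ICMP, then sends one DNS query, and reports the first layer that fails. The addresses default to the thread's 10.4.143.1 and 10.4.143.3 and can be overridden with environment variables; it assumes Linux iputils `ping` and `dig` are installed.

```shell
#!/bin/sh
# Added example, not from the thread: layered reachability/DNS triage run
# from the VPN client. Defaults are the addresses given in the thread;
# override with GATEWAY=... PIHOLE=... NAME=... Assumes iputils ping and dig.
GATEWAY="${GATEWAY:-10.4.143.1}"
PIHOLE="${PIHOLE:-10.4.143.3}"
NAME="${NAME:-www.google.com}"

# ICMP reachability: two echo requests, two-second wait for each reply.
probe_icmp() { ping -c 2 -W 2 "$1" >/dev/null 2>&1; }

# DNS: one UDP/53 query against the given server, short timeout, no retries;
# succeeds only if at least one answer record comes back.
probe_dns() { dig +time=2 +tries=1 +short "@$1" "$2" 2>/dev/null | grep -q .; }

# Pure decision logic: takes the three probe exit codes (0 = success) and
# prints a status code followed by a hint. Free of network calls so it can
# be exercised without a tunnel.
diagnose() {
  gw_rc=$1; pihole_rc=$2; dns_rc=$3
  if [ "$gw_rc" -ne 0 ]; then
    echo "GATEWAY_UNREACHABLE no ICMP reply from $GATEWAY: tunnel or bridge is not passing traffic, or the client's routes are wrong"
  elif [ "$pihole_rc" -ne 0 ]; then
    echo "PIHOLE_UNREACHABLE gateway answers but $PIHOLE does not: look at the bridge or firewall between the tunnel and the LAN"
  elif [ "$dns_rc" -ne 0 ]; then
    echo "DNS_TIMEOUT $PIHOLE answers ICMP but not UDP/53: check which interface Pi-hole listens on and any rules for port 53"
  else
    echo "OK $NAME resolves via $PIHOLE from this client"
  fi
}

# Run the probes in order and print the diagnosis; returns 0 only on OK.
run_triage() {
  probe_icmp "$GATEWAY" && gw=0 || gw=1
  probe_icmp "$PIHOLE" && ph=0 || ph=1
  probe_dns "$PIHOLE" "$NAME" && dns=0 || dns=1
  result=$(diagnose "$gw" "$ph" "$dns")
  echo "$result"
  [ "${result%% *}" = OK ]
}

# Only touch the network when explicitly asked: RUN_PROBES=1 sh triage.sh
if [ "${RUN_PROBES:-0}" = 1 ]; then
  run_triage
fi
```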