pihole on unraid not blocking ads with pfsense
-
I kind of just did, when I told you how I have it setup.. Didn't I.. What step is missing there ;)
-
@johnpoz said in pihole on unraid not blocking ads with pfsense:
I kind of just did, when I told you how I have it setup.. Didn't I.. What step is missing there ;)
Nevermind thanks anyway.
-
Do you need a picture on how to setup dhcp to point to the pihole IP? Do you need picture on how to setup pihole to point to pfsense IP? Just a bit confused to what other info you would need?
-
@johnpoz said in pihole on unraid not blocking ads with pfsense:
Do you need a picture on how to setup dhcp to point to the pihole IP? Do you need picture on how to setup pihole to point to pfsense IP? Just a bit confused to what other info you would need?
Not really a picture tho it might help. I know you told us what you have set up I just wouldn't know how to set it up this way. I was hoping you could give a run down and the setting you did to achieve this.
-
Again - already did..
You set dhcp server in pfsense to point to pihole IP.
You set pihole to forward to pfsense IP..What else is there to know?
Clients now ask pihole, stuff that is not blocked gets forwarded to pfsense. It answers for local stuff, and resolves public stuff and answers back to pihole, which sends it back to client.
One thing I would do is let pihole do PTR.. So uncheck
"Never forward reverse lookups for private IP ranges"
-
@johnpoz said in pihole on unraid not blocking ads with pfsense:
Again - already did..
You set dhcp server in pfsense to point to pihole IP.
You set pihole to forward to pfsense IP..What else is there to know?
Clients now ask pihole, stuff that is not blocked gets forwarded to pfsense. It answers for local stuff back to pihole, which sends it back to client.
One thing I would do is let pihole do PTR.. So uncheck
"Never forward reverse lookups for private IP ranges"
So
System > General Setup > DNS Servers 10.0.0.22 (which is my pihole)
now on pihole
Upstream DNS Servers
points to pfsense 10.0.0.1
Never forward non-FQDNs
Never forward reverse lookups for private IP ranges
Use DNSSEC
All ticked?
Can't seem to find PTR in the dns options unless Never forward reverse lookups for private IP ranges is it?
-
@X2LR said in pihole on unraid not blocking ads with pfsense:
System > General Setup > DNS Servers 10.0.0.22 (which is my pihole)
Nowhere did I say anything about that??
You don't do anything to unbound, or pfsense other than change the IP that gets handed to clients in the dhcp server settings.
never forward non-fqdn - checked!
never private - unchecked
use dnssec - uncheck, it's POINTLESS on a forwarder.. Pointless!! Unbound will do your dnssec for you out of the box.
-
@johnpoz said in pihole on unraid not blocking ads with pfsense:
@X2LR said in pihole on unraid not blocking ads with pfsense:
System > General Setup > DNS Servers 10.0.0.22 (which is my pihole)
Nowhere did I say anything about that??
You don't do anything to unbound, or pfsense other than change the IP that gets handed to clients in the dhcp server settings.
Sorry you are correct I misread. Is there others correct?
-
Exactly..
Now was that hard ;)
See my edit on the checkboxes.. The only thing pfsense should point to for dns is itself, 127.0.0.1.. Unbound out of the box will resolve and use dnssec.
-
@johnpoz said in pihole on unraid not blocking ads with pfsense:
Exactly..
Now was that hard ;)
Thank you.
last few questions if you don't mind.
in resolver
DNSSEC is ticked
is any of the others ticked at all?
DNS Query Forwarding etc..
also in General Setup do you tick or untick
DNS Server Override
Disable DNS Forwarder
Now I know you never said anything about General Setup just don't want wrong set up in here.
which dns do you use john? I've been using quad9
-
If unbound is resolving you have little reason to allow for dhcp of pfsense wan to set dns for pfsense..
So unchecked..
If you check disable forward/resolver - how would pfsense resolve anything for itself? Since that just removes pointing to 127.0.0.1 for pfsense.
In unbound, no forwarding is not checked.. It resolves out of the box. Yes you would leave dnssec checked if you want it checking for that. That is up to you.. As to other settings in unbound.. I personally use cache prefetch and serve ttl 0, but those have nothing to do with who is asking be it pihole or normal clients, etc. I also set min TTL of 3600.. Only because I despise these 60 second some sites use for ttl.. Have seen zero issues with doing that, but I wouldn't suggest you do anything like that unless you fully understand what it means.
-
@johnpoz said in pihole on unraid not blocking ads with pfsense:
If unbound is resolving you have little reason to allow for dhcp of pfsense wan to set dns for pfsense..
So unchecked..
If you check disable forward/resolver - how would pfsense resolve anything for itself? Since that just removes pointing to 127.0.0.1 for pfsense.
In unbound, no forwarding is not checked.. It resolves out of the box. Yes you would leave dnssec checked if you want it checking for that. That is up to you.. As to other settings in unbound.. I personally use cache prefetch and serve ttl 0, but those have nothing to do with who is asking be it pihole or normal clients, etc. I also set min TTL of 3600.. Only because I despise these 60 second some sites use for ttl.. Have seen zero issues with doing that, but I wouldn't suggest you do anything like that unless you fully understand what it means.
Thanks and yes i don't understand what that means so ill leave that be.
As for dns i want to use i add that in General Setup? I think ive had it wrongly set up for years i had it in the dhcp part
-
Also you said you can bypass pihole if i wanted to do that for 10.0.0.20 and 10.0.0.22 would that be in pfsense or pihole settings
-
You would do that on the client :) via a dig or nslookup calling out pfsense IP.
Or sure if you don't want client X using pihole, then setup dhcp reservation for them and have it just ask pfsense directly via dhcp settings. Or you could do on the client directly via static settings.
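
A way to check the chain described in this thread from a client, added here as an example and not part of any post: it asks Pi-hole (10.0.0.22) and pfSense (10.0.0.1) for the same name with `dig` and compares the answers. It assumes Pi-hole's default blocking mode, which answers blocked names with 0.0.0.0 or ::; the function names and the script's arguments are made up for this example.

```shell
#!/bin/sh
# Added example: verify client -> Pi-hole -> pfSense (unbound) with dig.
# IPs are the ones used in the thread; override via environment if yours differ.
PIHOLE="${PIHOLE:-10.0.0.22}"
PFSENSE="${PFSENSE:-10.0.0.1}"

# Interpret the first line of `dig +short` output.
# Assumption: Pi-hole default blocking mode (0.0.0.0 for A, :: for AAAA).
classify_answer() {
  case "$1" in
    ""|";"*)     echo "no-answer" ;;   # empty reply or a ";; timed out" message
    0.0.0.0|::)  echo "blocked" ;;
    *)           echo "resolved" ;;
  esac
}

# ask <server> <name> [type]: query one server and classify its reply.
ask() {
  classify_answer "$(dig +short +time=2 +tries=1 "@$1" "$2" "${3:-A}" | head -n 1)"
}

# verdict <via-pihole> <via-pfsense>: compare the two paths for one name.
verdict() {
  case "$1/$2" in
    blocked/resolved)  echo "OK: Pi-hole blocks, pfSense resolves" ;;
    resolved/resolved) echo "NOT BLOCKED: name is not on a Pi-hole blocklist" ;;
    no-answer/*)       echo "FAIL: Pi-hole did not answer (down, or upstream unreachable)" ;;
    */no-answer)       echo "FAIL: pfSense did not answer" ;;
    *)                 echo "UNEXPECTED: $1 via Pi-hole, $2 via pfSense" ;;
  esac
}

# Runs only when a name is given: sh check.sh <ad-domain> [lan-ip]
if [ "$#" -ge 1 ]; then
  echo "$1: $(verdict "$(ask "$PIHOLE" "$1")" "$(ask "$PFSENSE" "$1")")"
  # PTR for a LAN address through Pi-hole. It is only forwarded to pfSense when
  # "Never forward reverse lookups for private IP ranges" is unchecked.
  if [ -n "${2:-}" ]; then
    echo "PTR $2 via Pi-hole: $(dig +short -x "$2" "@$PIHOLE")"
  fi
fi
```

If the first line reports NOT BLOCKED for a name that is on the blocklist, check which DNS server the client actually received from DHCP.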
-
@X2LR said in pihole on unraid not blocking ads with pfsense:
As for dns i want to use i add that in General Setup?
No... You don't put anything in general setup on pfsense.. Pfsense only ever needs to talk ask itself.. Nothing goes in general setup on pfsense. That is the whole point of unbound resolving.
-
@johnpoz said in pihole on unraid not blocking ads with pfsense:
@X2LR said in pihole on unraid not blocking ads with pfsense:
As for dns i want to use i add that in General Setup?
No... You don't put anything in general setup on pfsense.. Pfsense only ever needs to talk ask itself.. Nothing goes in general setup on pfsense. That is the whole point of unbound resolving.
Where would you put dns? (9.9.9.9 ? im lost now.)
@johnpoz said in pihole on unraid not blocking ads with pfsense:
You would do that on the client :) via a dig or nslookup calling out pfsense IP.
Or sure if you don't want client X using pihole, then setup dhcp reservation for them and have it just ask pfsense directly via dhcp settings. Or you could do on the client directly via static settings.
Hmmm? sounds very complicated, ill leave that for another day.
-
@X2LR said in pihole on unraid not blocking ads with pfsense:
Where would you put dns? (9.9.9.9 ? im lost now.)
You wouldn't!!! what would be the freaking point of that?
So you want clients to ask pihole, and then pihole to ask pfsense (Only for local stuff) and then forward to 9.9.9.9?? Sure you could do that... If you're going to do, might as well just take pfsense out of the equation and let pihole be your dhcp so it can resolve your local clients and take pfsense out of it for dns/dhcp.
But now you're forwarding - not resolving.
-
@johnpoz said in pihole on unraid not blocking ads with pfsense:
@X2LR said in pihole on unraid not blocking ads with pfsense:
Where would you put dns? (9.9.9.9 ? im lost now.)
You wouldn't!!! what would be the freaking point of that?
okay i don't understand this at all then.
this is what i thought would happen.
Quad 9 would be my dns
Pihole would just remove ads and block sites.
I am clearly misunderstanding this big time.
-
See my edit... If all you want is quad9 as your dns.. Just have pihole forward to it.. Why would you need pfsense in the mix..
Nowhere in my discussion of how I am setup did I ever mention pfsense not resolving.. No external name services are needed, or desired if you ask me. If you want pfsense to forward to quad9, then sure you can do that - but you don't need dnssec checked on unbound then... If you forward - dnssec is POINTLESS!! Only a resolver can do anything with dnssec.