LAN to LAN rules, is it possible?

  • I would like to know if it's possible to route 53/80/443 traffic from devices like Firesticks/Rokus to another IP that is running PiHole within my LAN?

    Currently I have NAT rules set for TCP/UDP for ports 53/67/80/443 going from a Roku device in my LAN to a PiHole in my LAN but I cannot seem to get it to work; at this point I do not even know if it's possible.

    Yes, I know about pfBlocker, but I would be asking for the same thing: specific IPs to route to the PiHole or pfBlocker, as I do not want to use the blocker on everyone in my LAN.

  • Nope. When you access machines (hosts) on the same subnet/network, in this case your LAN network, pfsense doesn’t get involved. Traffic never touches your firewall.

    To accomplish this, you need to move the pi-hole to another network, either real or virtual. Do you have any other network ports available on your pfsense machine? If not, you can set up a VLAN, add your pi-hole to that network, then set up pfsense to route the appropriate traffic to there.

    Here’s a good post to read on a proper pi-hole setup:


  • I will have to go with your 2nd suggestion. As I have never done this before, how would I go about doing this?

    PiHole is a virtual device.

  • There are some screenshot instructions in that post I linked to.

    In a nutshell, on your LAN DHCP interface, you set the DNS server to the pihole address on the "other" network. Then, on your LAN interface, you make a port forward to get DNS traffic moving to the pihole. Allow that port forward to auto-create the companion firewall rule. Then point the pihole back to pfsense. And then, finally, set the DNS resolver to "enabled" in pfsense. That means the pfsense box will ultimately run the DNS resolving and caching for your LAN network, after it has been sanitized by the pihole system.
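
The point made in the replies above, that same-subnet traffic never passes through the firewall, can be checked with a small model. This is an added example, not code from the thread or from pfSense; all addresses are constructed, and it assumes a firewall that reverses a port forward only on replies it actually forwards.

```python
import ipaddress as ipa

def next_hop(host_if, dst, gateway):
    """A host delivers on-link destinations directly and sends the rest to its gateway."""
    return dst if dst in host_if.network else gateway

def trace_dns(client_if, pihole_if, firewall_ips, query_dst):
    """Follow one DNS query and its reply.

    Returns (query_crosses_firewall, reply_crosses_firewall, reply_source).
    """
    def gw(host_if):  # the firewall address on that host's subnet
        return next(ip for ip in firewall_ips if ip in host_if.network)

    # The port forward can only rewrite the query if the firewall is its next hop.
    if next_hop(client_if, query_dst, gw(client_if)) not in firewall_ips:
        return (False, False, query_dst)      # on-link: answered directly
    # The NAT is undone only if the reply also passes back through the firewall.
    reply_via_fw = next_hop(pihole_if, client_if.ip, gw(pihole_if)) in firewall_ips
    return (True, reply_via_fw, query_dst if reply_via_fw else pihole_if.ip)

def client_accepts(query_dst, reply_source):
    """A resolver client ignores answers that come from an address it did not query."""
    return reply_source == query_dst

# Constructed sample addresses
FIREWALL = [ipa.ip_address("192.168.1.1"), ipa.ip_address("192.168.20.1")]
ROKU = ipa.ip_interface("192.168.1.50/24")
PIHOLE_SAME_LAN = ipa.ip_interface("192.168.1.10/24")
PIHOLE_VLAN = ipa.ip_interface("192.168.20.10/24")
PUBLIC_DNS = ipa.ip_address("8.8.8.8")

if __name__ == "__main__":
    for label, pihole in (("same LAN", PIHOLE_SAME_LAN), ("own VLAN", PIHOLE_VLAN)):
        q, r, src = trace_dns(ROKU, pihole, FIREWALL, PUBLIC_DNS)
        print(label, "query via fw:", q, "reply via fw:", r,
              "accepted:", client_accepts(PUBLIC_DNS, src))
```

With the Pi-hole on the client's own subnet the forwarded query arrives, but the reply goes back on-link with the Pi-hole's address as its source and the client discards it. With the Pi-hole on its own VLAN both directions cross the firewall and the reply carries the address the client queried.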

