Need help with a firewall rule to allow PiHole DNS and block users from accessing the PiHole GUI....
-
I have done extensive testing of the firewall and found no leaks after implementing your suggested rules; pfSense appears to be functioning as intended. However, I had to make a slight modification to one of your rules to accommodate the Unifi Captive Guest Portal on one of the subnets. The issue was that connected hosts were unable to access the captive portal web page. Rule #2 of your sample rules had to be modified: "Source, test subnets" was changed to "any" and port 53 (DNS) was changed to no port.
-
Thanks for replying to my post! johnpoz solved it for me by re-writing the majority of my pfSense rules; everything is now peachy. The VLANs (WiFi) are now restricted to only ICMP/NTP/DNS/internet. They are no longer able to access other resources on the network, including GUIs.
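To make the first-match behaviour of a rule set like the one described above concrete, here is an added Python model (not code from the thread, from pfSense or from Pi-hole): ICMP, NTP and DNS to the Pi-hole are passed, everything else destined for private address space is blocked, and what remains (internet traffic) is passed. The VLAN subnet, the Pi-hole address and the exact rule order are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing, following the thread: Pi-hole on the LAN, clients on a VLAN.
PIHOLE = ipaddress.ip_network("192.168.3.20/32")
VLAN = ipaddress.ip_network("192.168.10.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "any", "icmp", "udp" or "tcp"
    src: object           # ip_network or "any"
    dst: object           # ip_network, "any" or "rfc1918" (all private space)
    dport: Optional[int]  # None = any destination port

# Assumed rule order on the VLAN interface, top to bottom (pfSense: first match wins).
RULES = [
    Rule("pass", "icmp", VLAN, "any", None),      # ICMP (ping etc.)
    Rule("pass", "udp", VLAN, PIHOLE, 53),        # DNS, but only to the Pi-hole
    Rule("pass", "tcp", VLAN, PIHOLE, 53),
    Rule("pass", "udp", VLAN, "any", 123),        # NTP
    Rule("block", "any", VLAN, "rfc1918", None),  # all other private-net access (GUIs, LAN hosts)
    Rule("pass", "any", VLAN, "any", None),       # what remains is internet traffic
]

def _dst_matches(rule_dst, ip):
    if rule_dst == "any":
        return True
    if rule_dst == "rfc1918":
        return any(ip in net for net in RFC1918)
    return ip in rule_dst

def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first rule matching the packet; default deny if none match."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.src != "any" and src_ip not in r.src:
            continue
        if not _dst_matches(r.dst, dst_ip):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"
```

With a VLAN client at 192.168.10.200, `evaluate(RULES, "udp", ..., "192.168.3.20", 53)` returns "pass" while the same client to the Pi-hole's port 80 or the pfSense GUI on 192.168.3.1 returns "block", which is the split the thread is after.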
-
@johnpoz I am running into a similar issue. I have a VLAN on a wireless router (disabled DHCP/NAT/etc).
LAN 192.168.3.1 (pfsense)
LAN 192.168.3.3 (wifi-router1)
LAN 192.168.3.20 (pihole DNS+unbound)
VLAN_STAFF 192.168.10.1
VLAN 192.168.10.2 (wifi-router2)
If I connect to the first router it will resolve "ping google.com".
If I connect to the second router it will resolve "ping 1.1.1.1" but not "ping google.com". So this tells me I MAY have internet but I definitely do not have DNS.
Setup:
ISP -> netgate SG3100 (pfsense+) -> TL-SG1016DE (switch) -> {pi-hole, wifi-router1, wifi-router2, ubuntu laptop, etc.}
When I connect to wifi-router2 it tells me my DNS is 192.168.3.20 in the settings ...
It says my routing is 192.168.10.1
I can ping 192.168.3.20 (pi-hole) if I'm on wifi-router2 too (DHCP gives me 192.168.10.200 on my linux laptop).
My setup is quite generic otherwise. I am just learning. I did my due diligence with copying the LAN firewall to the STAFF VLAN, I set up the VLANs in the switch, I'm getting the DHCP to cooperate correctly, and I even tackled the Interfaces > Switches section which is often missed.
DHCP Servers for VLANS all say 192.168.3.20 grayed out... (default under General Setup)
After 2 days reading the mastering pdf and searching 20 videos and 50 forum posts (about half you commented on...), I'm left without a solution except to just install a pfsense package for DNS... but I prefer to use my raspberry pi pi-hole setup.
I also just want to understand what I'm doing wrong.
My ultimate aim is to maximise functionality with a dusty old netgate box and three tp-link wifi6 routers (AX5400) that can create an EasyMesh setup (so I can't really make the wifi-routers into APs). EasyMesh is a firmware upgrade from OneMesh.
I seem to be stuck at this VLAN... Following other tutorials internet "just works" if I'm not using a wireless router and I'm not using a pi-hole sinkhole.
That's it. I don't want to be verbose.
-
@vf1954 PiHole has a setting that will block requests from any network other than "local" = the subnet it is on. Try unchecking that and see if it works... It should be under Settings > DNS > Interface settings
-
@Gblenn you sir, are a blessing!
I see now there was a diagnostic report in pi-hole that I missed ...
Too hyper-focused on the pfsense side of things.
Thank you <3