Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Clean pfsense install needing pihole dns

    Scheduled Pinned Locked Moved DHCP and DNS
    12 Posts 3 Posters 598 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      chachew
      last edited by

      So im new to pfsense so bear with me here. I have just installed pfsense on a VM that has 2 nics assigned to it. One being for the WAN interface and one being for the LAN interface. The WAN interface gets its ip via DHCP from my ATT fiber router. Its ip is 192.168.1.110/24 and the LAN interface is a static ip of 192.168.100.1/24

      I have pihole and some other docker containers on a VM at 192.168.1.152. Pihole is obviously the DNS provider for my custom cnames that i have in my homelab. Previously i just manually set my network connection in windows to point to the pihole dns and all would work as expected. Now i want to have pfsense do all the router/firewall/proxy/etc so i wanted to get this working as before.

      pfsense setup right now is pretty stock. I have just changed some small things ui wise. Outside of that i have added haproxy and acme. HaProxy is enabled but nothing is setup in there yet, ill get to that later. Acme is setup and i have <website.com> and <*.website.com> certs setup and active, ill get back to these later as well.

      So now to my issues with DNS. I have tried to just add 192.168.1.152 to my DHCP server for the LAN. My LAN clients will then get the pihole dns server address issued but i still cant ping any of the cnames from pihole. Ive also tried to add that pihole address to the pfsense System > General Setup > DNS Servers section. Both of those dont work form when trying to ping the pihole cnames. I feel like its probably something simple but im not seeing it. Could anyone advise what im doing wrong or what to check?

      V johnpozJ 2 Replies Last reply Reply Quote 0
      • V
        viragomann @chachew
        last edited by

        @chachew
        Is the issue even DNS related? Check out with dig or nslookup if your devices are able to resolve host names.

        @chachew said in Clean pfsense install needing pihole dns:

        The WAN interface gets its ip via DHCP from my ATT fiber router. Its ip is 192.168.1.110/24 and the LAN interface is a static ip of 192.168.100.1/24

        I have pihole and some other docker containers on a VM at 192.168.1.152.

        It's not clear, how this VM is connected to pfSense, since its IP is not in either of its subnets.

        I have tried to just add 192.168.1.152 to my DHCP server for the LAN.

        What is your DHCP server?

        C 1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator @chachew
          last edited by

          @chachew couple of things off the top of my head that you could run into in such a setup. I run pihole myself, but just as ad filter - all my local resources I want to resolve I just added to unbound on pfsense.

          First thing that comes to mind is pihole pretty sure out of the box does not like answering queries from IPs that are not on its local network..

          pihole.jpg

          2nd thing that comes to mind if you setup pfsense to forward to your pihole, that returns rfc1918 that would be a rebind.. So if you want rfc1918 address to be returned you would want to set your domain as private

          https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-rebinding-protections

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          1 Reply Last reply Reply Quote 0
          • C
            chachew @viragomann
            last edited by

            @viragomann The WAN interface is connected to the ATT router

            The DHCP server is the LAN interface at 192.168.100.1

            Should i create/move pihole from 192.168.1.152 to the LAN network(192.168.100.x) so the are on the same subnet?

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @chachew
              last edited by

              @chachew How you skin the cat is up to you, there are many ways to skin it.. It would depend which one you feel best using.

              You could move all your local dns to unbound on pfsense is one way. If you still wanted to use pihole for adblock I would put it behind pfsense and have clients ask it, then have it forward to unbound on pfsense for unbound to resolve. You could also leverage pfblocker for more dns filtering, etc.

              If you do move pihole behind pfsense, and have your clients ask it, if you have more than one network you would still need to worry about that setting I showed.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              C 1 Reply Last reply Reply Quote 0
              • C
                chachew @johnpoz
                last edited by

                @johnpoz honestly i dont use really any of the add blocking on pihole, i was just using it for DNS. I dont see unbound in the package manager for pfsense. How do i get that installed?

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @chachew
                  last edited by johnpoz

                  @chachew you don't need to install it - its built in.. There are 2 dns options builtin, unbound (resolver) and forwarder (dnsmasq).. Also a 3rd option you could install Bind.

                  But out of the box pfsense would use unbound and resolve..

                  dns.jpg

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  C 1 Reply Last reply Reply Quote 0
                  • C
                    chachew @johnpoz
                    last edited by

                    @johnpoz Ok, so i enabled DNS resolver and pointed it to my server an can now resolve the custom url! So would i just now go to haproxy to further refine my services? So i can now point a url to a custom dns name with the port that it belongs to?

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @chachew
                      last edited by johnpoz

                      @chachew said in Clean pfsense install needing pihole dns:

                      and pointed it to my server

                      You setup forwarding? Out of the box unbound resolves, it does not forward. If you setup forwarding - and the answer your getting back is rfc1918, you would have to either set that domain as private or turn off rebind protection.

                      Is your server returning public IPs? Or rfc1918.. 10.x.x.x, 192.168.x.x or 172.16-31.x.x?

                      How exactly did you check that this worked - if pfsense directly asked your server, ie you set it up in dns general - then that wouldn't be a forward.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      C 1 Reply Last reply Reply Quote 0
                      • C
                        chachew @johnpoz
                        last edited by chachew

                        @johnpoz I created a Host Overrides entry in DNS Resolver as: internal.domain.com and pointed it to 192.168.100.54. This '192.168.100.54' server host multiple services in docker.

                        So now i want to be able to go to service1.domain.com and it point to internal.domain.com:8081, service2.domain.com and it point to internal.domain.com:9000, etc, etc.

                        I can successfully hit internal.domain.com:8081 or internal.domain.com:9000 and i can get to my services just fine. So now i just want to be able to proxy to the service via service1.domain.com, service2.domain.com, etc. Hopefully that makes sense.

                        I create a backend in HaProxy that point to internal.domain.com at port 8081 and no SSL. I then created a frontend that points to LAN port 80 with ACL with 'host matches' service1.domain.com with an action that points to that backend service and the ACL name from above.

                        Only other thing I haven't done is create a firewall rule that is noted in the external address section. I'm not sure what to create here.

                        'NOTE: You must add a firewall rules permitting access to the listen ports above.
                        If you want this rule to apply to another IP address than the IP address of the interface chosen above, select it here (you need to define Virtual IP addresses on the first). Also note that if you are trying to redirect connections on the LAN select the "any" option. In the port to listen to, if you want to specify multiple ports, separate them with a comma (,). EXAMPLE: 80,8000 Or to listen on both 80 and 443 create 2 rows in the table where for the 443 you would likely want to check the SSL-offloading checkbox.'

                        johnpozJ 1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator @chachew
                          last edited by

                          @chachew a host override - oh ok yet that is another way to skin your cat..

                          So you really have no need of your pihole any more if all it was doing was resolving some fqdn nternal.domain.com to an IP.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                          C 1 Reply Last reply Reply Quote 0
                          • C
                            chachew @johnpoz
                            last edited by

                            @johnpoz Yes i removed pihole from the equation since i want using it for ad-blocking, just dns. Seems easier to just do that in pfsense with the previous suggestions.

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.