Clean pfsense install needing pihole dns
-
So im new to pfsense so bear with me here. I have just installed pfsense on a VM that has 2 nics assigned to it. One being for the WAN interface and one being for the LAN interface. The WAN interface gets its ip via DHCP from my ATT fiber router. Its ip is 192.168.1.110/24 and the LAN interface is a static ip of 192.168.100.1/24
I have pihole and some other docker containers on a VM at 192.168.1.152. Pihole is obviously the DNS provider for my custom cnames that i have in my homelab. Previously i just manually set my network connection in windows to point to the pihole dns and all would work as expected. Now i want to have pfsense do all the router/firewall/proxy/etc so i wanted to get this working as before.
pfsense setup right now is pretty stock. I have just changed some small things ui wise. Outside of that i have added haproxy and acme. HaProxy is enabled but nothing is setup in there yet, ill get to that later. Acme is setup and i have <website.com> and <*.website.com> certs setup and active, ill get back to these later as well.
So now to my issues with DNS. I have tried to just add 192.168.1.152 to my DHCP server for the LAN. My LAN clients will then get the pihole dns server address issued but i still cant ping any of the cnames from pihole. Ive also tried to add that pihole address to the pfsense System > General Setup > DNS Servers section. Both of those dont work form when trying to ping the pihole cnames. I feel like its probably something simple but im not seeing it. Could anyone advise what im doing wrong or what to check?
-
@chachew
Is the issue even DNS related? Check out with dig or nslookup if your devices are able to resolve host names.@chachew said in Clean pfsense install needing pihole dns:
The WAN interface gets its ip via DHCP from my ATT fiber router. Its ip is 192.168.1.110/24 and the LAN interface is a static ip of 192.168.100.1/24
I have pihole and some other docker containers on a VM at 192.168.1.152.
It's not clear, how this VM is connected to pfSense, since its IP is not in either of its subnets.
I have tried to just add 192.168.1.152 to my DHCP server for the LAN.
What is your DHCP server?
-
@chachew couple of things off the top of my head that you could run into in such a setup. I run pihole myself, but just as ad filter - all my local resources I want to resolve I just added to unbound on pfsense.
First thing that comes to mind is pihole pretty sure out of the box does not like answering queries from IPs that are not on its local network..
2nd thing that comes to mind if you setup pfsense to forward to your pihole, that returns rfc1918 that would be a rebind.. So if you want rfc1918 address to be returned you would want to set your domain as private
https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-rebinding-protections
-
@viragomann The WAN interface is connected to the ATT router
The DHCP server is the LAN interface at 192.168.100.1
Should i create/move pihole from 192.168.1.152 to the LAN network(192.168.100.x) so the are on the same subnet?
-
@chachew How you skin the cat is up to you, there are many ways to skin it.. It would depend which one you feel best using.
You could move all your local dns to unbound on pfsense is one way. If you still wanted to use pihole for adblock I would put it behind pfsense and have clients ask it, then have it forward to unbound on pfsense for unbound to resolve. You could also leverage pfblocker for more dns filtering, etc.
If you do move pihole behind pfsense, and have your clients ask it, if you have more than one network you would still need to worry about that setting I showed.
-
@johnpoz honestly i dont use really any of the add blocking on pihole, i was just using it for DNS. I dont see unbound in the package manager for pfsense. How do i get that installed?
-
@chachew you don't need to install it - its built in.. There are 2 dns options builtin, unbound (resolver) and forwarder (dnsmasq).. Also a 3rd option you could install Bind.
But out of the box pfsense would use unbound and resolve..
-
@johnpoz Ok, so i enabled DNS resolver and pointed it to my server an can now resolve the custom url! So would i just now go to haproxy to further refine my services? So i can now point a url to a custom dns name with the port that it belongs to?
-
@chachew said in Clean pfsense install needing pihole dns:
and pointed it to my server
You setup forwarding? Out of the box unbound resolves, it does not forward. If you setup forwarding - and the answer your getting back is rfc1918, you would have to either set that domain as private or turn off rebind protection.
Is your server returning public IPs? Or rfc1918.. 10.x.x.x, 192.168.x.x or 172.16-31.x.x?
How exactly did you check that this worked - if pfsense directly asked your server, ie you set it up in dns general - then that wouldn't be a forward.
-
@johnpoz I created a Host Overrides entry in DNS Resolver as: internal.domain.com and pointed it to 192.168.100.54. This '192.168.100.54' server host multiple services in docker.
So now i want to be able to go to service1.domain.com and it point to internal.domain.com:8081, service2.domain.com and it point to internal.domain.com:9000, etc, etc.
I can successfully hit internal.domain.com:8081 or internal.domain.com:9000 and i can get to my services just fine. So now i just want to be able to proxy to the service via service1.domain.com, service2.domain.com, etc. Hopefully that makes sense.
I create a backend in HaProxy that point to internal.domain.com at port 8081 and no SSL. I then created a frontend that points to LAN port 80 with ACL with 'host matches' service1.domain.com with an action that points to that backend service and the ACL name from above.
Only other thing I haven't done is create a firewall rule that is noted in the external address section. I'm not sure what to create here.
'NOTE: You must add a firewall rules permitting access to the listen ports above.
If you want this rule to apply to another IP address than the IP address of the interface chosen above, select it here (you need to define Virtual IP addresses on the first). Also note that if you are trying to redirect connections on the LAN select the "any" option. In the port to listen to, if you want to specify multiple ports, separate them with a comma (,). EXAMPLE: 80,8000 Or to listen on both 80 and 443 create 2 rows in the table where for the 443 you would likely want to check the SSL-offloading checkbox.' -
@chachew a host override - oh ok yet that is another way to skin your cat..
So you really have no need of your pihole any more if all it was doing was resolving some fqdn nternal.domain.com to an IP.
-
@johnpoz Yes i removed pihole from the equation since i want using it for ad-blocking, just dns. Seems easier to just do that in pfsense with the previous suggestions.