Netgate Discussion Forum
    Can't access Home Assistant while local if PiHole enabled

    General pfSense Questions
    • Burnski666 (last edited by Burnski666)

      I've been running Home Assistant for years (using DuckDNS for my Dynamic DNS & NGiNX reverse proxy add-ons). I also have a PiHole running in docker on a RPI5, and an Asus router.

      But like most of us and our need to tinker, I replaced my Asus router with pfSense and can now no longer access HA locally via my name.duckdns.org if my pfSense router is using my PiHole for DNS.

      Externally I can connect using my duckdns domain just fine (so I assume that means I have the port forwarding correct)?
      port forward: https://imgur.com/SQqwkBf

      Internally I can connect by using the local IP address. But internally I CAN'T connect via the duckdns domain.

      How should I have DNS setup on the pfSense? I enabled the host override and pointed it to the HA server:
      host override: https://imgur.com/RUH7ask

      And I added a firewall rule:
      firewall: https://imgur.com/XyPtH1X

      But it's still not working as long as I have my DNS pointed to my PiHole server. What am I doing wrong? Thanks everyone.

      • stephenw10 (Netgate Administrator)

        Is the host override actually working? Are clients resolving it to the internal address?

        If not then you will probably want to enable NAT reflection:
        https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html#method-1-nat-reflection

        • johnpoz (LAYER 8 Global Moderator) @Burnski666 (last edited by johnpoz)

          @Burnski666 said in Cant access Home Assistant while local if PiHole enabled:

          long as I have my DNS pointed to my PiHole server

          Where does the pihole go to look up something? If it's not forwarding to pfSense, then no, your host override would not work.

          Most of my clients on the network point to my pihole, which in turn forwards to pfSense, which then resolves public stuff. I can resolve any local resource that pfSense knows about...

          $ dig nas.home.arpa

          ; <<>> DiG 9.16.50 <<>> nas.home.arpa
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3436
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 1232
          ;; QUESTION SECTION:
          ;nas.home.arpa.                 IN      A

          ;; ANSWER SECTION:
          nas.home.arpa.          3411    IN      A       192.168.9.10

          ;; Query time: 3 msec
          ;; SERVER: 192.168.3.10#53(192.168.3.10)
          ;; WHEN: Fri Apr 25 07:36:29 Central Daylight Time 2025
          ;; MSG SIZE  rcvd: 58

          192.168.3.10 is my pihole.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

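A check for the first question raised in this thread (is the client actually getting the internal address back for the overridden name?), added here as an example and not code from the thread, pfSense or Pi-hole: it parses dig's text output, like the transcript above, and classifies the answer so a bypassed override (a public address coming back, which only NAT reflection would paper over) is caught before chasing firewall rules. The duckdns name, the resolver and host addresses, and both sample outputs are constructed.

```python
import ipaddress
import re

# Constructed sample outputs in the shape of the dig transcript quoted above.
# The duckdns name and all addresses are made up for illustration.
DIG_OVERRIDE_WORKING = """\
;; ANSWER SECTION:
example-ha.duckdns.org.  60      IN      A       192.168.1.246

;; SERVER: 192.168.1.149#53(192.168.1.149)
"""
DIG_OVERRIDE_BYPASSED = """\
;; ANSWER SECTION:
example-ha.duckdns.org.  300     IN      A       203.0.113.10

;; SERVER: 192.168.1.149#53(192.168.1.149)
"""

A_RECORD = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$", re.M)
SERVER = re.compile(r"^;; SERVER: (\d+\.\d+\.\d+\.\d+)#\d+", re.M)


def parse_dig(text):
    """Return (resolver_ip, [(name, ttl, address), ...]) from dig's text output."""
    server = SERVER.search(text)
    answers = [(n, int(ttl), a) for n, ttl, a in A_RECORD.findall(text)]
    return (server.group(1) if server else None), answers


def check_split_dns(text, expected_internal, lan_net):
    """Classify the answer an internal client got for the overridden name:
    internal (the LAN host the override points at), wrong-internal (some other
    LAN address, e.g. a stale override), public (override bypassed in the
    pihole -> pfSense chain; only NAT reflection would work from inside), or
    no-answer (no A record: NXDOMAIN/SERVFAIL or a mistyped name).
    """
    net = ipaddress.ip_network(lan_net)
    expected = ipaddress.ip_address(expected_internal)
    resolver, answers = parse_dig(text)
    addrs = [ipaddress.ip_address(a) for _, _, a in answers]
    if not addrs:
        verdict = "no-answer"
    elif all(a == expected for a in addrs):
        verdict = "internal"
    elif any(a in net for a in addrs):
        verdict = "wrong-internal"
    else:
        verdict = "public"
    return verdict, resolver, [str(a) for a in addrs]
```

Run it against the output of `dig name.duckdns.org` from a LAN client; the resolver field tells you which server actually answered, which is the first thing to confirm when clients are supposed to be going through the pihole.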
          • Burnski666 @johnpoz

            @johnpoz well, I never thought about it like that lol. I'm going to have a poke around and see if I can not bork things.

            • stephenw10 (Netgate Administrator)

              You can try using pfSense as DNS for the clients but forwarding to the PiHole. Overrides in pfSense would work then. But you'd probably want pfSense itself to have a fallback server in case it needs to resolve something before the PiHole has connectivity, for example.

              Or just put the overrides in the PiHole.

              Or just enable NAT reflection. 😉 But split DNS is generally preferable IMO.

              • johnpoz (LAYER 8 Global Moderator) @stephenw10

                @stephenw10 yeah there are a few different ways to skin the cat for sure.


                • Burnski666 @johnpoz (last edited by Burnski666)

                  @johnpoz @stephenw10

                  OK, does this all seem to make sense:

                  System > General > DNS Server Settings - just left everything as default
                  Services > DNS Resolver - enabled, defaults, nothing in the host overrides
                  Services > DHCP Server > DNS Servers - set to the IP of my PiHole (192.168.1.149)

                  Then in my PiHole: Settings > DNS > Upstream DNS Servers - pointed back to my router (192.168.1.1)
                  Also in PiHole: Settings > Local DNS Settings > List of Local DNS Records: I have my duckdns.org domain pointed to my HA server's IP (192.168.1.246)

                  Only thing that seems to be missing (but I can live without it) is the Conditional Forwarding in PiHole. It's supposed to loop back to the router to get the names of the clients. It's still the same as when I was on my Asus router ( true,192.168.1.0/24,192.168.1.1 ) but it's only pulling in the IPs of the clients, not their names from my static DHCP Mappings in pfSense.

                  Am I missing anything? Everything seems to be working; do I need to worry about double-NAT or hairpinning?

                  • stephenw10 (Netgate Administrator)

                    That should work. Double NAT shouldn't be an issue there. Clients are hitting the pihole directly from the same subnet so not a routing issue either.

                    • Burnski666

                      OK, further digging: looks like with Kea DHCP, forwarding of hostnames is ignored: https://www.netgate.com/blog/netgate-adds-kea-dhcp-to-pfsense-plus-software-version-23.09-1

                      Guess all my issues are solved then. Thanks!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.