Can't access Home Assistant while local if PiHole enabled
-
I've been running Home Assistant for years (using DuckDNS for my Dynamic DNS & NGiNX reverse proxy add-ons). I also have a PiHole running in docker on a RPI5, and an Asus router.
But like most of us and our need to tinker, I replaced my Asus router with pfSense and can now no longer access HA locally via my name.duckdns.org if my pfSense route is using my PiHole for DNS.
Externally I can connect using my duckdns domain just fine (so I assume that means I have the port forwarding correct)?
https://imgur.com/SQqwkBf
Internally I can connect by using the local IP address. But internally I CAN'T connect via the duckdns domain.
How should I have DNS set up on the pfSense? I enabled the host override and pointed it to the HA server:
https://imgur.com/RUH7ask
And I added a firewall rule:
https://imgur.com/XyPtH1X
But it's still not working as long as I have my DNS pointed to my PiHole server. What am I doing wrong? Thanks everyone.
-
Is the host override actually working? Are clients resolving it to the internal address?
If not then you will probably want to enable NAT reflection:
https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html#method-1-nat-reflection
-
@Burnski666 said in Can't access Home Assistant while local if PiHole enabled:
long as I have my DNS pointed to my PiHole server
Where does the pihole go to look up something? If it's not forwarding to pfsense - then no, your host override would not work.
Most of my clients on the network point to my pihole, which in turn forwards to pfsense, which then resolves public stuff. I can resolve any local resource that pfsense knows about.
$ dig nas.home.arpa
; <<>> DiG 9.16.50 <<>> nas.home.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3436
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;nas.home.arpa. IN A
;; ANSWER SECTION:
nas.home.arpa. 3411 IN A 192.168.9.10
;; Query time: 3 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Fri Apr 25 07:36:29 Central Daylight Time 2025
;; MSG SIZE rcvd: 58
192.168.3.10 is my pihole.
-
@johnpoz well I never thought about it like that lol. I'm going to have a poke around and see if I can not bork things
-
You can try using pfSense as DNS for the clients but forwarding to the PiHole. Overrides in pfSense would work then. But you'd probably want pfSense itself to have a fallback server in case it needs to resolve something before the piHole has connectivity for example.
Or just put the overrides in the PiHole.
Or just enable NAT reflection.
But split DNS is generally preferable IMO.
-
@stephenw10 yeah there are a few different ways to skin the cat for sure.
-
ok, does this all seem to make sense:
System > General > DNS Server Settings - just left everything as default
Services > DNS Resolver - enabled, defaults, nothing in the host overrides
Services > DHCP Server > DNS Servers - set to the IP of my PiHole (192.168.1.149)
Then in my PiHole: Settings > DNS > Upstream DNS Servers - pointed back to my router (192.168.1.1)
Also in PiHole: Settings > Local DNS Settings > List of Local DNS Records: I have my duckdns.org domain pointed to my HA server's IP (192.168.1.246)
Only thing that seems to be missing (but I can live without it) is the Conditional Forwarding in PiHole. It's supposed to loop back to the router to get the names of the clients. It's still the same as when I was on my Asus router ( true,192.168.1.0/24,192.168.1.1 ) but it's only pulling in the IPs of the clients; not their names from my static DHCP Mappings in pfSense.
Am I missing anything? Everything seems to be working; do I need to worry about double-NAT or hairpinning?
-
That should work. Double NAT shouldn't be an issue there. Clients are hitting the pihole directly from the same subnet so not a routing issue either.
-
ok, further digging, looks like with the Kea DHCP; forwarding of hostnames is ignored: https://www.netgate.com/blog/netgate-adds-kea-dhcp-to-pfsense-plus-software-version-23.09-1
guess all my issues are solved then. thanks!
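
One way to answer the "are clients resolving it to the internal address?" question from saved `dig` output, as an added example that is not part of the thread or any poster's code. The name `example.duckdns.org`, the function names, the sample output and the stand-in public address are constructed; 192.168.1.246 (HA) and 192.168.1.149 (Pi-hole) are the addresses given above.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed dig output in the format quoted in the thread (placeholder hostname).
SAMPLE_SPLIT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; QUESTION SECTION:
;example.duckdns.org. IN A

;; ANSWER SECTION:
example.duckdns.org. 0 IN A 192.168.1.246

;; Query time: 2 msec
;; SERVER: 192.168.1.149#53(192.168.1.149)
"""
# Same lookup without the local record: the resolver hands back the public address.
SAMPLE_PUBLIC = SAMPLE_SPLIT.replace("192.168.1.246", "203.0.113.7")

def parse_dig(text):
    """Return (status, answering server, [A-record addresses]) from dig output."""
    status = re.search(r"status: (\w+)", text)
    server = re.search(r"^;; SERVER: ([0-9a-fA-F.:]+)#", text, re.M)
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer and not line.strip():
            in_answer = False          # a blank line ends the section
        elif in_answer and not line.startswith(";"):
            fields = line.split()
            if len(fields) >= 5 and fields[3] == "A":
                answers.append(fields[4])
    return (status.group(1) if status else None,
            server.group(1) if server else None, answers)

def check_split_dns(text, expected_ip, expected_server):
    """Classify one lookup: did the expected resolver give the internal answer?"""
    status, server, answers = parse_dig(text)
    if status != "NOERROR" or not answers:
        return "no-answer"
    if server != expected_server:
        return "wrong-resolver"        # client is not querying the Pi-hole
    if expected_ip in answers:
        return "ok"
    if any(all(ipaddress.ip_address(a) not in n for n in RFC1918) for a in answers):
        return "public-answer"         # override missing; only NAT reflection would work
    return "unexpected-internal"
```

A `public-answer` or `wrong-resolver` result on a LAN client points at the DNS chain (client, Pi-hole, pfSense) rather than at the port forward.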