Guest network does not receive DNS response from pihole

I have a network consisting of the following:

Router AX53U running OpenWrt with 2 wifi networks:
- Wifi main 192.168.1.1
- Wifi iot 192.168.10.1 (client isolation is on)

They both should send DNS requests to a pihole server at 192.168.1.124 over wlan0.
The pi is also connected to a subnet on 192.168.2.x over eth0 just to configure the pi over ssh.

The problem:

- DNS requests from the main wifi are handled correctly by the pi (pihole)
- DNS requests from iot devices seem to be handled by the pi, but the responses are not received by the guest wifi on the router.
	(I checked with tcpdump on the AX53U router)

I already tried messing with the guest zone and traffic rules but without result.

I hope someone can help me fix this, but keep my device secure.

Below is the firewall config:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'lan'
	option dest 'guest'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'
	option dest 'lan'
	list dest_ip '192.168.1.124'
	option proto 'tcp udp'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'


By default, Pi-hole is set to only reply to requests originating from its own subnet(s).
Did you change it?

I have it on “permit from all origins” so that can't be the problem.


Does the Pi-hole use the router as a default gateway?
Just for testing, temporarily enable masquerading on the lan zone to see if it makes a difference.

No, the pihole's only function is to fulfil DNS requests coming from the 2 wifi networks on the AX53U router.

Did you set DHCP option 6 to advertise the pihole's address for DNS to the clients on the guest network? You've got a rule that allows port 53 from the guest network to the pi on the main lan, but it isn't a force-redirect, so the traffic from the guest devices is likely bound for the router itself (which is not allowed per your config), not for the PiHole.

If you want a forced-redirect (aka DNS hijacking), you should look at this:

Option 6 is recommended regardless, though, as many (but not all) hosts will use it for the preferred DNS server.

Let's see the rest of the configs:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
/// NETWORK
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5f:****:bc39::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'guest'
	option proto 'static'
	# option device 'phy0-ap1'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

/// WIRELESS

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OW-53U'
	option encryption 'sae-mixed'
	option key '**************'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OW-IOT'
	option encryption 'sae-mixed'
	option key '*******************'
	option network 'guest'
	option isolate '1'

/// DHCP

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.124'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.1.124'

config host								// I dont know why that is here maybe from the previous pi setup
	option name 'raspberrypi'			// I dont know why that is here
	option ip '192.168.1.232'			// I dont know why that is here
	option mac 'E8:4E:06:**:**:**'		// I dont know why that is here

config host
	option ip '192.168.1.124'
	option mac '24:05:0F:**:**:**'



On the Pi-hole host you need to set a static route for 192.168.10.0/24 via 192.168.1.1


I've posted the configs as requested, can you take a look?

@tubos please show the output of ip r from your Pi-hole host.

default via 192.168.2.1 dev eth0 proto dhcp src 192.168.2.9 metric 200
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.124 metric 100
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.9 metric 200

You forgot to add a static route as suggested by @pavelgl earlier.


The config of the DHCP server for your guest network looks fine, although it does make sense to verify the IP address of the Pihole since you have that static lease that is not pointing to the same address (you might be best served by simply deleting that).

As multiple people have stated, your Pihole host must have a static route to the router in question if that (the router) is not the default route for Pihole egress traffic.

Are the commands below correct to do this?


sudo nmcli con mod "preconfigured" +ipv4.routes "192.168.10.0/24 192.168.1.1"
sudo nmcli con up "preconfigured"

“preconfigured” is the connection with wlan0 on the pi.

I assumed that fulfilling DNS requests from a device on 10.x to my pihole at 192.168.1.124 and responding back did not require a static route.

How is your pihole host configured (network)?

What is it using for a gateway?

pi: eth0 is connected to another router for configuring / updating the pi over ssh (192.168.2.x)

pi: wlan0 is only for handling DNS requests (pihole) from my other router's wifi networks.

Could you show us a system topology diagram?

Does the other router (192.168.2.0/24) support static routes?

And is there any particular reason you have setup this bifurcated network topology with the ethernet port being used for the upstream while the wlan is used just for local on a different subnet?

My main PC and Pi are close to the router (192.168.2.0/24), both over ethernet, and I prefer to use this PC for configuring the Pi and showing the pihole dashboard.

It's probably not ideal but it works for me :stuck_out_tongue:

I did the following commands to fix the guest issue, but I still don't understand why it was needed.

sudo nmcli con mod "preconfigured" +ipv4.routes "192.168.10.0/24 192.168.1.1"
sudo nmcli con up "preconfigured"

It works because you've now told the PiHole host how it can find the guest network (192.168.10.0/24).

Previously, if a request came in from the 192.168.10.0/24 network to the Pi, the Pi would attempt to respond but it wouldn't know where to send that response. So, it would send it upstream with the gateway that it knew about -- specifically 192.168.2.1. That router, though, didn't know where to send the traffic, so it would have either just dropped it or it might have sent it to its upstream (where it would be dropped or otherwise lost).

Now, you've told the PiHole host that "you can send traffic that is destined for 192.168.10.0/24 via the gateway at 192.168.1.1" -- the latter is on a network that the host already knows about, but the former was unknown prior to adding that route. Now that the route is there, the host can send response traffic to the 192.168.1.1 router and then that router handles the rest of the routing to the guest network.
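The explanation above can be checked mechanically. The following is an added example (not code from the thread or from Pi-hole/OpenWrt): it takes the `ip r` output posted for the Pi-hole host as data, implements the kernel's longest-prefix-match route selection, and shows where a DNS reply to a guest client would be sent before and after the static route. The client addresses 192.168.1.50 and 192.168.10.50 are constructed for illustration, and the static route is assumed to land on `wlan0` with the same metric as that interface's connected route, which is what attaching it to the "preconfigured" connection does.

```python
"""Longest-prefix-match route lookup over the Pi-hole host's routing table.

Added example, not part of the forum thread. The 'before' table is the
`ip r` output posted by the original poster; the static route line and the
client addresses are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network          # destination prefix; 0.0.0.0/0 is the default route
    dev: str                     # egress interface
    via: Optional[IPv4Address]   # next hop, or None when the prefix is directly connected
    metric: int


def parse_ip_route(text: str) -> List[Route]:
    """Parse the subset of `ip route` output that appears in the thread."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        prefix = IPv4Network("0.0.0.0/0") if tok[0] == "default" else IPv4Network(tok[0])
        via = IPv4Address(tok[tok.index("via") + 1]) if "via" in tok else None
        dev = tok[tok.index("dev") + 1]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append(Route(prefix, dev, via, metric))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Kernel-style selection: longest matching prefix wins, then lowest metric."""
    addr = IPv4Address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def reply_path(routes: List[Route], client_ip: str) -> Tuple[str, str]:
    """Interface and next hop a DNS reply to client_ip would leave on."""
    r = lookup(routes, client_ip)
    if r is None:
        return ("none", "unroutable")
    return (r.dev, str(r.via) if r.via else "direct")


# Routing table exactly as posted for the Pi-hole host, before the fix.
PI_ROUTES_BEFORE = """
default via 192.168.2.1 dev eth0 proto dhcp src 192.168.2.9 metric 200
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.124 metric 100
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.9 metric 200
"""

# Constructed: what the route added with
#   nmcli con mod "preconfigured" +ipv4.routes "192.168.10.0/24 192.168.1.1"
# looks like once installed (assumed to sit on wlan0 with that connection's metric).
STATIC_ROUTE = "192.168.10.0/24 via 192.168.1.1 dev wlan0 metric 100"


def main() -> None:
    before = parse_ip_route(PI_ROUTES_BEFORE)
    after = before + parse_ip_route(STATIC_ROUTE)
    for label, table in (("before", before), ("after ", after)):
        # Constructed client addresses: one on the main LAN, one on the guest network.
        print(label, "reply to lan client   192.168.1.50  ->", reply_path(table, "192.168.1.50"))
        print(label, "reply to guest client 192.168.10.50 ->", reply_path(table, "192.168.10.50"))


if __name__ == "__main__":
    main()
```

Before the fix the guest reply matches only the default route and leaves on `eth0` towards 192.168.2.1, a router that has no path back to 192.168.10.0/24, which is why tcpdump on the AX53U never sees it; after the fix the /24 route is more specific than the default and the reply goes out `wlan0` via 192.168.1.1. On the real host the same check is `ip route get 192.168.10.50`, which should report `via 192.168.1.1 dev wlan0` once the nmcli change is active.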