Guest zone not able to reach pi hole in lan zone

I have a pihole on the lan zone that I want the guest zone to utilize (devices in lan have no issues connecting to the pihole). I read posts from the "Your topic is similar to..." (referenced below) but have been unable to get it to work. As a side note I am not interested in trying to hijack the DNS requests to other servers.

Here is my guest zone

config zone 'guest'
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

Here is my dhcp for the guest zone

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'
        option netmask '255.255.255.0'
        list dhcp_option '6,192.168.1.50'
        list ra_flags 'none'

Note that 192.168.1.50 is the pihole.

The rule for DHCP on guest works without a problem.

config rule
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

The rule for DNS however isn't working. This rule follows this Use Pi-Hole in different subnet solution. Everything appears to be identical.

config rule
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'udp'
        option dest 'lan'
        list dest_ip '192.168.1.50'

Outside of this I have a DNS forwarding configured for 192.168.1.50 as it was recommended by the pihole instructions found here https://discourse.pi-hole.net/t/how-do-i-configure-my-devices-to-use-pi-hole-as-their-dns-server/245 approach #2. My understanding is this makes it so if someone uses the router for DNS it will forward it to the pihole automatically.

What am I doing wrong / missing?

Thank you for any help you can provide.

Did you set your PiHole to accept the traffic?

On the PiHole:

Settings > DNS > Interface Settings > Permit All Origins (under the "potentially dangerous options")

I do not have that setting applied.

For the warning under that setting, is it referring to having port 53 of my router forward to port 53 of the pihole (I believe that could expose the pihole to WAN)? I ask because I do technically have rules for port 53 but those are between zones.

I'd have to see your complete firewall config, but by default, unsolicited ingress traffic from the wan is blocked.

Unless you've set up port forwarding from the wan to your PiHole, the wan will not be able to reach the PiHole. You can change the setting safely in most cases.

Here is the firewall config.

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone 'guest'
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'udp'
        option dest 'lan'
        list dest_ip '192.168.1.50'

I believe the WAN section is indicating unsolicited input is rejected so the pihole should be safe. The lan does have input as accept and lan forwards to wan but I think that is ok?

Thank you for your help btw.

Yup, all looks good. Safe to change the setting on the PiHole. Everything looks fine on your firewall.
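The review above (wan rejects unsolicited input, no port forward to the Pi-hole, guest DNS rule pinned to one host) was done by eye. The following is an added example, not code from this thread, OpenWrt or Pi-hole, that performs the same checks over a UCI firewall file. The config text is a constructed sample modelled on the one posted above; the "bad" variant, its `Forward-DNS-WAN` redirect, and the function names `parse_uci` and `audit_pihole_exposure` are hypothetical. It also reports, as an informational finding, that the posted rule permits only UDP while DNS uses TCP/53 for large answers.

```python
"""Added example: audit an OpenWrt firewall config for how a Pi-hole is reachable.

Assumptions (not from the thread): the text would normally be read from
/etc/config/firewall; here it is a constructed sample string.
"""
import re

# Constructed sample modelled on the thread's config: wan/lan/guest zones plus the guest->lan DNS rule.
GOOD_CONFIG = """
config zone
        option name 'wan'
        option input 'REJECT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config zone 'guest'
        option name 'guest'
        option input 'REJECT'
        option forward 'REJECT'

config rule
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'udp'
        option dest 'lan'
        list dest_ip '192.168.1.50'
"""

# Constructed "bad" variant (hypothetical): the DNS rule loses its dest_ip pin and a
# port forward from wan to the Pi-hole is added. The thread's config has neither.
BAD_CONFIG = GOOD_CONFIG.replace("        list dest_ip '192.168.1.50'\n", "") + """
config redirect
        option name 'Forward-DNS-WAN'
        option src 'wan'
        option src_dport '53'
        option dest 'lan'
        option dest_ip '192.168.1.50'
        option dest_port '53'
        option target 'DNAT'
"""

LINE_RE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*))?$")


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options': {key: [values]}}].

    'option' and 'list' entries are both stored as value lists so callers
    can treat them uniformly; surrounding quotes are stripped.
    """
    sections = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        kind, key, rest = m.group(1), m.group(2), (m.group(3) or "").strip().strip("'\"")
        if kind == "config":
            sections.append({"type": key, "name": rest or None, "options": {}})
        elif sections:
            sections[-1]["options"].setdefault(key, []).append(rest)
    return sections


def first(section, key, default=None):
    """First value of an option, or default when the option is absent."""
    return section["options"].get(key, [default])[0]


def audit_pihole_exposure(text, pihole_ip, client_zone="guest"):
    """Return (severity, message) findings about how pihole_ip can be reached."""
    sections = parse_uci(text)
    findings = []
    zones = {first(s, "name"): s for s in sections if s["type"] == "zone"}
    wan = zones.get("wan")
    if wan is None:
        findings.append(("warn", "no zone named 'wan' found"))
    elif first(wan, "input") == "ACCEPT":
        findings.append(("warn", "wan zone input is ACCEPT: router services are exposed to the internet"))
    # A DNAT redirect from wan to the Pi-hole on port 53 would make it an open resolver.
    for s in sections:
        if s["type"] == "redirect" and first(s, "src") == "wan" and first(s, "dest_ip") == pihole_ip \
                and "53" in (first(s, "dest_port", ""), first(s, "src_dport", "")):
            findings.append(("warn", f"redirect {first(s, 'name')} exposes {pihole_ip}:53 to the wan"))
    # The client zone's DNS rule should be pinned to the Pi-hole, not the whole destination zone.
    dns_rules = [s for s in sections if s["type"] == "rule"
                 and first(s, "src") == client_zone and first(s, "dest_port") == "53"]
    if not dns_rules:
        findings.append(("warn", f"no port 53 rule from zone {client_zone}"))
    for r in dns_rules:
        name = first(r, "name", "<unnamed>")
        if first(r, "target") != "ACCEPT":
            findings.append(("warn", f"rule {name} does not ACCEPT"))
        if pihole_ip not in r["options"].get("dest_ip", []):
            findings.append(("warn", f"rule {name} allows DNS to all of zone {first(r, 'dest')}, not only {pihole_ip}"))
        if "tcp" not in r["options"].get("proto", []):
            findings.append(("info", f"rule {name} permits only udp; DNS also uses tcp/53 for large answers"))
    return findings
```

Running `audit_pihole_exposure(GOOD_CONFIG, "192.168.1.50")` yields only the informational UDP-only note, while the bad variant additionally reports the wan redirect and the unpinned guest-to-lan DNS rule. To use it on a router, read `/etc/config/firewall` and pass its contents in place of the sample.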


Thank you for your help! I'll mark your answer as the solution.
