Noob: Checking Setup (TPL C7 + piHole)... forcing DNS

Just installed OpenWrt on a TPLink AC1750 C7 and things are running ok... I'd like to check my setup for advice.

My Hitron CODA-4582 is a cable modem that serves as the point of entry for the Internet. It is connected to the above router (along with piHole) and a PC ALL using the same 'yellow' LAN ports (should the modem come out of the blue 'Internet' port)?

PiHole is serving as the DHCP server and I've disabled it in OpenWRT in Network -> Interfaces -> LAN -> General: 'Ignore Interface'. I also gave OpenWRT a static IP on this page and specified the gateway.

I'm at the point where I'm trying to force all devices to use piHole DNS and having trouble... I have the following Port Forward rule in place, but devices can still manually circumvent the DNS. Why is this?

DoH and DoT.
Make sure there's an exception for the pi's upstream dns, or you'll create a loop.

Thanks for the pointer. At the bottom of this article, it references:

"Avoid using Dnsmasq. Configure firewall to redirect the intercepted DNS traffic to your local DNS server."

Do I need this as well?

yes, plus the exclusion IP for the PI.
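Added example (not part of the thread, and not the wiki's own text): the firewall sections that the replies above describe, as they would go into /etc/config/firewall on the C7. It DNATs all plain port-53 traffic from the LAN to the Pi-hole, masquerades it so the replies come back through the router, and excludes the Pi-hole's own address so its upstream lookups are not redirected back to itself (the loop the first reply warns about). The Pi-hole address 192.168.1.2 is an assumption used for illustration; the function validates the argument so a typo does not silently produce a rule with no destination.

```sh
#!/bin/sh
# Added example, not from the original thread: generate the OpenWrt (fw3/fw4)
# /etc/config/firewall sections that intercept plain DNS (port 53) leaving the
# LAN and hand it to a Pi-hole, skipping traffic that originates from the
# Pi-hole itself so its upstream queries are not looped back to it.
# The Pi-hole address used below (192.168.1.2) is an assumption for illustration.

# Print the firewall sections for the given Pi-hole IPv4 address.
# Section 1 (redirect/DNAT): any LAN host except the Pi-hole that sends to
#   *:53 is rewritten to PIHOLE:53. The leading '!' in src_ip negates the match.
# Section 2 (nat/MASQUERADE): the Pi-hole's replies must travel back through the
#   router to be un-DNATed, so intercepted queries are masqueraded.
# Section 3 (rule/REJECT): refuse DNS-over-TLS (853) from everything but the
#   Pi-hole; DoH shares port 443 and cannot be singled out by port alone.
dns_intercept_config() {
    pihole="$1"
    case "$pihole" in
        *[!0-9.]*|"") echo "usage: dns_intercept_config <pihole-ipv4>" >&2; return 1 ;;
    esac
    cat <<EOF
config redirect 'dns_int'
    option name 'Intercept-DNS'
    option src 'lan'
    option src_ip '!${pihole}'
    option src_dport '53'
    option proto 'tcp udp'
    option dest_ip '${pihole}'
    option dest_port '53'
    option target 'DNAT'

config nat 'dns_masq'
    option name 'Masquerade-DNS'
    option src 'lan'
    option dest_ip '${pihole}'
    option dest_port '53'
    option proto 'tcp udp'
    option target 'MASQUERADE'

config rule 'dot_reject'
    option name 'Reject-DoT'
    option src 'lan'
    option src_ip '!${pihole}'
    option dest 'wan'
    option dest_port '853'
    option proto 'tcp udp'
    option target 'REJECT'
EOF
}

# Sanity check on a generated config: the exclusion must be present, otherwise
# the Pi-hole's own upstream lookups would be DNATed back to itself.
# Returns 0 when a negated src_ip is found.
has_pihole_exclusion() {
    printf '%s\n' "$1" | grep -q "option src_ip '![0-9.]*'"
}

# On the router: append the output to /etc/config/firewall, then
# /etc/init.d/firewall restart. Here the sections are only printed.
dns_intercept_config 192.168.1.2
```

Two things to keep in mind when using this: because of the masquerade, Pi-hole logs every intercepted query as coming from the router's LAN address, so per-client statistics only work for clients that honour the DNS server handed out by DHCP and talk to the Pi directly; and the 853 rule only stops DoT, a client that uses DoH over 443 still bypasses the Pi-hole, which is the point the first reply makes.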

Thanks. Should I have the Modem in bridge mode? And should the TPL be connected to the modem from the sending 'Internet' port on the TPL?

If it's an option, yes you should, or at least could.

Yes, it should be connected through the WAN port.

I must be doing something wrong... Every time I throw the modem/router into bridge mode, I lose the internet connection to the TPL. The LAN works fine, but I can't connect to the web (and yes, I changed the ethernet cable to the WAN port with no dice). Is there something in OpenWRT I should be changing?

Does the TPL even get a WAN-side IP?

Yes, OpenWRT shows a WAN side IP on eth0.2. No solution yet.

I've continued reading and still can't find an answer. Interestingly, the Diagnostics shows that I can ping, traceroute and nslookup successfully, I just can't reach the internet from any connected device. Do I need to set up some kind of NAT for WAN traffic to/from the LAN?

Are you sure the fw exception rule for the Pi works?
Does the Pi still have the same IP address?

I assume pinging the internet from the clients works, as long as you use IPs?

You're right. Pinging IP addresses worked just fine.

So, after pulling my hair out, I decided to reset OpenWrt and start from scratch. I re-added the Firewall and NAT rule above and thought things were good (I was resolving domains in a browser!) till I realized:

  • no device was using piHole as the DNS
  • no new device was getting an IP (existing devices that were on and connected kept working)

I set piHole as the DNS in Interfaces -> LAN -> custom DNS servers and in Interfaces -> LAN -> DHCP -> checked 'Ignore interface'. Shouldn't this force OpenWrt to use the Pi as its DNS and DHCP server?

So it is/was a DNS issue.

Then you could have skipped the Pi DNS IP, it won't be distributed by OpenWrt's DHCP, since it's disabled.
You could let OpenWrt act as DHCP, and provide the Pi DNS IP, but then you need to disable the DHCP on the Pi.

It doesn't force OpenWrt to do anything, it has a static IP, it doesn't need any DHCP.

By disabling the DHCP in OpenWrt, you are (hopefully) forcing the clients to use the Pi as the DHCP.
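Added example (not part of the thread): the two consistent arrangements this reply describes, written out as the UCI commands for /etc/config/dhcp on the router. Either the Pi-hole serves DHCP and OpenWrt's dnsmasq ignores the LAN, or OpenWrt serves DHCP and advertises the Pi-hole as the DNS server via DHCP option 6, with DHCP switched off on the Pi. The Pi-hole address 192.168.1.2 is an assumption used for illustration; the function prints the commands rather than running them, so it can be read on any machine.

```sh
#!/bin/sh
# Added example, not from the original thread: emit the UCI commands for the
# two valid DHCP/DNS splits between OpenWrt and a Pi-hole. Apply exactly one.
# The Pi-hole address 192.168.1.2 is an assumption for illustration.

# dhcp_split MODE PIHOLE_IP
#   pihole  : Pi-hole is the DHCP server; OpenWrt's dnsmasq stops answering
#             DHCP on the LAN ('ignore'), so two servers do not race for leases.
#   openwrt : OpenWrt stays the DHCP server and hands out the Pi-hole as DNS
#             (DHCP option 6); DHCP must then be disabled on the Pi-hole.
# Prints the commands to stdout; returns 1 on a bad mode or address.
dhcp_split() {
    mode="$1"
    pihole="$2"
    case "$pihole" in
        *[!0-9.]*|"") echo "usage: dhcp_split pihole|openwrt <pihole-ipv4>" >&2; return 1 ;;
    esac
    case "$mode" in
        pihole)
            cat <<EOF
uci set dhcp.lan.ignore='1'
uci commit dhcp
/etc/init.d/dnsmasq restart
EOF
            ;;
        openwrt)
            cat <<EOF
uci set dhcp.lan.ignore='0'
uci -q delete dhcp.lan.dhcp_option
uci add_list dhcp.lan.dhcp_option='6,${pihole}'
uci commit dhcp
/etc/init.d/dnsmasq restart
EOF
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
}

# Print both variants so the reader can compare them side by side.
echo "# Pi-hole serves DHCP:";  dhcp_split pihole  192.168.1.2
echo "# OpenWrt serves DHCP:";  dhcp_split openwrt 192.168.1.2
```

In either mode, clients that already hold a lease keep using whatever DNS server they were given until the lease is renewed or the interface is bounced, which is why a change like this appears to do nothing for hosts that stayed connected throughout.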

But why then is the Pi not being used at all (i.e. no device is getting an IP or using piHole as its DNS)?

If the devices are already connected, they won't know you've disabled the router's DHCP until you temporarily disconnect them, or the IP lease expires.

The Pi might also have a protection mechanism built in; it disables the DHCP if it discovers another one on the same LAN.