[OpenWrt 21.02 + PiHole] Cannot access internet after setting DNS to PiHole

Hi guys,
I'm new to OpenWrt. Following an online tutorial here, I was able to set up my router and connect to the internet through my fiber ONT, but now I'm stuck on the setup of PiHole.

On my previous router (not OpenWrt) I set:

  • the DNS server to PiHole IP
  • PiHole upstream DNS to cloudflare

and everything worked fine; each device in my network successfully passed through the PiHole filters.

Now I tried to follow some guides and posts here, but I still cannot access any website.
I tried:

  • disable 'Use DNS servers advertised by peer' on WAN and LAN
  • set the PiHole IP in WAN > Custom DNS
  • set the PiHole IP in LAN > Custom DNS
  • set the PiHole IP in Network > DHCP > DNS forwardings

but nothing...
In the PiHole query logs, when I set the IP in WAN, it seems that I can see the requests (e.g. www.openwrt.org), but:

  • the results are from the OpenWrt device (and not from my PC, for example)
  • it seems like the DNS response is sent back from PiHole to the router but not passed by the router to my PC

Can someone please help me?

You shouldn't touch the WAN DNS IPs; in reality only the clients need to get the pihole's DNS IP, ideally via DHCP.

Use DHCP option 6 to advertise the pihole as nameserver to the LAN hosts.
After you do that, the LAN hosts need to do a DHCP renewal.


Ok, I tried with

uci -q delete dhcp.lan.dhcp_option
uci add_list dhcp.lan.dhcp_option="6,192.168.1.100"
uci commit dhcp
/etc/init.d/dnsmasq restart

# then I performed a
uci show dhcp

# results
dhcp.@dnsmasq[0].server='192.168.1.100'
...
dhcp.lan.dhcp_option='6,192.168.1.100'

The dnsmasq[0].server entry is probably there due to a previous trial-and-error experiment; can I remove it?

You shouldn't touch the WAN DNS IPs; in reality only the clients need to get the pihole's DNS IP, ideally via DHCP.

So you mean in the WAN I should keep the ISP DNS because clients will use the DNS advertised by DHCP? Or should I set a Custom DNS (e.g. 1.1.1.1) there too?
I want to be 100% sure to avoid using my ISP DNS, because they are very slow sometimes.

Correct.

The pihole's IP, if that's the DNS they should use. The pihole should use 1.1.1.1 (or some other upstream DNS).

Also force your clients to use your pihole.

Ah yeah! You're great!
I was just searching for that in the meantime, 'cause I remember I did this on my previous router's firewall to force clients to use PiHole.
Thanks a lot :smiley:

Based on the guide you linked, I set the firewall rule like this; is it correct?

Protocol: TCP, UDP
Source zone: lan
External port: 53
Destination zone: lan
Internal IP address: 192.168.1.100
Internal port: 53

# Advanced
Source IP address: !192.168.1.100

That is correct. Be aware that all hijacked requests will be visible on Pihole with the IP of the OpenWrt though.

You can leave it there to make OpenWrt query the Pihole as well. Or you can remove it and set the Pihole IP in Custom DNS of the LAN interface.

Are you sure about that? I have mine set up this way, and when I force a device to use a foreign DNS, pihole records the attempt as originating from the device, not from the router.

Depends on if the client requests bounce off the router, or if it gives up, and actually starts using the DNS IP you've provided.

Very much sure about it.
If you only do a DNAT, then Pihole will receive the packet with the original source IP of the LAN host and will reply directly to it. The LAN host will complain about receiving the reply from a different server than the one it queried, with unexpected results. For that reason, a SNAT is also applied to change the source IP of the DNS query to the one of the router.
There are a couple of workarounds. First, assign the Pihole to a different interface, so SNAT is no longer needed and the Pihole will still reply via the router, so the original destination IP is restored. Second, use EDNS.
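The LuCI redirect rule posted above (lan to lan, port 53, destination 192.168.1.100, source IP excluded with `!192.168.1.100`) written as uci commands, with the Pi-hole exclusion kept so that the Pi-hole's own upstream queries to 1.1.1.1 are not looped back to it. This is an added example, not from the thread or from the OpenWrt project; it assumes OpenWrt 21.02 with the Pi-hole at 192.168.1.100 in the "lan" zone, and the section name `intercept_dns` is a constructed placeholder. The commands are only executed when `uci` is present (i.e. on the router); elsewhere they are printed for review.

```shell
#!/bin/sh
# Added example: DNS hijack redirect rule for OpenWrt 21.02 (firewall3) as uci
# commands. Assumed (constructed) values: Pi-hole at 192.168.1.100 on the
# "lan" zone, uci section name "intercept_dns", display name "Intercept-DNS".

PIHOLE_IP="${PIHOLE_IP:-192.168.1.100}"
SECTION="${SECTION:-intercept_dns}"

# Reject anything that is not a dotted-quad IPv4 address before it is
# interpolated into a uci command.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the uci commands that mirror the LuCI fields from the thread:
#   Protocol tcp+udp, Source zone lan, External port 53, Destination zone lan,
#   Internal IP <pihole>, Internal port 53, Source IP !<pihole>.
# The '!' on src_ip excludes the Pi-hole itself, otherwise its upstream
# queries (to 1.1.1.1:53, also leaving from the lan zone) would be redirected
# back to the Pi-hole and resolution would loop.
dns_redirect_rule_uci() {
    pihole="$1"; section="$2"
    is_ipv4 "$pihole" || { echo "invalid IPv4: $pihole" >&2; return 1; }
    cat <<EOF
uci -q delete firewall.${section}
uci set firewall.${section}=redirect
uci set firewall.${section}.name='Intercept-DNS'
uci set firewall.${section}.family='ipv4'
uci set firewall.${section}.src='lan'
uci set firewall.${section}.src_ip='!${pihole}'
uci set firewall.${section}.src_dport='53'
uci set firewall.${section}.dest='lan'
uci set firewall.${section}.dest_ip='${pihole}'
uci set firewall.${section}.dest_port='53'
uci add_list firewall.${section}.proto='tcp'
uci add_list firewall.${section}.proto='udp'
uci set firewall.${section}.target='DNAT'
uci commit firewall
/etc/init.d/firewall restart
EOF
}

# Run the commands on the router; anywhere without uci just show them.
apply_dns_redirect() {
    cmds="$(dns_redirect_rule_uci "$PIHOLE_IP" "$SECTION")" || return 1
    if command -v uci >/dev/null 2>&1; then
        printf '%s\n' "$cmds" | sh
    else
        echo "# uci not found, dry run:"
        printf '%s\n' "$cmds"
    fi
}

# Only apply when explicitly asked, so sourcing the file is side-effect free.
[ "${1:-}" = "--apply" ] && apply_dns_redirect
```

After applying, a LAN client that is pointed at a foreign resolver (for example `nslookup www.openwrt.org 1.1.1.1` on a PC) should still get an answer and the query should show up in the Pi-hole log; as the post above explains, with this lan-to-lan DNAT plus the router's SNAT, the logged client IP will be the router's, not the PC's. The `dhcp.@dnsmasq[0].server` entry from earlier in the thread is independent of this rule and only affects queries made by the router itself.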

A question: where can I find this setting in the LuCI UI?
I'm a noob at OpenWrt, but it seems like some settings have no matching UI field; is that right?

It's a little buried.
Interfaces>YOURINTERFACE>DHCP Server>Advanced Settings>DHCP-Options


There's something weird with my Home Assistant instance on a RPi4:
when I try to install an update it says "host has no connection", so it seems like it cannot get any response from the DNS server?
On my PC I can browse any site without problems, and in the connection info it says
DNS Server IPv4 192.168.1.100 (the PiHole one)

Do you have any ideas?

Static IP on the Pi, with no DNS and/or gateway defined at OS level, outside of the pihole?

Sorry, I don't understand what you mean...
The router is configured to use DHCP, so both my PC and Home Assistant have no static IP defined at device level. I defined a static lease in the OpenWrt DHCP settings.
Looking at the Home Assistant network page, it seems it correctly gets the DHCP-advertised DNS, but then it seems like it cannot use it, or receives a bad response, and then raises the 'no internet on host' error :thinking:

Ok,

can you ping or nslookup something from the Pi/Home Assistant using the CLI?

It seems it was my fault: I found a firewall rule (probably added while I was testing) that blocked some requests on port 53. I removed it and left only the port forwarding to redirect, and now it seems to be working.

I have another issue (I'll try to explain it here, but if it is too off-topic I'll open another thread).
On the same Pi where I installed PiHole, I also installed WireGuard to connect to my LAN (long story short: pihole provides out-of-the-box settings for WireGuard, so I chose to install it on the same device).
With the old router I opened the port and everything worked correctly.

Now, I added a Port Forward rule on OpenWrt and I can connect to WireGuard (e.g. from my smartphone using the LTE network instead of WiFi), but I can only access the device where pihole+WireGuard are installed.
No other device on the LAN is reachable, and I cannot browse websites either.

Any idea?