Pihole with Routed Client

Hi Experts,
I tried this configuration using routing.
So far so good.
Now I want to set the DHCP DNS server to my Raspberry Pi-hole.
I set in interface "lan" the DHCP options to 6,192.168.1.100.
The DNS server is propagated to clients, but the clients are unable to resolve any domains.
I only get:

C:\Users\Name>nslookup google.de
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.1.100

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Zeitüberschreitung bei Anforderung an UnKnown.

network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdfd:e032:22bc::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '192.168.1.100'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '0'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 4 5 6'
	option vid '1'

config interface 'wwan'
	option proto 'static'
	option device 'phy0-sta0'
	option ipaddr '192.168.1.4'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option delegate '0'

firewall:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option log '1'

config zone
	option name 'wwan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wwan'
	option log '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wwan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option enabled '0'

config rule
	option name 'Allow-Ping'
	option src 'wwan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wwan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-DHCPv6'
	option src 'wwan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wwan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wwan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wwan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wwan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wwan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config forwarding
	option src 'lan'
	option dest 'wwan'

config forwarding
	option src 'wwan'
	option dest 'lan'

What is wrong?

I suspect that the problem is actually on the pihole itself -- check the settings.

Settings > DNS > Interface Settings > Permit all origins

Permit all origins will allow it to respond to requests from a different subnet.

You saved my day ==> Thanks


This can be very dangerous.

Go here, click proceed, let the next page load and click 'All Service Ports' and let it scan. If port 53 is open you need a different solution.

From Pi-hole:

Permit all origins

This truly allows any traffic to be replied to and is a dangerous thing to do as your Pi-hole could become an open resolver. You should always ask yourself if the first option doesn't work for you as well.

This goes into much more detail about it.

OK, here is the result:

GRC Port Authority Report created on UTC: 2024-03-14 at 09:32:45

Results from scan of ports: 0-1055

    0 Ports Open
    1 Ports Closed
 1055 Ports Stealth
---------------------
 1056 Ports Tested

NO PORTS were found to be OPEN.

The port found to be CLOSED was: 113

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.

I think it is OK, isn't it?

It looks good.
I'm not an authority, but if port 53 was green and not blue, I would not worry about it. Port 113 is typically used if you want remote access and have some software in the network listening on that port.

It says 'FAILED' because it wants pings to be dropped as opposed to rejected and port 113 is closed.
It wants everything dropped.

The reason it is safe in this situation is because the pihole is not exposed to incoming requests from the internet. It is already on a trusted LAN (and the upstream firewall prevents unsolicited traffic from ingress). We are simply telling the Pihole to accept traffic from other subnets.

Ultimately, the pihole is responding to trusted networks (i.e. not the internet at large).
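A small check that covers both points raised in the thread (the routed client's lookups timing out, and confirming the Pi-hole is not answering as an open resolver from outside the firewall), written as an added example; it is not from the thread and not Pi-hole's own tooling. It hand-builds a DNS A query, sends it over UDP and classifies the outcome; the server address 192.168.1.100 and the name example.com are assumed for illustration, and SAMPLE_REPLY is a constructed reply so the parser can be exercised offline.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id so replies can be matched in tests
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str) -> bytes:
    """Build a minimal DNS A query with the recursion-desired bit set."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data: bytes) -> dict:
    """Return the RCODE name and answer count from a raw DNS reply header."""
    if len(data) < 12:
        raise ValueError("short DNS reply")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != TXID or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    rcode = flags & 0x000F
    return {"rcode": RCODES.get(rcode, str(rcode)), "answers": an}

def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Classify how `server` treats a query sent from this vantage point."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "TIMEOUT"  # dropped silently: what the thread's nslookup shows
    finally:
        sock.close()
    r = parse_response(data)
    return "ANSWERED" if r["rcode"] == "NOERROR" and r["answers"] else r["rcode"]

# Constructed reply (not a capture): NOERROR with one A record for example.com.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00\x00\x01\x00\x01"  # question section
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
)

if __name__ == "__main__":
    import sys
    print(parse_response(SAMPLE_REPLY))
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.100"))
```

Run it from a 192.168.2.0/24 client and expect ANSWERED once "Permit all origins" (or another accepted-origin setting) is in place; from a host outside the firewall the expected result is TIMEOUT, matching the closed port 53 in the scan above.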

That's why I had them do a port test.

I needed to be sure.
