Raspberry Pi Pi-hole setup with Banip - is this correct?

Hi there,

I just set up a Raspberry Pi running Pi-hole (and Unbound) and plugged it into the first LAN port (Archer C7 v2). I put the IP of the Pi into OpenWrt->Network->Interfaces->DHCP Server->Advanced Settings under DHCP-Options in order to advertise the DNS server to clients. The devices appear to be using the Pi-hole as I see traffic in the Pi-hole GUI.

I also want to be able to ban IP addresses directly in case any surreptitious outbound connections try to connect directly to IP addresses, so I installed the Banip package and UI on my OpenWrt router.

Everything seems to be working okay, but I wanted to confirm that this is an appropriate setup for such a scenario? Is there anything I missed?

It is okay that the Pi-hole (with Unbound) is on a different machine (the Pi) than the router and the firewall (banip) is on the OpenWrt router device, correct?

Thanks.

One thing I noticed already is that on the OpenWrt main page (Status->Overview) it still lists the DNS servers that I was previously using before setting up the Raspberry Pi and Pi-hole. I have restarted OpenWrt since making the changes.

Under the section Network->IPv4 Upstream it lists:

Protocol: DHCP client
Address: 192.168.0.10/24
Gateway: 192.168.0.1
DNS 1: 9.9.9.9
DNS 2: 149.112.112.112

I can't find where those DNS servers still might be set. I took them out of where I had them set as custom DNS servers under the Network Interfaces. Why are these showing up here? Did I miss somewhere they are still set? Or is this a bug? I'm on 21.02.5.

Sure, it's ok.

If you have the interface as DHCP client, they come from the DHCP providing the IP lease.

Well, on the Interfaces->LAN page, the 'devices' dropdown shows br-lan. I think that is just default. Is that correct?

On that same page, under the Advanced Settings tab, "Use custom DNS servers" is blank (where I removed them from earlier).

On the DHCP Server tab-> General Settings "Ignore Interface" is unchecked (suggesting that DHCP is running on this interface, I assume). Then on the Advanced Tab "Dynamic DHCP is checked".

But using online DNS checking tools to determine my DNS server, they all show the DNS server as my IP address (WAN address), which is what would be expected if the Pi-hole (and Unbound) is working as the DNS server. So, this seems to suggest that everything is working as expected and this is perhaps a bug.

Also, on my computer (linux), this command: nmcli device show wlp3s0 | grep IP4.DNS (wlp3s0 is my network interface) says that the DNS is the IP of the Pi, which is expected. So this is rather mysterious that OpenWrt insists on displaying my old DNS servers... :thinking: Why might this be?

Like I said, those IPs would probably come from your ISP via DHCP.

Oh, you didn't say ISP. And they aren't from my ISP anyway as they are Quad9, ISP would supply ones in their own network range. These were the ones I was using manually before setting up the Pi. It seems to be a bug or something.

I upgraded to the most recent OpenWrt and still see those DNS entries there.

grep -H 112 /etc/config/*

Any hits? What about ifstatus wan

Seems like you’re in double NAT behind an ISP router (192.168.0.1)? That router might be configured to provide Quad9 DNS servers.

Yes:
/etc/config/network: list dns '149.112.112.112'

Ok, so it’s probably configured on your WAN interface.

uci show network | grep 112

Aha, you are correct, sir. Seems I forgot that I set the cable modem up this way. :laughing: Thank you for pointing that out! At least I turned off the wifi on it.

Well, after talking with my ISP we set the modem/router device to Bridge mode. That solved the problem of the double NAT.

And, yes, you're right, those DNS servers were set in the WAN interface (Interfaces -> Wan -> Advanced Settings). I had found them and removed them earlier. Thanks for pointing that out, though, as it was correct.

However, now the internet is much slower. Speedtest.net went from 210 to 85Mbps and overall web browsing is sluggish. I'm guessing it's an OpenWrt setting I might need to change? I have software offloading and packet steering both turned on. Maybe I should try turning one of those off? Or perhaps it has something to do with my DNS (Pi/Unbound)?

Well, after a long day of wrestling with this, I got the speed fixed (back to 200-220Mbps).

After setting the modem to bridge mode and then back again to be a router, the speed was still around 60-80Mbps, in both cases. No idea why this happened.

A hard wired connection to the modem yields around 330Mbps (our internet ISP plan is a 300Mbps connection, so this is really good). Wifi from the OpenWrt Archer was still 60-80Mbps at that point, which is terrible... It should be around 210, which is what it was just last night.

I had downgraded to OpenWrt v21.02.5 (because someone told me 22.03.4 might have issues on the Archer C7), but since then, out of curiosity, and since that report cited PPPoE and I'm not using PPPoE, I thought I'd go back to 22.03.4 and test the speeds. They remained a decent 210, so I stuck with 22.03.4. But then, today, switching the modem to bridge mode and back seems to have messed something up and I saw the slower speeds.

So I downgraded back to 21.02.5. Wifi speeds were still 60-90... Hard wired ethernet to the OpenWrt router gets around 320. So it has something to do with the wifi.

Then I reset the router config (stayed on 21.02.5) which allowed me to go through and re-set the settings and test as I went. I tested again and got around 150. Then I enabled software offloading on the firewall page and got 220, so I'm back to where I started. Wow, what an ordeal. I guess double NAT doesn't really matter, after all, at least in terms of speed, or I did something wrong in the process.

Hopefully this is helpful for someone. But the Pi does appear to be working well, as does Unbound and Banip.

Thanks again for all your guys' help.

One last question, though:
Now I see this on the main status page:
Protocol: DHCP client
Address: 192.168.0.11/24
Gateway: 192.168.0.1
DNS 1: 192.168.0.1

The network is announcing the DNS server (the Raspberry Pi IP address) to clients via the Interface -> LAN -> DHCP Server -> Advanced Settings, but should I also set the Pi IP address somewhere else so it sets DNS for the router itself - in order to change that "DNS 1: 192.168.0.1" entry to be the Raspberry Pi IP address? 192.168.0.1 suggests the router is using the modem/router's DNS, which is set to use our ISP's DNS, which I'd rather not use.

I probably wouldn't bother trying to force the router to use the Pi-Hole, but if you want to, you can edit the WAN interface to uncheck "Use DNS servers advertised by peer" on the Advanced Settings tab, then add the Pi-Hole IP under "Use custom DNS servers". Just make sure you don't create any DNS loop between the OpenWrt router and the Pi-Hole.

Ok, well I used this guide to set up the Pi with OpenWrt, where he suggests setting up DHCP to announce DNS servers to clients. What is the benefit of using this method? Is it to allow the OpenWrt router to use a different DNS server than what it announces to its clients? Not sure if I need that, if that's what it does. But it seems to be working fine this way. Is there a benefit in setting the Custom DNS Servers instead, however?

Also, what exactly is "Use DNS servers advertised by peer"? The note says "If unchecked, the advertised DNS server addresses are ignored". And this is on the WAN side. In my case, that would only be DNS servers advertised from the ISP, I assume? Since I don't think my WAN is getting DNS servers advertised to it from my LAN, is it?

But, either way, I unchecked "Use DNS servers advertised by peer" on the WAN Interface page (but did not add custom DNS servers, I just left it announcing them via DHCP the way I had it) and that "DNS 1: 192.168.0.1" entry on the main status page of OpenWrt went away. So that seems like it fixed that, so, thank you, @dave14305.
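The two things that were being hunted by hand in this thread (stray `list dns` entries found with `grep -H 112 /etc/config/*` / `uci show network | grep 112`, and the `peerdns` / DHCP option 6 settings discussed in the last exchange) can be checked in one pass. The script below is an added example, not something posted in the thread or shipped with OpenWrt: it parses UCI-format text such as `/etc/config/network` and `/etc/config/dhcp`, reports every DNS-related setting with the section it lives in, extracts the address pushed to LAN clients via DHCP option 6, and checks whether the router's own WAN DNS points at that address (the router half of the DNS-loop caveat). The two config files embedded in it are constructed; 192.168.1.2 as the Pi-hole address and eth0.2 as the WAN device are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt: audit where DNS servers
# are configured in OpenWrt UCI files. On a router, feed it the real files:
#   find_dns_settings < /etc/config/network
# All addresses below are constructed; 192.168.1.2 is an assumed Pi-hole IP.

# Print "SECTION KEY VALUE" for each DNS-related option/list in a UCI file read
# from stdin. Keys: dns (custom upstreams), peerdns (accept DNS advertised by
# the DHCP/PPP peer), dhcp_option (options pushed to LAN clients; 6 = DNS).
find_dns_settings() {
    awk '
        # a "config <type> <name>" line starts a section; anonymous sections use the type
        $1 == "config" { sec = $3; gsub("\047", "", sec); if (sec == "") sec = $2 }
        ($1 == "option" || $1 == "list") && ($2 == "dns" || $2 == "peerdns" || $2 == "dhcp_option") {
            val = $3; gsub("\047", "", val); print sec, $2, val
        }'
}

# DNS addresses the LAN DHCP server advertises to clients, i.e. the LuCI
# "DHCP-Options" field, stored as: list dhcp_option '6,<ip>[,<ip>]'
advertised_dns() {
    find_dns_settings | awk '$2 == "dhcp_option" && $3 ~ /^6,/ { sub(/^6,/, "", $3); gsub(",", " ", $3); print $3 }'
}

# Succeeds when the router's own WAN custom DNS is the given address (the one
# advertised to clients), meaning the router resolves through the Pi-hole.
# That is only safe if the Pi-hole/Unbound does not forward back to the router;
# this checks the router half only.  Usage: router_uses_pihole PI_IP < network
router_uses_pihole() {
    find_dns_settings | grep -qx -- "wan dns $1"
}

# Constructed /etc/config/network matching the thread: wan is a DHCP client
# that still carries Quad9 as custom DNS, which is why the status page showed it.
sample_network() {
cat <<'EOF'
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '1'
	list dns '9.9.9.9'
	list dns '149.112.112.112'
EOF
}

# Constructed /etc/config/dhcp: lan pushes the assumed Pi-hole address via option 6.
sample_dhcp() {
cat <<'EOF'
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	list dhcp_option '6,192.168.1.2'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
EOF
}

# Stand-alone run over the constructed files.
sample_network | find_dns_settings
sample_dhcp | find_dns_settings
echo "DNS advertised to LAN clients: $(sample_dhcp | advertised_dns)"
if sample_network | router_uses_pihole "$(sample_dhcp | advertised_dns)"; then
    echo "router itself resolves via the Pi-hole: make sure the Pi does not forward back here"
else
    echo "router resolves via its own wan dns entries, not the Pi-hole"
fi
```

On the thread's setup the `wan dns` rows are the Quad9 entries that kept appearing under Status -> Overview, and `wan peerdns 1` is the "Use DNS servers advertised by peer" box that, once unchecked (stored as `peerdns '0'`), removed the 192.168.0.1 entry.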
