See real LAN IP from WAN device


My situation is as follows:
My box manages the main network, wired, which includes a VM PiHole that manages the DNS.
I have an OpenWRT router that distributes a subnetwork on three Cisco APs.

In the PiHole logs, for each DNS request made by a device over WiFi, I see the router's IP instead of the device's. How could I get the real IP of the device making the request? (knowing, therefore, that it is on a different subnetwork)

Thank you in advance for your attention and answers !

The problem is that you have NAT inside your network, i.e. double NAT (or tripple in case CGNAT is used).

The best solution is to remove the NAT/IP masquerade on OpenWrt. But it may not be possible since it requires that you configure a static route on the main router to your OpenWrt LAN subnet and that the main router forwards traffic from the OpenWrt LAN to the Internet using NAT.

Another solution is to add a custom iptables rule which excludes the PiHole IP address from IP masquerade. It requires that you instead add a static route on the PiHole to the OpenWrt LAN subnet with the OpenWrt WAN address as gateway.

The iptables rule you need to add to /etc/firewall.user (Custom Rules) on OpenWrt is:

iptables -t nat -A postrouting_wan_rule -d <PiHole IP address> -j ACCEPT

ACCEPT means that the rule that enables IP masquerade later in the chain will be skipped.

1 Like

OK, and how does PiHole understand, where to send response packet?

The static route is used when routing responses.

1 Like

OK, and where should it send response packet according to "static route"?

I don't think, there is a static route involved here. He has main Network L2, which incudes the PIhole VM. The Wan-Port of the OpenWrt device is also connected to this L2.

If he were to use one of the LAN(and not WAN) ports on the Openwrt device, then the subnet with the 3 cisco APs will be bridged into the same subnet as the Pihole VM, and thus the pihole will see the real IPs, and not the Openwrt "WAN" IP.


If this is the only role of your OpenWrt router, then you can simply convert it to a switch:

1 Like

I suppose the OpenWrt router is also DHCP server for the segment of the APs.
Have you configured the DHCP to advertise the Pihole as nameserver or have you left it with default setting?
If the latter, then all hosts will query the OpenWrt, which will forward the DNS query to the Pihole and this is why you see its IP in the logs.

When using the iptables rule I posted traffic between the OpenWrt LAN and PiHole will use the original IP addresses without NAT. I.e. the request to PiHole will contain a source address in the OpenWrt LAN subnet, and response packets from PiHole will use the same address as usuall. When PiHole looks up that address in its routing table it will find the static route which says destinations within the OpenWrt LAN subnet should use the OpenWrt WAN IP address as gateway.