[Solved] Openwrt Fritzbox 4040 and Pihole, Clients not displayed

I have a problem with a Fritzbox 7560, OpenWrt (on a Fritzbox 4040) and Pihole. The Fritzbox has static routes to the OpenWrt router; in OpenWrt there are 2 subnets, one for LAN and one for WiFi. The clients in the subnets get the DNS IP of the Pihole via DHCP option 6.
This also works, but Pihole cannot resolve the clients; the WAN interface of OpenWrt is always shown in the Pihole.

Fritzbox 192.168.11.1 (connection to provider)
Pihole 192.168.11.100 (2 upstream servers via unbound)
CIDR notation is 192.168.0.0/16, the IP of the DHCP server is 192.168.11.1 and the domain is Motorbike in Pihole

Fritzbox static route 192.168.150.0 to 192.168.11.50 Openwrt Wanport
Fritzbox static route 192.168.200.0 to 192.168.11.50 Openwrt Wanport
Openwrt Wanport 192.168.11.50

Two subnets in Openwrt
Lan 192.168.200.1 (DHCP Option: 6,192.168.11.100)
Wifi 192.168.150.1 (DHCP Option: 6,192.168.11.100)

Internet works, but the clients are not displayed in the Pihole, only "motorbike.fritz.box". Motorbike is the OpenWrt router.
I suspect that it is due to the firewall in OpenWrt that the clients are not passed through. What do I have to do so that the clients' names are displayed in Pihole?

Sorry for my bad English, it's been a long time :wink:

It is called NAT, like normal people connect their home full of smart toasters to the internet.
Is there any gain in isolating WiFi and Ethernet in different subnets?

Yes, I want to isolate IoT, WiFi and LAN; I want to see which clients request what and block them if I want.

Use DHCP option 6 to advertise the PiHole's IP address as the DNS server. Then add a firewall rule that accepts:

  • TCP and UDP destination port 53
  • source < other networks/zones >
  • destination zone < that contains the PiHole >
  • destination address < of the PiHole >.

On the pihole, you then need to "permit all origins" so that it will accept traffic from different subnets.

This doesn't guarantee that all client devices will use the PiHole, since the devices themselves might use hardcoded or user-override values for the DNS server. You can also hijack DNS to prevent them from successfully using other DNS servers, but that only works for traditional DNS (not DoH/DoT).

2 Likes

Thank you for your help. Unfortunately, it looks like it doesn't work

I also tried this rule with "any destination zone", but same result :confused:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Ok, here take a look:

{
        "kernel": "5.15.162",
        "hostname": "Motorbike",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "AVM FRITZ!Box 4040",
        "board_name": "avm,fritzbox-4040",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd*****::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.200.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option gateway '192.168.11.50'
	option broadcast '192.168.200.255'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option delegate '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option delegate '0'
	option sourcefilter '0'
	option auto '0'
	option disabled '1'

config interface 'wlan'
	option proto 'static'
	option ipaddr '192.168.150.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option gateway '192.168.11.1'
	option broadcast '192.168.150.255'
	option device 'phy0-ap0'



cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '20'
	option limit '50'
	option leasetime '96h'
	option dhcpv4 'server'
	option force '1'
	list dhcp_option '6,192.168.11.100'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '120'
	option leasetime '96h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wlan'
	option interface 'wlan'
	option start '20'
	option limit '20'
	option leasetime '96h'
	option force '1'
	list dhcp_option '6,192.168.11.100'

config host
	option name 'Notebook'
	option ip '192.168.150.38'
	option mac '*******'

config host
	option name 'Pixel'
	list mac '*******'
	option ip '192.168.150.31'

config host
	option name 'Note-8'
	list mac '*******'
	option ip '192.168.150.36'

config host
	option name 'GS5'
	list mac '*******'
	option ip '192.168.150.33'

config host
	list mac '*******'
	option ip '192.168.150.30'
	option name 'HP-250'
	option dns '1'

config host
	option name 'HP-250LAN'
	list mac '*******'
	option ip '192.168.200.30'
	option leasetime 'infinite'

config host
	option name 'Notebook-Lan'
	list mac '*******'
	option ip '192.168.200.39'

config host
	list mac '*******'
	option ip '192.168.200.35'
	option name 'Diskstation718'

config host
	list mac '*******'
	option ip '192.168.200.50'
	option leasetime 'infinite'
	option name 'libreELEC'

config host
	option name 'Brother-MFC2710DW'
	list mac '*******'
	option ip '192.168.150.37'

config host
	option name 'Shield'
	list mac '*******'
	option ip '192.168.200.40'
	option leasetime 'infinite'

config host
	option name 'WaipuStick'
	list mac '*******'
	option ip '192.168.150.39'

config domain
	option name 'HP-250'
	option ip '192.168.150.30'


cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'br-lan'
	list network 'lan'

config zone
	option name 'wlan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'phy0-ap0'
	option family 'ipv4'
	list network 'wlan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'HTTP, HTTPS'
	option src 'wlan'
	option dest 'wan'
	option dest_port '80 443'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config rule
	option name 'EMAIL, POP, IMAP'
	option src 'wlan'
	option dest 'wan'
	option dest_port '25 465 993 587'
	option target 'ACCEPT'
	option family 'ipv4'
	option enabled '0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Wlan-DHCP'
	option src 'wlan'
	option dest_port '67 68'
	option target 'ACCEPT'
	option family 'ipv4'
	option enabled '0'

config rule
	option name 'DNS Forward'
	option src '*'
	option src_port '53'
	option dest 'wan'
	list dest_ip '192.168.11.100'
	option dest_port ' 53'
	option target 'ACCEPT'

config rule
	option name 'Wlan-Lan-DNS'
	option src 'wlan'
	option dest_port '53'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest 'lan'
	option src_port '53'

config rule
	option name 'Lan-Wlan-DNS'
	option dest 'wlan'
	option dest_port '53'
	option target 'ACCEPT'
	option family 'ipv4'
	option src 'lan'
	option src_port '53'

config rule
	option name 'SSH'
	option src 'wlan'
	option dest 'wan'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'NTP'
	option src 'wlan'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'REJECT'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list src_ip '192.168.11.1'
	option enabled '0'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'wlan'
	option dest 'wan'

config rule
	option name 'HTTP, HTTPS LAN'
	option src 'lan'
	option dest 'wan'
	option dest_port '80 443'
	option target 'ACCEPT'
	option family 'ipv4'
	option enabled '0'

The config raises a bunch of questions, but also I see a few things that need to be addressed:

  • Is the gateway of 192.168.11.50 correct on the upstream network? It is inconsistent with the wlan network which uses 192.168.11.1.
  • Typically, the gateway is omitted since it is upstream. Are both networks functioning properly?
  • Remove the broadcast line. It's not necessary as it is automatically calculated.
  • Same comments as above.
  • Remove the device line. The radios should never be included in this file.
  • Remove the device line. Only the network should be there.
  • Same here, the device line should not be here.

If you have masquerading enabled here, that will cause all clients on this router's lan and wlan network to appear as the router's wan address. Disable this (but keep in mind, the static routes upstream must be working properly).

I see a bunch of rules that should be removed (unless there is some specific reason they are there; if so, please explain):

remove these:

And remove these:

And also remove this:

Then reboot and test again.

2 Likes
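As an added example that is not part of this thread (and not OpenWrt's or Pi-hole's own tooling), a small Python linter for the two points made above: the port-53 rule toward the Pi-hole and masquerading on the wan zone making every client appear as the router's WAN address. It parses a UCI-style dump like the one posted and flags a zone with masq '1' and any DNS rule that pins src_port, which client queries (sent from ephemeral ports) never match; the embedded config is a constructed excerpt and 192.168.11.100 is the Pi-hole address from the thread.

```python
import re

# Constructed excerpt modelled on the firewall dump in this thread: masquerading wan zone, the original 'DNS Forward' rule, and a corrected rule.
SAMPLE_FIREWALL = """
config zone
	option name 'wan'
	option masq '1'

config rule
	option name 'DNS Forward'
	option src_port '53'
	list dest_ip '192.168.11.100'
	option dest_port ' 53'

config rule
	option name 'DNS to Pi-hole'
	list dest_ip '192.168.11.100'
	option dest_port '53'
	list proto 'tcp'
	list proto 'udp'
"""

UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")

def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'opts': {key: [values]}}."""
    sections = []
    for line in text.splitlines():
        m = UCI_LINE.match(line)
        if not m:
            continue
        kind, key, value = m.groups()
        if kind == "config":
            sections.append({"type": key, "name": value, "opts": {}})
        else:  # option and list both collect into a value list; strip stray spaces like ' 53'
            sections[-1]["opts"].setdefault(key, []).append((value or "").strip())
    return sections

def lint_dns_path(sections, dns_server):
    """Flag settings that stop a DNS server upstream of this router from seeing real client addresses or queries."""
    findings = []
    for s in sections:
        o = s["opts"]
        name = o.get("name", ["?"])[0]
        if s["type"] == "zone" and o.get("masq", ["0"])[0] == "1":
            findings.append(f"zone {name}: masq=1 hides clients, {dns_server} logs only the router")
        if s["type"] == "rule" and "53" in " ".join(o.get("dest_port", [])).split():
            if "src_port" in o:  # DNS clients pick a random source port, so a src_port match never fires
                findings.append(f"rule {name}: src_port set, but client queries use ephemeral ports")
    return findings
```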

I've made all the changes and it looks like it's all working correctly. :smiley: :+1:t3: Thank you very much!!!
In Wlan I also set the gateway to 192.168.11.50
I had created some rules for testing, but they didn't help and they were also switched off and now deleted.
One more question: If I disable masquerading, will the firewall still work properly?

1 Like

Yes. The firewall still has the ability to allow/deny traffic, even though masquerading is disabled.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

1 Like

The firewall will work more or less like the IPv6 firewall works: it allows connections originating at home while denying unsolicited connections from outside.

Yes, thank you. I have to tackle IPv6 next, so far I have been able to ignore it well :sweat_smile:

1 Like
