VLAN, Pi-Hole and DNS

Hi,

I did search before asking this question, but couldn't find a conclusive answer.

I have 3 VLANs in FriendlyWRT (OpenWrt 22.03) and I have Pi-Hole running on a Raspberry Pi with DietPi.

VLAN1 (LAN) is subnet 192.168.26.0/24
VLAN3 (GUEST) is subnet 192.168.27.0/24
VLAN4 (IoT) is subnet 192.168.28.0/24

The Pi-Hole is serving DNS on 192.168.26.2
FriendlyWRT is serving DHCP requests.

LAN is Accept, Accept, Accept with forwardings to WAN and IoT.
GUEST is Reject, Accept, Reject with a forwarding to WAN.
IoT is Accept, Accept, Reject with no forwardings.

I have firewall rules to allow GUEST and IoT access to DHCP and DNS on FriendlyWRT, and also rules to allow DNS to 192.168.26.2.

I am assigning DNS servers using DHCP options on each VLAN as 6,192.168.26.2,192.168.26.1 (192.168.26.1 is FriendlyWRT).

I did have FriendlyWRT set up to forward DNS requests to the Pi-Hole, but this results in all requests being shown as originating from FriendlyWRT in the Pi-Hole Query Log.

How can I allow all VLANs to use Pi-Hole for DNS requests directly?
At the moment, with the configuration as outlined above, the IoT and GUEST VLANs are not using the Pi-Hole. I suspect that, despite firewall rules being present, it's something to do with forwarding between zones, but I can't quite put my finger on it.

Other suggestions I have seen are to give the Pi-Hole IP addresses in each subnet, or to lower the security of the Pi-Hole by allowing requests in a less restrictive manner, which I would rather avoid.

What am I missing here?

Thanks

FriendlyWRT is not OpenWrt.
OpenWrt-wise your configuration sounds correct. There is a setting in Pihole though to accept queries from all origins and not only from local networks, which sounds like your case.

I mean FriendlyWRT might not be OpenWrt, but the inner workings must be all but identical when it comes to routing, VLANs etc.? The config files are identical.

I am aware of the options in PiHole as noted in the last paragraph, but I'm also aware of the possible security issue arising from that approach, which is why I'd rather avoid that.

Would you perhaps mind explaining how it could be done in OpenWrt and I'll translate that for use in FriendlyWRT? (As in why aren't clients in other subnets able to see the PiHole)

Thanks

If you have not allowed queries from all origins in Pihole it won't work on any system, neither OpenWrt nor FriendlyWRT.

Ahh, so PiHole is specifically blocking other subnets, so regardless of whether FriendlyWRT is routing requests, the PiHole won't respond?

If I add an IP address for each subnet on the PiHole host (DietPi), would this overcome that, do you know?

Thanks

I haven't tried it, but I guess it would work.

Since your DHCP is forwarding DNS requests to Pi-hole, all requests look like they are coming from the router.

From pi-hole's settings page:
"If not configured as your DHCP server, Pi-hole typically won't be able to determine the names of devices on your local network. As a result, tables such as Top Clients will only show IP addresses."

This is really a question for the pi-hole community.

If there is plain routing of DNS queries and not forwarding via dnsmasq, it can work as desired; however, the Pihole must accept queries from all origins. Then it is up to the firewall settings to deny queries from WAN.
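As an added example, not posted by anyone in this thread: an OpenWrt UCI firewall fragment that expresses the setup described above (zones rejecting forwarding, DNS from GUEST and IoT allowed only to the Pi-hole host in LAN, and nothing from WAN). The zone names `guest`, `iot` and `lan`, the rule names, and the network names are assumptions; the addresses and zone policies are the ones given in the question.

```uci
# /etc/config/firewall (excerpt, hypothetical names; addresses from the thread)
# Pi-hole side: its listening mode must be "Permit all origins", otherwise it
# drops queries whose source is 192.168.27.0/24 or 192.168.28.0/24 regardless
# of what the router allows.

config zone
	option name 'guest'          # VLAN3, 192.168.27.0/24
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'iot'            # VLAN4, 192.168.28.0/24
	list network 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding               # GUEST may reach the internet, nothing else
	option src 'guest'
	option dest 'wan'

# GUEST input is REJECT, so DHCP and DNS to the router itself need a rule.
config rule
	option name 'Allow-GUEST-DHCP-DNS-router'
	option src 'guest'
	option dest_port '53 67 68'
	option proto 'tcp udp'
	option target 'ACCEPT'

# Inter-zone traffic is denied by default (no guest->lan / iot->lan forwarding),
# so these rules are the only path from GUEST/IoT into LAN: port 53 on the
# Pi-hole host only. Replies are covered by connection tracking.
config rule
	option name 'Allow-GUEST-DNS-Pihole'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.26.2'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-IoT-DNS-Pihole'
	option src 'iot'
	option dest 'lan'
	option dest_ip '192.168.26.2'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'
# WAN zone keeps the default input REJECT and no forwarding into LAN, which is
# what denies queries from WAN once Pi-hole accepts all origins.
```

With DHCP option `6,192.168.26.2,192.168.26.1` on each VLAN, clients may still fall back to the router as secondary resolver, so those queries will continue to show as coming from FriendlyWRT in the query log.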