Challenges using PiHole

Using a new MK3 SOHO on v8.0.0, I’m having a lot of trouble getting PiHole configured.

tl;dr Want to use a single PiHole on my network without opening a hole across all VLANs.

What I’m trying to do:
Multiple VLANs use the same PiHole for DNS, without punching a hole across all VLANs. One VLAN should have access to the special isolated PiHole VLAN, but the others do not (and cannot access each other).

I thought that using the DNS Proxy would do the job, but I’m encountering a few problems

  • This only seems to work when the PiHole is on the non-VLAN subnet – that is, it DOES NOT work if the PiHole is set up inside a VLAN, even if the VLAN routing isn’t limited in any way.
  • It doesn’t seem to work at all unless DNS Service Forwarding is enabled (Advanced->Service Forwarding)
  • When the lookup is blacklisted on the PiHole (it returns 0.0.0.0 or its own IP) the DNS Proxy seems to fail over to an external DNS, mooting the point of the PiHole!

What does work:
This scenario causes the PiHole to see traffic (but the blocking function doesn’t work):

  • PiHole is on non-VLAN subnet
  • DNS Proxy is enabled and the PiHole IP address is in the “Internal” field. “Internal” is checked, nothing else is.
  • DNS Service Forwarding is enabled

This scenario allows the PiHole to work, but doesn’t fulfill the requirements:

  • PiHole is in the VLAN/subnet with its users
  • The DNS server of the VLAN DHCP is manually set to the IP of the PiHole.

Unfortunately neither of these scenarios quite works the way I would like.


There seem to be two gaps to get what I want:

  • Being able to specify a DNS Proxy device that lives on a VLAN
  • Being able to tell the SOHO DNS Proxy to give up on the lookup if it gets 0.0.0.0 from the internal PiHole.
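A check for the fall-through behaviour described above (Pi-hole answers 0.0.0.0, but the SOHO DNS Proxy hands the client a real address from an external resolver), as an added example that is not from this thread or from Peplink. It assumes the client runs inside one of the VLANs, that the router proxy and Pi-hole addresses are supplied by the caller, and that the Pi-hole can still be queried directly for comparison.

```python
import socket
import struct
# Added example: proxy/Pi-hole addresses and the blocked name are caller-supplied assumptions.

def build_query(name, txid=0x1234):
    """Minimal recursive A query (no EDNS), as a Pi-hole client would send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def _skip_name(buf, off):
    """Advance past a wire-format name (labels end with 0, or a 2-byte pointer)."""
    while 0 < buf[off] < 0xC0:          # ordinary label: skip length byte + label
        off += 1 + buf[off]
    return off + (2 if buf[off] >= 0xC0 else 1)

def parse_a_records(resp):
    """Return the IPv4 answers in a DNS response (other RR types ignored)."""
    qd, an = struct.unpack("!HH", resp[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4             # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def classify(ips, pihole_ip):
    """Pi-hole signals a block with 0.0.0.0 (or its own IP in older blocking modes)."""
    if not ips:
        return "nxdomain"
    return "blocked" if all(ip in ("0.0.0.0", pihole_ip) for ip in ips) else "resolved"

def resolve(server, name, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data)

def proxy_leaks(proxy_ip, pihole_ip, blocked_name):
    """True when Pi-hole sinkholes the name but the router proxy returns a real IP."""
    direct = classify(resolve(pihole_ip, blocked_name), pihole_ip)
    via_proxy = classify(resolve(proxy_ip, blocked_name), pihole_ip)
    return direct == "blocked" and via_proxy == "resolved"
```

Calling `proxy_leaks("<router proxy IP>", "<Pi-hole IP>", "<a name on your Pi-hole blocklist>")` from a VLAN client returns True when the proxy resolves a name the Pi-hole blocks, which reproduces the failover described in the post.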

@3-D

We have a user who successfully integrated Pi-hole with a Balance device, and I believe it should be the same with the SOHO device.

Please check the forum post below:

It’s worth giving it a try :smiley::smiley::smiley:


Thanks, I saw that post while I was trying to get it working. I have tried similar configurations, but my results don’t seem to match his success.

Maybe I should try it with v7.x firmware?

3-D
I’m not sure if this will completely fulfill what you are trying to get at, but I think it might help. I am running dual Pi-holes on their own VLAN, with static IP addresses. On the other VLANs, I then point the DNS to the IP address of the Pi-holes. In the first picture, “inter-VLAN routing” is checked; this is the only way for this method to work. You can then adjust the internal firewall rules as needed to block internal access.

I also wouldn’t recommend downgrading your firmware.

-Jeff

[Screenshots: pihole1, pihole2, pihole3, pihole4]


Thanks @Cable171 / Jeff,

Yes, I think this would work in my application. My qualm is that I do not want to enable “Inter-VLAN routing” for some of the VLANs. (I’ll take a belt and suspenders any day!)

I think what I’m trying to do should be possible, it doesn’t seem that crazy, but it seems like there’s a bug or some kind of quirky implementation standing in the way…

My guest VLAN does not have “Inter-VLAN Routing” active, but still utilizes my DNS VLAN to browse the internet with no issues. It is not able to access any other devices on the network, including the Pi-hole admin websites. I would uncheck the box and adjust the internal firewall rules accordingly. Here is what my guest VLAN/firewall look like. Hope this helps.

[Screenshots: pihole5, pihole6]

This does not match my experience: I have to have “Inter-VLAN routing” checked on both nets to have access from one to the other. The checkbox seems to block inter-VLAN traffic in both directions for me.