Looking for advice on configuring a Peplink B One with a Pi-hole DNS server.
I’ve introduced a Pi-hole DNS server on my management VLAN (10.0.0.2/24) to block advertisements. Now, I’m setting up my guest VLAN (172.20.51.0/24) with the following requirements:
- Inter-VLAN routing: Disabled
- SSID Layer 2 isolation: Enabled
- DNS server for the guest VLAN: Set to 10.0.0.2 (Pi-hole)
Given that Inter-VLAN routing is disabled, what firewall rules do I need to ensure that guest devices can use 10.0.0.2 for DNS while maintaining isolation from the rest of the network?
Hi…
I have never tried this…
Create it under Internal Network Firewall Rules.
1 Like
I would recommend not putting your Pi-hole on the management VLAN; I would create a separate services VLAN and create firewall rules allowing traffic to this services VLAN on specific ports (DNS, DoH, etc.). At this level I wouldn’t rely on Inter-VLAN routing blocks.
Cool, is this an Internal Network Firewall Rule or one of the others? Also, do I need to allow TCP as well?
Christopher,
I totally hear you and see the wisdom of that, but for right now I would like to just try to figure out the right firewall rules. Once that is working then I will look at moving things to better vlans. Any feedback on the firewall rules?
Hi…
Internal Firewall…
Classic DNS just needs UDP 53…
But… you need to check your Pi-hole settings.
1 Like
Thank you, what exactly am I looking for in the Pi-hole settings? I only have Cloudflare and Quad9 (unfiltered) checked; part of my objective is to get away from folks like Google that have a business of data mining.
I just discovered something interesting on the Peplink B One:
I went to Network > DNS Proxy Settings and clicked (?) to view advanced options.
From there, I set the DNS server for the Untagged LAN to the Pi-hole, checked the box to make it preferred, then clicked Save and Apply.
And just like that—BANG—all VLANs are now using the Pi-hole!
Even though the guest network’s DNS is set to 172.20.51.1, the B One is redirecting it to the Pi-hole. So simple!
2 Likes
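A quick way to confirm what the post above describes (that a guest client pointed at 172.20.51.1 is really getting Pi-hole answers, and that plain UDP 53 is all the rule needs to pass) is to send a raw DNS query to both the guest gateway and the Pi-hole and compare the replies. The script below is an added example, not part of the thread or of Peplink's or Pi-hole's own tooling. It builds and parses DNS packets by hand so it needs no third-party library; the addresses are the ones from the thread, the query name `ads.example` is a placeholder you should replace with a domain that is on your Pi-hole blocklist, and the embedded reply bytes are constructed, not captured from a real device. A blocked name comes back with an A record of 0.0.0.0, which is Pi-hole's default blocking answer, so seeing that from the gateway address proves the redirect is in effect.

```python
import random
import socket
import struct
from typing import Optional

# Addresses from the thread: guest VLAN gateway and the Pi-hole on the management VLAN.
GUEST_GATEWAY_DNS = "172.20.51.1"
PIHOLE_DNS = "10.0.0.2"
# Placeholder (assumption): use a domain that is actually on your Pi-hole blocklist.
TEST_NAME = "ads.example"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query: one question, recursion desired (RD=1)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compression-pointer) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg: bytes) -> dict:
    """Return txid, rcode, TC flag and the A records found in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                 # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4                     # qtype + qclass
    a_records = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:   # A record
            a_records.append(socket.inet_ntoa(rdata))
    return {"txid": txid, "rcode": flags & 0x000F,
            "truncated": bool(flags & 0x0200), "a_records": a_records}


def classify(result: dict) -> str:
    """Label a parsed reply the way a Pi-hole admin reads it."""
    if result["rcode"] == 3:
        return "NXDOMAIN"
    if result["rcode"] != 0:
        return "error rcode=%d" % result["rcode"]
    if result["truncated"]:
        return "truncated (resolver wants TCP 53 for this answer)"
    if result["a_records"] and all(a == "0.0.0.0" for a in result["a_records"]):
        return "blocked"                # Pi-hole's default NULL-blocking answer
    return "resolved" if result["a_records"] else "no A records"


def query(server: str, name: str, timeout: float = 2.0) -> dict:
    """Send one UDP/53 query and parse the reply (does network I/O; not used by tests)."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (server, 53))
        data, _ = s.recvfrom(4096)
    res = parse_response(data)
    if res["txid"] != txid:
        raise ValueError("transaction id mismatch; reply is not for our query")
    return res


# Constructed sample replies (not captured from a real device).
# 1) "ads.example" answered with A 0.0.0.0, as a Pi-hole does for a blocked name.
SAMPLE_BLOCKED_REPLY = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x03ads\x07example\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 2, 4) + bytes([0, 0, 0, 0])
)
# 2) The same question answered NXDOMAIN (rcode 3, no answers).
SAMPLE_NXDOMAIN_REPLY = (
    struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
    + b"\x03ads\x07example\x00" + struct.pack(">HH", 1, 1)
)

if __name__ == "__main__":
    # Run this from a guest-VLAN client: both servers should report "blocked"
    # if the B One is redirecting guest DNS to the Pi-hole and UDP 53 is allowed.
    for server in (GUEST_GATEWAY_DNS, PIHOLE_DNS):
        try:
            print(server, classify(query(server, TEST_NAME)))
        except (OSError, ValueError) as exc:
            print(server, "unreachable or invalid reply:", exc)
```

If the gateway address reports "blocked" but 10.0.0.2 times out, the redirect is doing the work and the guest VLAN has no direct path to the Pi-hole at all, which is the isolation the original question was after; a "truncated" result is the one case where a UDP-only rule is not enough, since the client will retry over TCP 53.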
@scarleton - thanks for this, I hadn’t realized there were custom settings for this (I was looking on the WAN page, not on the DNS Proxy page).
FYI, there is definitely some sort of bug using VLANs with DNS as described here: Outbound Policy + VLAN bug in 8.5 and 8.4.1. So if your setup stops working abruptly, this may be why. The bug seems to require one to be using an Outbound Policy on the VLAN.
Are you using Outbound Policy?
Oh, it is my pleasure. I am not using any outbound policy at the moment, so I think I am good.
1 Like