Surf SOHO and Pi-Hole, is my understanding correct?


I’ve got a Surf SOHO Mk3, and a Pi-Hole (hosted on a Pi 4), I think I know what I have to do achieve the set up I want, but there seem to be some conflicting solutions in some of the threads on this topic. I might also be trying achieve something that I don’t quite need to do.

I’ve got 3 VLANs, and an untagged LAN, roughly:
Untagged (Machine that can access router)
Vlan1 (Other home machines)
Vlan2 (IOT/Guests)
Vlan3 (Pi-Hole), just created.
Layer 2 Isolation is on all of the above (am I right in assuming this does not affect ethernet devices)?

My goal was to leave Inter-Vlan routing off for everything, but still forward DNS requests through the Pi-Hole on the separate Vlan. My current understanding is that this is not possible, and Inter-Vlan routing must be enabled, is that correct?

I currently have it working with Inter-Vlan routing enabled, so the question is more, is it possible to keep it disabled somehow? The answer in Pi-hole with multiple VLANs - #2 by MartinLangmaid didn’t seem to work for me, and the answers in Challenges using PiHole - #4 by Cable171 suggests the routing must be enabled (which makes sense).

I’ve tried forwarding the DNS requests using the DNS proxy and “DNS Forwarding Setup”, but that didn’t seem to help. It sounds like another alternative might just be to leave the Inter-Vlan routing enables but beef up the firewall rules. I like the idea of keeping the Vlans entirely separated (but the value of this might be a misunderstanding on my part.


I have not fought this fight. But, part of the confusion may come from ignoring the fact that DNS can work in two modes (that I know of). In the polite mode (my term), each VLAN can have its own DNS servers. In the insistent mode (my terminology) every device connected to the router uses the DNS servers the router is configured for. Every device means all devices in all VLANs.

Insistent mode: the router must first be set up as the DNS proxy, then, you have to enable DNS forwarding, which is off by default.

I use insistent mode, but I have only specified IP addresses on the public Internet for the DNS servers. Not sure how it will react to a LAN side IP address.

Maybe a static route could fudge things such that a public IP address ends up LAN side? Dunno.

1 Like

Hello @Jayce,
Keep you InterVLAN routing on and create firewalls to allow/block traffic between them within the router.

(image is taken from a Peplink Balance ONE router with FW 8.1.0b4)
You appear to be on track with everything else, how to set all of this up can be found with a little bit of searching here in the Peplink Comunity Forum.
Happy to Help,
Marcus :slight_smile:


Hi, thanks for the reply.

I think I’ve tried the “insistent mode” (I quite like that term) approach (in fact if I’m not mistaken I was using the excellent guide on your website!); I couldn’t quite figure out why I couldn’t get my connection working using this method with an internal IP, but now I think about it, it might make sense. I think this might also capture the DNS requests made by the Pi-Hole, sending them back…to the Pi-Hole so they won’t resolve.

It might be worth investigating if I can use that method, and use an alternative external IP as secondary address. Now I think about it, maybe I can configure the Pi-Hole to use DoT or DoH, which I think would stop the router being able to intercept the DNS requests for the Pi-Hole only. I think I’ve got some more reading to do! I’ll also have a look at static routes, thanks again.

Hi Marcus, thanks also for the response

This will probably be the route I go down; I notice by default that when interVLAN routing is enabled, the default is for the firewall to allow all, so presumably I’m right in thinking need to start with a “Deny All” rule and work from there?

I probably need to read a little further on the topic, but presumably there is a slight difference between a Firewall which denies everything between two clients on separate VLANS, and actually disabling inter VLAN routing entirely? I might have to and read further about packet tagging to get a better understanding of the VLAN isolation =D


Taking a step back:

Long term, Peplink and all routers will let us specify a DoT or DoH hostname rather than an IP v4 address for the DNS server. Someday.

Currently the router is only involved in legacy DNS (UDP, port 53, no encryption). Clients that use DoH and DoT today bypass the router entirely. Android 9 and 10 can use encrypted DNS system-wide, its built into the OS. Eventually, that should come to other OSs too. Desktop versions of Firefox and Chrome can also be configured now to use encrypted DNS and also bypass the router. I assume these would also bypass PiHole, but I have not used PiHole.

Taking a sideways step:

Maybe use NextDNS instead of PiHole. Its cloud based and seems like a really great product.


Hi again, thanks for the additional thoughts, that all makes sense, and gives me a little more reading to do, which is always welcome =D