Posted: Tue Aug 06, 2019 12:05 Post subject: Adding a pi-hole to guest network on two R7000s (SOLVED)
Hi,
I would like to add a pi-hole as a DNS server to my guest network, which consists of 4 virtual interfaces on two R7000s:
Primary device wl0.1 (10.0.10.1/255.255.255.0)
Primary device wl1.1 (10.0.20.1/255.255.255.0)
Secondary device wl0.1 (10.0.30.1/255.255.255.0)
Secondary device wl1.1 (10.0.40.1/255.255.255.0)
These four subnets do not need to be isolated from each other, as long as they are isolated from the private network.
How do I get these (isolated) subnets to talk to a single pi-hole device?
I already have a pi-hole running on the private network as DHCP and DNS server. From what I understand it is not possible to also use this device as a DNS server on the guest network at the same time. So I am looking to run a secondary pi-hole for the guest network.
My current working setup is described below.
So far, I've tried to assign wl0.1 and wl1.1 on the secondary router to a bridge (br1) together with the free WAN-port (vlan2), with the idea of connecting the pi-hole (10.0.0.3) to this WAN-port.
wl0.1/wl1.1/vlan2 are all set as "Bridge Assignment = Default".
Br1 is unbridged, IP = 10.0.0.1 and I have assigned DHCPD to br1.
Furthermore I have changed the firewall rules (see below) to match br1 instead of wl0.1/wl1.1:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
iptables -I INPUT -i br1 -m state --state NEW -j REJECT
iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
However, this resulted in not being able to connect to the guest network on the secondary R7000.
All ports on the primary R7000 are in use, that's why I opted to use a free port on the secondary R7000.
-----------------------
My current working setup is as follows:
• two R7000s connected LAN-LAN
• both devices are running the DD-WRT v3.0-r39960M kongac (06/08/19) firmware.
• the primary R7000 (1st floor) functions as a router, WAN-port is connected to modem.
• the secondary R7000 (3rd floor) functions as access point.
• Private wireless network (wl0 & wl1) on both R7000s
• Guest wireless network (wl0.1 & wl1.1) on both R7000s, traffic is routed through a VPN (OpenVPN client in DD-WRT). I had help with getting the guest network operational on the secondary R7000 here: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1166356#1166356
Primary R7000:
• IP is 192.168.178.1
• DHCP is OFF
• VPN setup in the OpenVPN Client: https://www.privateinternetaccess.com/helpdesk/guides/routers/dd-wrt-3/dd-wrt-openvpn-setup-2 step 13 and further.
• Guest networks setup as described here: https://medium.com/@libertylocked/dd-wrt-tricks-dedicated-wireless-virtual-access-point-for-openvpn-the-easy-way-6399fca14916 (no kill switch yet)
Interface wl0.1: IP 10.0.10.1/255.255.255.0
Interface wl1.1: IP 10.0.20.1/255.255.255.0
• With Policy based Routing (within OpenVPN Client) wl0.1/wl1.1 traffic is routed through the VPN:
10.0.10.128/25
10.0.20.128/25
• Firewall rules:
# not sure with which purpose I added the next three lines
iptables -I FORWARD 1 --source 192.168.178.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
# to prevent android devices from bypassing the pi-hole
iptables -I FORWARD -d 8.8.8.8 -j DROP
iptables -I FORWARD -d 8.8.4.4 -j DROP
Secondary R7000:
• IP of device is 192.168.178.2
• DHCP is OFF
• VPN setup in the OpenVPN Client: https://www.privateinternetaccess.com/helpdesk/guides/routers/dd-wrt-3/dd-wrt-openvpn-setup-2 step 13 and further.
• Guest networks setup as described here: https://medium.com/@libertylocked/dd-wrt-tricks-dedicated-wireless-virtual-access-point-for-openvpn-the-easy-way-6399fca14916 (no kill switch yet)
Interface wl0.1: IP 10.0.30.1/255.255.255.0
Interface wl1.1: IP 10.0.40.1/255.255.255.0
• With Policy based Routing (within OpenVPN Client) wl0.1/wl1.1 traffic is routed through the VPN:
10.0.30.128/25
10.0.40.128/25
• Firewall rules:
# to secure the private network and give the guest network internet access
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
iptables -I FORWARD -i wl0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
iptables -I FORWARD -i wl1.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
# not sure with which purpose I added the next four lines
iptables -I INPUT -i wl0.1 -m state --state NEW -j REJECT
iptables -I INPUT -i wl1.1 -m state --state NEW -j REJECT
iptables -I INPUT -i wl0.1 -p udp -m multiport --dports 53,67 -j ACCEPT
iptables -I INPUT -i wl1.1 -p udp -m multiport --dports 53,67 -j ACCEPT
Pi-hole (192.168.178.3) acts as DHCP and DNS server on the private network
Last edited by Mozzy77 on Sat Aug 10, 2019 10:02; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Tue Aug 06, 2019 12:57 Post subject:
Wow a complicated setup
I see no obstacles at first glance why you cannot use the pi as DNS server for the unbridged VAPs
You are blocking local access for the VAPs at the moment but just punch a hole for the Pi.
The most common mistake is over configuration, i.e. adding too many rules.
All the rules on your primary router seem redundant to me and I would start ditching them.
the tun rules are not necessary if you are using default VPN setup (which is recommended)
The android DNS rules should be done with forced DNS redirection, i.e forcing all DNS queries through your Pi with the following rule:
The last step is indicating your unbridged VAPs to use the Pi as DNS server.
On the wl0.1 virtual interface (and all other unbridged interfaces) enable "Forced DNS redirection" and enter the IP address of the Pi 192.168.178.3
Thanks for helping me clean up my firewall rules on the primary R7000.
I've now reduced it to:
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.178.3 -p tcp --dport 53 -j DNAT --to 192.168.178.3:53
iptables -I FORWARD -d 192.168.178.3 -p tcp --dport 53 -j ACCEPT
and everything seems to be working just fine.
No luck with using the pi-hole (192.168.178.3) on the unbridged VAPs however.
I am a noob with iptables commands, I just reuse code from others.
Posted: Tue Aug 06, 2019 14:32 Post subject:
Mozzy77 wrote:
Thanks for helping me clean up my firewall rules on the primary R7000.
I've now reduced it to:
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.178.3 -p tcp --dport 53 -j DNAT --to 192.168.178.3:53
iptables -I FORWARD -d 192.168.178.3 -p tcp --dport 53 -j ACCEPT
and everything seems to be working just fine.
No luck with using the pi-hole (192.168.178.3) on the unbridged VAPs however.
I am a noob with iptables commands, I just reuse code from others.
Well it is not strange that it is not working
I only allowed tcp traffic, you should also allow udp traffic so also add:
Turning DNSMasq OFF in the Service tab does not seem to change anything.
wl0.1 on the primary R7000 (Forced DNS redirection to 192.168.178.3, pi-hole) has no internet connection,
while wl1.1 (Forced DNS redirection to 208.67.222.123, OpenDNS) does have internet via the VPN.
Have you enabled Forced DNS redirection on the setup page?
This is not what you want because this forces your DNS queries to your router and not to your Pi which is 192.168.178.3 (if I am not mistaken).
So if you enabled that disable it
You are forcing wl0.1 to the Pi but have not opened up the firewall with the rules I sent you so it cannot work.
Enable the rules I sent and then show again the output of
iptables -vnL FORWARD
iptables -vnL -t nat
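The rule set the reply above describes, written out for an unbridged guest VAP. This is an added example, not code from the thread or from DD-WRT. It takes from the thread only the VAP names wl0.1/wl1.1, the pi-hole address 192.168.178.3 and the LAN range 192.168.178.0/24; the APPLY switch, the dry-run mode and the function name are the example's own. Two things it makes explicit that the one-liners in the thread leave implicit: the DNAT rule matches on the ingress interface, so a copy written for `-i br0` never sees packets from a VAP that is not bridged into br0; and because every line uses `-I`, the rule written last in the script is evaluated first, so the ACCEPT for the pi-hole must come after the REJECT in the script to sit above it in the chain.

```shell
#!/bin/sh
# Added example, not from the thread: per-VAP rules that keep an unbridged
# guest VAP off the private LAN while forcing all of its DNS to one pi-hole.
# Assumed from the thread: VAP names wl0.1/wl1.1, pi-hole 192.168.178.3,
# LAN 192.168.178.0/24. APPLY, guest_dns_rules and the dry-run mode are
# this example's own additions.
PIHOLE=${PIHOLE:-192.168.178.3}
LAN_NET=${LAN_NET:-192.168.178.0/24}
GUEST_VAPS=${GUEST_VAPS:-"wl0.1 wl1.1"}

# Apply only when asked for explicitly (APPLY=1 as root on the router);
# otherwise print the rules so they can be reviewed or pasted.
if [ "${APPLY:-0}" = 1 ]; then
    IPT=iptables
else
    IPT="echo iptables"
fi

# guest_dns_rules VAP PIHOLE LAN_NET
# Every rule is inserted with -I, so each line lands ABOVE the previous one:
# the ACCEPTs for the pi-hole are written after the REJECT and are therefore
# matched before it.
guest_dns_rules() {
    vap=$1; pihole=$2; lan=$3
    # 1. Redirect all DNS (udp and tcp) arriving on this VAP to the pi-hole.
    #    -i is the ingress interface: a copy written for br0 never sees
    #    packets from a VAP that is not bridged into br0.
    for proto in udp tcp; do
        $IPT -t nat -I PREROUTING -i "$vap" -p "$proto" --dport 53 \
            -j DNAT --to-destination "${pihole}:53"
    done
    # 2. New connections from the VAP into the private LAN are rejected ...
    $IPT -I FORWARD -i "$vap" -d "$lan" -m state --state NEW -j REJECT
    # 3. ... except DNS to the pi-hole (inserted after step 2, so checked first).
    for proto in udp tcp; do
        $IPT -I FORWARD -i "$vap" -d "$pihole" -p "$proto" --dport 53 -j ACCEPT
    done
    # 4. Traffic to the router itself: only DHCP (67) and DNS (53) over udp.
    $IPT -I INPUT -i "$vap" -m state --state NEW -j REJECT
    $IPT -I INPUT -i "$vap" -p udp -m multiport --dports 53,67 -j ACCEPT
}

# Replies from the pi-hole must come back through the router rather than be
# sent to a guest address it may have no route for: source-NAT guest traffic
# leaving towards the LAN bridge to the router's own LAN address. On the
# router lan_ipaddr comes from nvram; off the router the thread's value is used.
$IPT -t nat -I POSTROUTING -o br0 -j SNAT \
    --to-source "$(nvram get lan_ipaddr 2>/dev/null || echo 192.168.178.1)"

for vap in $GUEST_VAPS; do
    guest_dns_rules "$vap" "$PIHOLE" "$LAN_NET"
done
```

Without APPLY=1 the script only prints the rules, which is the form to paste into the DD-WRT firewall script box or to compare against `iptables -vnL FORWARD` and `iptables -vnL -t nat` afterwards. The `! -s 192.168.178.3` exclusion in the thread's br0 rule exists because the pi-hole's own upstream queries originate on br0 and must not be redirected back to itself; on a guest VAP there is no such source, so the example omits it. One side effect of the SNAT rule worth knowing: the pi-hole sees every guest query as coming from the router's LAN address, so its query log cannot tell guest clients apart.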
I did enter the firewall rules you suggested, saved changes and rebooted the R7000.
However, Forced DNS redirection was indeed enabled on the setup page. Turned this OFF, also DNSmasq is OFF on the service tab. Once more rebooted the R7000.
Still no internet connection on wl0.1, but still working on wl1.1
To be clear, the only rules in the firewall are now:
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.178.3 -p tcp --dport 53 -j DNAT --to 192.168.178.3:53
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.178.3 -p udp --dport 53 -j DNAT --to 192.168.178.3:53
iptables -I FORWARD -d 192.168.178.3 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -d 192.168.178.3 -p udp --dport 53 -j ACCEPT
On a second note, connecting to wl0.1 now takes way longer than it should, and is sometimes even unsuccessful; getting an IP address seems to be the problem.
The pi hole also doubles as DHCP server on the private network, could that be the problem here?
Disabling net isolation on wl0.1 did not give me internet connection on this VAP, but it did give me access to the R7000 dd-wrt GUI on 192.168.178.1. So at least disabling net isolation worked.
Also, my android phone now also is having connection problems with wl1.1. My laptop does not really seem to care much.
I retyped all hyphens, just to be sure.
On (Basic)Setup tab "Use DNSMasq for DNS" is enabled and "Forced DNS Redirection" is disabled.
Net isolation is enabled.
On Services tab "Dnsmasq" is enabled
The firewall on the primary R7000 now looks like (copy-paste):
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.178.3 -p tcp --dport 53 -j DNAT --to 192.168.178.3:53
iptables -t nat -I PREROUTING -i br0 ! -s 192.168.178.3 -p udp --dport 53 -j DNAT --to 192.168.178.3:53
iptables -I FORWARD -d 192.168.178.3 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -d 192.168.178.3 -p udp --dport 53 -j ACCEPT
It now works, but only when I do NOT route the wl0.1 IP-range through the VPN.
Enabling "Local DNS" under Services tab "Dnsmasq" does not change anything. And also still allows internet connection when not using VPN.
Same for the secondary R7000, guest network is working with pi-hole as long as traffic is not routed through VPN.
So routing the guest network through the VPN is the problem. Any ideas on how to solve this?
Routing traffic from the private network and using pi-hole at the same time is not a problem.