Posted: Sat Jul 29, 2023 21:04 Post subject: PiHole HA with 3 subnet setting help
I don't know if this is an advanced networking issue; sorry if this is the wrong location. I searched the forums and the interweb; I can't find it, or what I do find is senseless to me.
Everything is a static lease on each router, meaning the MAC address is in the lease on each one if it is necessary to use that path out to the internet.
AT&T gateway BGW 210 passthrough to main router
I have 3 subnets
Main 10.0.20.0/24 (255.255.255.0)
VPN 10.0.21.0/24 (255.255.255.0) from 10.0.20.253 to wan
IoT 10.0.22.0/24 (255.255.255.0) from 10.0.20.252 to wan
Image of network and DD-WRT firmware attached.
I have 2 Raspberry Pi 4B 8GB set up with PiHole High Availability @
10.0.20.249
10.0.20.250
with Virtual IP
10.0.20.20
Issue is how to set up the firewalls to let all 3 subnets use the virtual PiHole. I believe it should be
Main 20 network
# DNS to PiHole: redirect every DNS query arriving on br0 to the virtual IP 10.0.20.20,
# except queries from the PiHole itself (those must go out to the real upstream resolvers).
# Newer iptables wants the negation before the option (! -s), not after it (-s !).
# If the nodes query upstream from their real addresses (10.0.20.249/.250), exempt those too.
iptables -t nat -I PREROUTING -i br0 ! -s 10.0.20.20 -p tcp --dport 53 -j DNAT --to 10.0.20.20
iptables -t nat -I PREROUTING -i br0 ! -s 10.0.20.20 -p udp --dport 53 -j DNAT --to 10.0.20.20
This is if I attach the PiHole to the Main 20 network; I believe it is better to use the VPN 21 network to take advantage of the NordVPN DNS servers.
I did not set up VLANs or routing tables; I would imagine they would go on the Main 20 network to point to the virtual PiHole.
For some reason this is very confusing to me; I would need a detailed outline to follow. I don't want to use the Main as the DHCP for the entire network. Each machine having its own DHCP / static lease works well, but I don't know if this is the best practice.
As this setup works with dedicated PiHoles in each network, I want to update to take advantage of the HA application and actually reduce the Raspberry Pis to 2 from 3.
All my Firesticks (with Kodi) and other more private hardware/applications are on the VPN.
TVs and IoT cameras, power outlets, Echo and other Chinese listening crap are on the IoT network.
Most of the family PCs are on the primary network but are capable of jumping on the VPN network via static leases set up on the 2 networks.
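A worked version of the redirect the question is asking for, added here as an example (not code from the post or from DD-WRT): it prints the nat rules for one router as a dry run, which you pipe to sh on the box. It assumes a keepalived-style VIP on the br0 bridge and uses the addresses from this thread; the chain name DNS_TO_PIHOLE is my own choice.

```shell
#!/bin/sh
# Generate (dry run) the DD-WRT nat rules that steer every LAN client's DNS to the
# PiHole virtual IP, exempting the PiHole nodes so their own upstream lookups
# still leave via the WAN. Pipe the output to sh on the router to apply it.

# usage: dns_redirect_rules VIP LAN_IF [EXEMPT_IP ...]
dns_redirect_rules() {
  vip=$1; ifc=$2; shift 2
  chain="DNS_TO_PIHOLE"
  # a dedicated chain keeps the exemptions ordered ahead of the DNAT
  echo "iptables -t nat -N $chain 2>/dev/null || iptables -t nat -F $chain"
  for node in "$@"; do
    echo "iptables -t nat -A $chain -s $node -j RETURN"
  done
  echo "iptables -t nat -A $chain -j DNAT --to-destination $vip"
  for proto in udp tcp; do
    # -C makes the jump idempotent when the firewall script re-runs
    echo "iptables -t nat -C PREROUTING -i $ifc -p $proto --dport 53 -j $chain 2>/dev/null || \\"
    echo "  iptables -t nat -I PREROUTING -i $ifc -p $proto --dport 53 -j $chain"
  done
}

# On the router whose LAN segment holds the VIP, a redirected reply would come
# straight back from the PiHole with a source the client never asked, so the
# client drops it. Masquerade only the DNAT'd flows (--ctstate DNAT); queries
# sent directly to the VIP keep their client source in the PiHole logs.
hairpin_rules() {
  vip=$1; ifc=$2
  for proto in udp tcp; do
    echo "iptables -t nat -A POSTROUTING -o $ifc -d $vip -p $proto --dport 53 -m conntrack --ctstate DNAT -j MASQUERADE"
  done
}

# Main 20 router: VIP lives on br0, so both rule sets are needed.
main_router_rules() {
  dns_redirect_rules 10.0.20.20 br0 10.0.20.249 10.0.20.250 10.0.20.20
  hairpin_rules 10.0.20.20 br0
}

# VPN 21 and IoT 22 routers reach the VIP through their WAN: no hairpin, no exemptions.
downstream_router_rules() {
  dns_redirect_rules 10.0.20.20 br0
}

main_router_rules
```

Run `downstream_router_rules` instead of `main_router_rules` on the .253 and .252 routers; their existing WAN masquerade handles the return path.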
This will redirect everything which is connected to the main router (including all the other routers/subnets) to the PiHole except traffic from the PiHole itself (as that should go out via the WAN).
BTW very good drawings, makes it easy to see what is going on, kudos!
Posted: Wed Aug 02, 2023 17:57 Post subject: Resolved
I have them configured with the Main 20; however, I am having an issue with PiHole. The HA setup works but I can't get gravity to update. Not your issue, just scratching my head at this point.
I believe the original issue and response should close this issue.
BTW thanks for the Kudos I did not expect that. Perhaps you can use that as a template example for others...
Posted: Thu Aug 03, 2023 15:48 Post subject: Resolved -- epilogue -- Bonus PIHole with HA
Last point for those contemplating this update.
I have PiHole with Unbound, Stubby, Netlog, as my base image. I had log2ram but that is a bit buggy for me.
I don't static IP any config files in the PiHole; I have static leases in the DD-WRT routers. There are no issues, and I can move or add a MAC address and change the hardware in the Services tab.
As the /etc/host and /etc/pihole/custom.list files are identical in both, they are easy to maintain; I pull the list out of the DD-WRT WOL tables.
Each router hands out its own IP range; the static lease MAC is in their Services tab, which is easily updated by loading it through nvram commands.
I did tweak some things but I can't say you should follow me just made it fit my landscape.
For any specific issues that I had to change in the write-up, I made a txt document with each command step by step, then updated it for each mistake along the way.
One for Primary and one for Backup, as there are specific elements in each.
Trust me, the original txt is different from the final.
Using the smallest SD card helps speed up the process cycle: 10 minutes to write, 15 to read/capture.
I created an image on one Pi, then copied it with diskimager; then, once complete and functional on both, I made another copy of each to have and look at files should one get corrupt.
Best news: I now have 3 extra Raspberry Pi 4B+ 8GB. Maybe 3 in sync is the next bold adventure....
The bonus is that with 2 synced you can update gravity on the one that is idle and it pushes the update to the other. It is way faster to use the idle PiHole and do experiments. You can take down one and not affect anybody, unless you are real wild and they both go down.
I am no expert and at my age (60+) I can hack with most and end up with something nobody else will recognize... Then I beg for help!
Again thanks for the support. This is a very helpful community and the experts are top drawer.