Access Pihole from outside of subnetwork.

DD-WRT Forum Index -> Advanced Networking
Houndie
DD-WRT Novice


Joined: 11 Sep 2023
Posts: 6

PostPosted: Mon Sep 11, 2023 19:46    Post subject: Access Pihole from outside of subnetwork.
I have my home server set up in a subnetwork, with the subnetwork router using Client mode to connect to the rest of the network.

I would like to set up pihole on my home server. Configuring the subnetwork router to use the pihole for DNS seems simple enough, but is there a way with this configuration to access the pihole for DNS resolution from outside the network? Normally I just use port forwarding on the subnetwork router, but I can't seem to forward 53 through the subnetwork router (reasonably understandable), and I also don't seem to be allowed to query the subnetwork router for DNS resolution from outside (from a computer on the wider home network); running `nslookup example.com <subrouter's ip>` just hangs.

The other option looks like changing my networking mode from "Client" to "Client Bridge", but all the DD-WRT documentation says that "Client Bridge" is unstable and shouldn't be used if possible.

Thoughts?
foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 690
Location: Earth

PostPosted: Tue Sep 12, 2023 9:21    Post subject:
I am uncertain what you are trying to achieve.
Are you trying to set a pi-hole up to act as your DNS server when you're out of your LAN?
If that's the case, the safest way I would recommend is: configure a VLAN on the router, isolate this VLAN from the LAN, then set up NGINX on a Pi connected to your VLAN via Ethernet, open ports 80, 81, 443 on the main router pointing to your Pi running NGINX, configure the NGINX config to reach your pi-hole, and generate SSL for this so you can safely reach your Pi over 443. I would also run unbound on the Pi if you are planning on doing this rather than upstream DNS providers. This setup is reliant on your WAN IP not changing and you being able to set up subdomains for a domain name. I suspect you could use a free dynamic DNS service to resolve your WAN IP.
If you don't want to open ports etc. you can set up the Pi, and reach your home network over VPN.
If you're just trying to use and reach your Pi from another internal subnet you should be able to do this with some router firewall rules depending on your setup.
Hopefully I am not barking up the wrong tree and this may help you.

Added: Thinking about it, sorry, I don't think this would work for a DNS server anyway. This would get you to the Pi UI. Glad egc sorted you out!

_________________
Netgear R7800 PPPoE Main Router
Network IPv4 - Isolated VLANs with IoT Devices. Unifi AC-Pro x 3 APs, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Clients. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.

No one can build you the bridge on which you, and only you, must cross the river of life!


Last edited by foz111 on Tue Sep 12, 2023 16:24; edited 2 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12499
Location: Netherlands

PostPosted: Tue Sep 12, 2023 9:32    Post subject:
Draw a map of your network with IP addresses and way of connection
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Houndie
DD-WRT Novice


Joined: 11 Sep 2023
Posts: 6

PostPosted: Tue Sep 12, 2023 13:18    Post subject:
Here's the network diagram! Thanks for taking the time.
Houndie
DD-WRT Novice


Joined: 11 Sep 2023
Posts: 6

PostPosted: Tue Sep 12, 2023 13:28    Post subject:
@foz111 You're close! I do technically want to access the pihole outside of LAN, from the perspective of the pihole. However that LAN is a subnet connected to my much greater LAN.

I posted a network diagram above ^^^^

I can access the pihole web interface just fine, I have the port exposed through router 2. I don't need to worry about SSL or dynamic DNS as neither of these things are exposed to the outside internet.

What I can't seem to figure out is how to deal with port 53, the DNS lookup port. There seem to be specifications keeping it at port 53, meaning I can't do a port mapping and then forwarding it. Keeping it at 53 seems to have its own set of problems though, as router 2 won't expose that port to the 192.168.11.x network...presumably it's some combination of "security rules" and the fact that the router itself is asked to do DNS lookups. For example, if I `nslookup www.google.com 192.168.12.1` from the 192.168.12.x network, I get results. If I run `nslookup www.google.com 192.168.11.69` from the 192.168.11.x network, I get nothing.

Thanks!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12499
Location: Netherlands

PostPosted: Tue Sep 12, 2023 13:33    Post subject:
OK, probably the best way to deal with this is to just connect both networks, so that you can connect from the upstream to the downstream network simply by IP address.

In short set a static route on the upstream router:
Code:
ip route add 192.168.12.0/24 via 192.168.11.69


And
Open up the firewall of the downstream router for traffic from 192.168.11.0/24

See attached doc

Note that LAN clients on the downstream network can have their own firewall, and if you want to reach those make sure those LAN clients (e.g. your Pi) allow traffic from 192.168.11.0/24
(alternatively you can MASQUERADE traffic of 192.168.11.0/24 via br0 of the downstream router:
iptables -t nat -I POSTROUTING -s 192.168.11.0/24 -o br0 -j MASQUERADE)

Houndie
DD-WRT Novice


Joined: 11 Sep 2023
Posts: 6

PostPosted: Tue Sep 12, 2023 14:12    Post subject:
That certainly sounds like it simplifies things! I'm not a networking expert so I'm only about 70% on understanding your answer, but it sounds like there's enough information there for me to understand with some google searching and I'll let you know if there's any confusion, thanks!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12499
Location: Netherlands

PostPosted: Tue Sep 12, 2023 14:20    Post subject:
Houndie wrote:
That certainly sounds like it simplifies things! I'm not a networking expert so I'm only about 70% on understanding your answer, but it sounds like there's enough information there for me to understand with some google searching and I'll let you know if there's any confusion, thanks!


The attached document should get you going :)

Otherwise just ask

Houndie
DD-WRT Novice


Joined: 11 Sep 2023
Posts: 6

PostPosted: Tue Sep 12, 2023 17:55    Post subject:
You are all magic.

Router 2's network is now accessible from router 1's network without all the port forwarding fuss. Hooray!

Still currently having trouble connecting to pihole after 30 seconds of trying, but I can `nmap` the machine now and it shows port 53 open so it seems to be an unrelated issue.

Thank you all so much for the help!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12499
Location: Netherlands

PostPosted: Tue Sep 12, 2023 18:08    Post subject:
The pihole has its own firewall; you should allow traffic from 192.168.11.0/24 on the pihole, or add this rule to the router:
iptables -t nat -I POSTROUTING -s 192.168.11.0/24 -o br0 -j MASQUERADE

Houndie
DD-WRT Novice


Joined: 11 Sep 2023
Posts: 6

PostPosted: Tue Sep 12, 2023 19:09    Post subject:
Right idea, but the error was in the pihole settings (which may use iptables on the backend I don't know).

By default, pihole is set to "Allow only local requests: Allows only queries from devices that are at most one hop away (local devices)" Loosening that allows me to access the pihole from the 192.168.11.0 network.

(For clarity, I'm using the docker version of pihole, not the raspberry-pi version)
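The whole procedure from this thread in one script, as an added example that is not code from the thread, from DD-WRT or from Pi-hole: egc's static route on router 1 and firewall opening on router 2, the MASQUERADE alternative, the Pi-hole listening setting Houndie ended up changing, and a check from the upstream side. The addresses 192.168.11.69 and 192.168.12.0/24 come from the thread; the Pi-hole host address 192.168.12.10, host networking for the container and the `eth0` fallback for the WAN interface are assumptions. Unlike the "open the whole subnet" approach, the firewall function admits only DNS (UDP and TCP 53) from 192.168.11.0/24 to the Pi-hole, which is what a practitioner wants when widening a DD-WRT client-mode router's default WAN->LAN drop:

```shell
#!/bin/sh
# Added example, not code from the thread, DD-WRT or Pi-hole.
# Values from the thread: router 2 sits at 192.168.11.69 on the upstream LAN
# (192.168.11.0/24) and serves 192.168.12.0/24 behind it.
# Assumptions for illustration: the Pi-hole host is 192.168.12.10 and runs the
# docker image with host networking. Override any value via the environment.
UPSTREAM_NET="${UPSTREAM_NET:-192.168.11.0/24}"
DOWNSTREAM_NET="${DOWNSTREAM_NET:-192.168.12.0/24}"
DOWNSTREAM_WAN_IP="${DOWNSTREAM_WAN_IP:-192.168.11.69}"
PIHOLE_IP="${PIHOLE_IP:-192.168.12.10}"   # assumed address of the Pi-hole host
DRY_RUN="${DRY_RUN:-0}"                    # DRY_RUN=1 prints commands instead of running them

# Execute a command, or print it when DRY_RUN=1 so the rules can be reviewed first.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Router 1 (upstream): static route so 192.168.12.0/24 is reached via router 2.
# Without it, router 1 sends replies for 192.168.12.x down its default route.
upstream_route() {
  run ip route add "$DOWNSTREAM_NET" via "$DOWNSTREAM_WAN_IP"
}

# Router 2 (downstream, DD-WRT client mode): use as the firewall script under
# Administration -> Commands. DD-WRT drops unsolicited WAN->LAN traffic by
# default, which is why port 53 "hung" from the 192.168.11.x side. Instead of
# opening the whole /24, admit only DNS (UDP and TCP 53) from the upstream LAN
# to the Pi-hole and drop everything else from that subnet explicitly.
# -I inserts at the top, so the DROP goes in first and ends up below the ACCEPTs.
downstream_firewall() {
  wan_if="${WAN_IF:-$(nvram get wan_ifname 2>/dev/null || echo eth0)}"  # eth0 is an assumed fallback
  run iptables -I FORWARD -i "$wan_if" -s "$UPSTREAM_NET" -d "$DOWNSTREAM_NET" -j DROP
  run iptables -I FORWARD -i "$wan_if" -s "$UPSTREAM_NET" -d "$PIHOLE_IP" -p tcp --dport 53 -j ACCEPT
  run iptables -I FORWARD -i "$wan_if" -s "$UPSTREAM_NET" -d "$PIHOLE_IP" -p udp --dport 53 -j ACCEPT
}

# The alternative egc mentions: masquerade upstream clients behind router 2's LAN
# address so the Pi only ever sees 192.168.12.1, one hop away. That sidesteps
# the Pi's own firewall and Pi-hole's "local requests" check, but every
# upstream client then appears as 192.168.12.1 in Pi-hole's query log.
downstream_masquerade() {
  run iptables -t nat -I POSTROUTING -s "$UPSTREAM_NET" -o br0 -j MASQUERADE
}

# Pi-hole container: DNSMASQ_LISTENING=all is the environment form of the web
# UI's "Permit all origins"; the default, "local", is the "Allow only local
# requests" setting that rejected routed queries in the thread. Because "all"
# answers any source address, the router firewall stays the only thing limiting
# who can query it: never forward 53 in from the internet.
pihole_docker() {
  run docker run -d --name pihole --network host \
    -e DNSMASQ_LISTENING=all \
    -e WEBPASSWORD=change-me \
    -v pihole_etc:/etc/pihole -v pihole_dnsmasq:/etc/dnsmasq.d \
    pihole/pihole:latest
}

# From a client on the upstream LAN: confirm both UDP and TCP reach the Pi-hole
# (nmap showing 53 open proves the route and firewall; dig proves the resolver).
check_dns() {
  run dig @"$PIHOLE_IP" +time=2 +tries=1 example.com A
  run dig @"$PIHOLE_IP" +tcp +time=2 +tries=1 example.com A
}

case "${1:-}" in
  upstream)   upstream_route ;;
  downstream) downstream_firewall ;;
  masquerade) downstream_masquerade ;;
  pihole)     pihole_docker ;;
  check)      check_dns ;;
  "")         ;;   # no argument: only define the functions (e.g. when sourced)
  *)          echo "usage: $0 upstream|downstream|masquerade|pihole|check" >&2; exit 2 ;;
esac
```

Run `DRY_RUN=1 sh route-dns.sh downstream` first to read the rules it would install, then `sh route-dns.sh upstream` on router 1 and `sh route-dns.sh downstream` on router 2. If you prefer egc's MASQUERADE route, run `masquerade` instead of changing the Pi-hole setting, and accept that the query log loses per-client addresses.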