DD-WRT and pi-hole plus guest network (Guide)

plawer
Posted: Mon May 31, 2021 21:13

1. Introduction

The question comes up from time to time: how to set up a pi-hole server with DD-WRT, especially when it comes to guest networks. In this thread, a few aspects of the setup will be addressed in hopes of covering the most common scenarios.

1.1 Assumptions

    The instructions assume that the pi-hole is installed on a Raspberry Pi.
    The router is used as the DHCP server. It is possible to run the pi-hole as a DHCP server, and that is not covered in this tutorial.
    If a guest network is set up, it is associated with a VLAN on the router.

1.2 Network

The network addresses for this guide will follow the definition below:

Main network
    192.168.0.0/24 br0 vlan1
    192.168.0.1 our DD-WRT router
    192.168.0.2 Raspberry Pi running pi-hole, hostname pihole2
    192.168.0.3 Optional secondary Raspberry Pi running pi-hole, hostname pihole3
    192.168.0.4 Optional high availability IP address for the pi-holes, pihole4

Guest network (If you do not have a guest network, you can ignore this)
    192.168.3.0/24 br3 vlan3
    192.168.3.1 our DD-WRT router with its address on the guest network
    192.168.3.2 pihole2 on the guest network
    192.168.3.3 pihole3 on the guest network
    192.168.3.4 pihole4 on the guest network

1.3 DNS provider

The DNS provider used in the guide is Quad 9 with malware filtering. I use it based on the results of the tests done in the Youtube videos linked. Use whatever provider you prefer; it's a matter of personal preference.

https://www.youtube.com/watch?v=imlFubYv8YY
https://www.youtube.com/watch?v=sDuhxCWd3wU
https://www.youtube.com/watch?v=XTeZMrVnRRI

----

2. Install pi-hole

The pi-hole installation should be pretty straightforward. Install Raspbian and then pi-hole.

    Follow the instructions to install Raspbian https://www.raspberrypi.org/software/ Note: For ease of use when setting up VLANs, please run "sudo raspi-config" and disable "Network Interface Names" under Advanced Options. If you do not intend to use a guest network, then you can ignore this step.


2.1 Automatic updates (recommendation, not required)

For good measure, you can set up automatic updates on the pi-hole server. The following cron entries will keep the Raspberry Pi and pi-hole up-to-date.
    0 6 * * * sudo apt update
    5 6 * * * sudo apt full-upgrade -y
    0 7 * * * pihole -up

Reference: https://discourse.pi-hole.net/t/auto-update-pi-hole/481

2.2 pi-hole blocklists

A starting point for a number of blocklists https://blocklistproject.github.io/Lists/

2.3 Router configuration

On the router, some changes should be made to ensure the network clients are connecting to the pi-hole, and make it possible to see those clients in the pi-hole web interface. In the Services - Services tab, the following additional configuration options are added to the dnsmasq section.
    # DD-WRT will use pihole2 as DNS server
    server=192.168.0.2
    # DD-WRT will provide pihole2 as the DNS server to DHCP clients. This allows to see where the requests are coming from on the pi-hole server.
    dhcp-option=br0,6,192.168.0.2

2.4 Conditional forwarding

Conditional forwarding makes it possible for the pi-hole to do reverse lookups on the router to define the DHCP clients. On the pi-hole, these are the settings for a configuration without a guest network:
    Local network in CIDR notation: 192.168.0.0/24
    IP address of your DHCP server (router): 192.168.0.1
    local domain name (optional): local

Note: It is currently only possible to add /8, /16, or /24 networks to the configuration in pi-hole. If reverse lookups for guest network clients should be possible, it must be added as a /16 network.

2.4.1 Router settings

Under Setup - Basic Setup - Optional settings - The Domain Name value must match the value entered in the pi-hole settings above. We are going to use "local" here as well. Further down the page Use DNSMasq for DNS must be enabled to make the router respond to DNS requests.

It is possible to include definitions for other hosts not connected to the router on the router if that is needed. This should be defined in the additional dnsmasq settings
    host-record=hostname,192.168.255.2

----

3. Install dnscrypt on pi-hole (optional)

dnscrypt-proxy can be installed so the pi-hole will do secure DNS lookups.

https://github.com/pi-hole/pi-hole/wiki/DNSCrypt-2.0
https://github.com/DNSCrypt/dnscrypt-proxy/releases/
https://dnscrypt.info/

3.1 Automatic updates

Once dnscrypt-proxy has been configured and verified it works, an update script can be installed to ensure dnscrypt-proxy also automatically updates. With the script from the Reference link installed, the following cron job will run it daily and automatically update dnscrypt-proxy if needed.

    0 8 * * * /opt/dnscrypt-proxy/dnscrypt-proxy-update.sh

Reference: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Updates

No actions on the router related to this.

----

4. Pi-hole with DD-WRT guest network

Now it is time to set up the guest network. To make it possible for the pi-hole to treat queries on the guest network differently, a VLAN is added on both the router and the pi-hole server.

4.1 Router configuration

Details about setting up a guest network are described elsewhere. Follow those instructions.

4.2 VLAN on DD-WRT

A VLAN must be added to the bridge associated with the guest network. In our case, the bridge is br0 and VLAN is 3. Adding a VLAN on a DD-WRT router varies from router to router. If you have problems with this, please ask your question in the Advanced Network Forum.


Once VLAN3 has been created it should be added to the Guest network under Settings - Networking. And the router's DHCP server should hand out the IP address of the pihole2 on the guest network. Go to Services - Services and add the following to the dnsmasq additional options field.
    dhcp-option=br3,6,192.168.3.2

4.3 VLAN on pi-hole

Installing the VLAN support on the pi-hole is done with the following command:
    sudo apt-get install vlan

Once installed, the VLANs can now be defined. Edit the configuration with:
    sudo nano /etc/network/interfaces.d/vlans

And add the following to the file. VLAN3 is defined by the 3 in eth0.3
    auto eth0.3
    iface eth0.3 inet manual
    vlan-raw-device eth0

The pi-hole should already be running with an assigned IP address on the main network. It also needs to have an IP address for the guest network. Edit this configuration with
    sudo nano /etc/dhcpcd.conf

Towards the bottom of the file, find the details related to the main network:
    interface eth0
    static ip_address=192.168.0.2/24
    static routers=192.168.0.1
    static domain_name_servers=9.9.9.9

Add the definition below for VLAN3:
    interface eth0.3
    static ip_address=192.168.3.2/24
    static routers=192.168.3.1
    static domain_name_servers=9.9.9.9

Then restart the network on the pi:
    sudo systemctl restart networking

And verify the changes with
    hostname -I

The result should look something like this:
    192.168.0.2 192.168.3.2

Reference: https://www.sbprojects.net/projects/raspberrypi/vlan.php

In the pi-hole Admin user interface under Settings - DNS, "Interface listening behavior" should be set to "Listen on all interfaces". After clicking Save, the "Restart DNS Resolver" on the System tab should be run.

4.4 Groups pi-hole (optional)

If you want to have different filters on the guest network, then you need to define groups and clients. If the filter should be the same, this step can be ignored.

Navigate to http://192.168.0.2/admin/
Login, and go to Group Management - Groups. Add a group called Guest.

Go to Clients. In Known Clients and Comments add the following two entries.
192.168.0.0/24 Main
192.168.3.0/24 Guest

In Adlists, it is now possible to assign the groups to the various lists.

Remember to run Update Gravity under Tools (or pihole -g from the command line) when done to update the database to the selection.

----

5. Simple dual pi-hole (optional)

If there is a need to run two pi-holes to have a fallback server, there are a few minor changes to be done. Follow the same steps for a second pi-hole and add its IP address to the dnsmasq settings.

    # DD-WRT will use pihole2 and pihole3 as DNS server
    server=192.168.0.2
    server=192.168.0.3
    # DD-WRT will provide pihole2 and pihole3 as the DNS server to DHCP clients. This allows to see where the requests are coming from on the pi-hole servers.
    dhcp-option=br0,6,192.168.0.2,192.168.0.3
    # Guest network
    dhcp-option=br3,6,192.168.3.2,192.168.3.3

If you want to have the same web interface password for the second pi-hole, simply enter
    pihole -a -p

5.1 Automatic pi-hole synchronization

Using the Teleporter in the pi-hole web interface is an easy (but also manual) way to synchronize the blocklists, clients, etc. If you want this synchronization to happen automatically, the gravity sync script can be installed. It is not covered in detail here.
Reference: https://github.com/vmstan/gravity-sync

----

6. Dual pi-hole high availability (very optional)

If you want to configure the two pi-holes in high availability mode, then there's a thread on reddit describing how to set it up:
https://www.reddit.com/r/pihole/comments/d5056q/tutorial_v2_how_to_run_2_pihole_servers_in_ha/

For these instructions, it would require an update to the dnsmasq settings:
    # DD-WRT will use pihole4 as the high availability DNS server
    server=192.168.0.4
    # DD-WRT will provide pihole4 as the DNS server to DHCP clients.
    dhcp-option=br0,6,192.168.0.4
    # Guest network
    dhcp-option=br3,6,192.168.3.4

----

7. PADD to show status (optional)

If a screen is connected to the pi-hole, then PADD is able to share some status details on the screen.

https://github.com/pi-hole/PADD

To keep PADD up-to-date, the following is added to the cron jobs.

----

8. Final words

I will try to keep this guide up to date as much as possible. I am running with two pi-holes at home. Since I rarely ever make list updates myself, I have not implemented the sync nor the high availability setup.

Please provide comments to address typos, issues, etc.

Thanks.

_________________
Linksys: Several WRTxx00AC variations | Netgear: 4x WNDR4500v2, 7x WNDR4300, R6400v1 | Asus: 2x RT-AC66U | Gl.inet: 3x GL-AR150


Last edited by plawer on Mon May 31, 2021 21:41; edited 1 time in total
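
Added example, not part of plawer's post: a small Python check of the dnsmasq additional options from sections 2.3, 4.2 and 5 against the address plan in section 1.2. It flags a bridge that hands out a DNS server outside its own subnet, or the router itself (which hides the requesting client from the pi-hole, as section 2.3 notes). It only understands the `dhcp-option=<bridge>,6,<addresses>` form used in the guide; the function name and the sample strings are constructed for illustration.

```python
import ipaddress

# Address plan from section 1.2 of the guide: bridge -> (subnet, router address).
PLAN = {
    "br0": (ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_address("192.168.0.1")),
    "br3": (ipaddress.ip_network("192.168.3.0/24"), ipaddress.ip_address("192.168.3.1")),
}

def check_dns_options(text, plan=PLAN):
    """Return a list of problems in dnsmasq 'additional options' text."""
    problems, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#") or not line.startswith("dhcp-option="):
            continue
        fields = [f.strip() for f in line.split("=", 1)[1].split(",")]
        if len(fields) < 3 or fields[1] != "6":  # DHCP option 6 = DNS servers
            continue
        bridge, servers = fields[0], fields[2:]
        if bridge not in plan:
            problems.append(f"line {lineno}: {bridge} is not in the address plan")
            continue
        seen.add(bridge)
        subnet, router = plan[bridge]
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                problems.append(f"line {lineno}: {server!r} is not an IP address")
                continue
            if addr not in subnet:
                problems.append(f"line {lineno}: {bridge} hands out {addr}, outside {subnet}")
            elif addr == router:
                problems.append(f"line {lineno}: {bridge} hands out the router {addr}")
    for bridge in sorted(set(plan) - seen):
        problems.append(f"{bridge}: no dhcp-option 6 line for this bridge")
    return problems

# Constructed samples: the guide's section 5 settings, and a variant with mistakes.
GOOD = """# Guest network
server=192.168.0.2
dhcp-option=br0,6,192.168.0.2,192.168.0.3
dhcp-option=br3,6,192.168.3.2,192.168.3.3
"""
BAD = """dhcp-option=br0,6,192.168.0.1
dhcp-option=br3,6,192.168.0.2
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_dns_options(sample) or "ok")
```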

Alozaros
Posted: Mon May 31, 2021 21:36
Excellent guide, great job...bookmarked

In fact there are few already, that come and go...

Good attention to the details...and structure..
Those links for guest network are a bit outdated, but supposed to work...kind of...
More up to date guide here, 3rd post down, created by SurprisedItWorks
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1217070

This Pi-hole guide helps those with lower grade routers to be able to take advantage of more advanced DNS...with logs and graphs...

Personally I'm curious, but it feels too sketchy for my needs...maybe one day....so far, I prefer all in one unit...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913

plawer
Posted: Mon May 31, 2021 21:43
Thanks. Updated link to guest network instructions.

kernel-panic69
Posted: Mon May 31, 2021 23:06
Switched Ports Wiki, and several others, which are pre-swconfig on Broadcom, are going to be irrelevant. Everything will be configurable from the webUI.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net

PavelVD
Posted: Tue Jun 01, 2021 20:45
At the discretion of the author, the section "3. Install dnscrypt on pi-hole (optional)" can be supplemented with another option to encrypt DNS requests for those who use SmartDNS Resolver via TLS.
The Pi-hole can be set to 192.168.1.1#6053 as the only upstream server.
My Pi-hole runs in this mode on an Orange Pi PC+

_________________
Linksys WRT1900ACSv2
Automatically adjustable temperature, always within the range of 59-68°С.