Posted: Mon May 31, 2021 21:13 Post subject: DD-WRT and pi-hole plus guest network (Guide)
1. Introduction
The question comes up from time to time: how to set up a pi-hole server with DD-WRT, especially when it comes to guest networks. In this thread, a few aspects of the setup will be addressed in hopes of covering the most common scenarios.
1.1 Assumptions
The instructions assume that the pi-hole is installed on a Raspberry Pi.
The router is used as the DHCP server. It is possible to run the pi-hole as a DHCP server, but that is not covered in this tutorial.
If a guest network is set up, it is associated with a VLAN on the router.
1.2 Network
The network addresses for this guide will follow the definition below:
Main network
192.168.0.0/24 br0 vlan1
192.168.0.1 our DD-WRT router
192.168.0.2 Raspberry Pi running pi-hole, hostname pihole2
192.168.0.3 Optional secondary Raspberry Pi running pi-hole, hostname pihole3
192.168.0.4 Optional high availability IP address for the pi-holes, pihole4
Guest network (If you do not have a guest network, you can ignore this)
192.168.3.0/24 br3 vlan3
192.168.3.1 our DD-WRT router with its address on the guest network
192.168.3.2 pihole2 on the guest network
192.168.3.3 pihole3 on the guest network
192.168.3.4 pihole4 on the guest network
1.3 DNS provider
The DNS provider used in the guide is Quad 9 with malware filtering. I use it based on the results of the tests done in the YouTube videos linked. Use whatever provider you prefer; it's a matter of personal preference.
The pi-hole installation should be pretty straightforward. Install Raspbian and then pi-hole.
Follow the instructions to install Raspbian https://www.raspberrypi.org/software/ Note: For ease of use when setting up VLANs, please run "sudo raspi-config" and disable "Network Interface Names" under Advanced Options. If you do not intend to use a guest network, then you can ignore this step.
2.1 Automatic updates (recommendation, not required)
For good measure, you can set up automatic updates on the pi-hole server. The following cron entries will keep the Raspberry Pi and pi-hole up-to-date.
On the router, some changes should be made to ensure the network clients are connecting to the pi-hole, and make it possible to see those clients in the pi-hole web interface. In the Services - Services tab, the following additional configuration options are added to the dnsmasq section.
# DD-WRT will use pihole2 as DNS server
server=192.168.0.2
# DD-WRT will provide pihole2 as the DNS server to DHCP clients. This makes it possible to see where the requests are coming from on the pi-hole server.
dhcp-option=br0,6,192.168.0.2
2.4 Conditional forwarding
Conditional forwarding makes it possible for the pi-hole to do reverse lookups on the router to define the DHCP clients. On the pi-hole, these are the settings for a configuration without a guest network:
Local network in CIDR notation: 192.168.0.0/24
IP address of your DHCP server (router): 192.168.0.1
local domain name (optional): local
Note: It is currently only possible to add /8, /16, or /24 networks to the configuration in pi-hole. If reverse lookups for guest network clients should be possible, it must be added as a /16 network.
2.4.1 Router settings
Under Setup - Basic Setup - Optional settings, the Domain Name value must match the value entered in the pi-hole settings above. We are going to use "local" here as well. Further down the page, "Use DNSMasq for DNS" must be enabled to make the router respond to DNS requests.
It is possible to include definitions on the router for other hosts not connected to the router, if that is needed. This should be defined in the additional dnsmasq settings:
host-record=hostname,192.168.255.2
----
3. Install dnscrypt on pi-hole (optional)
dnscrypt-proxy can be installed so the pi-hole will do secure DNS lookups.
Once dnscrypt-proxy has been configured and verified it works, an update script can be installed to ensure dnscrypt-proxy also automatically updates. With the script from the Reference link installed, the following cron job will run it daily and automatically update dnscrypt-proxy if needed.
Now it is time to set up the guest network. To make it possible for the pi-hole to treat queries on the guest network differently, a VLAN is added on both the router and the pi-hole server.
4.1 Router configuration
Details about setting up a guest network are described elsewhere. Follow those instructions.
A VLAN must be added to the bridge associated with the guest network. In our case, the bridge is br0 and VLAN is 3. Adding a VLAN on a DD-WRT router varies from router to router. If you have problems with this, please ask your question in the Advanced Network Forum.
Once VLAN3 has been created it should be added to the Guest network under Settings - Networking. And the router's DHCP server should hand out the IP address of the pihole2 on the guest network. Go to Services - Services and add the following to the dnsmasq additional options field.
dhcp-option=br3,6,192.168.3.2
4.3 VLAN on pi-hole
Installing the VLAN support on the pi-hole is done with the following command:
sudo apt-get install vlan
Once installed, the VLANs can now be defined. Edit the configuration with:
sudo nano /etc/network/interfaces.d/vlans
And add the following to the file. VLAN3 is defined by the 3 in eth0.3.
auto eth0.3
iface eth0.3 inet manual
vlan-raw-device eth0
The pi-hole should already be running with an assigned IP address on the main network. It also needs to have an IP address for the guest network. Edit this configuration with:
sudo nano /etc/dhcpcd.conf
Towards the bottom of the file, find the details related to the main network:
In the pi-hole Admin user interface under Settings - DNS, "Interface listening behavior" should be set to "Listen on all interfaces". After clicking Save, the "Restart DNS Resolver" on the System tab should be run.
4.4 Groups pi-hole (optional)
If you want to have different filters on the guest network, then you need to define groups and clients. If the filter should be the same, this step can be ignored.
Navigate to http://192.168.0.2/admin/
Login, and go to Group Management - Groups. Add a group called Guest.
Go to Clients. In Known Clients and Comments add the following two entries.
192.168.0.0/24 Main
192.168.3.0/24 Guest
In Adlists, it is now possible to assign the groups to the various lists.
Remember to run Update Gravity under Tools (or pihole -g from the command line) when done to update the database to the selection.
----
5. Simple dual pi-hole (optional)
If there is a need to run two pi-holes to have a fallback server, there are a few minor changes to be done. Follow the same steps for a second pi-hole and add its IP address to the dnsmasq settings.
# DD-WRT will use pihole2 and pihole3 as DNS servers
server=192.168.0.2
server=192.168.0.3
# DD-WRT will provide pihole2 and pihole3 as the DNS servers to DHCP clients. This makes it possible to see where the requests are coming from on the pi-hole servers.
dhcp-option=br0,6,192.168.0.2,192.168.0.3
# Guest network
dhcp-option=br3,6,192.168.3.2,192.168.3.3
If you want to have the same web interface password for the second pi-hole, simply enter
pihole -a -p
5.1 Automatic pi-hole synchronization
Using the Teleporter in the pi-hole web interface is an easy (but also manual) way to synchronize the blocklists, clients, etc. If you want this synchronization to happen automatically, the gravity sync script can be installed. It is not covered in detail here.
Reference: https://github.com/vmstan/gravity-sync
For these instructions, it would require an update to the dnsmasq settings:
# DD-WRT will use pihole4 as the high availability DNS server
server=192.168.0.4
# DD-WRT will provide pihole4 as the DNS server to DHCP clients.
dhcp-option=br0,6,192.168.0.4
# Guest network
dhcp-option=br3,6,192.168.3.4
----
7. PADD to show status (optional)
If a screen is connected to the pi-hole, then PADD is able to share some status details on the screen.
I will try to keep this guide up to date as much as possible. I am running with two pi-holes at home. Since I rarely ever make list updates myself, I have not implemented the sync nor the high availability setup.
Please provide comments to address typos, issues, etc.
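A check for the dnsmasq additional options from sections 2, 4.1 and 5, added here as an example and not part of the original post: it verifies that each bridge hands DHCP clients only pi-hole addresses from that bridge's own subnet, using the address plan in section 1.2. The function name, the plan table and the sample inputs are assumptions of this example, and only the `dhcp-option=<bridge>,6,<ip>` form used in the guide is parsed.

```python
import ipaddress

# Address plan from section 1.2 of the guide: bridge -> (subnet, pi-hole IPs).
PLAN = {
    "br0": ("192.168.0.0/24", {"192.168.0.2", "192.168.0.3", "192.168.0.4"}),
    "br3": ("192.168.3.0/24", {"192.168.3.2", "192.168.3.3", "192.168.3.4"}),
}

def audit_dhcp_dns(config, plan=PLAN):
    """Check dhcp-option=<bridge>,6,<ip>[,<ip>...] lines against the plan.

    Returns a list of (line_number, message); an empty list means every
    bridge hands out only pi-hole addresses from its own subnet.
    """
    findings, seen = [], set()
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#") or not line.startswith("dhcp-option="):
            continue
        fields = [f.strip() for f in line.split("=", 1)[1].split(",")]
        if len(fields) < 3 or fields[1] != "6":
            continue  # not a DNS-server option in the form the guide uses
        bridge, servers = fields[0], fields[2:]
        if bridge not in plan:
            findings.append((lineno, f"{bridge}: bridge is not in the plan"))
            continue
        seen.add(bridge)
        subnet = ipaddress.ip_network(plan[bridge][0])
        for server in servers:
            if ipaddress.ip_address(server) not in subnet:
                findings.append((lineno, f"{bridge}: {server} is outside {subnet}"))
            elif server not in plan[bridge][1]:
                findings.append((lineno, f"{bridge}: {server} is not a pi-hole"))
    for bridge in sorted(set(plan) - seen):
        findings.append((0, f"{bridge}: no DNS server option set"))
    return findings

# Constructed inputs: the guide's single pi-hole settings, and a variant that
# hands guest clients the pi-hole's main-network address.
GUIDE_CONFIG = """\
server=192.168.0.2
dhcp-option=br0,6,192.168.0.2
dhcp-option=br3,6,192.168.3.2
"""
BAD_CONFIG = GUIDE_CONFIG.replace("br3,6,192.168.3.2", "br3,6,192.168.0.2")

if __name__ == "__main__":
    for name, cfg in (("guide", GUIDE_CONFIG), ("variant", BAD_CONFIG)):
        print(name, audit_dhcp_dns(cfg) or "OK")
```

Paste the contents of the router's additional dnsmasq options field into a string and pass it to `audit_dhcp_dns`; a finding with line number 0 means a bridge in the plan has no DNS option at all.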
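The note in section 2.4 says only /8, /16 or /24 networks can be entered and that covering the guest network requires a /16. The following added example (not part of the original post) works out the smallest allowed network for a set of subnets, the reverse zone it corresponds to, and how many addresses outside the planned subnets end up inside the forwarded range. The function and key names are assumptions of this example, and the input subnets are assumed not to overlap.

```python
import ipaddress

ALLOWED_PREFIXES = (24, 16, 8)  # the only sizes the guide says pi-hole accepts

def covering_network(networks):
    """Smallest /24, /16 or /8 that contains every network in `networks`."""
    nets = [ipaddress.ip_network(n) for n in networks]
    for prefix in ALLOWED_PREFIXES:
        candidate = ipaddress.ip_network(
            f"{nets[0].network_address}/{prefix}", strict=False)
        if all(n.subnet_of(candidate) for n in nets):
            return candidate
    raise ValueError("no single /24, /16 or /8 covers all networks")

def reverse_zone(net):
    """in-addr.arpa zone for an octet-aligned IPv4 network."""
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def conditional_forwarding(networks, router, domain="local"):
    """Values for the three pi-hole fields in section 2.4, plus what they imply."""
    net = covering_network(networks)
    planned = sum(ipaddress.ip_network(n).num_addresses for n in networks)
    return {
        "local_network": str(net),
        "dhcp_server": router,
        "local_domain": domain,
        "reverse_zone": reverse_zone(net),
        # Addresses inside the forwarded range that belong to no planned subnet.
        "extra_addresses": net.num_addresses - planned,
    }

if __name__ == "__main__":
    # Main network only, then main plus guest network from section 1.2.
    print(conditional_forwarding(["192.168.0.0/24"], "192.168.0.1"))
    print(conditional_forwarding(["192.168.0.0/24", "192.168.3.0/24"],
                                 "192.168.0.1"))
```

With both networks from the guide the result is 192.168.0.0/16, so reverse lookups for every 192.168.x.x address are sent to the router, not only those for the two planned subnets.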
Posted: Mon May 31, 2021 21:36 Post subject:
Excellent guide, great job...bookmarked
In fact there are few already, that come and go...
Good attention to the details...and structure..
Those links for guest network are a bit outdated, but supposed to work...kind of...
More up to date guide here 3rd post down created by
SurprisedItWorks https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1217070
This Pi-hole guide helps those with lower grade routers to be able to take advantage of more advanced DNS...with logs and graphs...
Personally I'm curious, but it feels too sketchy for my needs...maybe one day....so far, I prefer all in one unit...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
At the discretion of the author, the section "3. Install dnscrypt on pi-hole (optional)" can be supplemented with another option to encrypt DNS requests for those who use SmartDNS Resolver via TLS.
The Pi-hole can be set to 192.168.1.1#6053 as the only upstream server.
My Pi-hole runs in this mode on an Orange Pi PC+
_________________ Linksys WRT1900ACSv2
Automatically adjustable temperature, always within the range of 59-68°С.