your configuration is nonsensical (why is also described in the sticky)
you don't need to enable options in the GUI if you end up overwriting it manually with "additional options".
But as a hint since your clients communicate directly with the Pi-Hole
It's just my very limited knowledge. Appreciate your response.
Quote:
your configuration is nonsensical (why is also described in the sticky)
you don't need to enable options in the GUI if you end up overwriting it manually with "additional options".
I have this fixed now and others as per example 2. I have the Custom 1 (IPv4) as 127.0.0.1#5335.
I meant the "additional dnsmasq options"
They are not needed because you can (actually) set everything in the GUI.
Yes. I have done that.
Quote:
If you have adapted everything then everything should work?
Yes. Everything works. I'll monitor and if something comes up I'll post back. Thanks again.
Edit: I have not implemented the iptables yet- will do that in a couple of days.
Posted: Fri Mar 03, 2023 23:51 Post subject: This thread is so good I had to create an account.
My main question, is if the example 2 iptables could be modified to get this working on my goofy config (see notes below). Would love some advice before I waste the entire weekend on this.
Each bridge has its own subnet assigned; Main, IOT and Guest are all isolated with iptables allowing one-way communication between BR0 -> BR2. BR3 set to permit traffic from all the other bridges: static assignment set on the PI for MGMT LAN.
Issues:
1. So far I've had trouble just accessing the pi-hole from BR0 via SSH. I suspect this is a configuration setting on the pi-hole, the unbound guide seems to provide steps for solving this issue via ACL. Potentially maybe a static route/iptable entry for ssh? pi-hole doesn't respond to ping, but other devices do when plugged in and statically assigned.
2. DNS queries only seem to be resolving on BR0, not BR1-2. Hoping the IP tables mentioned + example 2 should fix this.
Ideally, I'd like to only permit SSH from BR0 to BR3, while allowing BR1-2 access to DNS. If I can get this working with Unbound, may try to incorporate their additional settings for DoH.
Posted: Sat Mar 04, 2023 11:04 Post subject: Re: This thread is so good I had to create an account.
No configuration details no help.
CRAZYFRAMES wrote:
Issues:
1. So far I've had trouble just accessing the pi-hole from BR0 via SSH. I suspect this is a configuration setting on the pi-hole, the unbound guide seems to provide steps for solving this issue via ACL. Potentially maybe a static route/iptable entry for ssh? pi-hole doesn't respond to ping, but other devices do when plugged in and statically assigned.
This works here without any problems.
If the problem occurs only with your Pi-Hole but not with other devices then it is probably the configuration of your Pi-Hole (network setup, firewall).
I just configured mine via DHCP and switched to VLAN5 - I can ping the Pi-Hole or connect via ssh without problems.
Host '192.168.5.111' is not in the trusted hosts file.
(ssh-ed25519 fingerprint SHA256:+d6d36723e8bf4da106ee08eaf2c6a654673ba493d)
Do you want to continue connecting? (y/n)
from IOT LAN:
Code:
:~$ ssh user@192.168.5.111
ssh: connect to host 192.168.5.111 port 22: Connection refused
CRAZYFRAMES wrote:
2. DNS queries only seem to be resolving on BR0, not BR1-2. Hoping the IP tables mentioned + example 2 should fix this.
this also works here without problems (without extra dns iptable rules for br1+br2)
from IOT LAN (192.168.6.1 is the address of br2):
I have a WRT3200ACM with DD-WRT v3.0-r51741 std (02/18/23) with a Raspberry Pi with Pi-hole connected and all works fine. On the Pi-hole, I am able to see which client has requested which DNS records.
On a WRT1900ACS with DD-WRT v3.0-r47618 std (11/05/21) also with a Raspberry Pi with Pi-hole connected, I had for some time the Pi-hole able to display statistics per client. But now, for some reason, only the DD-WRT router is shown as client. I was comparing the different settings between the WRT3200ACM and WRT1900ACS, except the subnets, all was similar. I wanted to give a try to the configuration I found in the thread (3rd option), but it is still the WRT1900ACS router showing as client. Both router and Raspberry Pi have been restarted.
Any clue?
Here is the configuration from the one which does not work.
Posted: Sat Apr 15, 2023 5:59 Post subject:
@NoGool4g several times in this thread there is a reference to the documentation (a sticky in this forum).
For starters, blurring private IP addresses is useless because, well, they are private.
The Gateway is the address of the next hop; DDWRT will set that automatically if you keep it at its default 0.0.0.0 setting. Setting this as the router's own address is wrong.
Local DNS should also be kept at its default 0.0.0.0.
Just see the sticky for how you have to set up and what the pros and cons are.
Posted: Sun Apr 30, 2023 15:20 Post subject: DDWRT with 2 Pihole, how does DNS failover work?
Hi,
I hope this is the right thread to post this question. If this should be separated in an independent thread, please let me know.
I am learning to use PiHole with DDWRT. PiHole v5.16.2 on Debian 11 stable. Router is Netgear R7000 with firmware: DD-WRT v3.0-r52095 std (03/23/23)
Thanks a lot to @ho1Aetoo's guide use Pi-Hole as simple DNS-Server with DD-WRT. I use the method described in "Example2: Client <--> DD-WRT <--> Pi-Hole <--> Public DNS" which works perfectly. Now I would like to add the "High Availability" capacity by using two PiHole. There are two different ways.
Method 1. Pi-hole failover using Gravity Sync and Keepalived. The failover mechanism used here is the Keepalived service, installed on both PiHoles, exposing both Pi-hole's DNS service through a virtual IP address.
Method 2. Configure the router with two local IP addresses of the two Pihole instances. This approach is also described in ho1Aetoo's guide, example #2, mentioned above.
I would like to have a better understanding of Method 2
Question 1: The main criticism of "Method 2" by the proponents of the Keepalived cluster solution is that DNS failover is long and unreliable at client side (e.g. DNS servers configured in the client, not router). But in the "Method 2" approach, the DNS client is the DDWRT router itself. How fast does DDWRT failover between "Static DNS 1 and 2" if one of them becomes unresponsive?
Question 2: How does DDWRT use DNSmasq service? ho1Aetoo's guide recommends to empty any DNSmasq "Additional Options". While another DDWRT forum post Redundant PiHole settings shows the usage of DNSmasq options.
And please forgive me here. I should probably learn some networking concepts on my own. But I would appreciate a lot if you can help me with some pointers in the context of DDWRT.
Question 3: What is the "Ignore WAN DNS" option in DDWRT "WAN Connection Type"? Does it override (or conflict?) with the various "Static DNS 1,2,3" set in the "Dynamic Host Configuration Protocol (DHCP)" section?
Question 4: What is "DNS Rebind"? ho1Aetoo's guide shows how to disable it in the Linux config of the PiHole host (/etc/dnsmasq.d/99-stop-dns-rebind.conf), while enabling it in DDWRT (i.e. DDWRT, Dnsmasq Infrastructure, set "No DNS Rebind" = disabled).
Posted: Sun Apr 30, 2023 15:46 Post subject: Re: DDWRT with 2 Pihole, how does DNS failover work?
Tectonic Plates wrote:
Question 1: ... How fast does DDWRT failover between "Static DNS 1 and 2" if one of them becomes unresponsive?
Not sure if this is accurate. I asked ChatGPT, and here is its answer:
QUESTION: What is the default DNS timeout in DD-WRT, DNSMasq option?
(copied from ChatGPT's answer) wrote:
The default DNS timeout value in DD-WRT's DNSMasq option is 5 seconds.
This means that if a DNS query is sent to a DNS server, and the server does not respond within 5 seconds, DD-WRT will consider the server unresponsive and will try the next DNS server in the list, if available.
However, it's important to note that the DNS timeout value can be customized in DD-WRT's DNSMasq configuration, as I explained in the previous answer (example: dhcp-option=6,timeout:5). So, if the DNSMasq Custom configuration field is used to set a different value for the timeout period, the default value of 5 seconds will be overridden.
Posted: Sun Apr 30, 2023 16:16 Post subject: Re: DDWRT with 2 Pihole, how does DNS failover work?
Tectonic Plates wrote:
Question 1: The main criticism of "Method 2" by the proponents of the Keepalived cluster solution is that DNS failover is long and unreliable at client side (e.g. DNS servers configured in the client, not router). But in the "Method 2" approach, the DNS client is the DDWRT router itself. How fast does DDWRT failover between "Static DNS 1 and 2" if one of them becomes unresponsive?
why not try it out?
static DNS 1 = an IP address from your network on which no DNS server is running
static DNS 2 = Pi-Hole
and then see if internet works and DNS requests are resolved.......
Tectonic Plates wrote:
Question 2: How does DDWRT use DNSmasq service? ho1Aetoo's guide recommends to empty any DNSmasq "Additional Options". While another DDWRT forum post Redundant PiHole settings shows the usage of DNSmasq options.
And please forgive me here. I should probably learn some networking concepts on my own. But I would appreciate a lot if you can help me with some pointers in the context of DDWRT.
The vast majority of options can be set in the GUI.
And if there are GUI settings then I will not post command line voodoo howtos...
Because many users do not understand the options and like to create infinity loops.
Tectonic Plates wrote:
Question 3: What is the "Ignore WAN DNS" option in DDWRT "WAN Connection Type"? Does it override (or conflict?) with the various "Static DNS 1,2,3" set in the "Dynamic Host Configuration Protocol (DHCP)" section?
The WAN interface is usually configured automatically via DHCP / PPPoE.
and Internet providers also send DNS servers in addition to the IP and the gateway.
"Ignore WAN DNS" ignores these DNS servers.
Tectonic Plates wrote:
Question 4: What is "DNS Rebind"? ho1Aetoo's guide shows how to disable it in the Linux config of the PiHole host (/etc/dnsmasq.d/99-stop-dns-rebind.conf), while enabling it in DDWRT (i.e. DDWRT, Dnsmasq Infrastructure, set "No DNS Rebind" = disabled).
Your Pi-Hole does "DNS rebind" ...
If you request a blocked domain then your Pi-Hole answers the request with another IP address 0.0.0.0 (instead of the real one)
If you enable "stop DNS rebind" on the router then dnsmasq will spam your syslog.
The protection detects a "dns rebind" with every blocked advertisement.
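As an added illustration of the point above (editor's example, not code from this thread, from Pi-hole or from dnsmasq): a simplified model of a "stop DNS rebind" filter run over a constructed set of Pi-hole answers, showing that every blocked domain answered with 0.0.0.0 is flagged and logged. The address ranges and the log line format are assumptions approximating dnsmasq's documented private-range check, not its code.

```python
import ipaddress

# Assumption: the ranges a stop-DNS-rebind check treats as "private".
# 0.0.0.0/8 matters here because Pi-hole answers blocked domains with 0.0.0.0.
REBIND_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def trips_rebind_check(answer_ip: str) -> bool:
    """True if an upstream A-record answer falls in a range the rebind
    protection rejects (and logs)."""
    addr = ipaddress.ip_address(answer_ip)
    return addr.version == 4 and any(addr in net for net in REBIND_RANGES)


def filter_upstream_answers(answers):
    """Split (name, ip) answers coming back from the Pi-hole into the ones
    the router would pass on and the syslog lines it would emit instead."""
    accepted, logged = [], []
    for name, ip in answers:
        if trips_rebind_check(ip):
            # Approximation of the dnsmasq log message, one per blocked domain.
            logged.append(f"dnsmasq: possible DNS-rebind attack detected: {name}")
        else:
            accepted.append((name, ip))
    return accepted, logged


# Constructed sample: two blocked ad/tracker domains plus a real resolution
# and a hypothetical local name answered with a private address.
SAMPLE_ANSWERS = [
    ("example.com", "93.184.216.34"),
    ("ads.example.net", "0.0.0.0"),
    ("tracker.example.org", "0.0.0.0"),
    ("nas.lan", "192.168.1.20"),
]

if __name__ == "__main__":
    ok, log = filter_upstream_answers(SAMPLE_ANSWERS)
    print("accepted:", ok)
    for line in log:
        print(line)
```

Note that a local hostname resolved to a private address is caught by the same check, so the noise is not limited to blocked ads.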
Posted: Sun Apr 30, 2023 17:15 Post subject: Re: DDWRT with 2 Pihole, how does DNS failover work?
ho1Aetoo wrote:
The vast majority of options can be set in the GUI.
And if there are GUI settings then I will not post command line voodoo howtos...
Because many users do not understand the options and like to create infinity loops.
Can you please elaborate on "infinity loops", maybe with an example?
From your answer, I guess certain DNS functions could be set from GUI _and_ DNSmasq options. What if those options conflict with each other? Which one would take precedence? Maybe this is the case of "infinity loops" you mentioned in case a novice messed up with those overlapping settings?
Then the router asks the Pi-Hole for an address and the Pi-Hole the router ... I think I do not need to explain further ...
Maybe this is the case of beginner luck. I don't know how that infinite loop could be done in DDWRT. In my case, I set the PiHole host to use itself as DNS resolver. Here is the setting for Debian, and how to block the OS from reverting /etc/resolv.conf back to using the router as nameserver at each reboot. In my config, the PiHole host uses DHCP, acquires its local static IP 192.168.1.x from the router through DHCP reservation.