Discussion Thread Pi-Hole Sticky

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Tue Nov 01, 2022 16:59
it's all in the sticky thread

quote

Example 2 <-- the rule is to be applied to example 2

    ## filter on br0 (usually includes LAN and WLAN)
    iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.110 ! -d $(nvram get lan_ipaddr) -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr):53
    iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.110 ! -d $(nvram get lan_ipaddr) -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr):53

    192.168.1.110 = IP address of the Pi-Hole

Example 2 --> https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1256876#1256876

unbound for Example 2 --> https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1256878#1256878

your configuration is nonsensical (why is also described in the sticky)
you don't need to enable options in the GUI if you end up overwriting it manually with "additional options".

But as a hint since your clients communicate directly with the Pi-Hole

Clients <--> Pi-Hole <--> .....

you can use the rules for example 1

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1256879#1256879

how to configure example 1 properly

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1256875#1256875




i recommend example 2
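As an added illustration of what the two Example 2 rules quoted above actually match (this is my own model, not code from the sticky or from DD-WRT), the following Python applies the same `-i br0`, `! -s`, `! -d`, `--dport 53` tests to a few constructed packets. The router address 192.168.1.1 is an assumption standing in for `$(nvram get lan_ipaddr)`; the Pi-hole address is the one the example uses.

```python
"""Model of the Example 2 DNAT rules from the sticky.

Constructed illustration (not DD-WRT's or the forum's own code).  It applies
the match logic of

  iptables -t nat -I PREROUTING -i br0 ! -s <pihole> ! -d <router> \
           -p tcp --dport 53 -j DNAT --to <router>:53
  (and the identical rule for -p udp)

to constructed packets, so the effect of the two negated matches can be seen
without touching a router.
"""
from dataclasses import dataclass, replace

ROUTER_LAN_IP = "192.168.1.1"    # assumption: what $(nvram get lan_ipaddr) would return
PIHOLE_IP = "192.168.1.110"      # the Pi-hole address used in the sticky's Example 2


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def dnat_rule_matches(pkt, in_iface="br0", pihole=PIHOLE_IP, router=ROUTER_LAN_IP):
    """True if the Example 2 PREROUTING rule (tcp or udp variant) applies to pkt."""
    return (
        pkt.in_iface == in_iface      # -i br0: only traffic arriving on the LAN bridge
        and pkt.src != pihole         # ! -s: the Pi-hole's own upstream queries are exempt
        and pkt.dst != router         # ! -d: queries already aimed at the router are left alone
        and pkt.proto in ("tcp", "udp")
        and pkt.dport == 53           # --dport 53
    )


def apply_prerouting(pkt, **kw):
    """Return the packet as it looks after the nat PREROUTING chain."""
    router = kw.get("router", ROUTER_LAN_IP)
    if dnat_rule_matches(pkt, **kw):
        return replace(pkt, dst=router, dport=53)   # -j DNAT --to <router>:53
    return pkt


# Constructed sample traffic: a LAN client that hard-codes 8.8.8.8, the Pi-hole
# talking to its public upstream, a client using the router, non-DNS traffic,
# and a client on another bridge (which the "-i br0" match does not cover).
SAMPLE = {
    "client_to_public": Packet("br0", "192.168.1.50", "8.8.8.8", "udp", 53),
    "pihole_upstream": Packet("br0", PIHOLE_IP, "1.1.1.1", "udp", 53),
    "client_to_router": Packet("br0", "192.168.1.50", ROUTER_LAN_IP, "tcp", 53),
    "client_https": Packet("br0", "192.168.1.50", "8.8.8.8", "tcp", 443),
    "guest_bridge": Packet("br1", "192.168.2.20", "8.8.8.8", "udp", 53),
}


def redirected_destinations():
    """Map each sample packet name to the destination it ends up with."""
    return {name: apply_prerouting(p).dst for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, dst in redirected_destinations().items():
        print(f"{name:18s} -> {dst}")
```

The `! -s` exemption is what keeps the Pi-hole's own upstream queries from being bounced back to the router (which would be one way to build the resolver loop mentioned later in this thread), and the `-i br0` match is why the rule covers only that bridge; a second bridge needs its own copy of the rule with its own interface name.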
Jay461
DD-WRT Novice


Joined: 18 Jul 2018
Posts: 49

PostPosted: Tue Nov 01, 2022 19:19
It's just my very limited knowledge. Appreciate your response.
Quote:
your configuration is nonsensical (why is also described in the sticky)
you don't need to enable options in the GUI if you end up overwriting it manually with "additional options".

I have this fixed now and others as per example 2. I have the Custom 1 (IPv4) as 127.0.0.1#5335.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Tue Nov 01, 2022 19:40
I meant your "additional dnsmasq options"

Quote:
Additional Options:
domain-needed
log-async=5
dhcp-option=br0,6,192.168.1.80
no-negcache
server=192.168.1.80
expand-hosts



They are not needed because you can (actually) set everything in the GUI.

If you have adapted everything then everything should work?
Jay461
DD-WRT Novice


Joined: 18 Jul 2018
Posts: 49

PostPosted: Tue Nov 01, 2022 19:54
Quote:
I meant the "additional dnsmasq options"
They are not needed because you can (actually) set everything in the GUI.

Yes. I have done that.
Quote:
If you have adapted everything then everything should work?

Yes. Everything works. I'll monitor and if something comes up I'll post back. Thanks again.
Edit: I have not implemented the iptables yet- will do that in a couple of days.
CRAZYFRAMES
DD-WRT Novice


Joined: 03 Mar 2023
Posts: 1

PostPosted: Fri Mar 03, 2023 23:51    Post subject: This thread is so good I had to create an account.
My main question, is if the example 2 iptables could be modified to get this working on my goofy config (see notes below). Would love some advice before I waste the entire weekend on this. Laughing

Topology:
BR0 (Main): VLAN4, wlan0, wlan1, /24
BR1 (Guest): VLAN1, wlan1.1(VAP), /24
BR2 (IOT): VLAN3, wlan0.1(VAP), /24
BR3 (MGMT): VLAN5, /30 - pi-hole lives here
WAN: VLAN2, ETH0 - Direct Ethernet from ISP.

Each bridge has its own subnet assigned; Main, IOT and Guest are all isolated with iptables allowing one-way communication between BR0 -> BR2. BR3 set to permit traffic from all the other bridges: static assignment set on the PI for MGMT LAN.

Issues:
1. So far I've had trouble just accessing the pi-hole from BR0 via SSH. I suspect this is a configuration setting on the pi-hole, the unbound guide seems to provide steps for solving this issue via ACL. Potentially maybe a static route/iptable entry for ssh? pi-hole doesn't respond to ping, but other devices do when plugged in and statically assigned.

2. DNS queries only seem to be resolving on BR0, not BR1-2. Hoping the IP tables mentioned + example 2 should fix this.

Ideally, I'd like to only permit SSH from BR0 to BR3, while allowing BR1-2 access to DNS. If I can get this working with Unbound, may try to incorporate their additional settings for DoH.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Sat Mar 04, 2023 11:04    Post subject: Re: This thread is so good I had to create an account.
No configuration details, no help.

CRAZYFRAMES wrote:
Issues:
1. So far I've had trouble just accessing the pi-hole from BR0 via SSH. I suspect this is a configuration setting on the pi-hole, the unbound guide seems to provide steps for solving this issue via ACL. Potentially maybe a static route/iptable entry for ssh? pi-hole doesn't respond to ping, but other devices do when plugged in and statically assigned.

This works here without any problems.
If the problem occurs only with your Pi-Hole but not with other devices then it is probably the configuration of your Pi-Hole (network setup, firewall).
I just configured mine via DHCP and switched to VLAN5 - I can ping the Pi-Hole or connect via ssh without problems.

from Main LAN:
Code:
:~# ssh user@192.168.5.111

Host '192.168.5.111' is not in the trusted hosts file.
(ssh-ed25519 fingerprint SHA256:+d6d36723e8bf4da106ee08eaf2c6a654673ba493d)
Do you want to continue connecting? (y/n)

from IOT LAN:
Code:
:~$ ssh user@192.168.5.111
ssh: connect to host 192.168.5.111 port 22: Connection refused

CRAZYFRAMES wrote:
2. DNS queries only seem to be resolving on BR0, not BR1-2. Hoping the IP tables mentioned + example 2 should fix this.

this also works here without problems (without extra dns iptable rules for br1+br2)
from IOT LAN (192.168.6.1 is the address of br2):
Code:
:~$ dig google.com @192.168.6.1

; <<>> DiG 9.16.1-Ubuntu <<>> google.com @192.168.6.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60144
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.         IN   A

;; ANSWER SECTION:
google.com.      300   IN   A   172.217.23.110

;; Query time: 31 msec
;; SERVER: 192.168.6.1#53(192.168.6.1)
;; WHEN: Sa Mär 04 11:53:46 CET 2023
;; MSG SIZE  rcvd: 55

So no idea what you're doing wrong, everything works for me as it should.
NoGool4g
DD-WRT Novice


Joined: 12 Nov 2021
Posts: 13

PostPosted: Fri Apr 14, 2023 23:58
Hi guys,

I have a WRT3200ACM with DD-WRT v3.0-r51741 std (02/18/23) with a Raspberry Pi with Pi-hole connected and all works fine. On the Pi-hole, I am able to see which client has requested which DNS records.


On a WRT1900ACS with DD-WRT v3.0-r47618 std (11/05/21) also with a Raspberry Pi with Pi-hole connected, I had for some time the Pi-hole able to display statistics per client. But now, for some reason, only the DD-WRT router is shown as client. I was comparing the different settings between the WRT3200ACM and WRT1900ACS, except the subnets, all was similar. I wanted to give a try to the configuration I found in the thread (3rd option), but it is still the WRT1900ACS router showing as client. Both router and Raspberry Pi have been restarted.

Any clue?

Here is the configuration from the one which does not work.



Thanks for your help.

Cheers.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sat Apr 15, 2023 5:59
@NoGool4g several times in this thread there is a reference to the documentation (a sticky in this forum)

For starters blurring private ip addresses is useless because well they are private.

The Gateway is the address of the next hop, DDWRT will set that automatically if you keep it at its default 0.0.0.0 setting, setting this as the routers own address is wrong.
Local DNS should also be kept at its default 0.0.0.0.

Just see the sticky how you have to setup and what are the pros and cons

Furthermore you are running an old and outdated build and lots of things have changed, so for a good comparison you have to use a recent build. Current build 52306.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Sat Apr 15, 2023 7:42
Also your additional dnsmasq options seem to be wrong, looks like there is a space in the line
Tectonic Plates
DD-WRT User


Joined: 02 Oct 2012
Posts: 65
Location: Canada

PostPosted: Sun Apr 30, 2023 15:20    Post subject: DDWRT with 2 Pihole, how does DNS failover work?
Hi,

I hope this is the right thread to post this question. If this should be separated in an independent thread, please let me know.

I am learning to use PiHole with DDWRT. PiHole v5.16.2 on Debian 11 stable. Router is Netgear R7000 with firmware: DD-WRT v3.0-r52095 std (03/23/23)

Thanks a lot to @ho1Aetoo's guide use Pi-Hole as simple DNS-Server with DD-WRT. I use the method described in "Example2: Client <--> DD-WRT <--> Pi-Hole <--> Public DNS" which works perfectly. Now I would like to add the "High Availability" capacity by using two PiHole. There are two different ways.

Method 1. Pi-hole failover using Gravity Sync and Keepalived. The failover mechanism used here is the Keepalived service, installed on both PiHoles, exposing both PiHoles' DNS service through a virtual IP address.

Method 2. Configure the router with two local IP addresses of the two Pihole instances. This approach is also described in ho1Aetoo's guide, example #2, mentioned above.

I would like to have a better understanding of Method 2

Question 1: The main criticism of the "Method 2" by the proponents of the Keepalived cluster solution is that DNS failover is long and unreliable at client side (eg. DNS servers configured in the client, not router). But in the "Method 2" approach, the DNS client is the DDWRT router itself. How fast does DDWRT failover between "Static DNS 1 and 2" if one of them becomes unresponsive?

Question 2: How does DDWRT use DNSmasq service? ho1Aetoo's guide recommends emptying any DNSmasq "Additional Options". While another DDWRT forum post Redundant PiHole settings shows the usage of DNSmasq options.

And please forgive me here. I should probably learn some networking concepts on my own. But I would appreciate a lot if you can help me with some pointers in the context of DDWRT.

Question 3: What is the "Ignore WAN DNS" option in DDWRT "WAN Connection Type"? Does it override (or conflict?) with the various "Static DNS 1,2,3" set in the "Dynamic Host Configuration Protocol (DHCP)" section?

Question 4: What is "DNS Rebind"? ho1Aetoo's guide shows how to disable it in the Linux config of the PiHole host (/etc/dnsmasq.d/99-stop-dns-rebind.conf), while enabling it in DDWRT (ie. DDWRT, Dnsmasq Infrastructure, set "No DNS Rebind" = disabled).
Tectonic Plates
DD-WRT User


Joined: 02 Oct 2012
Posts: 65
Location: Canada

PostPosted: Sun Apr 30, 2023 15:46    Post subject: Re: DDWRT with 2 Pihole, how does DNS failover work?
Tectonic Plates wrote:
Question 1: ... How fast does DDWRT failover between "Static DNS 1 and 2" if one of them becomes unresponsive?


Not sure if this is accurate. I asked ChatGPT. And here is its answer

QUESTION: What is the default DNS timeout in DD-WRT, DNSMasq option?

(copied from ChatGPT's answer) wrote:
The default DNS timeout value in DD-WRT's DNSMasq option is 5 seconds.

This means that if a DNS query is sent to a DNS server, and the server does not respond within 5 seconds, DD-WRT will consider the server unresponsive and will try the next DNS server in the list, if available.

However, it's important to note that the DNS timeout value can be customized in DD-WRT's DNSMasq configuration, as I explained in the previous answer (example: dhcp-option=6,timeout:5). So, if the DNSMasq Custom configuration field is used to set a different value for the timeout period, the default value of 5 seconds will be overridden.
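Question 1 can be measured instead of guessed at. The following is an added example of mine, not DD-WRT's or dnsmasq's code and not a statement of their defaults: a minimal UDP resolver that tries a list of servers strictly in order and moves on when one stays silent for `timeout` seconds, plus a fake DNS server so the whole thing runs on localhost. The "dead" server is a bound UDP socket nobody reads from, the answer address 203.0.113.10 is a constructed value, and the 0.3 s timeout is chosen for the demo.

```python
"""Strict-order DNS failover, timed on localhost.

Constructed example, not DD-WRT's or dnsmasq's code: a minimal UDP resolver
that tries servers in order and moves on when one does not answer within
`timeout` seconds, plus a fake DNS server so everything runs offline.  The
timeout, names and addresses are constructed values, not DD-WRT defaults.
"""
import socket
import struct
import threading
import time

QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, qid):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_answer(resp, qid):
    """Return the first A record in a response, or None if it is not usable."""
    rid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or an == 0:
        return None
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4     # question: name, qtype, qclass
    off = skip_name(resp, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    off += 10
    return socket.inet_ntoa(resp[off:off + 4]) if rtype == QTYPE_A and rdlen == 4 else None

def resolve(qname, servers, timeout):
    """Try servers strictly in order; return (ip, index of the answering server, seconds)."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for idx, server in enumerate(servers):
            qid = (idx * 7919 + 1) & 0xFFFF
            s.sendto(build_query(qname, qid), server)
            try:
                resp, _ = s.recvfrom(512)
            except socket.timeout:
                continue                   # silent server: pay the full timeout, then move on
            ip = parse_a_answer(resp, qid)
            if ip:
                return ip, idx, time.monotonic() - start
    return None, None, time.monotonic() - start

def start_fake_dns(answer_ip):
    """Fake 'Pi-hole' on 127.0.0.1 that answers every A query with answer_ip."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.1)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(512)
            except socket.timeout:
                continue
            qid = struct.unpack("!H", data[:2])[0]
            qend = skip_name(data, 12) + 4
            header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; one answer
            rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
            srv.sendto(header + data[12:qend] + rr + socket.inet_aton(answer_ip), peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname(), stop

def run_demo(timeout=0.3, answer_ip="203.0.113.10"):
    """Dead 'Static DNS 1' first, the fake Pi-hole as 'Static DNS 2'."""
    dead = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    dead.bind(("127.0.0.1", 0))   # bound but never read: queries vanish, like a host with no DNS service
    live_addr, stop = start_fake_dns(answer_ip)
    try:
        ip, idx, secs = resolve("example.com.", [dead.getsockname(), live_addr], timeout)
    finally:
        stop.set()
        dead.close()
    return {"ip": ip, "answered_by": idx, "seconds": round(secs, 3)}

if __name__ == "__main__":
    print(run_demo())
```

The point the demo makes is that a server which silently drops queries costs every lookup the full timeout before the second server is even asked, whereas a closed port usually fails fast with an ICMP port-unreachable. Which of the two a "dead" Pi-hole looks like (powered off versus service stopped) decides how painful strict-order failover is, which is exactly what trying it on the router with a non-DNS address as Static DNS 1 would show.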
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Sun Apr 30, 2023 16:16    Post subject: Re: DDWRT with 2 Pihole, how does DNS failover work?
Tectonic Plates wrote:
Question 1: The main criticism of the "Method 2" by the proponents of the Keepalived cluster solution is that DNS failover is long and unreliable at client side (eg. DNS servers configured in the client, not router). But in the "Method 2" approach, the DNS client is the DDWRT router itself. How fast does DDWRT failover between "Static DNS 1 and 2" if one of them becomes unresponsive?


why not try it out?

static DNS 1 = an IP address from your network on which no DNS server is running
static DNS 2 = Pi-Hole

and then see if internet works and DNS requests are resolved.......

Tectonic Plates wrote:
Question 2: How does DDWRT use DNSmasq service? ho1Aetoo's guide recommends emptying any DNSmasq "Additional Options". While another DDWRT forum post Redundant PiHole settings shows the usage of DNSmasq options.

And please forgive me here. I should probably learn some networking concepts on my own. But I would appreciate a lot if you can help me with some pointers in the context of DDWRT.


The vast majority of options can be set in the GUI.
And if there are GUI settings then I will not post command line voodoo howtos...
Because many users do not understand the options and like to create infinity loops.

Tectonic Plates wrote:
Question 3: What is the "Ignore WAN DNS" option in DDWRT "WAN Connection Type"? Does it override (or conflict?) with the various "Static DNS 1,2,3" set in the "Dynamic Host Configuration Protocol (DHCP)" section?


The WAN interface is usually configured automatically via DHCP / PPPoE.
and Internet providers also send DNS servers in addition to the IP and the gateway.
"Ignore WAN DNS" ignores these DNS servers.

Tectonic Plates wrote:
Question 4: What is "DNS Rebind"? ho1Aetoo's guide shows how to disable it in the Linux config of the PiHole host (/etc/dnsmasq.d/99-stop-dns-rebind.conf), while enabling it in DDWRT (ie. DDWRT, Dnsmasq Infrastructure, set "No DNS Rebind" = disabled).


Your Pi-Hole does "DNS rebind" ...
If you request a blocked domain then your Pi-Hole answers the request with another IP address 0.0.0.0 (instead of the real one)

If you enable "stop DNS rebind" on the router then dnsmasq will spam your syslog.
The protection detects a "dns rebind" with every blocked advertisement.
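Two things in this thread can be checked mechanically: whether a bridge's `dig` run (like the IOT LAN transcript earlier in the thread) actually resolved and was answered by the expected server, and whether an answer would trip the router's "stop DNS rebind" check the way a Pi-hole's 0.0.0.0 block answer does. The following is an added example of mine, not the forum's or dnsmasq's code: `parse_dig` pulls status, server and A records out of a dig transcript, and `would_trip_rebind_protection` mirrors the IPv4 ranges dnsmasq's `--stop-dns-rebind` rejects in upstream answers (0/8, 10/8, 172.16/12, 192.168/16, 169.254/16, and 127/8 unless `rebind-localhost-ok` is set). `DIG_OK` is the transcript from the earlier post; `DIG_BLOCKED` is a constructed Pi-hole answer for a blocked domain.

```python
"""Check dig transcripts and flag answers that rebind protection would reject.

Constructed example, not the forum's or dnsmasq's code.  DIG_OK is the dig
transcript from the thread; DIG_BLOCKED is constructed to look like a Pi-hole
answering a blocked domain with 0.0.0.0.
"""
import ipaddress
import re

# IPv4 ranges dnsmasq rejects in upstream answers when stop-dns-rebind is on
# (0.0.0.0/8 is the one a Pi-hole block answer falls into).
REBIND_PRIVATE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

DIG_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60144
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;google.com.         IN   A

;; ANSWER SECTION:
google.com.      300   IN   A   172.217.23.110

;; Query time: 31 msec
;; SERVER: 192.168.6.1#53(192.168.6.1)
"""

# Constructed: what a Pi-hole returns for a domain on its blocklist.
DIG_BLOCKED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;ads.example.        IN   A

;; ANSWER SECTION:
ads.example.     2   IN   A   0.0.0.0

;; Query time: 1 msec
;; SERVER: 192.168.1.110#53(192.168.1.110)
"""


def parse_dig(text):
    """Return status, answering server/port and the (name, ttl, ip) A records of a dig transcript."""
    status = re.search(r"status: (\w+)", text)
    server = re.search(r";; SERVER: ([\d.]+)#(\d+)", text)
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if in_answer and not line.strip():      # blank line ends the section
            in_answer = False
        elif in_answer:
            parts = line.split()
            if len(parts) >= 5 and parts[3] == "A":
                answers.append((parts[0], int(parts[1]), parts[4]))
    return {
        "status": status.group(1) if status else None,
        "server": server.group(1) if server else None,
        "port": int(server.group(2)) if server else None,
        "answers": answers,
    }


def would_trip_rebind_protection(ip, ban_localhost=True):
    """True if dnsmasq with stop-dns-rebind would drop (and log) this answer."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False                             # only the IPv4 rules are modelled here
    if ban_localhost and addr.is_loopback:       # 127/8, unless rebind-localhost-ok is set
        return True
    return any(addr in net for net in REBIND_PRIVATE)


def check_transcript(text, expected_server):
    """Did it resolve, did the expected server answer, and which answers would rebind protection eat?"""
    d = parse_dig(text)
    return {
        "resolved": d["status"] == "NOERROR" and bool(d["answers"]),
        "served_by_expected": d["server"] == expected_server,
        "rebind_flagged": [ip for _, _, ip in d["answers"] if would_trip_rebind_protection(ip)],
    }


if __name__ == "__main__":
    print(check_transcript(DIG_OK, "192.168.6.1"))
    print(check_transcript(DIG_BLOCKED, "192.168.1.110"))
```

Run against the Pi-hole transcript it flags the 0.0.0.0 answer, which is the syslog spam described above when the router's rebind protection is left on behind a Pi-hole; the trade-off is that with the check off the router no longer rejects private-range answers from any upstream, so it is the Pi-hole that has to keep that protection.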
Tectonic Plates
DD-WRT User


Joined: 02 Oct 2012
Posts: 65
Location: Canada

PostPosted: Sun Apr 30, 2023 17:15    Post subject: Re: DDWRT with 2 Pihole, how does DNS failover work?
ho1Aetoo wrote:
The vast majority of options can be set in the GUI.
And if there are GUI settings then I will not post command line voodoo howtos...
Because many users do not understand the options and like to create infinity loops.


Can you please elaborate on "infinity loops", maybe with an example?

From your answer, I guess certain DNS functions could be set from GUI _and_ DNSmasq options. What if those options conflict with each other? Which one would take precedence? Maybe this is the case of "infinity loops" you mentioned in case a novice messed up with those overlapping settings?
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Sun Apr 30, 2023 17:53
Yes exactly, of course you don't mix several configuration examples - that leads to unpredictable results...

We had here in the forum and also in the thread already often users who have built infinite loops ...

Then the router asks the Pi-Hole for an address and the Pi-Hole the router ... I think I do not need to explain further ...
Tectonic Plates
DD-WRT User


Joined: 02 Oct 2012
Posts: 65
Location: Canada

PostPosted: Sun Apr 30, 2023 18:19
ho1Aetoo wrote:
Then the router asks the Pi-Hole for an address and the Pi-Hole the router ... I think I do not need to explain further ...


Maybe this is the case of beginner luck. I don't know how that infinite loop could be done in DDWRT. In my case, I set the PiHole host to use itself as DNS resolver. Here is the setting for Debian, and how to block the OS from reverting /etc/resolv.conf back to using the router as nameserver at each reboot. In my config, the PiHole host uses DHCP, acquires its local static IP 192.168.1.x from the router through DHCP reservation.

Code:
# dhclient-script sources every file in dhclient-enter-hooks.d before it
# would write resolv.conf; redefining make_resolv_conf as a no-op keeps
# the DHCP lease from overwriting the nameserver line
cat > /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate << EOF
#!/bin/sh
make_resolv_conf(){
  :
}
EOF

chmod +x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate

# point the host at its own Pi-hole (listening on localhost) once, by hand
sed -Ei 's/^nameserver .+$/nameserver 127.0.0.1/' /etc/resolv.conf

# then restart network or reboot (enp1s0 is this host's interface name)
systemctl restart networking
ifdown enp1s0 && ifup enp1s0


Guides used:

- Linux Make Sure /etc/resolv.conf Never Get Updated By DHCP Client

- Installing Pi-hole On Debian / Ubuntu Servers