Can only see the same 6 clients

I can’t find anything about iptables, but doing a search on Google, I can see that it has something called DNSfilter, which could do the same - but I don’t know anything about that.

DNSfilter screenshot

Could you try putting Pi-hole’s IP address in there? Again, there are different ways to integrate Pi-hole into your network, such as:

  • Pi-hole → Router → External DNS (Turn conditional forwarding on and for client hostnames, push out Pi-hole via DHCP)/This is my configuration
  • Router → Pi-hole → External DNS (All clients should theoretically use Pi-hole, however, all requests will originate from the IP address of the router)
  • Use Pi-hole as the DHCP server, the only downside to this is that you can only use it for one network from my experience.
  • Can Pi-hole sit in between the networks, with two interfaces? I have one Pi-hole sitting on different VLANs… It would still be Pi-hole, just with different IP addresses so that each network can still be separated, but still access it.

I know that with most routers that have a parental control option, they usually force the DNS servers via DNAT, or they allow port 53 only to a specified name server… I am unsure how this will work with the ASUS router if you have separated networks…

This may seem kind of odd, but I think you can use the Ethernet and Wi-Fi on the Raspberry Pi simultaneously. What if you wired the Pi into one network, and then Wi-Fi onto the other where the clients are not showing up?

@MikeWatson Can you give me a briefing of your network setup/topology? This will better help us all come to a solution. Screenshot(s) would be nice…

I have not dealt with Merlin iptables, nor ever actually used the firmware. It appears they are in fact supported.


Does Merlin have any support forums? You can solve this by forwarding port 53 to the pi on the main network with iptables. Hope this helps point you in the right direction.

Upon further inspection they may be limited in comparison to other third-party firmwares.

You may be able to forward the port from the normal gui menu?

https://www.snbforums.com/threads/asus-rt-ac86u-running-merlin-guest-network-setup-with-local-dns-pihole.55734/

@jaykepeters There’s nothing much to say about my network settings. But I have set up a guest network and main network. Pi-hole is on the main network, and separated from the guest network and can’t see this network. I think that most routers can create a guest network, and that’s what I have done.


@drewski Should I think of port 53 as a connection between my main network and guest network?

Yes, there is a support forum. Will take a look at it.

@DanSchaper Thanks.

Yes, this is what would allow Pi-hole on both networks without any other communications. Have you tried setting Pi-hole to listen on all interfaces, like suggested on the other forum?

@drewski

How do you add my question to your post? I can only add your name.

No, I have not tried it yet, but will soon. On SNBforums it seems to be possible to do it with DNSfilter.

Highlight the text and click quote.


I just tried the DNS-filter option and it seems to do the job, letting both the guest and main network use Pi-hole… but in the Pi-hole log, all traffic seems to come from my router now. Before, I was able to see which devices were blocked or asking for queries. Now it all comes from the router.

I’ll try to see if port 53 does the same.

You may need ports 67/68 also.

https://www.juniper.net/documentation/en_US/junos/topics/concept/dhcp-extended-firewall-filter-overview.html

These are my guest network firewall rules/iptables on dd-wrt.

iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -p tcp --dport 53 -j REJECT
iptables -I FORWARD -i br1 -p udp --dport 53 -j REJECT
iptables -I FORWARD -i br1 -p tcp -d ip.of.pi --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -p udp -d ip.of.pi --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to ip.of.pi
iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to ip.of.pi
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

I just tried the port 53 forward, and it does not seem to work. Pi-hole can’t see both networks, only the main network.

So far the best solution is to use DNS filter, which allows Pi-hole to see both networks, but makes all traffic look like it comes from my router.

Sounds good. Fortunately I see all of my clients individually.

This is the rule that allows individual clients in the dashboard on a wired pi. Once again dd-wrt.

iptables -t nat -I POSTROUTING -o vlan1 -j MASQUERADE

Have you thought about trying alternate firmwares?

I would really like to run dd-wrt, but my ASUS router can’t. I can only run Merlin or the stock firmware on it.

I have an old Linksys router somewhere that can run dd-wrt, maybe I should try to install dd-wrt on it some day.

Do you run VLANs on your dd-wrt? Instead of a guest network, I would like to separate my network using VLANs.

But it seems to be possible to use Pi-hole on separate networks and still be able to see the name of each device.

Just found out that dd-wrt was released a few months ago for my router 🙂

My networks are on separate bridges, br0 and br1. The first rule isolates the guest network on br1 from the main network on br0; no VLANs necessary. The bridge br0 can actually still talk to the devices on br1. If one wanted to block communication both ways, this rule needs to go after the first.

iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j REJECT
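As an added example (not from anyone in this thread), here are the dd-wrt guest-network rules posted earlier plus the two-way isolation rule just above, rewritten with -A so the script order is the order the kernel walks the chain, with an ordering check and a dry-run mode. PI_IP, GUEST_IF and LAN_IF are assumed placeholders; 192.0.2.53 is a constructed address.

```shell
#!/bin/sh
# Added example, not the thread's own config. Rewrites the quoted dd-wrt rules
# with -A (append) so script order equals chain evaluation order. Set
# IPT="echo iptables" to print the commands instead of applying them.
PI_IP="${PI_IP:-192.0.2.53}"   # Pi-hole on the main LAN (constructed address)
GUEST_IF="${GUEST_IF:-br1}"    # guest bridge (placeholder)
LAN_IF="${LAN_IF:-br0}"        # main LAN bridge (placeholder)
IPT="${IPT:-iptables}"         # binary to run; word-split on purpose below

# Emit the rule arguments top-down in evaluation order. The thread's version
# used -I, which prepends, so its ACCEPT lines had to come after its REJECT
# lines; with -A the list reads the way the FORWARD chain is evaluated.
guest_dns_rules() {
    cat <<EOF
-t nat -A PREROUTING -i $GUEST_IF -p udp --dport 53 -j DNAT --to $PI_IP
-t nat -A PREROUTING -i $GUEST_IF -p tcp --dport 53 -j DNAT --to $PI_IP
-A FORWARD -i $GUEST_IF -d $PI_IP -p udp --dport 53 -j ACCEPT
-A FORWARD -i $GUEST_IF -d $PI_IP -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $GUEST_IF -p udp --dport 53 -j REJECT
-A FORWARD -i $GUEST_IF -p tcp --dport 53 -j REJECT
-A FORWARD -i $GUEST_IF -o $LAN_IF -m state --state NEW -j REJECT
-A FORWARD -i $LAN_IF -o $GUEST_IF -m state --state NEW -j REJECT
EOF
}

# Guard against the classic ordering mistake: the ACCEPT towards Pi-hole must
# sit above the guest->LAN REJECT, otherwise guest DNS never reaches the Pi
# (DNAT only rewrites the destination; FORWARD still has to allow the packet).
rules_in_order() {
    acc=$(guest_dns_rules | grep -nF -- "-d $PI_IP -p udp" | cut -d: -f1)
    rej=$(guest_dns_rules | grep -nF -- "-o $LAN_IF -m state" | cut -d: -f1)
    [ -n "$acc" ] && [ -n "$rej" ] && [ "$acc" -lt "$rej" ]
}

# Apply the rules one by one, refusing to start if the order is wrong.
apply_rules() {
    rules_in_order || { echo "rule order wrong, refusing to apply" >&2; return 1; }
    guest_dns_rules | while IFS= read -r rule; do
        $IPT $rule || exit 1        # unquoted: split "$IPT" and the rule into words
    done
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     guest_dns_rules | sed 's/^/iptables /' ;;
esac
```

On dd-wrt this belongs in the firewall script (Administration, Commands, Save Firewall); afterwards `iptables -S FORWARD` should list the ACCEPT to the Pi above the guest-to-LAN REJECT.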