Combining Pi-Hole with Circle on Netgear

I recently got Circle and Pi-Hole playing nicely together, and I wanted to document the gotchas here in case it could help anyone else.

Background

Circle is parental control software that works at the network level. It's available in a standalone device (that uses ARP poisoning...:grimacing:), and is also included as a feature on some Netgear routers. In a nutshell, it allows you to assign devices to users, and to set individual restrictions for each of those users. The restrictions are enforced by DNS.

https://meetcircle.com/netgear

Network Layout

My network is a bit complicated, with 3 routers between my LAN and the internet:

LAN <---> Netgear R7000 <---> Ubiquiti ER-X <---> ISP Modem <---> Internet
          (with Circle)            |
                                   |
                                Pi-Hole

The DNS setup is also a bit complicated and looks like this:

LAN <---> Circle <---> Pi-Hole <---> Cloudflare / Quad 9

First Issue - The IP Conflict that Wasn't

With the Netgear in router mode and Circle enabled, it sets itself as the DNS server for downstream (LAN) devices. It also forces you to set its WAN IP address and its upstream DNS servers via DHCP rather than manually.

When I tried to set the Netgear's upstream DNS server to a LAN address via DHCP, the Netgear software concluded that my LAN address space must be in conflict with my ISP's WAN address space, and automatically flipped the LAN address space over to 10.0.0.0/0.

To get around this, I moved the Pi-Hole server to the WAN side of the Netgear. In my case this is the LAN side of the Ubiquiti EdgeRouter X, but it could just as easily be my ISP's modem.

Second Issue - Pi-Hole Blocking Mode

The Circle software did not respond well to the Pi-Hole's default blocking mode. From the client perspective a blocked query would hang, with the browser displaying Resolving host... but never getting anywhere.

This appeared to be resolved by switching the Pi-Hole's blocking mode to NODATA as described at Blocking mode - Pi-hole documentation.

However, some errors persisted, and appeared to be associated with specific TLDs, e.g. .ca, .org. This was resolved by disabling DNSSEC on the Pi-Hole. This setting is located in the GUI at Settings --> DNS --> Advanced DNS settings --> Use DNSSEC.

Conclusion

That's it! Everything seems to be running smoothly now, so we'll see how it goes. Hopefully this post can help folks in a similar situation.

1 Like

I've found your article while looking up Pi-Hole with R7000 and Disney. I don't have Ubiquiti in my setup.
However, I'm new to Pi-Hole and have limited networking knowledge. Can you please help me with the configurations I need in my setup?
I don't have anything custom configured in my router except for enabling Disney under Parental controls. And I'm using the Disney app, not the device.

Thanks for your time and help!

Sure, no problem. Can you tell me:

  • What hardware are you running the Pi-Hole service on?
  • Is your Netgear router connected to a modem from your ISP?

With that info we should be able to work it out.

Pi-hole is on Raspberry Pi Zero W.
Yes, R7000 is connected to a modem.

Thanks!

Okay, great. This should work:

  • Assuming that the modem is also a wireless router, turn the wireless on (securely).
  • Join the Pi Zero W to the modem's wireless, and give it a static IP (or DHCP reservation).
  • Adjust the modem's DHCP server settings to use the Pi Zero W as the LAN-side DNS server.
  • Restart the R7000 to get the new DHCP settings from the modem.

On the R7000, you should see something like this, with the Pi-Hole IP address listed as the Primary DNS, and similar to the modem's address under Gateway IP Address:

With that, you should be all set. DNS requests from your devices will go to the R7000 where they'll be filtered (or not) by Circle, and those not filtered will go to the Pi-Hole, and then to your upstream DNS providers.

Just one other note: I found that having a Secondary DNS server configured on the modem would cause the Pi-Hole to be bypassed in some cases, presumably because they could respond faster. So I've stuck with just the Pi-Hole, which remains a single point of failure.

Let me know if you have any trouble.

I'll try this and let you know. Meanwhile, while installing Pi-Hole, it prompts for upstream DNS servers. What selection do you recommend there?
Thanks.

Each has its own merits. This page has some information that may help you decide what is best for you.

https://docs.pi-hole.net/guides/upstream-dns-providers/

Got it. Is this something which can be configured later post-install? Or the decision made during install is immutable? Thanks.

This can be changed at any time after install. Look at Admin GUI > Settings > DNS. You can select any of the pre-populated servers, or put your own in the custom entries.

Thanks! Will give a try.

It's not letting me update the DNS address to PiHole IP in router screen. Error: The DNS server setup will not take effect due to parental control is enabled. If you need to configure DNS manually, please disable parental controls.
Disabling parental controls will disable the Circle too.

Yes, you need to set the DNS server in the DHCP settings on the modem, which will then push it down to the router. It should be in the modem's settings somewhere, maybe under something like LAN.

When I try to enter DNS, it stops me with this error.

Yes, you need to set it up in the DHCP settings on the modem, rather than the router. The settings should look something like this:

Ah! Let me try to log on to my Motorola Docsis 3.0 modem.
Will let you know.
Thanks.

Let me throw my 2 cents into this (as I have the R8000 and I've been down this rabbit hole myself).

It won't work.

The way Circle is embedded within the Netgear firmware prevents you from using it combined with Pi-hole.
Why?

Because, at its root, it's tied to the Netgear DHCP server.

So, If you use the router's DHCP server, you can only use Circle and no Pi-hole as the Disney DNS servers get broadcasted at DHCP level, for the connecting clients.

A logical way would be a setup like this:

Router gets the DHCP IP from the ISP. When Circle is enabled, it uses the DISNEY DNS' as its UPSTREAM, and leaves the LAN DHCP server untouched.

It doesn't happen quite like that ...
It's actually:

Router gets IP from ISP and doesn't touch/bypass the ISP DNS servers. Instead, it forces all the LAN traffic via the Disney DNS servers (intercepting and taking over everything that's on port 53).

So long story short, you can't do it as everything is handled/managed by the router.

If you disable the DHCP within the Netgear, well... Circle disables itself too ...

So no circle BUT, you can use OpenDNS' parental controls ... And they are pretty powerful too ...

Give them a look at:

Here are some of the options:

With some more options:

I personally gave up on the Circle path as this was a lot easier for me to set-up, assign and manage the OpenDNS option.

1 Like

@RamSet - thanks for your detailed explanation.
But, now I'm more confused. @michaeldavie has his setup working with Circle. So, what is different in his configuration than yours?

My setup has the Netgear receiving the IP straight from the ISP on the WAN port.

His setup seems to have a DHCP server in front of it (I think that's the router with the main internet pipe).

My setup is like this:

ISP DHCP-NETGEAR-rest of the network
His is ISP DHCP--> ISP LAN DHCP --> Netgear --> rest of the network

In my case Netgear is the core of the network and I could install another device in front of it that would enable a more complex setup in which the Circle setup would be possible.

I decided to opt out of as many failure/management points as possible and even so, sometimes I feel like my busy home network (>40 devices) is sometimes tedious to manage ...

One thing to keep in mind, regardless of whether you use Circle or OpenDNS .. unless you do selective DNS assignment, where adults' devices get only Pi-hole and surf unrestricted and kids' devices get Circle, everything will fall under the parental controls of Circle ...

@RamSet, what you've described is accurate; if you are using a modem in bridge mode rather than as an IP router it won't work. However, that's not the standard configuration for most ISP modems, which typically do NAT themselves, and in @Sam_K's case it should work fine.

I've complicated things further in my case by adding an additional router between the modem and the Netgear, but that's because I wanted a box that I trust more than either of them to be exposed to the internet (and to handle some other stuff).

The Circle filtering is per-device, so I'm not sure what you mean by your last point. I currently have Circle enabled, but with no filters set for any devices and everything is running fine.

Ah yes .. I stand corrected ...

I remember not getting that far into my attempt/setup.

On top of the network layout (that I have), which didn't quite allow it to work as intended, the $4.99/mo for the good stuff threw me off :slight_smile:

1 Like