I'm currently using Pi-hole for DNS content filtering on the lab side behind Router 2. What I'm trying to do is also set up Router 1 to use the Pi-hole as primary DNS.
This setup is of course a bit reversed, as Pi-hole is more often set up as an endpoint.
But it should still be doable, I hope. The question is: on my ER (second router), what needs to be configured and allowed on the WAN in/local/out side of things to allow Router 1 to utilize Pi-hole as the forwarded target?
So far I have tried a stateful rule allowing port 53, but I have been unsuccessful in getting it to work. Is it possible, or have I gotten it all wrong and need to put the Pi in the Router 1 network instead?
Here is the basic cleaned-up network diagram of what I have. The problem is that anything connected to Router 1 does not make use of Pi-hole, while everything behind Router 2 does.
Ping connectivity exists between the two routers and their respective networks.
On Router2, these need to be port forwarded to the IP of Pi-hole.
Everything in the Router1 LAN segment will need to address the Router2 WAN IP on the relevant ports to get to Pi-hole.
PS: you won't see individual stats for the Router1 WiFi clients, as from Pi-hole's point of view all queries originate from the Router2 LAN IP.
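The reply above explains why a plain "allow port 53" rule did not work while a port forward did: on an EdgeRouter (Linux netfilter underneath) destination NAT runs before the router decides whether a packet is for itself (WAN_LOCAL) or to be forwarded (WAN_IN), so without a port-forward rule a query sent to Router2's WAN address stays addressed to the router and never reaches Pi-hole. The following Python model is an added example, not code from the thread or from EdgeOS; the addresses (Router1 LAN 192.168.1.0/24, Router2 WAN 192.168.1.2, Router2 LAN 10.10.0.0/24, Pi-hole 10.10.0.53), the client packets and the `allowed_src` source restriction are constructed assumptions. It goes one step beyond the thread by restricting the forward to Router1's LAN, so the forward cannot serve any other network that can reach Router2's WAN address.

```python
"""Model of how a DNS query from Router1's LAN reaches Pi-hole behind Router2.

Constructed example (not from the thread). Addresses are assumptions:
Router1 LAN 192.168.1.0/24, Router2 WAN 192.168.1.2, Router2 LAN 10.10.0.0/24,
Pi-hole 10.10.0.53. The packet-path order modelled is the Linux/EdgeOS one:
destination NAT (port-forward) runs before the router decides whether a packet
is for itself (WAN_LOCAL) or to be forwarded (WAN_IN).
"""
from dataclasses import dataclass, replace
import ipaddress

ROUTER1_LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed
ROUTER2_WAN_IP = ipaddress.ip_address("192.168.1.2")   # assumed
ROUTER2_LAN = ipaddress.ip_network("10.10.0.0/24")     # assumed
PIHOLE_IP = ipaddress.ip_address("10.10.0.53")         # assumed

DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str      # "udp" or "tcp"; DNS needs both
    dport: int


@dataclass(frozen=True)
class PortForward:
    """Roughly an EdgeOS 'port-forward rule': inbound on the WAN address,
    matching port/protocol, rewritten to an inside host. allowed_src is a
    tightening added in this example so only Router1's LAN can use it."""
    original_port: int
    protocols: frozenset
    forward_to: ipaddress.IPv4Address
    forward_port: int
    allowed_src: ipaddress.IPv4Network


def apply_dnat(pkt: Packet, rules) -> Packet:
    """PREROUTING: rewrite the destination if a port-forward rule matches."""
    for r in rules:
        if (pkt.dst == ROUTER2_WAN_IP and pkt.dport == r.original_port
                and pkt.proto in r.protocols and pkt.src in r.allowed_src):
            return replace(pkt, dst=r.forward_to, dport=r.forward_port)
    return pkt


def router2_path(pkt: Packet, port_forwards, wan_in_allows_dns: bool):
    """Decide what Router2 does with an inbound WAN packet.

    Returns (verdict, packet_after_nat). Model assumptions: Router2 runs no
    resolver on its WAN side (its own forwarder only serves the LAN), so a
    port-53 packet that stays addressed to the router is never answered;
    WAN_IN drops by default and accepts DNS only if the rule is present.
    """
    pkt = apply_dnat(pkt, port_forwards)
    if pkt.dst == ROUTER2_WAN_IP:
        return "local-unanswered", pkt        # WAN_LOCAL: nothing listening on 53
    if pkt.dst in ROUTER2_LAN:
        if wan_in_allows_dns and pkt.dport == DNS_PORT:
            return "forwarded", pkt            # WAN_IN accept, routed to the LAN host
        return "dropped", pkt
    return "dropped", pkt


DNS_FORWARD = PortForward(DNS_PORT, frozenset({"udp", "tcp"}),
                          PIHOLE_IP, DNS_PORT, ROUTER1_LAN)


def scenarios():
    """The cases from the thread, as constructed packets."""
    client = ipaddress.ip_address("192.168.1.50")     # a Router1 LAN device (assumed)
    outsider = ipaddress.ip_address("203.0.113.9")    # not Router1's LAN (documentation range)
    q = Packet(client, ROUTER2_WAN_IP, "udp", DNS_PORT)
    q_tcp = Packet(client, ROUTER2_WAN_IP, "tcp", DNS_PORT)
    q_out = Packet(outsider, ROUTER2_WAN_IP, "udp", DNS_PORT)
    return {
        # what the poster tried first: a stateful accept on port 53, no port-forward
        "accept_only": router2_path(q, [], wan_in_allows_dns=True),
        # the working fix: port-forward 53 (udp+tcp) to Pi-hole
        "port_forward_udp": router2_path(q, [DNS_FORWARD], wan_in_allows_dns=True),
        "port_forward_tcp": router2_path(q_tcp, [DNS_FORWARD], wan_in_allows_dns=True),
        # the source restriction keeps the forward from serving anyone else
        "outsider": router2_path(q_out, [DNS_FORWARD], wan_in_allows_dns=True),
    }


if __name__ == "__main__":
    for name, (verdict, pkt) in scenarios().items():
        print(f"{name:18s} -> {verdict:16s} dst={pkt.dst}:{pkt.dport}/{pkt.proto}")
```

Running the block prints one line per case: the accept-only case ends as `local-unanswered` with the destination still 192.168.1.2, the two port-forward cases end as `forwarded` with the destination rewritten to 10.10.0.53 for both UDP and TCP, and the packet from outside Router1's LAN is left untouched. The same check applies on the real router: if a query to Router2's WAN address does not show up in the Pi-hole query log, the missing piece is the DNAT, not a firewall accept.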
Worked like a charm. I totally neglected that it would require port forwarding. But forwarding them to the Pi-hole IP and then setting the Router 1 LAN DNS to point to the WAN interface of Router 2 did the trick.
And yeah, it's too bad DNS works that way, so that you will not see the individual devices; the same goes for my lab, where everything is pointing to the Domain Controller. But then again, blocking is the important part. As for syslogging, Splunking and all that, that's a topic for another day.
Either way, thank you; it works for what it's intended for now.
If you also connect the Pi-hole box to the Router1 WiFi segment (multihomed) and configure the Router1 DHCP DNS to that of Pi-hole, you have individual stats back.
But if it is considered an unsafe network, the Pi-hole box would require a proper firewall, etc.
Yeah, that's one solution to consider. For now Router 1 is my variant of IoT-lite, where all home stuff (TV, Chromecast, family stuff) is connected, and therefore considered unsafe. The Synology, good as it is, doesn't have all the advanced features, so atm the EdgeRouter deals with DHCP. DNS is forwarded to public DNS on both routers. At some point I will probably replace the Synology with a pfSense.
Everything behind the EdgeRouter is "important stuff". For now the goal was just to intercept all outgoing and throw it down the hole.