Configure first router to reach pi-hole behind second router

Ok so the setup simplified is this

Router 1 - home Network

Router 2 - Lab and other stuff (pi-hole vm)

I'm currently using Pi-hole for DNS content filtering on the lab side behind Router 2. What I'm trying to do is also set up Router 1 to use the Pi-hole as primary DNS.

This setup is of course a bit reversed, as Pi-hole is more often set up as an endpoint.

But it should still be doable for now I hope. The question is, on my ER (second router), what needs to be configured and allowed in the WAN in/local/out side of things to allow Router 1 to utilize Pi-hole as the forwarding target?

So far I tried allowing a stateful rule allowing port 53, but so far I have been unsuccessful in getting it to work. Is it possible, or have I gotten it all wrong and need to put the Pi in the Router 1 network instead?

Please make a sketch of your network setup and post it here. That will help us understand your configuration.

Here is the basic cleaned-up network diagram of what I have. The problem being that anything connected to Router 1 does not make use of Pi-hole, while everything behind Router 2 does.
Ping connectivity exists between the two routers and their respective networks.

Ports 53 TCP & UDP for DNS.
Port 80 TCP for the HTTP admin page.

pi@noads:~ $ sudo netstat -nltup | grep 'Proto\|:53 \|:80 '
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      9651/pihole-FTL
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      579/lighttpd
tcp6       0      0 :::53                   :::*                    LISTEN      9651/pihole-FTL
tcp6       0      0 :::80                   :::*                    LISTEN      579/lighttpd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           9651/pihole-FTL
udp6       0      0 :::53                   :::*                                9651/pihole-FTL

On Router2, these need to be port forwarded to the IP of Pi-hole.
Everything in the Router1 LAN segment will need to address the Router2 WAN IP on the relevant ports to get to Pi-hole.
P.S. You won't see individual stats for the Router1 WiFi clients, as from Pi-hole's point of view all queries originate from the Router2 LAN IP.

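As an added example (not from the thread), the EdgeOS configuration that implements the port forward described in the reply above. All values are placeholders: eth0 is assumed to be the EdgeRouter's WAN port facing Router 1 with the WAN_IN ruleset applied inbound, eth1 its LAN port, 192.168.2.10 the Pi-hole VM and 192.168.1.0/24 the Router 1 LAN. The firewall rules accept only from the Router 1 subnet, so the forwarded resolver is not reachable by anything else that ends up on the WAN side of the EdgeRouter.

```text
configure

# Destination NAT: DNS (and the admin page) arriving on the EdgeRouter's
# WAN address is sent on to the Pi-hole VM.
# eth0, eth1, 192.168.2.10 and 192.168.1.0/24 are placeholder values.
set port-forward wan-interface eth0
set port-forward lan-interface eth1
# Write the WAN_IN rules by hand instead of letting auto-firewall add
# "accept from anywhere" rules for every forward.
set port-forward auto-firewall disable

set port-forward rule 1 description 'DNS to Pi-hole'
set port-forward rule 1 protocol tcp_udp
set port-forward rule 1 original-port 53
set port-forward rule 1 forward-to address 192.168.2.10
set port-forward rule 1 forward-to port 53

set port-forward rule 2 description 'Pi-hole admin page'
set port-forward rule 2 protocol tcp
set port-forward rule 2 original-port 80
set port-forward rule 2 forward-to address 192.168.2.10
set port-forward rule 2 forward-to port 80

# WAN_IN is evaluated after DNAT, so the destination is the Pi-hole address.
# Source is limited to the Router 1 LAN; everything else on that segment
# still hits the default drop of the WAN_IN ruleset.
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 description 'Pi-hole DNS from Router 1 LAN'
set firewall name WAN_IN rule 20 protocol tcp_udp
set firewall name WAN_IN rule 20 source address 192.168.1.0/24
set firewall name WAN_IN rule 20 destination address 192.168.2.10
set firewall name WAN_IN rule 20 destination port 53

set firewall name WAN_IN rule 21 action accept
set firewall name WAN_IN rule 21 description 'Pi-hole admin from Router 1 LAN'
set firewall name WAN_IN rule 21 protocol tcp
set firewall name WAN_IN rule 21 source address 192.168.1.0/24
set firewall name WAN_IN rule 21 destination address 192.168.2.10
set firewall name WAN_IN rule 21 destination port 80

commit
save
exit
```

Router 1 then hands out the EdgeRouter's WAN address as the DNS server in its LAN DHCP; after `commit`, `show nat statistics` and `show firewall name WAN_IN statistics` on the EdgeRouter show whether the forwarded queries are matching rule 1 and rule 20.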

Worked like a charm. I totally neglected that it would require port forwarding. But forwarding them to the Pi-hole IP and then setting Router 1 LAN DNS to point to the WAN interface of Router 2 did the trick.

And yeah, it's too bad DNS works that way, that you will not see the individual devices; same goes for my lab where all is pointing to the Domain Controller. But then again, blocking is the important part. As for syslogging, Splunking and all that, that's a topic for another day 🙂

Either way, thank you, it works for what it's intended for now.


If you also connect the Pi-hole box to the Router1 WiFi segment (multihomed) and configure Router1 DHCP DNS to that of Pi-hole, you have individual stats back 😉
But if that is considered an unsafe network, the Pi-hole box would require a proper firewall etc.

Yeah, that's one solution to consider. For now Router 1 is my variant of IoT-lite, where all home stuff (TV, Chromecast, family stuff) is connected, and is therefore considered unsafe. The Synology, good as it is, doesn't have all the advanced features, so atm the EdgeRouter deals with DHCP. DNS is forwarded to public DNS on both routers. At some point I will probably replace the Synology with a pfSense.

Everything behind the EdgeRouter is "important stuff". For now the goal was just to intercept all outgoing DNS and throw it down the hole.
