Console Network says “Device does not use Pi-hole”

deHakkelaar is right about taking this one step at a time.

Let's briefly return to what we already had established:
jfb's analysis of your debug log has shown your Pi-hole to be fully operational.
However, nslookups and traceroutes as suggested by jfb and deHakkelaar have revealed connectivity issues. Those types of issues are most likely related to your router's configuration.

As you are trying to set up Pi-hole in a single VLAN only, it's unlikely that this is related to routing, as you would not need to cross subnet boundaries in that scenario.
This leaves firewalling or port-forwarding as possible causes, as well as issues with handling DNS traffic itself (like a possible DNS loop I mentioned before).

We're all willing to help you on your way, but with regards to your router, you'll have to find out for yourself. I, for one, have never heard of or dealt with a Pepwave device before, so am not aware of your router's capabilities, its limitations and restrictions. We can point you in a general direction, but you'd have to go the last mile (or a few more) by yourself. That's why I suggest you also consider using additional sources of support with your router.

So, when following the steps from your other topic, do not set Pi-hole as your DNS server yet.

Let's first try to establish that your devices are indeed on the same subnetwork by running
ip address show
from your Pi-hole machine as well as from your Macbook, both connected to your IoT-VLAN.
And try to ping each device from the other by their respective IP address, e.g.
ping -c 3 10.241.71.<x>
where <x> is replaced by the correct number.

Good advice - I'll check connectivity before enabling Pi-Hole as DNS. Before seeing your previous advice I re-flashed my card, so I'll be starting over, and this time I'll try covering all of the VLANs using Pi-Hole as DNS, and the router as DHCP, with the RPi on my main LAN in order to make it easier to reach. This config appears more popular and thus I can find more instructions.

WRT the router, the Pepwave Surf SOHO is a low-end business router, with good support and frequent firmware updates. It's being discovered by people who want better than mass market router security but who don't feel up to open source routers.

It's set up with Pi-Hole as the DNS and the router as DHCP, covering all the VLANs. I'm still having trouble with the DNS:
the Pi-Hole is using the proper DNS IP, while the devices are all using the main LAN's default gateway for DNS, even though I changed them on each VLAN page. I'll talk to the router folks about this.

I'm making progress on this and thought I'd report my findings so far. Starting simply, on the router's main untagged LAN I haven't had to change anything on the router itself.

The most important change I did make has been to the ufw firewall. On all previous installations Pi-Hole said it detected a firewall and would I like it to open the default ports - I said okay. It turns out there were no ports opened by the installer, so I added two:
"sudo ufw allow from 10.xxx.xxx.0/24 to any port 53" (and then "80").

On installation I agreed to keeping the Pi's current IP as static, then went into the router and gave that IP as a Reservation.

The Mac laptop still didn't point to the Pi-Hole as DNS, even after renewing leases, so I added the Pi manually as DNS.

That seems to work, a little. On the Mac terminal "grep nameserver <(scutil --dns)" shows the Pi's IP. Using dig instead of nslookup, for "dig flurry.com" it does resolve it. The Mac now shows in green in the Pi's Network tab.

Also, the Pi-Hole Query Log shows Flurry.com as Blocked (gravity). The only problem is that is the only thing it has blocked out of 146 queries from several news sites.

Do I still have a problem?

Thanks for the update - a new debug token may help us to better assess your current Pi-hole configuration.

That firewall rule seems a bit tight if you want to expand providing Pi-hole to other subnets as well some time later, and it would also lack IPv6 specifics if you'd plan on using IPv6.

I assume that ufw is running on your Pi-hole machine, so you may want to consult Pi-hole's corresponding documentation.

Do you still intend your router to distribute Pi-hole via DHCP for IoT devices on a VLAN?
Then that would imply a configuration problem in your router.
Even if manual override works on your Mac, you may run into IoT devices that do not allow manual DNS configuration.

flurry.com should be resolved to 0.0.0.0 if you run that DNS request through a standard Pi-hole with default blocklists.
What does it resolve to on your Mac?

Thanks. Token: https://tricorder.pi-hole.net/kmtonzx1k2

[quote="Bucking_Horn, post:27, topic:29231"]
That firewall rule seems a bit tight if you want to expand providing Pi-hole to other subnets as well some time later, and it would also lack IPv6 specifics if you’d plan on using IPv6.
[/quote]
Right - it's part of the "start small and add complications" effort. I won't be using IPv6 any sooner than I have to. I can add two more addresses for the two VLANs or learn something about subnet masks and do it all at once when they're needed.

Yes, it is, and I'll do that. I'm surprised that the Pi-Hole installer didn't add the rules - it implied it would.

"Even if manual override works on your Mac, you may run into IoT devices that do not allow manual DNS configuration."
Yes - that concerns me and implies I don't have a handle on this situation.

It resolves to zero zero zero zero on both Pi and Mac.

Edit 1: I got my first two blocks that weren't flurry.com - maybe it's working. I'm running only the default blocklists.
Edit 2: My iPhone is using Pi-Hole without my manually adding it to the phone.

Your debug shows Pi-hole as up and running with flawless IPv4 connectivity, but still shows only one client (i.e. Pi-hole itself) is using it - much as it has been before, I am afraid:

   [2020-03-13 10:25:42.978 986] Imported 87 queries from the long-term database
   [2020-03-13 10:25:42.978 986]  -> Total DNS queries: 87
   [2020-03-13 10:25:42.978 986]  -> Cached DNS queries: 31
   [2020-03-13 10:25:42.978 986]  -> Forwarded DNS queries: 56
   [2020-03-13 10:25:42.978 986]  -> Exactly blocked DNS queries: 0
   [2020-03-13 10:25:42.978 986]  -> Unknown DNS queries: 0
   [2020-03-13 10:25:42.978 986]  -> Unique domains: 30
   [2020-03-13 10:25:42.978 986]  -> Unique clients: 1
   [2020-03-13 10:25:42.979 986]  -> Known forward destinations: 2

It should at least have registered your flurry.com queries, but has indeed blocked no DNS query so far (which is in line with no other client than Pi-hole).

How did you observe your other two blocks?

With regards to your firewall,

Why do you think that Pi-hole didn't add any rules?

Console log:
2020-03-13 15:02:52 A s.marketwatch.com (Mac LAN IP address) Blocked(gravity) ##This is my iPhone
...
2020-03-13 12:51:37 A stats.wp.com localhost Blocked(gravity)
...
2020-03-13 12:45:06 A www.smokersopinionpoll.com raspberrypi Blocked(gravity)

When I looked at it (sudo status verbose) the only rules were the ones I put there previous to installing Pi-Hole. After I installed them (and manually added the DNS to the Mac), things appeared to work a little. As I mentioned, I did not add my iPhone's DNS manually. There are a few others, but these are examples of the types.

Edit: Here's a fascinating one: 2020-03-13 15:07:02 A amazon-adsystem.com (ip address of Amazon Fire Stick that's on an entirely different LAN/VLAN) Blocked(gravity). It shouldn't be reachable - different VLAN, no inter-VLAN routing, DNS servers automatically.

Try another token, please: https://tricorder.pi-hole.net/2d487c9ru1

That Query Log excerpt of yours looks good. :wink:
Does your Macbook show up there as well by now?

ufw is a convenience frontend for iptables.
Pi-hole adds its firewall rules directly to iptables, the command to list them is:

sudo iptables -L

for IPv4 rules.

Edit: removed the IPv6 part for now, to keep it simple.

I am not sure whether ufw is clever enough to pick those up automatically, but I am confident Pi-hole does add them if it says so.

Excellent - maybe you just created that former token too early :wink:

We have multiple clients now, and a few blocks as well:

   [2020-03-13 14:36:27.066 981] Imported 314 queries from the long-term database
   [2020-03-13 14:36:27.066 981]  -> Total DNS queries: 314
   [2020-03-13 14:36:27.066 981]  -> Cached DNS queries: 75
   [2020-03-13 14:36:27.066 981]  -> Forwarded DNS queries: 230
   [2020-03-13 14:36:27.066 981]  -> Exactly blocked DNS queries: 9
   [2020-03-13 14:36:27.066 981]  -> Unknown DNS queries: 0
   [2020-03-13 14:36:27.066 981]  -> Unique domains: 102
   [2020-03-13 14:36:27.066 981]  -> Unique clients: 4
   [2020-03-13 14:36:27.066 981]  -> Known forward destinations: 2

And by the way:
You can also use nano /var/log/pihole_debug.log on your Pi-hole for analysing your installation yourself :wink:
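
Added example (not part of the original posts, and not Pi-hole project code): the by-eye comparison of the two FTL summaries quoted in this thread, written as a small Python parser. The function names and the two checks are assumptions made for illustration; the sample text is copied from the excerpts above.

```python
import re

# Matches the first line of a summary block, e.g.
#   [2020-03-13 10:25:42.978 986] Imported 87 queries from the long-term database
IMPORT_LINE = re.compile(r"^\s*\[[^\]]+\]\s+Imported \d+ queries from the long-term database")
# Matches the counters that follow, e.g.
#   [2020-03-13 10:25:42.978 986]  -> Unique clients: 1
COUNTER_LINE = re.compile(r"^\s*\[[^\]]+\]\s+->\s+(?P<key>[^:]+):\s+(?P<value>\d+)\s*$")

def parse_ftl_summaries(text):
    """Return one dict of counters per 'Imported N queries' block in the text."""
    blocks = []
    for line in text.splitlines():
        if IMPORT_LINE.match(line):
            blocks.append({})
            continue
        m = COUNTER_LINE.match(line)
        if m and blocks:  # ignore counters that appear before any block header
            blocks[-1][m.group("key").strip()] = int(m.group("value"))
    return blocks

def assess(summary):
    """Flag the two symptoms discussed in the thread; an empty list means neither."""
    findings = []
    clients = summary.get("Unique clients")
    if clients is None:
        findings.append("summary has no 'Unique clients' counter")
    elif clients <= 1:
        findings.append("only one client seen: likely just the Pi-hole host itself")
    if summary.get("Total DNS queries", 0) and not summary.get("Exactly blocked DNS queries", 0):
        findings.append("queries were answered but none was blocked")
    return findings

# Sample input: lines copied from the two debug-log excerpts in this thread.
SAMPLE = """\
   [2020-03-13 10:25:42.978 986] Imported 87 queries from the long-term database
   [2020-03-13 10:25:42.978 986]  -> Total DNS queries: 87
   [2020-03-13 10:25:42.978 986]  -> Exactly blocked DNS queries: 0
   [2020-03-13 10:25:42.978 986]  -> Unique clients: 1
   [2020-03-13 14:36:27.066 981] Imported 314 queries from the long-term database
   [2020-03-13 14:36:27.066 981]  -> Total DNS queries: 314
   [2020-03-13 14:36:27.066 981]  -> Forwarded DNS queries: 230
   [2020-03-13 14:36:27.066 981]  -> Exactly blocked DNS queries: 9
   [2020-03-13 14:36:27.066 981]  -> Unique clients: 4
"""

if __name__ == "__main__":
    for number, summary in enumerate(parse_ftl_summaries(SAMPLE), start=1):
        print(f"snapshot {number}: {summary}")
        for finding in assess(summary) or ["clients are querying and blocks are recorded"]:
            print(f"  - {finding}")
```

Lines that do not match either pattern are skipped, so the same functions can be fed the full text of a debug log.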

Thanks. I didn't think to look below ufw.

Yes, but it was showing up when I added the DNS manually. My iPhone added itself after an invitation (it's on the same SSID/LAN).

But why did Amazon add itself? I never provided it with an SSID password?

Pi-hole is not concerned with authentication or routing at all.
That would be your router's job.

Right. I was just shocked.

Your router seems to be a quite capable and flexible device.

It'll take a while to get the hang of it, especially if you are new to the whole matter of networking. The community at Pepwave seems to be as friendly as we are here (well, almost, I hope) - and they use discourse as well :wink:

From Pi-hole's point of view, you now have a fully operational installation and finally managed to integrate it into your network - time for a little celebration. :partying_face:

Thank you all - I really appreciate the hand-holding. I've come a good way since I started, but I'm still a newbie.
