Eero, Pi-hole, Homebridge, Strongswan

Expected Behaviour:

System wide traffic requests resolve through pi-hole.

Setup is:
Modem: Arris
Router: Eero Pro 6 + Eero 6 Extender - providing DHCP (v6.6.1)
Switch: TP-Link 8 Port Gigabit
Pi: Buster, fully updated - using Lighttpd
Homebridge, fully updated
Strongswan, fully updated

Actual Behaviour:

I have been researching for the last few days and have read through a number of variations of this issue that I can find. I have pihole running on an rpi at 192.168.0.40. It also has an install of Homebridge & Strongswan installed as well. I have started with several clients manually set to resolve through it. DHCP addresses are doled out from the eero router, then the clients resolve via pihole. Works exactly as it should.

After testing at the client level, I decided to try pihole network wide. I set a single ipv4 dns entry at the router via the Eero app. Initially it worked for about 15 minutes. Then suddenly nothing resolves for any client - the internet dies. If I set the Eero back to use say 1.1.1.2 DNS, the manual DNS server assignments will work again.

My pi-hole set up:

  • router: eero pro 6 @ 192.168.0.1, primary dns set to 192.168.0.40, no secondary dns set, ipv6 off
  • pihole: rpi running a light version of raspbian @ 192.168.0.40. Blocklists, gravity is up to date, ipv6 is off for eth0
  • rpi's resolv.conf: nameserver 192.168.0.1

I have tried all sorts of things like adding and removing dns entries on pi-hole (127.0.0.1# & 1.1.1.2, 1.0.0.2 and others). After hours of trying things, I tried pihole -r which is what got it working network wide for about 15 minutes. Then promptly stopped and the Eero hit a red light situation.

At this point, I generated a debug token after resetting the DNS at the router to the known good configuration. For the life of me, I can not figure out why it was working for a brief time and then stopped. Or why it works on a per device basis.

I have turned off HomeKit secure in the HomeKit app - as that was suggested elsewhere. That does not seem to have changed anything.

Eero does not have local DNS caching on. Optimize for gaming is not on. WPA3 is not on due to two old devices on the network. Eero secure is not on.

I can log into the pi-hole GUI via a web browser as well.

Output of nslookup pi.hole (when device direct connected) is:

Server:		192.168.0.40
Address:	192.168.0.40#53

Name:	pi.hole
Address: 192.168.0.40

When not directly connected is:
Server: 192.168.0.1
Address: 192.168.0.1#53

** server can't find pi.hole: NXDOMAIN

Output of nslookup pi.hole 192.168.0.40 (when not directly connected) is:

Server:		192.168.0.40
Address:	192.168.0.40#53

Name:	pi.hole
Address: 192.168.0.40

Output of nslookup pi-hole.net (when device direct connected) is:

Server:		192.168.0.40
Address:	192.168.0.40#53

Non-authoritative answer:
Name:	pi-hole.net
Address: 3.18.136.52

Output of nslookup pi-hole.net (when device not directly connected) is:

Server:		192.168.0.1
Address:	192.168.0.1#53

Non-authoritative answer:
Name:	pi-hole.net
Address: 3.18.136.52

Output of scutil --dns is (when device not directly connected):
DNS configuration

resolver #1
  nameserver[0] : 192.168.0.1
  if_index : 5 (en1)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.0.1
  if_index : 5 (en1)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

Output of scutil --dns is (when device directly connected):
DNS configuration

resolver #1
  nameserver[0] : 192.168.0.40
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.0.40
  if_index : 5 (en1)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

Both Homebridge and strongswan are working fine as well.

Any help or advice would be appreciated!

Debug Token:

kOY1kY9u

I can get it to work for a few minutes by restarting the pi. But after several minutes it will stop allowing the Eero to get the internet at large via the DNS. I’m guessing that it might have something to do with too many requests? Though I’m not getting that error.

I don’t understand why it stops working after a few minutes of use via the Eero.

That client isn't using Pi-hole for DNS, but your router at 192.168.0.1.

What does "not directly connected" mean?
Connected via your Eero extender or your TP-Link switch?

Meaning, when I don't have the client directly connected to the DNS. Meaning it's not using Pi-hole, but is on the network. Attempting to be very thorough about what I check and how it's checked.

What's the output of nslookup during a failure?

nslookup pi.hole
nslookup flurry.com
nslookup flurry.com 192.168.0.40

Here's the outputs:

nslookup flurry.com
Server: 192.168.0.1
Address: 192.168.0.1#53

Non-authoritative answer:
Name: flurry.com
Address: 98.136.103.23
Name: flurry.com
Address: 74.6.136.150
Name: flurry.com
Address: 212.82.100.150

nslookup flurry.com 192.168.0.40
Server: 192.168.0.40
Address: 192.168.0.40#53

Non-authoritative answer:
Name: flurry.com
Address: 98.136.103.23
Name: flurry.com
Address: 74.6.136.150
Name: flurry.com
Address: 212.82.100.150

nslookup pi.hole
Server: 192.168.0.1
Address: 192.168.0.1#53

** server can't find pi.hole: NXDOMAIN

These are done from the Pi when the Eero is not pointed at the pi-hole. Mainly because I need the internet to work in order to get email and visit websites. I can try again from the pi later tonight if it needs to be from there when the Eero has stopped getting internet via pi-hole.

Here's the results when the Eero is set to use Pi-hole for DNS.

nslookup pi.hole
Server: 192.168.0.1
Address: 192.168.0.1#53

Non-authoritative answer:
Name: pi.hole
Address: 192.168.0.40

nslookup flurry.com
Server: 192.168.0.1
Address: 192.168.0.1#53

** server can't find flurry.com: SERVFAIL

nslookup flurry.com 192.168.0.40
Server: 192.168.0.40
Address: 192.168.0.40#53

** server can't find flurry.com: SERVFAIL

I believe I've finally figured out the problem. It appears that it was in the resolv.conf file. Apparently Pi-hole set the nameserver value to my router's address. I modified it to be 127.0.0.1 and now I'm getting the proper outputs on nslookups.

Still need to test a bit more and see if it fully works with the router. But at least now all the examples I've been looking at are giving the correct outputs now.

Unfortunately switching the Eero to use the Pi-hole still ends up killing the internet. I'm at a loss.

root@pi:/etc# nslookup apple.com
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find apple.com: SERVFAIL

root@pi:/etc# nslookup flurry
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find flurry.pi.hole: SERVFAIL

This would have no impact on your issue, as this is only controlling how Pi-hole's host machine would resolve DNS.

Pi-hole's DNS server operation isn't affected by its host's DNS configuration. Pi-hole will only use its configured upstreams for DNS resolution.

From that first Server: 192.168.0.1, I'd conclude that your Eero is configured for using Pi-hole as upstream DNS server while still telling your clients to use the router for DNS (as that is your router's IP address).

Did you try configuring your router to distribute Pi-hole as local DNS server via DHCP instead?

If you mean setting the Eero's DNS setting to the IP of the pi, which is 192.168.0.40 - then yes. That is the output when the Eero's DNS setting is set to the pi-hole residing at the DHCP-reserved address 192.168.0.40.

I’ve tried setting the pi-hole nameserver setting to both the router’s IP which is 192.168.0.1 and 127.0.0.1 - based on various setup videos, the manual, and tutorials I’ve seen on the net. It doesn’t seem to matter what I set it to, once I set the Eero to the pi-hole, the internet stops.

How would I set the Eero to the Pi-hole via DHCP when the Eero is what is distributing DHCP?

I can only provide generic advice here, as I am not familiar with Eero.

Most routers would offer two distinctive ways of configuring a DNS server:
a) upstream DNS server (commonly a WAN/Internet setting),
b) local DNS server (commonly a LAN/DHCP setting)

Less configurable routers often don't support b), distributing their own IP as local DNS server instead.

As explained, your nslookup output suggests yours is configured for a), as your client is still using your router for DNS when "the Eero is set to use Pi-hole for DNS".

I cannot know whether your router currently is or once was configured for b), or if it would allow for b) at all, which prompted my question.

I guess that begs the question, should I be setting up content forwarding in pi-hole to the WAN address? Because the more I think about it, setting the DNS of the router to the pi-hole and setting the pi-hole to localhost or to the router's IP seems as if it is going to cause a closed loop.

To close a loop, both Pi-hole and your router have to forward DNS requests to each other.

Your debug log has expired, but if I remember correctly, it did not show your router as Pi-hole's upstream, but a couple of Cloudflare's DNS IPs (1.1.1.x).

If you had Conditional Forwarding to your router's IP enabled, that would close a partial DNS loop which could potentially affect the respective IPs and local domain only, while resolution of public domains would work unimpeded.

In trying the following from the Pi directly without the Eero's DNS pointing at the Pi-hole:

In resolv.conf:

  1. Setting nameserver to 192.168.0.1 (Eero's IP) and doing an nslookup results in things not getting blocked.

nslookup flurry.com
Server: 192.168.0.1
Address: 192.168.0.1#53

Non-authoritative answer:
Name: flurry.com
Address: 212.82.100.150
Name: flurry.com
Address: 98.136.103.23
Name: flurry.com
Address: 74.6.136.150

  2. Setting nameserver to 192.168.0.40 (Pi & Pi-hole static IP) and doing an nslookup results in things getting blocked.

nslookup flurry.com
Server: 192.168.0.40
Address: 192.168.0.40#53

Name: flurry.com
Address: 0.0.0.0
Name: flurry.com
Address: ::

  3. Setting nameserver to 127.0.0.1 and doing an nslookup results in things getting blocked.

nslookup flurry.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: flurry.com
Address: 0.0.0.0
Name: flurry.com
Address: ::

That is all while dhcpcd.conf has the following setting:

interface eth0
static ip_address=192.168.0.40/24
#static ip6_address=fd51:42f8:caae:d92e::ff/64
static routers=192.168.0.1
static domain_name_servers=192.168.0.40

I'm trying all kinds of permutations since the simple install doesn't appear to work with the Eero routers. If needed I can generate more debug logs based on whatever suggested setup data. Really need a push in the right direction of settings that allows the Eero's to work.
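The thread's helper reads each nslookup output the same way: the "Server:" line tells you which resolver the client actually asked (the router at 192.168.0.1 means Pi-hole is not in the path), an answer of 0.0.0.0 / :: means Pi-hole blocked the name, and SERVFAIL from Pi-hole points at its upstreams. This added Python script (not part of the thread or of Pi-hole) automates that reading; the sample outputs are copied from the posts above and the Pi-hole address 192.168.0.40 is passed in as a parameter.

```python
import re

# Pi-hole's default null-blocking replies for a blocked domain.
BLOCK_ANSWERS = {"0.0.0.0", "::"}


def parse_nslookup(text: str):
    """Return (server, status, answers) from nslookup output.

    status is "answered", "NXDOMAIN" or "SERVFAIL"; answers are the
    Address: values that follow a Name: line (not the server's own address).
    """
    server, status, answers, expect_addr = "", "answered", [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            server = line.split(":", 1)[1].strip()
        elif line.startswith("Name:"):
            expect_addr = True            # the next Address: is an answer record
        elif line.startswith("Address:") and expect_addr:
            answers.append(line.split(":", 1)[1].strip())
            expect_addr = False
        else:
            err = re.search(r"can't find \S+: (NXDOMAIN|SERVFAIL)", line)
            if err:
                status = err.group(1)
    return server, status, answers


def diagnose(text: str, pihole_ip: str) -> str:
    """Map one nslookup run to the verdict the thread draws from it."""
    server, status, answers = parse_nslookup(text)
    if server != pihole_ip:
        return "NOT_USING_PIHOLE"   # client is asking the router, not Pi-hole
    if status != "answered":
        return status               # SERVFAIL from Pi-hole points at its upstreams
    if answers and set(answers) <= BLOCK_ANSWERS:
        return "BLOCKED"            # Pi-hole's null answer: name is on a blocklist
    return "RESOLVED"


# Sample outputs copied from the thread above (constructed test input).
VIA_ROUTER = "Server: 192.168.0.1\nAddress: 192.168.0.1#53\n\nName: flurry.com\nAddress: 98.136.103.23\n"
VIA_PIHOLE_BLOCKED = "Server: 192.168.0.40\nAddress: 192.168.0.40#53\n\nName: flurry.com\nAddress: 0.0.0.0\nName: flurry.com\nAddress: ::\n"
VIA_PIHOLE_SERVFAIL = "Server: 192.168.0.40\nAddress: 192.168.0.40#53\n\n** server can't find flurry.com: SERVFAIL\n"

if __name__ == "__main__":
    for label, out in [("router", VIA_ROUTER), ("blocked", VIA_PIHOLE_BLOCKED), ("servfail", VIA_PIHOLE_SERVFAIL)]:
        print(label, "->", diagnose(out, "192.168.0.40"))
```

Pipe a live run through it with `nslookup flurry.com | python3 -c 'import sys, diag; print(diag.diagnose(sys.stdin.read(), "192.168.0.40"))'` (assuming the file is saved as diag.py); a NOT_USING_PIHOLE verdict while the router is "set to use Pi-hole" is exactly the upstream-versus-DHCP distinction made in the replies above.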

THE ANSWER IS: Eero's HomeKit setting interferes with DNS inquiries. I had read somewhere else on the internet that it should work if one turns off a security setting in HomeKit for the router. However, this is not the case. Eero cannot be used for HomeKit at all in order for Pi-hole to work.

Apologies for writing out so many posts in the attempt to figure this all out.
