How can I use Wi-Fi to Eth, with DNShole and DHCP sent out from Eth only?

I am a complete Linux noob, so I'm starting out saying that. I can get the DNShole and DHCP working on a single interface, or a bridge working. I can't seem to get it to work using both and have to keep flashing PiOS to reset files edited by bridging scripts I find. The Web Admin shows my computers connected to the Eth, but they don't have internet access. My router is Starlink, so 0 options because it's so basic. I haven't even attempted to add the switch yet, because my laptop isn't getting internet from Eth to Eth.

Expected Behaviour:

Obtain internet from Wi-Fi, create subnet with PiHole deployed via DHCP over Eth, then Eth to a switch. Perhaps it's a dnsmasq issue. I really don't know.
- 2023-02-21-raspios-bullseye-arm64.img, updated
- Pi 400

Actual Behaviour:

No internet on the bridged devices with PiHole deployed, no matter the scripts I find. DHCP from PiHole is not sending IP information out the Eth port and bridged devices are attempting to use the wrong DNS (Google instead of Quad9) even when set to use a static IP with all the correct information (PiHole set as DNS, gateway, and with a static IP in the correct range).

I would like to avoid spending further money on a router with more features.

This seems like a mix of OS, networking and possibly Pi-hole configuration issues.
We may only be able to properly address the Pi-hole ones here.

Before we start figuring those apart:
Why would you want to bridge network interfaces on your RPi400?

I want to use a switch my company already has and PiHole’s DHCP to give out PiHole DNS setups, with whitelists, to the employee mesh without having to set a static IP on all their devices. They watch videos while using dangerous machinery. The plan was to do this by connecting the 400 to the executive wi-fi router and plugging the ethernet into the switch.

I fail to understand how that relates to my question, specifically why it would require you to bridge your RPi400's network interfaces?

How did you go about configuring your router to make use of Pi-hole?

In general, most routers would allow to configure either the local DNS server as distributed via DHCP (often, a LAN/DHCP setting), or the upstream DNS server as used by the router (a WAN/Internet setting).

While the former one would be preferred, Pi-hole would also work with the latter.

Only if none of those router options would be available or work, you should consider to give disabling your router's DHCP server and enabling Pi-hole's DHCP server a try.

None of the above would require you to bridge your RPi400's network interfaces.

Are they required to do so?

Or do you intend to block them from watching videos?
In that case, a filtering DNS resolver like Pi-hole likely would not be sufficient.

I need to make the ethernet port be an internet out, not an in. They have locked down tablets so they can’t install apps, but the PiHole can whitelist what website they can visit in the browser, like no netflix.com and such, and protect the company from some avenues of obtaining malware that could compromise floor operations data security.

As I mentioned in the OP the main router is from Starlink. If you are unfamiliar with one, it has no options but custom DNS, can’t disable DHCP. The executives do not need whitelisting. It’s the most useless router I have ever seen. It connects to the Google mesh via switch.

I would like to connect to Starlink with wi-fi on the 400, and connect the 400 to the switch with the ethernet port to provide DNS filtering in addition to providing DHCP on a separate subnet. Basically turning the 400 into a router without installing OpenWrt, which I don’t think supports or even needs PiHole, and I’m unsure if it provides similar functionality or the ability to use it as anything but a router. Bridge may not be the proper term here, as that’s just data pass-through if I recall correctly.

The employees are not supposed to be watching anything while working on the machines, they only need the installed apps and access to a few websites. They could lose a finger and sue the company where I live (Mexico) for having a dangerous workplace, which would cost a fortune in disability pay and raise our taxes while causing regular government inspections.

If all else fails, I can try to ask the PiOS or other Linux forums, or we replace the switch with an actual router and plug the 400 into that. I’d just prefer not to do the latter as the switch would be a loss and a router would be a cost. If I can get the 400 to handle it, while still being able to provide other services itself and to the executive network, the company would be very pleased and allow me to apply the method to other contract work.

For note, I have only tested my attempts to PiHole and route/bridge with a laptop’s ethernet port and my home router, as the company needs full internet access at all hours. PiHole with DHCP alone works. Bridge alone works.

I'm indeed unfamiliar with almost any router firmware ever in existence, bar perhaps a few dozen that I've come to use in the past.

As you can't disable DHCP, you want to verify that you can restrict your router's DHCP range to accommodate just Pi-hole's host machine, and configure a DHCP lease reservation/fixed IP address for that in your router.

If your router's DHCP wouldn't support such configuration, then any DHCP client on that network segment could choose to request a lease through either your router's or your Pi-hole's DHCP server at its own discretion.

That sounds as if your router has custom DNS options?
Did you try pointing that to Pi-hole?

But then again, locking down access in the way you want would require a proper firewall, blocking IP addresses at the gateway level.
DNS filtering could be done in conjunction with that, but by itself, it is too easy to bypass, e.g. you could just manually switch the DNS resolver for a device to a public one.

If your router would not employ a firewall or expose its configuration options, you'd need a dedicated firewall device.
As all your network's traffic must pass through that device, it would have to replace your router as router/gateway for your network's clients.

In contrast, Pi-hole would just handle DNS (and optionally DHCP) traffic, and only for clients willingly requesting those services through Pi-hole.

Dedicated router software like OpenWrt certainly would seem a better match for your requirements.
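
The gateway-level enforcement described in the last reply, sketched for the Wi-Fi-in/Ethernet-out layout asked about in the question. This is an added example, not part of the original thread and not Pi-hole's own tooling. It assumes the Pi routes between a LAN interface (`eth0`) and an uplink (`wlan0`), that Pi-hole answers DNS on the LAN interface, and that nftables is installed; the function names and the table name `pihole_gw` are made up for illustration.

```shell
#!/bin/sh
# Added example: render an nftables ruleset that makes the Pi a NAT gateway
# and forces LAN clients' plain DNS through the local resolver (Pi-hole).

# Accept only safe interface names so nothing can be injected into the ruleset.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]   # Linux interface names are at most 15 characters
}

# render_ruleset LAN_IF WAN_IF -> ruleset on stdout, status 2 on bad input
render_ruleset() {
    lan_if=$1
    wan_if=$2
    valid_ifname "$lan_if" && valid_ifname "$wan_if" || return 2
    [ "$lan_if" != "$wan_if" ] || return 2
    cat <<EOF
table inet pihole_gw {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # A client with a hand-set public resolver still lands on the local one
        iifname "$lan_if" udp dport 53 redirect to :53
        iifname "$lan_if" tcp dport 53 redirect to :53
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # DNS-over-TLS would carry queries past the filter
        iifname "$lan_if" tcp dport 853 reject with tcp reset
        iifname "$lan_if" oifname "$wan_if" accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$wan_if" masquerade
    }
}
EOF
}

# Usage (as root, interface names are assumptions):
#   sysctl -w net.ipv4.ip_forward=1
#   render_ruleset eth0 wlan0 | nft -f -
```

DNS-over-HTTPS shares port 443 with ordinary web traffic, so these rules do not catch it; that is the part that still needs the IP-level blocking mentioned above.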