How to allow one private network external to Pi-hole?

Hello. How can I allow just one network on Pi-hole?

Context: I don't want to allow all origins or everything on the interface, so I need to allow just one network, for example 172.16.0.0/24.

How can i do this?

172.16.0.0/24 would be a private network, so just choose Allow only local requests. If that doesn't suffice, perhaps expand on what you're looking to do.


It's a private range, but not the private network of Pi-hole. The network is divided into 2 networks, CGNAT and the LAN. The 172.16.0.0/24 is an example.

The real scenario is: Pi-hole + border with CGNAT (a net like 100.64.0.0/10).

So, I want to know how I can allow the LAN, 10.10.50.0/24 or something like that, and the CGNAT.

CGNAT addresses are ISP internal.
Why would you expect that other ISP customers would access your Pi-hole?
And why would you want to allow that?

Yeah, I know. But I'm the ISP. I want to set the DNS on my PPPoE server for the queries. I just want to know if it is possible to make Pi-hole accept queries from the other networks.

The Pi-hole on my network doesn't have a public IP, and I don't want it to. For this, it has the IP 10.10.50.2/30, and my border has 10.10.50.1/30, just for communication. So, the CGNAT network (or any other type of network, like a hotspot) has an IP range outside the range of Pi-hole.

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

Ok, here is the token:

https://tricorder.pi-hole.net/Hc0QhWue/

Pi-hole is designed to be operated within the (reasonably) safe boundaries of your private network.

Exposing it to a larger public (like operating as an ISP) would require you to apply adequate security measures (firewalling, SSL, subnetting, to name a few).

You'd probably be facing privacy issues as well, as Pi-hole may log sensitive data (this may be disabled by setting the corresponding Privacy Level).
Depending on the jurisdiction in your country of residence, you could be obliged to gather and archive prior consent of your users.


Your debug log shows that your machine running Pi-hole doesn't feature an interface that would carry CGNAT address or addresses from the 172.16.0.0/24 range you mentioned.

Thus, none of Pi-hole's Interface settings options can achieve what you want.

The most obvious way of mitigating this would be to have your gateway NAT requests from your alternative subnet to your Pi-hole machine's subnet, where your alternative subnet's DNS requests would be aggregated under your gateway's IP.

Alternatively, you could consider assigning an IP from your 172.16.0.0/24 subnet to your Pi-hole machine (provided your network environment allows that), and have your gateway distribute that IP for DNS.

Both measures would allow you to pick Allow only local requests from Pi-hole's Interface settings.

Ok, so it's impossible to allow just one network in Pi-hole alone. But I have thought of other possibilities to do that. Thank you for your attention.

What IP address are your 172.16.0.0 and 10.10.50.0 subnets using as DNS server?

To explain the scenario more, in the lab it is:

The intention of making a PTP link between the border and Pi-hole is to isolate the Pi-hole from my network, and use it just for DNS (TCP/UDP 53). However, I will do this on MikroTik, or create rules in iptables on Pi-hole, using "Permit all origins".

The 172.16.0.0/24 is an example to simulate CGNAT; yeah, I know CGNAT is 100.64.0.0/10, but it's only an example.
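As an added example that is not from this thread or the Pi-hole project, the following bash script builds iptables rules that limit TCP/UDP 53 on the Pi-hole host to the LAN and CGNAT subnets mentioned above, for the case where Pi-hole itself is set to "Permit all origins". The chain name PIHOLE_DNS and the DRY_RUN switch are my own choices.

```shell
#!/usr/bin/env bash
# Added example (not from this thread or the Pi-hole project): when Pi-hole is set to
# "Permit all origins", limit TCP/UDP 53 on the Pi-hole host to an explicit list of
# source subnets with iptables. Subnets are the thread's LAN and CGNAT examples.
set -euo pipefail

# Source networks allowed to query Pi-hole (LAN and CGNAT range from the thread).
ALLOWED_NETS="10.10.50.0/24 100.64.0.0/10"

# Print the iptables commands for an allow-list, one per line, so the policy can be
# reviewed before it is applied. Chain name PIHOLE_DNS is an assumption of this example.
build_dns_rules() {
    local nets="$1"
    local net proto
    # Create the chain, or flush it if it already exists, so reruns are idempotent.
    echo "iptables -N PIHOLE_DNS 2>/dev/null || iptables -F PIHOLE_DNS"
    for net in $nets; do
        for proto in udp tcp; do
            echo "iptables -A PIHOLE_DNS -p $proto --dport 53 -s $net -j ACCEPT"
        done
    done
    # Everything else reaching port 53 is silently dropped; DROP rather than REJECT so
    # the host does not answer scanners probing for open resolvers.
    echo "iptables -A PIHOLE_DNS -p udp --dport 53 -j DROP"
    echo "iptables -A PIHOLE_DNS -p tcp --dport 53 -j DROP"
    # Attach the chain to INPUT only if it is not attached yet.
    echo "iptables -C INPUT -j PIHOLE_DNS 2>/dev/null || iptables -I INPUT -j PIHOLE_DNS"
}

# Number of ACCEPT rules produced for an allow-list (one udp + one tcp per subnet).
count_accept_rules() {
    build_dns_rules "$1" | grep -c -- '-j ACCEPT'
}

main() {
    # DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 applies them (needs root).
    if [ "${DRY_RUN:-1}" = "1" ]; then
        build_dns_rules "$ALLOWED_NETS"
    else
        build_dns_rules "$ALLOWED_NETS" | while IFS= read -r cmd; do sh -c "$cmd"; done
    fi
}

main
```

Only port 53 is touched, so other services on the host keep whatever firewall policy they already have.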

That doesn't answer my question:

Would that be 10.10.50.2 for both subnets?

Also, are you really operating as an ISP, intending to deploy that into a CGNAT environment?

Yes, the DNS server IP of both networks is 10.10.50.2 (the IP of Pi-hole).

In fact, I'm doing tests to see the feasibility of deploying Pi-hole as a recursive DNS server.

I'd advise against using 10.10.50.2 (or any other private IP address) as DNS server in your CGNAT subnet. If your customers happen to choose that private IP address range for their own networks, that may prompt routing issues - worst case, it may deprive them of resolving DNS altogether.

Why not manually assign a static IP address (say, 172.160.0.53) from your CGNAT range to the Pi-hole machine (in addition to its existing 10.10.50.2), and add appropriate routing for 172.160.0.53/32 to your MikroTik router?

It's a possibility. I'll study other possibilities to make this scenario.