How to make an isolated bridge use the PiHole? (DDWRT)

I have an R8500 with DD-WRT on it.

Router configurastion

I have a local network (br0 / 192.168.1.1) with the only DNS server as 192.168.1.2.
I also have a wireless interface W1.1 with a bridge br1 (192.168.10.1) with Net Isolation enabled, as it is shared with my neighbors and I don’t want them to mess with my personal network.

I configured PiHole with Conditional Forwarding.

Goal

My goal is to use Pihole to make DNS queries and all devices connected to the network needs to use the PiHole as it’s DNS server. I also want to know which device made the query.

I tried…

  • Local DNS In Router IP
  • Static DNS 1 in DHCP
  • dhcp-option=6,192.168.1.2 in Additional DNSMasq Options
  • Forced DNS Redirection which result in no DNS at all for all devices on the entire network.

I’m testing using an Android phone and a laptop connected to the shared network with auto DNS and DHCP on the clients to see if the PiHole will catch the requests. I disconnect and reconnect the devices every time I change a configuration.

You can check my PiHole configuration here: https://tricorder.pi-hole.net/81om9lzgzm

I’m not quite sure how I should achieve this, any suggestion? I’ve been playing with this for a long time :slight_smile: And I’m sorry if something isn’t clear or if I forgot something, just let me know!

EDIT

I played a little and found some rules that doesn’t work. I disabled Net Isolation for br1 and tried the following Firewall rules:
The middle rules are to try forcing the DNS server on the clients.

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

#keep network on pi-hole
iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 192.168.1.2:53
#punch DNS hole for pi-hole
iptables -t nat -I PREROUTING -i br0 -p tcp -s 192.168.1.2 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br0 -p udp -s 192.168.1.2 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br1 -p tcp -s 192.168.1.2 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br1 -p udp -s 192.168.1.2 --dport 53 -j ACCEPT

iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset

Internet doesn’t work on the br1 (w1.1) public interface with those but I’m still playing with them.

One option: How are you running Pi-Hole? Is it on a VM/LXC/docker container or running on standalone hardware? I ask because if you are able, make another instance of pihole with one running on your subnet and the other running on your “public” subnet.

1 Like

Thanks for your answer! It’s running standalone on a raspberry. I managed, with the help of the ddwrt community, to allow Isolated client to use the PiHole but it’s going through the router, so all requests are from the client “192.168.1.1”.

That is because, right now, redirecting DNS queries to the PiHole doesn’t work so I have to use the router’s DNS for the isolated bridge. The router then ask the PiHole.

You can follow the progress here: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320067

Makes sense. Glad you found a solution.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.