Please follow the below template, it will help us to help you!
Expected Behaviour:
Set Router DNS to PiHole static IP, get faster, cleaner internet on all devices wired or wireless.
Actual Behaviour:
Devices connected to one of the two identical access points don't have internet access.
Debug Token:
Pending -> PiHole taken offline to look for options prior to exhausting the WAF.
Long Story:
I've a Mikrotik Hex S and a few POE network switches, I setup PiHole on a RPI2 hard wired to a port on the router and updated the DNS servers to ONLY include the PiHole static IP. I am using the router as the DHCP server. If I plug either WAP (EAP245) into a long run with an unmanaged POE switch, I get internet access on any device connected to it. If I plug either WAP into the HEX S directly through a POE Injector, devices connected to that WAP do NOT have internet access. I've swapped the WAPs, replaced cables, swapped injectors, even tried another POE switch.. I cannot get both WAPs to provide internet access while the PiHole is setup. While connected to the "no internet" WAP, I can visit the PiHole admin page. Any suggestions before I plug it back up and try again? I'm running low on WAF and need a plan of action prior to re-enabling PiHole.
@RamSet I'd had it set to "Listen on all interfaces" but I changed it to "Listen on all interfaces, permit all origins" and reconfigured DNS on my router. Again I lost internet connectivity on the devices connected to that WAP. I ran debug from the admin page. Also, THANK YOU for helping!
Ah. I'd added my router to the upstream DNS list... probably misread that on the forum. Removed it and still having the same problem. I've run debug again just to see if you notice anything else or if it's still doing it (my router is issuing itself as a DNS server, even though I've only got the PiHole setup in the config).
Can you share the network configuration (status screen) of one of the clients that's not working ?
It's fine if the router provides its IP as the DNS to the clients.
Can you please explain again, from a simple connection perspective your topology ?
As in:
ISP in router 1.
Router 1 hardwired Pi-hole and hardwired Router 2.
Devices connected to Router 1 are all working just right.
Whatever is in Router 2 does not work.
Did I get that right ?
I do believe there is a networking (settings) problem as Pi-hole is working as expected.
The debug token provides information related to the Pi-hole environment and Pi-hole settings. Nothing beyond that. Can't really see where and how the network is setup past the Pi-hole hosting device.
What's the output of the nslookup command on the client that's connected to the non working AP ?
Could be that the microtik does not play well with allowing DNS requests from with the LAN.
Maybe DNS Rebind/Hijacking protection settings?
I've the ISP coming into Ether1 on the Mikrotik Router. Ether2 runs across my home to an unmanaged POE switch with WAP1 (working) plugged into it. Ether3 runs to the managed POE switch (or the injector, which I took out since it didn't help). WAP2 is currently plugged into port1 of the POE switch, other hard wired devices are on that switch working fine.
broken chain: ISP -> Router port1 -> Router Port 3 -> POE Switch -> WAP2 (EAP245)
Working chain: ISP -> Router port1 -> Router port 2 -> POE Switch -> WAP1 (EAP245)
*I tried swapping the WAPs, and swapping ports on the router to the WAPs, as well as using a POE injector directly to port 3 on the router. What's killing my brain is the other WAP working fine...
NSLookup had to be via iOS App, since I only have desktop PCs and they're all wired (some to each of the two POE Switches) Everything is working wired as well.
SSID, gets an IP, subnet and gateway. Under DNS it lists the RPI and the Router. If I manually set 8.8.8.8 as the DNS on the phone everything works (thought it was worth checking!).
Same SSID, different channels for both 2.4GHz and 5GHz and load balanced by the TPLink Omada controller software running on my desktop. The two WAPs are identical and both worked fine before.
I really do appreciate your help! The benefits of PiHole are too great to give up on my end
I believe that your managed switch is blocking the DNS requests to go through. See if you can set-up the DNS parameters under the management page on the managed switch, as DNS requests might drop here (coming in from a client but not cascaded/relayed further down the tree).
What if, for testing purposes, you plug WAP2 into a port in the Mikrotik ?
Good thought, however it's a POE WAP and I'd started with a simple injector vs the POE Switch. Prior to the switch I had no internet through the WAP with just the injector either.
ISP -> Router port 1 -> Router Port 3 -> POE Injector -> WAP2
For completeness I will swap the two switches this evening when the family is done "interneting" to see if the issue follows the switch.
Before you move hardware, see if in the settings for the managed switch ( I own one that is not in use but I do recall of a similar scenario where it would require me to define the DNS downstream from it within the same subnet).
It should be called out in General and Network parameters as DNS...
I'll swap out for the POE injector that originally didn't work either... because we did make the original changes you recommended. If that doesn't work, I'll try the unmanaged POE switch too. I'll post results.
Swapped for the POE Injector, still no internet.
Swapped for the unmanaged switch, still no internet...
I can't figure out where to even look for the problem, so I found a workaround (with one caveat).
Workaround:
On the Mikrotik Firewall, I added a NAT rule for all local addresses to redirect UDP on port 53 to the static IP of the PiHole. This is working (and incredibly fast), with a few potential issues:
I originally setup the network DHCP server to leave some reserved IPs around my router, for the WAPs, switches, PiHoles, etc. When I created the Address list I specifically excluded those reserved addresses. If the PiHole was included in this redirect NAT it would have looped when trying to get to the upstream DNS servers.
I was planning on redundancy with the Pi2 being secondary DNS and the more powerful NanoPi Neo2 as primary. Using this firewall rule workaround I'm not sure of a means to do this.