Pi-hole Across VLANs

Pi-hole is working on my main VLAN (MAIN). It's my IoT network that's the problem; I cannot ping from cmd, or log into my Pi-hole from there.

192.168.1.1/24 - MAIN
192.168.20.1/24 - IoT
192.168.1.5 - DNS (Pi-Hole)

When connected to MAIN, I get this in CMD (ipconfig /all):

Connection Specific DNS Suffix: localdomain
Connection Specific DNS Suffix Search List: localdomain
DNS Servers . . . . . . . . . . . : 192.168.1.5

When connected to IoT, I get this in CMD:

Connection-specific DNS Suffix :
Connection Specific DNS Suffix Search List:
DNS Servers . . . . . . . . . . . : 192.168.1.5

I have conditional forwarding, and listen on all interfaces selected.
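A quick way to tell whether the IoT VLAN can actually reach the resolver (as opposed to merely being handed its address by DHCP) is to send a DNS query to it over both UDP and TCP and see which transport answers. The probe below is an added example, not part of the thread or of Pi-hole itself; it builds an A query by hand, parses the reply, and checks the transaction id so a reply from the wrong host is not mistaken for success. The Pi-hole address is the one from the thread; the query name `pi.hole` and the constructed test response in the comments are assumptions.

```python
"""DNS reachability probe for a Pi-hole on another VLAN (added example).

Builds an RFC 1035 A query, sends it over UDP and over TCP to the resolver,
and reports per-transport results. Run it from a host on the IoT VLAN.
"""
import secrets
import socket
import struct

PIHOLE = "192.168.1.5"   # Pi-hole address from the thread
DNS_PORT = 53


def build_query(name, txid=None):
    """Return a recursive A query for `name` in wire format (header + question)."""
    if txid is None:
        txid = secrets.randbits(16)
    # id, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    return header + question


def _skip_name(buf, pos):
    """Advance past a (possibly compressed) domain name starting at pos."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # compression pointer ends the name
            return pos + 2
        pos += 1 + length


def parse_answers(resp, txid):
    """Return IPv4 addresses from the answer section; raise on a bad reply."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (reply not for our query)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    pos = 12
    for _ in range(qd):                  # skip the echoed question section
        pos = _skip_name(resp, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        rdata = resp[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def probe(server=PIHOLE, name="pi.hole", timeout=2.0):
    """Query `server` over UDP and TCP; return {"udp": ..., "tcp": ...} strings."""
    results = {}
    txid = secrets.randbits(16)
    query = build_query(name, txid)
    try:                                 # UDP: the normal resolver path
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, DNS_PORT))
            data, _ = s.recvfrom(512)
            results["udp"] = f"ok: {parse_answers(data, txid)}"
    except (OSError, ValueError, struct.error) as e:
        results["udp"] = f"fail: {e}"
    try:                                 # TCP: 2-byte length prefix on each message
        with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", s.recv(2))
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    break
                data += chunk
            results["tcp"] = f"ok: {parse_answers(data, txid)}"
    except (OSError, ValueError, struct.error) as e:
        results["tcp"] = f"fail: {e}"
    return results


if __name__ == "__main__":
    for transport, outcome in probe().items():
        print(f"{transport}: {outcome}")
```

A timeout on both transports from the IoT VLAN while the same probe succeeds from MAIN points at the inter-VLAN firewall rather than at Pi-hole; a UDP success with a TCP failure means only one of the two protocols is allowed through.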

@Pashovski
You will need to create firewall rules in your router to allow the devices on the IoT VLAN to be able to send DNS requests (& receive replies) to/from the MAIN LAN's Pi-hole.

Thanks for the reply. I'll add my rules here. I've tried reading through every one of the dozens of USG + Pi-hole threads. I am not sure at this point if it is my rules or something in the Pi-hole setup that is wrong. Along with not being able to log into Pi-hole when connected to my IoT network, I am not able to log into my UniFi Controller. My current setup is USG > 8-switch-60w > Pi-hole.

My rules: Unifi Firewall Rules - Google Sheets

@Pashovski
FWIW. I have a Ubiquiti UniFi network. I have a pair of Pi-holes running on my native LAN and employ a number of VLANs, including one for IoT devices. My first FW rule is a LAN IN rule that is similar to your rule 2000. This allows all established/related traffic between all VLANs.

Specifically for the Pi-hole, I have a LAN IN rule for each VLAN that I want to have access to the Pi-holes. This rule accepts new, established, & related TCP and UDP traffic on ports 53 & 5335 from the VLAN to the LAN.

And in my case, I use a third rule which blocks everything else from the VLAN to the LAN.

With these three rules, I do not have any issues using my Pi-holes for DNS requests. All of my IoT devices (like my Davis Advantage Pro & NetAtmo weather stations) can easily send their respective data over the Internet.

2 Pi-holes! That is cool. Maybe I should look into that, although I should probably keep it simple and figure this out first :)

Would you mind telling me what you have listed in the IoT VLAN domain field? I just realized mine (IoT) is blank; I have localdomain for my MAIN VLAN. Wondering if that might be a problem.

@Pashovski
Yep, two Pi-holes for performance, and somewhat for redundancy.

I use iot.local for the domain. My native LAN is localdomain, like yours.

Okay I think I'm getting it.

I have a LAN IN rule for each VLAN that I want to have access to the Pi-holes. This rule accepts new, established, & related TCP and UDP traffic on ports 53 & 5335 from the VLAN to the LAN.

Am I right that "from" the VLAN = (Destination) "to" the LAN = (Source) ?
Also, is the source Address/Port Group ANY/ANY, and the destination Address/Port Group 192.168.1.5 / ports 53 & 5335? (That's my Pi-hole IP.)

@Pashovski

Here's the rule I use for my IoT VLAN:
(Note that I'm using the new beta interface for creating the rule.)

GENERAL
Type: LAN IN
Description: Allow LAN-IoT to Pi-hole
Rule Applied: Before Predefined Rules
Action: Accept
IPv4 Protocol: TCP and UDP

SOURCE
Source Type: Network
Network: LAN-IoT << My IoT Corporate VLAN network
Network type: IPv4 Subnet

DESTINATION
Destination Type: Address/Port Group
IPv4 Address Group: Pi-hole Address Group << I created a FW group of type "IPv4 Address/subnet" that includes the IPv4 addresses of my two Pi-holes
Port Group: DNS Port Group << I created a FW group of type "Port Group" that includes ports 53 & 5335. The latter port is only required if you opt to run unbound on your Pi.

ADVANCED
Match State New - enabled
Match State Established - enabled
Match State Related - enabled


Does this help?
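To check what the three-rule scheme described above (established/related allow, IoT to Pi-hole on the DNS port group, drop everything else from IoT to LAN) does to a given flow before touching the controller, here is a small stateful rule evaluator. It is an added example and not UniFi or EdgeOS code; it applies the rules in order with first match wins. The subnets, the Pi-hole address and the port group are the thread's; the default-accept fallback for flows no rule matches and the sample flows in the test are assumptions. One consequence it makes visible: with only these rules, a new TCP connection from IoT to the Pi-hole's web admin port is dropped by the third rule, so an admin who wants the dashboard reachable from IoT needs a further rule for that port.

```python
"""Tabletop model of the LAN IN rules from the reply above (added example).

Evaluates a flow against rule 1 (established/related), rule 2 (IoT -> Pi-hole
address group on the DNS port group) and rule 3 (drop the rest from IoT to LAN),
returning the verdict and the rule that produced it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAIN = ip_network("192.168.1.0/24")            # native LAN from the thread
IOT = ip_network("192.168.20.0/24")            # IoT VLAN from the thread
PIHOLE_GROUP = {ip_address("192.168.1.5")}     # "Pi-hole Address Group"
DNS_PORT_GROUP = {53, 5335}                    # "DNS Port Group"; 5335 only for unbound


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    state: str      # "new", "established" or "related"


def rule_established_related(f):
    """Rule 1: traffic belonging to a known connection is accepted in any direction."""
    return "accept" if f.state in ("established", "related") else None


def rule_iot_to_pihole(f):
    """Rule 2: new/established/related TCP+UDP from IoT to the Pi-hole group on DNS ports."""
    if (ip_address(f.src) in IOT and ip_address(f.dst) in PIHOLE_GROUP
            and f.proto in ("tcp", "udp") and f.dport in DNS_PORT_GROUP):
        return "accept"
    return None


def rule_block_iot_to_lan(f):
    """Rule 3: everything else from IoT to the native LAN is dropped."""
    if ip_address(f.src) in IOT and ip_address(f.dst) in MAIN:
        return "drop"
    return None


RULES = [rule_established_related, rule_iot_to_pihole, rule_block_iot_to_lan]


def evaluate(f):
    """First matching rule wins; assumed default for unmatched flows is accept."""
    for rule in RULES:
        verdict = rule(f)
        if verdict is not None:
            return verdict, rule.__name__
    return "accept", "default"


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    samples = [
        Flow("192.168.20.50", "192.168.1.5", 53, "udp", "new"),         # DNS query
        Flow("192.168.1.5", "192.168.20.50", 40000, "udp", "established"),  # DNS reply
        Flow("192.168.20.50", "192.168.1.5", 80, "tcp", "new"),         # web admin UI
        Flow("192.168.20.50", "192.168.1.10", 53, "udp", "new"),        # DNS to another LAN host
        Flow("192.168.1.20", "192.168.20.50", 80, "tcp", "new"),        # MAIN -> IoT
    ]
    for flow in samples:
        verdict, by = evaluate(flow)
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} [{flow.state}] "
              f"=> {verdict} ({by})")
```

The model answers the source/destination question from earlier in the thread directly: "from the VLAN" is the rule's source (the IoT network), "to the LAN" is its destination (the Pi-hole address group plus the port group), and the return packets never need their own allow rule because rule 1 matches them as established.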

