I had my router setup as the primary DNS server and noticed all my queries in the admin page came from my router. I then decided to use dhcp-option=6,pi-hole-ip,router-ip in DNSMasq Options which worked great for my private network.
The guest network resorted to the router ip since it couldn't resolve the pi-hole ip address thus bypassing the ads. I used iptables to allow the guest network to communicate with the private pi-hole ip on tcp/udp 53 and that worked and I started to see the guest network IP addresses in the web interface on the pi-holr.
The main issue i have now is that pages take allot longer to finish loading on the guest network. Same page on the private network loads quickly. Some pages take almost a minute to fully load. It's not that you can't browse the page it just doesn't fully load, almost as if it's waiting on the ads to load but eventually times out.
As a work around the primary DNS for the guest network is my router and the primary static DNS for the router is the pi-hole, by doing this I avoid the long load times yet able to block ads. The downside to this is all guest network queries show up as my router ip.
Any way to fix why the pages are slow when using the the pi-hole as the primary DNS on the guest network?
I'm going to guess and say that it's the lighttpd process. On the private network, when a domain is blocked, the lighttpd daemon sends a replacement image as a 404 to the browser, so it gets an immediate replacement and can continue rendering the page. On the guest network if you only have port 53 open for DNS traffic, then the clients on that network are indeed timing out waiting for an element to render. If you give the guest clients access to port 80 of the Pi-hole and let the 404's flow, then I suspect you will see a dramatic increase on the page rendering times for guests.
Nope pages are still slow for guest even with port 80 open, it's indeed open coz i can get to the web interface from the guest network. It could be I just need to reboot the router which I can't do at the moment.
EDIT:
Using the below lines it causes the pages to load slow.
iptables -I FORWARD -i xy1 -p tcp -d pi-hole-ip -m multiport --dport 53,80 -j ACCEPT
iptables -I FORWARD -i xy1 -p udp -d pi-hole-ip -m multiport --dport 53,80 -j ACCEPT
But using this pages load quick, I rather not use this since it give the guest full access. Is there any other ports uased by Pi-Hole?
iptables -I FORWARD -i xy1 -o xy0 -d pi-hole-ip -m state --state NEW -j ACCEPT
--dport 53,443 -j ACCEPT worked for most sites I tried, a few sites required port 80 to be also open as well. However I can live with the delay on the guest network because I don't want to give guest access to pi-hole, until pi-hole admin page gets a password.
I am hoping either @JohnSnow or @DanSchaper are still around and can report back on how this ended up -- with a little more specifics. My problem is that after setting up dnsmasq, my guest network lost all connectivity to the WAN (it never had connectivity to the LAN).
I have a PiHole setup on a RPI3, connected to a Tomato-based router. On the Tomato, I used Advanced>DHCP>DNS>Dnsmasq>dhcp-option=6,192.0.1.99 to set up the PiHole's DNS. The Tomato's primary network is br0 (I think -- that is the bridge, the interface is wl0) and the guest network is br1 (interface wl0.1).
I have the networks isolated using the following firewall iptables:
## BLOCK br1 (GUEST) from being able to access br0's (PRIMARY) LAN
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
I tried to follow the suggested iptables add, but got no joy. Here is what I tried:
If there is a way to both (A) have PiHole setup and working on the primary network and (B) have a working guest network(it doesn't matter if PiHole works on the guest network -- so long as it has WAN access) please post back?
Awesome!!! This works for me. I did have to leave my VLAN blocking rules in, however, because without them my guest network can access the Admin page. Not sure why that is, but the rules I have to block that work and the added rules you posted don't conflict. Thanks!