Pi-hole & DHCP & UPnP

iBotPeaches · August 9, 2020, 1:26pm

To prefix this, I don't think I'm a master at networks so maybe I'm misunderstanding something here. I noticed my NAT in video games was Moderate, which makes some actions quite difficult. The obvious fix for a moderate NAT is either UPnP or port forwarding.

We are in 2020, so manually setting up all 50+ ports that Steam requires (Destiny 2, Overwatch) is quite daunting. That is why UPnP just "works" and is so clever.

So now lets talk about the issue. I tell my router to disable DHCP and use my Pi-hole as the DHCP server, this helps so I can actually see which client is doing things. Instead of a generic router/IP owning all the outbound DNS requests.

This works great, but instantly causes my PC to result to a Moderate NAT when gaming. I imagine this is because with my DHCP server disabled on router, Pi-hole does not or can't communicate with UPnP on my main router (? - someone check me here)

I go back to DHCP on my router and immediately my game has an Open NAT. However, I don't see threads asking about this outside of this Reddit thread (https://www.reddit.com/r/pihole/comments/a8yivi/pihole_and_call_of_duty_black_ops_4_conection/)

So can anyone shed some light here? Is there a way to roll Pi-hole DHCP + UPnP? Or break it down where my logic is wrong? Am I doing something wrong?

yubiuser · August 9, 2020, 1:49pm

Configure you router to distribute pihole's IP as DNS server via DHCP. Then you can easily see individual clients in pihole's dashboard.

Tntdruid · August 9, 2020, 1:56pm

Dont turn on UPnP.

iBotPeaches · August 9, 2020, 2:12pm

Do you mean to use port forwarding instead? Or something else?

iBotPeaches · August 9, 2020, 2:12pm

I have set this up now and running my tests.

Bucking_Horn · August 10, 2020, 9:31am

Short answer:
Pi-hole isn't concerned with NAT and UPnP at all.

If Pi-hole interferes with some of your UPnP HTTP requests, then that's because its doing its job: It is blocking a domain.
How do I determine what domain an ad is coming from? may help you in finding out what domain is being blocked.

Once identified, make an informed decision on whether you want to keep it blocked or not. Allowing access may just please whatever tool you use to display the text Open NAT.

Longer explanation (click)

Terms like strict NAT, moderate NAT or open NAT were coined by game console and router manufacturers, with possible contradictory or overlapping meanings (e.g. ASUS uses Open NAT as a name for a feature in its gaming routers to bundle port forwarding rules into profiles for specific games, while Xbox means its connected to the Internet the way it wants)

In networking, NAT means Network Address Translation.

While those terms are obviously related, the former usage is too ambiguous.

Pi-hole is neither a game console nor a router.
It has absolutely not active part in NAT. It will however be affected by it, much in the same way as any other device on your network.

UPnP is a bunch of related protocols meant to allow network devices to discover, use and potentially manipulate each others services.

The only protocol Pi-hole cares about is DNS (and DHCP if acting as DHCP server).
Pi-hole is not directly concerned with any of UPnP related protocols, some of them leveraging HTTP.
However, Pi-hole will be asked to resolve a domain as contained in a HTTP URL, and it may be configured to block it, which may prevent UPnP requests to succeed.
But there's normally a (good) reason why someone puts a domain on a blockllist.

It's probably safe to enable and(!) confine UPnP within the limits of your home network, but it's really a convenience feature (for manufacturers, mostly) that poses some larger security risks, e.g. it lacks authentication by default, meaning a UPnP device may accept and process commands regardless of origin. For that reason (and others), you're not very likely to find UPnP enabled in a company network.

I'd rather go the hard way and configure forwarding rules myself, much the same way as I wouldn't hand my house keys to my favourite pizza delivery service just to spare me from having to walk to the door.
Granted, they are hard to come by at times, as even official game support seems to lack full and proper information - as said, UPnP is a convenience feature for manufacturers, mostly.

iBotPeaches · August 12, 2020, 12:06pm

Thank you for the detailed response. I guess I'm not sure what I'm dealing with then. If I disable the entire pi-hole block-lists - no dice as I still have moderate NAT (for whatever that means). I did this because I watched the live pi-hole log during gaming and the only blocked domain was some vortex Microsoft one and I whitelisted it to test.

If I put DHCP back to router, back to open NAT. Keep DHCP on router, but use DNS from pi-hole and open NAT, but then all my requests in pi-hole are owned by the router hostname/ip.

I guess I'll just continue tweaking. I see there is a new version, so I'll continue to test and learn/research.

Bucking_Horn · August 12, 2020, 12:15pm

That clearly indicates your router is using Pi-hole merely as its upstream DNS.
That's a perfectly viable setup, especially if your router doesn't allow you to distribute a local DNS server via DHCP.
If that DHCP option is available on yours, I'd recommend using that instead of upstream DNS.

Whatever device or software is telling you this, its manufacturer may be able to shed some light on this, and maybe also its potential impact on DNS, if any.

Nexipal · March 27, 2021, 10:46pm

I have the same issues with quiet strict NAT Types since using Pihole. Router has Pihole set as broadcasted DNS. Blocklist is completely empty = NAT = medium or strict.
Enabling DHCP on my modem and removing Pihole from my network = NAT open. Makes some games unable to host so my friends can't join anymore.

I have tested this across 3 platforms and over 20 games.

DanSchaper · March 28, 2021, 12:46am

The explanation given in Pi-hole & DHCP & UPnP - #7 by Bucking_Horn still applies. There really isn't a way for DNS server on a separate server can affect NAT which is purely on the router.

Sciant · September 26, 2021, 5:14am

I actually have this problem too, but it can't be. It has to be something about how Xbox determines the NAT type, because other way it really makes no sense.

NAT is a networking aid that groups several individual IPs into a single one. So, your ISP may give you 10.10.10.1 and under that one address you have every device in your house. NAT's work is to know wich device an incoming internet package is intended for. Under no condition a normal pihole installation does this.

Without Microsoft telling us what the Xbox looks for, we'll never know. I suspect it just traceroute a dns (8.8.8.8) petition and if its sees your Xbox first asks a local device, before reaching Google's cloud it assumes you have to have a double nat situation.

I would advise to just disable pihole for your Xbox. Anyways is not like we constantly see ads on it.