I've recently installed Pi-hole on my Raspberry Pi and everything seems to be working fine; however, I have my PC on a VLAN, and if I try to change my DNS server to the Raspberry Pi's IP, it doesn't get recognized, and running nslookup pi.hole returns UnKnown can't find pi.hole: Non-existent domain. For network management I use a UDM SE. I've tried setting up some firewall rules to let access through, as I can ping the Raspberry Pi's IP from my computer, but the Raspberry Pi doesn't get a response from mine. I have the "permit all origins" button checked, and there don't seem to be any errors in the debug log.
If I put my computer on the same subnet as the Pi, it works flawlessly.
I've not used UDM but from what I've read inter-VLAN routing is enabled by default. Therefore one approach to test this might be to revert to the default rulesets, possibly by starting over with the VLAN config to be certain it's clean defaults (if that's feasible in your application), and then testing access to Pi-hole from the other subnets.
If that works then it's a case of finding the right firewall rules to lock them back down while retaining the Pi-hole capability. At least you will know it's doable and just a permissions/firewall issue.
If you have subnets A, B and C, perhaps one option is to put the Pi-hole on its own subnet P, and not set any blocks between each A and P, B and P and C and P, and let the default inter-VLAN routing continue to work for those combinations. Rather than trying to mostly lock down, say, A and B but allowing the Pi-hole to keep working.
On a side note, in your debug log the router at 192.168.1.1 is the DHCP server and is giving out itself via DHCP as the DNS server to use.
The DNS server would need to be changed to the Pi-hole's IP on 192.168.1.112. It may just be that at the moment you're testing with a manually configured DNS on a client and will do this later, but I thought it worth mentioning. The log shows that blocking is working fine when Pi-hole is asked, as your same-subnet tests have also shown.
I don't have firewall rules blocking inter-VLAN communication from or to the default subnet. I've kept things mostly default as I am still learning how to work with it all. The only firewall rules affecting my VLAN are there to block connections between VLANs of other computers on the network, and I don't think that should affect Pi-hole, as they only block my computer from communicating with other computers, not everything else. The firewall rules I tried to assign to Pi-hole are a desperate attempt at allowing traffic through port 53 between my computer and Pi-hole; however, it hasn't worked. What I have noticed, though, is that my computer's IP does actually show up in Pi-hole's administration panel; however, there are only two queries to sdk.split.io, and nslookup pi.hole still returns the same thing.
And yes, I am aware that the DHCP server on 192.168.1.1 is still set to itself; I am planning to change it when I resolve this issue and get Pi-hole working on VLANs and mounted on my rack.
Main thing is that your Pihole address needs to have an ALLOW rule for DNS lookups in the firewall before your BLOCK rule preventing Inter-VLAN communication.
I have a UDM-Pro and a UDM-SE in two different setups, but both use the same firewall logic. I allow my Trusted VLAN and Management VLAN full access to my other VLANs, but the other VLANs are restricted from the Trusted and Management. Pihole sits in my Trusted VLAN, for my uses.
First, a rule to let your VLANs talk to your Pihole:
Type: LAN In
Name: Allow DNS access from all VLANs
Action: Accept
Protocol: TCP and UDP
Source Type: Port/IP Group
Address Group: Any
Port Group: Any
Destination Type: Port/IP Group
Address Group: Allowed DNS Server Addresses (this group is defined under Profiles/IP Groups as my Pihole's IP address; you can add others, or you can set Destination Type to "IP Address" and specify that way)
Port Group: DNS ports 53 and 853 (again, defined under Profiles to contain both these port numbers in one group)
Then a rule to let your Pihole get out to perform lookups:
Same as above except "Source Type" is Port/IP Group using that same "Allowed DNS Server Addresses" group. Destination is the same as above "DNS Ports 53 and 853".
Then a rule to drop unauthorized DNS:
Type: LAN In
Name: Block unknown DNS servers
Action: Drop
Protocol: TCP and UDP
Source: Any
Destination: Port/IP Group
Port Group: "DNS Ports 53 and 853"
Of course, make sure your Allows are above the Drop rule.
Finally, your Pihole can be configured with the option "Respond only on interface ...", using whatever interface name corresponds to your Pi's primary network interface, because all network traffic via the UDM is presumably through that primary interface.
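To make the ordering point concrete, here is an added example (not the poster's configuration and not the UDM's own rule engine or API) that models the three recommended rules plus an existing inter-VLAN block as a first-match list, then evaluates the same packets with the Drop rule placed above the Allows. The subnets 192.168.20.0/24 and 192.168.30.0/24 and the rule names are constructed for the example; only the Pi-hole address 192.168.1.112 and the 53/853 port group come from the thread.

```python
"""First-match model of the 'LAN In' rule order recommended above.
Constructed addresses and rule names; not the UDM's own engine or API."""
import ipaddress

# Constructed for this example (not the poster's real subnets).
PIHOLE_NET = ipaddress.ip_network("192.168.1.112/32")   # the "Allowed DNS Server Addresses" group
PC_VLAN = ipaddress.ip_network("192.168.20.0/24")        # hypothetical VLAN holding the PC
IOT_VLAN = ipaddress.ip_network("192.168.30.0/24")       # hypothetical VLAN the PC is kept away from
DNS_PORTS = frozenset({53, 853})                         # the "DNS Ports 53 and 853" port group


def rule(name, action, src=None, dst=None, dports=None, protos=("tcp", "udp")):
    """One LAN In rule. None for src/dst/dports means 'Any', as in the UDM UI."""
    return {"name": name, "action": action, "src": src, "dst": dst,
            "dports": dports, "protos": frozenset(protos)}


def matches(r, pkt):
    """True when every non-'Any' field of the rule matches the packet."""
    return (pkt["proto"] in r["protos"]
            and (r["src"] is None or pkt["src"] in r["src"])
            and (r["dst"] is None or pkt["dst"] in r["dst"])
            and (r["dports"] is None or pkt["dport"] in r["dports"]))


def evaluate(rules, pkt):
    """First matching rule wins. With no match the default applies, which on the
    UDM is to allow routed inter-VLAN traffic (as chrislph noted above)."""
    for r in rules:
        if matches(r, pkt):
            return r["action"], r["name"]
    return "accept", "default inter-VLAN routing"


def packet(src, dst, dport, proto="udp"):
    """Build a packet tuple from dotted-quad strings."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": dport, "proto": proto}


# The order recommended in the post: Allows first, then the Drop.
RECOMMENDED = [
    rule("Allow DNS access from all VLANs", "accept", dst=PIHOLE_NET, dports=DNS_PORTS),
    rule("Allow Pi-hole upstream lookups", "accept", src=PIHOLE_NET, dports=DNS_PORTS),
    rule("Block unknown DNS servers", "drop", dports=DNS_PORTS),
    rule("Block PC VLAN to IoT VLAN", "drop", src=PC_VLAN, dst=IOT_VLAN),
]

# Same rules with the Drop placed first: the mistake the post warns against.
DROP_FIRST = [RECOMMENDED[2]] + RECOMMENDED[:2] + RECOMMENDED[3:]

if __name__ == "__main__":
    pc_to_pihole = packet("192.168.20.10", "192.168.1.112", 53)
    for label, rules in (("recommended", RECOMMENDED), ("drop first", DROP_FIRST)):
        print(label, "->", evaluate(rules, pc_to_pihole))
```

Running it shows the PC's query to the Pi-hole accepted by the first Allow in the recommended order, but dropped by "Block unknown DNS servers" when that rule is moved to the top; the second Allow is what keeps the Pi-hole's own upstream queries from being caught by the same Drop.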
I've added the rules exactly how you said they should be.
nslookup pi.hole no longer shows "Non-existent domain"; however, now it shows this:

```text
>nslookup pi.hole
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.112
DNS request timed out.
timeout was 2 seconds.
```
So we're getting somewhere, there's just something else in the way.
As per request from Bucking_Horn, here are outputs of the commands:
**ping 192.168.1.112**

```text
Pinging 192.168.1.112 with 32 bytes of data:
Reply from 192.168.1.112: bytes=32 time<1ms TTL=63
Reply from 192.168.1.112: bytes=32 time<1ms TTL=63
Reply from 192.168.1.112: bytes=32 time<1ms TTL=63
Reply from 192.168.1.112: bytes=32 time<1ms TTL=63
Ping statistics for 192.168.1.112:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
```

**ping fe80::9841:f42b:9828:dec9**

```text
Pinging fe80::9841:f42b:9828:dec9 with 32 bytes of data:
Destination host unreachable.
Ping statistics for fe80::9841:f42b:9828:dec9:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
```

**nslookup pi.hole**

```text
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.112
```

**nslookup pi.hole 192.168.1.112**

```text
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.112
```

**nslookup pi.hole fe80::9841:f42b:9828:dec9**

```text
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: fe80::9841:f42b:9828:dec9
```
For testing purposes, disable/pause all your firewall rules in the UDM-Pro then try the nslookups again.
If it still fails, I don't see how it's a problem with the UDM-Pro. As @chrislph said above, by default all VLANs can talk to one another -- UNLESS you have an "Isolation" checkbox selected (under Settings/Networks/networkname/Isolation or Settings/WiFi/SSID/Advance/Client Device Isolation).
I've paused the firewall rules and the old Non-existent domain error pops up again.
None of my VLANs have isolation enabled.
If it's not a problem with the UDM, what else could it be?