Pi-hole, multiple vLAN's, and DNS

tenkara · January 14, 2024, 4:45pm

I've read dozens of topics on the forum here and elsewhere online. Not sure if this is the correct category or not.

My setup:

Hardware: x86_64 box, core i5, 32gb RAM
TP-Link Omada ER7206 VPN Router
TP-Link Omada SG2008P switch (two of these)
TP-Link Omada WiFi APs (two)
Software: Ubuntu 22.04, QEMU/KVM
TP-Link Omada software controller

I have Pi-hole setup (including DNS resolution via unbound) in a VM on the machine above and have been running it successfully for many years with the router from my previous ISP. I recently got symmetrical gigabit fiber and as I run a small business from my home, I also upgraded my setup to include the TP-Link Omada gear I listed above. In doing so, I setup multiple vLANs on my system with the hope that my single VM with Pi-hole can resole DNS for all of the vLANs.

vLAN Setup:
vLAN1: management 192.168.0.0/24 (untagged)
vLAN2: guest 172.16.0.0/24 (tagged)
vLAN10: family wifi 192.168.10.0/24 (tagged)
vLAN20: media/streaming devices 10.10.20.0/24 (tagged)
vLAN1010: work 10.10.0.10/24 (tagged)
Tailscale

Initially, everything was setup on what is now the management vLAN and this is where the pi-hole currently is at as well. The pi-hole IP is 192.168.0.33. I've read dozens and dozens of topics here on the forum, read numerous websites and even read quite a few threads on reddit. And, I cannot figure out what I am doing incorrectly.

Expected Behaviour:

Pi-hole will resolve DNS and block ads on all vLANs.

Actual Behaviour:

I've tried pointing the various vLANs to the pi-hole via settings in the Omada controller and doing so results in no DNS resolution and no internet access on that vLAN. I have also tried setting multiple static IP addresses for the pi-hole via netplan on command line, which pi-hole even recognizes in the settings but this still does not enable ad blocking, DNS resolution, or internet access.

I've also attempted to set numerous ACL via the Omada controller with no improvement in the situation. In fact, it makes things worse. Admittedly, whilst I have read quite a bit about them, I only really understand using ACL in theory and not writing/implementing them. At the moment, all ACL are disabled.

So, what settings in pi-hole am I missing or not have setup correctly?

Debug Token:

My token
Thank you in advance for any assistance.

Edit: Reading through my debug, I see that dnsmasq does not see the additional static IP that I set. It only sees the original one from setting up the pi-hole 5 years ago. Could this be part of the problem?

Bucking_Horn · January 14, 2024, 6:18pm

Primarily, inter-VLAN communication is a routing issue, i.e. your router has to support it, and it has to be configured to do so.
It then would depend on whether your Pi-hole host machine would have been attached to each of your VLANs (i.e. it has an IP from each VLAN), or whether the router would NAT traffic to your Pi-hole host IP in the management VLAN.
Both of those scenarios should work with your Pi-hole straight away.

But sometimes, a router would directly route traffic from each of your VLANs to your host.

Strictly speaking, this would break VLAN isolation, but if that's how your router is handling it, you may have to switch Pi-hole's listening behaviour to Permit all origins.

tenkara · January 17, 2024, 9:46pm

Thank you for your quick reply. I do know that I can setup inter VLAN communication via my router.

No, from what I can tell at the moment, my pi-hole host machine does not have an IP from each VLAN. Whislt I was awaiting a reply, I kept playing around with settings. When I attempt to route from the VLAN20 that I reference above to the pi-hole on the pi-hole IP (currently set at 10.10.20.2) for that VLAN, it refuses to connect and says I do not have internet access. The reason for this is explained further below.

However, in playing around I changed the pi-hole settings from "Allow only local requests" to "Respond only on interface enp1s0". Then I pointed VLAN10 (family wifi) directly at the original pi-hole IP and it worked.

Update: Upon further digging for the past few days, I ended up discovering part of the problem. In short, it related to configuration within the TP-Link Omada controller. I was attempting to apply the VLAN to a port that had an AP connected to it and I had devices connected to a dumb-switch through the extra port on the AP. TP-Link explicitly state that if you apply VLAN settings to an AP directly, all connected devices will lose internet access, regardless of any other settings. In other words, I have to either live with the setup at the moment, or I need to run another drop to that location so they can be separated out.

Furthermore, I've been trying to learn more about dnsmasq to use custom settings to enable static IP addresses on my pi-hole for each VLAN. In so doing, then I can enable strict VLAN isolation while still retaining the benefits of pi-hole. With the settings I currently have, my router will direct traffic from each VLAN to the pi-hole, as you suggest.

Thanks for your suggestions @Bucking_Horn, they helped me look in the right direction.

rogern · January 18, 2024, 1:51pm

If you want to direct all DNS traffic in your network (VLAN`s), you do this by the router/firewall and is working very well here (UDM-Pro) .

system · February 8, 2024, 1:52pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.