Pi-Hole Static DHCP not working properly


Expected Behaviour:

Static IP should be allocated to specific MAC and leased

Actual Behaviour:

Devices with and without a static IP are not being leased by DHCP, and hostapd somehow deauths them

Debug Token:

https://tricorder.pi-hole.net/redacted

Further info:

The Pi is the Access Point (hostapd); it runs Pi-hole and PiVPN, and Pi-hole provides DNS blocking and DHCP. Whenever there is a static IP set in the pi-hole/admin page, the devices, whether they have a DHCP static lease or not, cannot get connected to the Pi. If I remove all the static IP entries, the problem disappears*. But I need the static IP enabled.

A device experiences this error: (Android)
#1 Connects to the AP, DHCP lease OK, after a few seconds, disconnects
#2 Reconnects again and repeats #1

Keep the wifi open.
After some time, the client can connect to the AP without any disconnection. But if you disable the wifi and reconnect again, the same problem occurs.

Other device:
Connected to the AP but cannot even reach the pihole admin page; unable to connect.

Thank You

This looks much more like a hostapd bug than a Pi-hole bug. The only difference between a dynamic and a static lease is that, in the latter case, we always hand out the configured IP address to the configured device.

Note that the Pi-hole DHCP server is unlike many router DHCP servers. Instead of assigning IP addresses sequentially (first device becomes .2, second device becomes .3, etc.), we try to always assign the same address to the same device (based on a hash computed from the device’s MAC address). This is the reason why the first device connected might receive a high address like .145.

Taking this into account, you can maybe even live without fixed static assignments? If not, you will likely have to file a bug against hostapd because - from Pi-hole’s perspective - static leases are nothing special at all. As said, the only difference is that we look up the address to be handed out in a table instead of computing it from the MAC address. Everything else in the procedure is exactly the same.

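The two assignment paths described in the reply above (a fixed address looked up in a table for static leases, a deterministic address derived from the MAC for everything else) can be shown with a small allocator. This is an added example, not pihole-FTL/dnsmasq code: the SHA-256-based hash, the forward probing on collisions, the pool 192.168.4.2 to .201 and the MAC addresses are constructed for the demonstration, and FTL's real hash and pool handling differ.

```python
"""Toy DHCP allocator (constructed example): static leases come from a table,
dynamic leases are derived from a hash of the MAC so the same device gets the
same address regardless of join order. Not the Pi-hole/dnsmasq implementation."""
import hashlib
import ipaddress
from typing import Dict, Optional

IPv4 = ipaddress.IPv4Address


def hashed_offset(mac: str, pool_size: int) -> int:
    """Deterministic pool offset for a MAC (assumption: SHA-256, first 4 bytes).
    A first client may land anywhere in the pool, e.g. on .145, not on .2."""
    digest = hashlib.sha256(mac.lower().encode()).digest()
    return int.from_bytes(digest[:4], "big") % pool_size


class Allocator:
    def __init__(self, pool_start: str, pool_size: int,
                 static_leases: Optional[Dict[str, str]] = None):
        self.pool_start = IPv4(pool_start)
        self.pool_size = pool_size
        # static table (MAC -> pinned address), the "lookup" path
        self.static = {m.lower(): IPv4(a) for m, a in (static_leases or {}).items()}
        self.leases: Dict[str, IPv4] = {}          # active leases, MAC -> address

    def _free_for(self, addr: IPv4, mac: str) -> bool:
        # pinned addresses are never handed to a different device ...
        if addr in self.static.values() and self.static.get(mac) != addr:
            return False
        # ... and neither is an address another device currently holds
        return all(a != addr for m, a in self.leases.items() if m != mac)

    def allocate(self, mac: str) -> Optional[IPv4]:
        mac = mac.lower()
        if mac in self.leases:                     # renewal keeps the lease
            return self.leases[mac]
        if mac in self.static:                     # static: table lookup
            addr = self.static[mac]
        else:                                      # dynamic: compute from MAC
            start = hashed_offset(mac, self.pool_size)
            addr = None
            for i in range(self.pool_size):        # probe forward on collision
                cand = self.pool_start + (start + i) % self.pool_size
                if self._free_for(cand, mac):
                    addr = cand
                    break
            if addr is None:
                return None                        # pool exhausted
        self.leases[mac] = addr
        return addr

    def release(self, mac: str) -> None:
        self.leases.pop(mac.lower(), None)


if __name__ == "__main__":
    # constructed pool and devices
    alloc = Allocator("192.168.4.2", 200, {"aa:bb:cc:dd:ee:01": "192.168.4.10"})
    for mac in ("aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:03"):
        print(mac, "->", alloc.allocate(mac))
    alloc.release("aa:bb:cc:dd:ee:02")
    print("rejoin ->", alloc.allocate("aa:bb:cc:dd:ee:02"))   # same address again
```

The point of the example is the one made in the reply: from the allocator's view a static lease only changes where the address comes from, not how the lease is handed out, so a client that fails with static entries present is failing somewhere other than address selection.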

Thank you for your fast response and clear explanation of DHCP leases. I have now compiled and installed a newer version (2.9) of hostapd from w1.fi. I will now continue to monitor whether I still get the said issues. This is really a strange issue; it happens randomly.

I have another question: if I set a blocklist of around a million (or more) domains, will this slow down pihole-FTL (dnsmasq, right?) in answering requests and DHCP?

I want to disable all logging, including to /var/log/pihole.log, but there is a warning on the admin page that it will disable REGEX blocking? This is the wildcard blocking, right? Is there a way to enable regex (wildcard) blocking even if all logging is off?

Can someone help me with iptables?
My upstream net interface is wlan1.
My LAN interface is wlan0.
I have an unbound DNS setup and I have set iptables to DROP (INPUT, OUTPUT and FORWARD chains); I just cannot figure out how to allow unbound to access the upstream net and hand the result to pi-hole FTL (dnsmasq). NAT is configured but it does not work. I think it may be easier to just set the iptables chains to ACCEPT, but I do not want to allow everything.

Thank You

Generally not. Your gravity list is stored in memory and lookups are quite fast. Where problems arise is when you start running out of memory. You can easily have a million domains in gravity on a recent Pi (even a Zero), but an original Pi may be challenged with only 256 MB memory.

The more important question - what do you hope to accomplish with more blocklists? Are you seeing ads? Do you want to filter out specific content? I have experimented with anything from the bare minimum lists to a few million domains in gravity, and the result with more blocklists was a lot of false positives and more whitelisting on my part. So I run just the 6 lists that ship with Pi-Hole and add a few regex and local blacklist entries.

You shouldn’t need any specific iptables rules to run unbound. It uses port 53 outgoing the same as Pi-Hole. If Pi-Hole works on the Pi, then so will unbound on the same Pi.

I want to disable all logging, including to /var/log/pihole.log, but there is a warning on the admin page that it will disable REGEX blocking? This is the wildcard blocking, right? Is there a way to enable regex (wildcard) blocking even if all logging is off?

With more blocklists, I intend to block more ads and trackers from various sources. Oh, does pihole remove duplicate domains from different sources before compiling to gravity? Yes, I expect more whitelisting on my part.

Unbound was on port 5354 and I redirect all DNS requests to my pihole to prevent other DNS setups on other devices; I guess I need to experiment more with iptables.

Yes, if you use a privacy level other than “No statistics mode”. Level 3 should meet your needs.

https://docs.pi-hole.net/ftldns/privacylevels/

Yes. Duplicate entries are removed when gravity is built.

When you redirect your DNS queries to Pi-Hole, you don’t need to do any further redirection. Pi-Hole receives the queries, filters them for blockage, then if needed Pi-Hole communicates directly with unbound using the assigned port on the Pi. Your iptables surely have an exception for the Pi itself, otherwise Pi-Hole can’t reach any external DNS servers (nor can unbound).

Just curious - which guide did you follow to set up unbound with Pi-Hole? Port 5354 is not the port we typically see used.
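The reply above makes the practical point for a DROP-policy host: the Pi itself needs an exception to reach upstream DNS, clients need to reach Pi-hole, and the Pi-hole to unbound hop stays on loopback. As an added example (not from the thread or the Pi-hole project), the following audits an iptables-save dump for exactly those exceptions, using the interface names from the question (wlan0 as LAN, wlan1 as upstream). Both rulesets are constructed: a "weak" one that only allows established traffic and so can never start an upstream query, and a corrected one with the minimum exceptions. The requirement list is my assumption of what such a host needs; NAT and FORWARD rules for client internet access are out of scope here.

```python
"""Audit an iptables-save dump for the exceptions a DROP-policy Pi running
Pi-hole (port 53) and a loopback unbound needs. Constructed example."""
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed: default DROP everywhere, only already-established flows pass.
# Pi-hole cannot start any upstream query with this ruleset.
WEAK_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Constructed: same policies plus the minimum exceptions. The Pi-hole to unbound
# exchange (127.0.0.1 on whatever port unbound listens on) rides on lo.
FIXED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o wlan1 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o wlan1 -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
"""

# Assumed requirements: (chain, interface, protocol, destination port).
# None means "any"; a rule narrower than the requirement does not satisfy it.
Req = Tuple[str, str, Optional[str], Optional[str]]
REQUIREMENTS: Dict[str, Req] = {
    "clients can reach Pi-hole on UDP 53": ("INPUT", "wlan0", "udp", "53"),
    "clients can reach Pi-hole on TCP 53": ("INPUT", "wlan0", "tcp", "53"),
    "clients can get DHCP leases (UDP 67)": ("INPUT", "wlan0", "udp", "67"),
    "loopback in (Pi-hole <-> unbound)": ("INPUT", "lo", None, None),
    "loopback out (Pi-hole <-> unbound)": ("OUTPUT", "lo", None, None),
    "Pi itself can query upstream over UDP 53": ("OUTPUT", "wlan1", "udp", "53"),
    "Pi itself can query upstream over TCP 53": ("OUTPUT", "wlan1", "tcp", "53"),
}

OPTIONS = {"-i", "-o", "-p", "-j", "-s", "-d", "-m", "--dport", "--ctstate", "--state"}


def parse_rules(dump: str) -> List[Dict[str, str]]:
    """Turn each '-A CHAIN ...' line into a dict of the options we care about."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule = {"chain": toks[1]}
        i = 2
        while i < len(toks):
            if toks[i] == "!":            # negated match: skip option and value
                i += 3
            elif toks[i] in OPTIONS and i + 1 < len(toks):
                rule[toks[i]] = toks[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def satisfies(rule: Dict[str, str], req: Req) -> bool:
    chain, iface, proto, dport = req
    if rule["chain"] != chain or rule.get("-j") != "ACCEPT":
        return False
    state = rule.get("--ctstate") or rule.get("--state")
    if state is not None and "NEW" not in state.split(","):
        return False                      # established-only: cannot start a flow
    ikey = "-i" if chain == "INPUT" else "-o"
    for key, wanted in ((ikey, iface), ("-p", proto), ("--dport", dport)):
        have = rule.get(key)
        if have is not None and have != wanted:
            return False                  # bound to another iface/proto/port
    return True


def missing_exceptions(dump: str) -> List[str]:
    """Names of requirements no ACCEPT rule in the dump covers."""
    rules = parse_rules(dump)
    return [name for name, req in REQUIREMENTS.items()
            if not any(satisfies(r, req) for r in rules)]


if __name__ == "__main__":
    for label, dump in (("weak", WEAK_RULESET), ("fixed", FIXED_RULESET)):
        print(label, "missing:", missing_exceptions(dump) or "nothing")
```

On a real host the dump would come from `iptables-save` (run as root); the checker reads the text only and changes nothing. A rule with no interface, protocol or state restriction in OUTPUT would also satisfy every OUTPUT requirement, which is the "ACCEPT everything" shortcut the question wanted to avoid.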

Yes, if you use any privacy level other than “No statistics mode”. Level 3 should meet your needs.

Will this disable the file log to /var/log/pihole.log, to maximize SD card life?

This is conflicting in my mind: if I execute this, regex will not work?

Additionally, you can disable logging to the file /var/log/pihole.log using sudo pihole logging off .

I used the official guide for Pi-hole with unbound; I just changed the port number.
https://docs.pi-hole.net/guides/unbound/

No. For that, you would disable query logging from the Web GUI > Settings > System or from the command line with the pihole command.

I wouldn’t worry too much about this bit of writing damaging your SD card. Also note that if you disable query logging you lose the ability to tail the pihole log, which is a handy troubleshooting tool.

-l, logging [on|off|off noflush]
           Specify whether the Pi-hole log should be used

            (Logging options):
             on                Enable the Pi-hole log at /var/log/pihole.log
             off               Disable and flush the Pi-hole log at
                               /var/log/pihole.log
             off noflush       Disable the Pi-hole log at /var/log/pihole.log

If you use privacy level 3, you can still use regex. If you disable query logging, you can still use regex.


Thanks and Good Night

The issue appeared again with the updated hostapd and wpa_supplicant version 2.9. The entropy is > 3400.

As of this moment, I do not know what caused this error.
It may also be because of the ht_capab setting in the hostapd config.
I will close this issue now.