Pi-Hole VLAN advice using 05-custom.conf or define VLAN interfaces

Hi,

I have 2 Pi-holes running on a Raspberry Pi 4 with unbound as resolver.
My network consists of 8 VLANs that use Pi-hole as their DNS; I also have some rules in my firewall to stop devices from using another DNS than Pi-hole, all working fine.
To see the devices in my Pi-hole statistics I use a 05-custom.conf file, which looks like this:
server=/Kopernikus-Native.lan/10.10.1.1
server=/Kopernikus-Trusted.lan/10.10.10.1
server=/Kopernikus-Kids.lan/10.10.20.1
server=/Kopernikus-IoT.lan/10.10.30.1
server=/Kopernikus-Surveillance.lan/10.10.40.1
server=/Kopernikus-Servers.lan/10.10.50.1
server=/Kopernikus-Guests.lan/10.10.90.1
server=/Kopernikus-Management.lan/10.10.100.1
server=/1.10.10.in-addr.arpa/10.10.1.1
server=/10.10.10.in-addr.arpa/10.10.10.1
server=/20.10.10.in-addr.arpa/10.10.20.1
server=/30.10.10.in-addr.arpa/10.10.30.1
server=/40.10.10.in-addr.arpa/10.10.40.1
server=/50.10.10.in-addr.arpa/10.10.50.1
server=/90.10.10.in-addr.arpa/10.10.90.1
server=/100.10.10.in-addr.arpa/10.10.100.1

Now I saw in some threads that some people define their VLAN interfaces on the Raspberry Pi itself.
Can someone explain the difference (or advantages) compared to the method I use?

Thx
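As an added example (not part of the original post or of Pi-hole itself), the 05-custom.conf above can be generated from a small VLAN table instead of being typed by hand, which also makes the reverse-zone lines harder to get wrong: for a /24 the in-addr.arpa zone is the first three octets of the gateway address reversed. The table only lists three of the eight VLANs, the file name and the Pi-hole address used in the loop check are assumptions, and the script only handles /24 subnets, as in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: generate dnsmasq "server=" lines for a
# per-VLAN conditional-forwarding file such as /etc/dnsmasq.d/05-custom.conf.
# Every VLAN gets a forward zone (the search domain handed out on that VLAN)
# plus the matching in-addr.arpa reverse zone, both sent to the VLAN gateway,
# which is the DHCP server that knows the client names. /24 subnets only.

# Constructed sample table: "<domain> <gateway>" per VLAN (names from the post).
VLAN_TABLE='
Kopernikus-Native.lan 10.10.1.1
Kopernikus-Trusted.lan 10.10.10.1
Kopernikus-Guests.lan 10.10.90.1
'

# reverse_zone 10.10.20.1 -> 20.10.10.in-addr.arpa (third, second, first octet)
reverse_zone() {
    printf '%s\n' "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Forward zones first, then reverse zones, same layout as the posted file.
gen_dnsmasq_conf() {
    printf '%s\n' "$VLAN_TABLE" | while read -r domain gw; do
        [ -n "$domain" ] || continue
        printf 'server=/%s/%s\n' "$domain" "$gw"
    done
    printf '%s\n' "$VLAN_TABLE" | while read -r domain gw; do
        [ -n "$domain" ] || continue
        printf 'server=/%s/%s\n' "$(reverse_zone "$gw")" "$gw"
    done
}

# Loop check: forwarding a zone to the Pi-hole's own address sends the query
# straight back to pihole-FTL. Prints offenders and returns 0 if any are found.
find_loop() {
    printf '%s\n' "$VLAN_TABLE" | awk -v me="$1" '
        NF == 2 && $2 == me { print "loop: " $1 " forwards to " me; found = 1 }
        END { exit found ? 0 : 1 }'
}

# usage: sh gen-custom-conf.sh print > /etc/dnsmasq.d/05-custom.conf
#        sh gen-custom-conf.sh check 10.10.50.41   (assumed Pi-hole address)
case "${1:-}" in
    print) gen_dnsmasq_conf ;;
    check) find_loop "$2" && exit 1 || echo "no forwarding loop" ;;
esac
```

After writing the file, `pihole restartdns` reloads it; the `check` mode is worth running whenever a gateway address changes, because a zone that forwards back to the Pi-hole itself is the classic DNS loop that stalls pihole-FTL.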

The difference is that you don't have to route the DNS traffic

Maybe @nero355 can give additional info?!

VLANs are a switch thing.
Clients and servers don't need to be aware of what VLANs they are in.
They only need to be aware of the subnets.
There are some exceptions, like hypervisors that apply virtual bridges etc. for their guests/VMs, that need to be on VLAN trunks.
I could be wrong or missing some bits, but I am sure someone here will correct me :wink:

To prevent having to route traffic between the subnets, you could assign all appropriate VLANs to the switch/router port that Pi-hole is connected to.
And create a bunch of aliased IPs, one for each VLAN, on one and the same physically connected interface.
Below is how it is done for Raspbian/Debian using the dhcpcd5 network manager (without having to translate that Dutch link):

pi@ph5:~ $ ip -br link show
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
eth0             UP             b8:27:eb:xx:xx:xx <BROADCAST,MULTICAST,UP,LOWER_UP>

pi@ph5:~ $ ip -br -4 address show
lo               UNKNOWN        127.0.0.1/8
eth0             UP             10.0.0.4/24

pi@ph5:~ $ sudo nano /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)

# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'

# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto eth0.0
iface eth0.0 inet manual

auto eth0.1
iface eth0.1 inet manual

auto eth0.22
iface eth0.22 inet manual

pi@ph5:~ $ sudo service networking restart
pi@ph5:~ $

pi@ph5:~ $ ip -br l
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
eth0             UP             b8:27:eb:xx:xx:xx <BROADCAST,MULTICAST,UP,LOWER_UP>
eth0.0@eth0      UP             b8:27:eb:xx:xx:xx <BROADCAST,MULTICAST,UP,LOWER_UP>
eth0.1@eth0      UP             b8:27:eb:xx:xx:xx <BROADCAST,MULTICAST,UP,LOWER_UP>
eth0.22@eth0     UP             b8:27:eb:xx:xx:xx <BROADCAST,MULTICAST,UP,LOWER_UP>

pi@ph5:~ $ sudo nano /etc/dhcpcd.conf
[..]
interface eth0
  static ip_address=10.0.0.4/24
  static routers=10.0.0.1
  static domain_name_servers=10.0.0.1

interface eth0.0
  static ip_address=10.10.10.10/24

interface eth0.1
  static ip_address=172.16.0.2/24

interface eth0.22
  static ip_address=192.168.0.2/24

pi@ph5:~ $ sudo service dhcpcd restart
pi@ph5:~ $

pi@ph5:~ $ ip -br -4 a
lo               UNKNOWN        127.0.0.1/8
eth0             UP             10.0.0.4/24
eth0.0@eth0      UP             10.10.10.10/24
eth0.1@eth0      UP             172.16.0.2/24
eth0.22@eth0     UP             192.168.0.2/24
pi@ph5:~ $ ip -br -4 r
default via 10.0.0.1 dev eth0 src 10.0.0.4 metric 202
10.0.0.0/24 dev eth0 proto dhcp scope link src 10.0.0.4 metric 202
10.10.10.0/24 dev eth0.0 proto dhcp scope link src 10.10.10.10 metric 206
172.16.0.0/24 dev eth0.1 proto dhcp scope link src 172.16.0.2 metric 207
192.168.0.0/24 dev eth0.22 proto dhcp scope link src 192.168.0.2 metric 208

And make sure Pi-hole is set to "Listen on all interfaces" below:

http://pi.hole/admin/settings.php?tab=dns

EDIT: added routes
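An added example, not from the post above or from Raspbian itself: the same set-up written as ifupdown stanzas that create the 802.1Q sub-interfaces with ip(8) hooks directly (no vlan package or vconfig needed, the kernel loads 8021q when `ip link add ... type vlan` is used), plus the matching dhcpcd.conf fragment. The VLAN ids and addresses in the table are assumed; the parent interface keeps its untagged address and is configured as in the post. The script only generates text, so it can be reviewed before anything is written to /etc.

```sh
#!/bin/sh
# Added example, not from the thread: generate /etc/network/interfaces.d and
# /etc/dhcpcd.conf fragments for 802.1Q sub-interfaces using ip(route2) hooks,
# which is what the vlan package description itself recommends.
PARENT=eth0

# Constructed table: "<vid> <address/prefix>" per tagged VLAN (assumed values).
VLAN_TABLE='
10 10.10.10.41/24
20 10.10.20.41/24
90 10.10.90.41/24
'

# 802.1Q reserves VID 0 (priority tagging) and 4095; only 1..4094 are usable.
valid_vid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# each_vlan CMD: run CMD <vid> <addr> for every valid row of the table
each_vlan() {
    printf '%s\n' "$VLAN_TABLE" | while read -r vid addr; do
        [ -n "$vid" ] || continue
        valid_vid "$vid" || { printf 'skipping invalid VLAN id %s\n' "$vid" >&2; continue; }
        "$@" "$vid" "$addr"
    done
}

# One stanza per VLAN for /etc/network/interfaces.d/vlans: ip(8) creates and
# removes the sub-interface, the address itself is left to dhcpcd (inet manual).
stanza() {
    printf 'auto %s.%s\n' "$PARENT" "$1"
    printf 'iface %s.%s inet manual\n' "$PARENT" "$1"
    printf '    pre-up ip link add link %s name %s.%s type vlan id %s\n' "$PARENT" "$PARENT" "$1" "$1"
    printf '    up ip link set %s.%s up\n' "$PARENT" "$1"
    printf '    post-down ip link del %s.%s\n' "$PARENT" "$1"
    printf '\n'
}
gen_interfaces() { each_vlan stanza; }

# dhcpcd.conf entries: "static ip_address" assigns the address with no DHCP
# lease; no routers/DNS lines here, so the default route stays on the parent.
dhcpcd_entry() {
    printf 'interface %s.%s\n' "$PARENT" "$1"
    printf '  static ip_address=%s\n' "$2"
}
gen_dhcpcd() { each_vlan dhcpcd_entry; }

# The same thing as one-off ip(8) commands, for testing as root before editing
# config files; they are gone after a reboot.
apply_cmd() {
    printf 'ip link add link %s name %s.%s type vlan id %s\n' "$PARENT" "$PARENT" "$1" "$1"
    printf 'ip address add %s dev %s.%s\n' "$2" "$PARENT" "$1"
    printf 'ip link set %s.%s up\n' "$PARENT" "$1"
}
gen_apply_cmds() { each_vlan apply_cmd; }

# usage: sh gen-vlans.sh interfaces > /etc/network/interfaces.d/vlans
#        sh gen-vlans.sh dhcpcd     >> /etc/dhcpcd.conf
#        sh gen-vlans.sh commands   | sudo sh      (temporary, for testing)
case "${1:-}" in
    interfaces) gen_interfaces ;;
    dhcpcd)     gen_dhcpcd ;;
    commands)   gen_apply_cmds ;;
esac
```

Note that `eth0.0` in the post above would be refused by the VID check: VLAN id 0 is not a real VLAN on the wire, so a sub-interface with that id only sees priority-tagged frames. After applying, `ip -br -4 a` and `ip -br -4 r` should show one address and one connected route per sub-interface, as in the post.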

@deHakkelaar

Hi,

Thx for the info.

So if I understand correctly:

  • Create a new VLAN switch profile for my pihole's leaving them in the server VLAN (where they reside now) and tag all other VLAN networks

  • Install VLAN support on the raspberry pi

  • Create a vlan file in /etc/network/interfaces.d to define my VLANs --> I suppose I can skip the VLAN my Pi-hole is in, since that one is connected to eth0?

  • Install VLAN support on the Raspberry Pi

  • Edit /etc/dhcpcd.conf --> do I need to do this also when not using the Pi-holes as DHCP server? I'd rather let my Ubiquiti USG/controller handle this. If it is needed, what is the use of the static IP address defined for every VLAN? Also, the static IP for eth0: should this be the IP address of the Pi-hole? Right now it gets its IP from my DHCP (static assignment).

  • Set Pi-hole to listen to all interfaces

  • Now in all VLANs the DNS is pointed to the same DNS; do I need to change the DNS for each VLAN to the corresponding static IP set in dhcpcd.conf?

Do I still have to use my 05-custom.conf file? or delete it...

Thx!

--> I gave it a try and all seems to be working, except for eth0: as soon as my VLANs are up I can't connect to the Pi-hole admin page or SSH or use DNS on eth0 (however pinging it works). On the VLANs I can go to the statically set address and log in to Pi-hole and use SSH/DNS. After removing the VLANs from the vlan file and restarting networking I am able to access the Pi-hole again on eth0. Any idea what could cause this?

Not sure if you need that vlan package and 8021q driver.
As said before:

pi@ph5:~ $ apt show vlan
[..]
Description: ifupdown integration for vlan configuration
 This package contains integration scripts for configuring vlan
 interfaces via ifupdown (/etc/network/interfaces).
 For further details see vlan-interfaces(5) man page in this package.
 .
 Please note that these integration scripts only supports a limited
 set of interface naming schemes, which means you might be better
 off with writing your own ifupdown hooks using ip(route2)
 directly in /etc/network/interfaces rather than using this package.
 .
 It currently also ships a wrapper script for backwards compatibility
 called vconfig, that replaces the old deprecated vconfig program
 with translations to ip(route2) commands.
 This compatibility shim might be dropped in future releases, please
 use ip(route2) commands directly.
 .
 Your kernel needs vlan support for this to work, see "modinfo 8021q".

pi@ph5:~ $ apt-file list vlan
vlan: /etc/network/if-post-down.d/vlan
vlan: /etc/network/if-pre-up.d/vlan
vlan: /etc/network/if-up.d/ip
vlan: /sbin/vconfig
vlan: /usr/share/doc/vlan/NEWS.Debian.gz
vlan: /usr/share/doc/vlan/TODO
vlan: /usr/share/doc/vlan/changelog.gz
vlan: /usr/share/doc/vlan/copyright
vlan: /usr/share/man/man5/vlan-interfaces.5.gz
vlan: /usr/share/man/man8/vconfig.8.gz

You can create those aliased IPs without the above.
Maybe @nero355 can elaborate on why that vlan package and 8021q driver would be necessary?

Assigning a static IP through dhcpcd.conf may sound confusing as if it were to get IP details via DHCP but this is not the case.
The static ip_address= directive will assign a static IP without DHCP dependency:

pi@ph5:~ $ apt show dhcpcd5
[..]
Description: DHCPv4, IPv6RA and DHCPv6 client with IPv4LL support
 dhcpcd is a one stop network management daemon which includes
  * RFC compliant DHCPv4 and DHCPv6 clients
  * DHCPv6 Prefix Delegation support
  * IPv4LL (aka ZeroConf) support
  * ARP address conflict resolution
  * Link carrier detection
  * Wireless SSID profiles
  * ARP ping profiles

N: There is 1 additional record. Please use the '-a' switch to see it

Yes.

Yes that file is suited for storing your own customizations.

Human error :wink:
Can you post content of the dhcpcd.conf and interfaces.d-->vlan file ?

sudo grep -v '^\s*#\|^\s*$' -R /etc/network/interfaces*

sudo grep -v '^\s*#\|^\s*$' /etc/dhcpcd.conf

And post the output for the below when you can't connect to the eth0 IP (SSH into one of the other IPs)?

ip -4 a s eth0

ip -4 r

@deHakkelaar

Hi,

Activated config and did SSH to VLAN10 10.10.10.41 (since eth0 on 10.10.50.41 doesn't work)

Content of dhcpcd.conf:

hostname
clientid
persistent
option rapid_commit
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
option interface_mtu
require dhcp_server_identifier
slaac private
interface eth0
static ip_address=10.10.50.41/24
static routers=10.10.50.1
static domain_name_servers=127.0.0.1
interface eth0.10
static ip_address=10.10.10.41/24
interface eth0.20
static ip_address=10.10.20.41/24
interface eth0.30
static ip_address=10.10.30.41/24
interface eth0.90
static ip_address=10.10.90.41/24

Content of vlan:

/etc/network/interfaces:source-directory /etc/network/interfaces.d
/etc/network/interfaces.d/vlans:auto eth0.10
/etc/network/interfaces.d/vlans:iface eth0.10 inet manual
/etc/network/interfaces.d/vlans:vlan-raw-device eth0
/etc/network/interfaces.d/vlans:auto eth0.20
/etc/network/interfaces.d/vlans:iface eth0.20 inet manual
/etc/network/interfaces.d/vlans:vlan-raw-device eth0
/etc/network/interfaces.d/vlans:auto eth0.30
/etc/network/interfaces.d/vlans:iface eth0.30 inet manual
/etc/network/interfaces.d/vlans:vlan-raw-device eth0
/etc/network/interfaces.d/vlans:auto eth0.90
/etc/network/interfaces.d/vlans:iface eth0.90 inet manual
/etc/network/interfaces.d/vlans:vlan-raw-device eth0

ip -4 a s eth0:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 10.10.50.41/24 brd 10.10.50.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever

ip -4 r:

default via 10.10.50.1 dev eth0 src 10.10.50.41 metric 202
10.10.10.0/24 dev eth0.10 proto dhcp scope link src 10.10.10.41 metric 204
10.10.20.0/24 dev eth0.20 proto dhcp scope link src 10.10.20.41 metric 205
10.10.30.0/24 dev eth0.30 proto dhcp scope link src 10.10.30.41 metric 206
10.10.50.0/24 dev eth0 proto dhcp scope link src 10.10.50.41 metric 202
10.10.90.0/24 dev eth0.90 proto dhcp scope link src 10.10.90.41 metric 207

Hope you can see some error :slight_smile:

Thx!

Got it working! :slight_smile:

Somehow it was the vlan package that caused the problem.
So I removed the vlan package and disabled the kernel module from starting.
Reboot, and I can access Pi-hole on eth0 and all other VLANs.

Next test: change the DNS in the controller/USG to the appropriate VLAN DNS and see if all is working.


Good tips here. I just enabled a couple of firewall rules to allow traffic from one VLAN to the other for my Pi-hole specific IPs, but maybe I will test this out in the future!

I prefer to have another, external DNS server(s) configured for processes running on the Pi-hole host.
Sometimes, for example when tinkering, the pihole-FTL daemon could stop replying to DNS lookups on the 127.0.0.1 IP and you're dead in the water without DNS.

To complement your setup, I would also configure a firewall, either local or on the router/switch, to block certain ports for particular VLANs.
For the non-trusted VLANs, I would block SSH (22/TCP) and the web GUI access (80/TCP) to Pi-hole.

Doing it your way means the router is using valuable resources to NAT traffic from one VLAN to another.
More load and more memory used for the routing tables etc.
Letting the switch engine do all the work, like described in this thread, is less resource heavy for your router/switch.
And you won't have to reboot the router every now and then because the NAT tables are all messed up again.
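As an added example of the per-VLAN port blocking suggested above (not code from the thread or from Pi-hole), here is a local nftables input policy for a Pi-hole host with one sub-interface per VLAN: DNS is accepted from every VLAN interface, SSH (22/TCP) and the web GUI (80/TCP) only from the interfaces listed as trusted, everything else is dropped. The interface names follow the eth0.<vid> naming used in this thread and which VLANs count as trusted is an assumption. The chain has a drop policy, so check it with `nft -c` first and apply it from a trusted VLAN or the console, and add 67/udp if the Pi-hole host is ever made the DHCP server (here the USG does DHCP, so it is left out).

```sh
#!/bin/sh
# Added example, not from the thread: nftables ruleset limiting SSH and the
# admin GUI to trusted VLAN interfaces while serving DNS to all of them.
# Interface lists are assumptions based on the thread's eth0.<vid> naming.
TRUSTED='eth0 eth0.10'                       # server VLAN + trusted VLAN
ALL='eth0 eth0.10 eth0.20 eth0.30 eth0.90'    # every VLAN Pi-hole serves

# Turn "eth0 eth0.10" into the nft anonymous-set form { "eth0", "eth0.10" }
nft_set() {
    out=''
    for i in $1; do
        out="${out:+$out, }\"$i\""
    done
    printf '{ %s }' "$out"
}

gen_ruleset() {
    all=$(nft_set "$ALL")
    trusted=$(nft_set "$TRUSTED")
    # "table ... ; flush table ..." first makes the reload atomic and idempotent.
    cat <<EOF
table inet pihole_access
flush table inet pihole_access
table inet pihole_access {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # keep ping working from every VLAN so reachability tests stay meaningful
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept

        # DNS from every VLAN interface
        iifname $all udp dport 53 accept
        iifname $all tcp dport 53 accept

        # SSH and the admin GUI only from trusted interfaces
        iifname $trusted tcp dport { 22, 80 } accept

        # everything else hits the drop policy; log a sample for troubleshooting
        limit rate 5/minute log prefix "pihole_access drop: "
    }
}
EOF
}

# Syntax/semantic check without loading anything (needs nft and root).
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo 'nft not installed' >&2; return 1; }
    gen_ruleset | nft -c -f -
}

# usage: sh pihole-nft.sh print > /etc/nftables.conf   (then: sudo nft -f /etc/nftables.conf)
#        sudo sh pihole-nft.sh check
case "${1:-}" in
    print) gen_ruleset ;;
    check) check_ruleset ;;
esac
```

With this in place `sudo nft list ruleset` should show the two DNS rules carrying the full interface set and the 22/80 rule carrying only the trusted one; a client on eth0.90 can still resolve names but gets no answer on ports 22 and 80, which is the behaviour the post above asks for.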

@deHakkelaar

Screamed too fast that it was working :frowning: :zipper_mouth_face:
Came home, all was locked up, had to revert everything.
But maybe I'm closer to a solution. What happened was the following: I made a VPN connection to my OpenVPN AS, which is running in a docker container on my Synology NAS. I disabled the VLAN service on the Raspberry Pis and then did a ping to the eth0 interface, and all was working, without realising the only reason it was resolving was the VPN connection. When I was back home I couldn't reach the Pi-holes on their eth0 interface; as soon as I disabled them again all was working fine.

So what would be the problem here?

sudo grep -i 'interface=\|bind-' -R /etc/dnsmasq.*

?

EDIT: ps. whats a "OpenVPN AS" ?

Hi,

Did:
sudo grep -i 'interface=\|bind-' -R /etc/dnsmasq.*

But I still can't reach it on eth0.
To test, I tried it also from other VLANs and also from the native LAN (eth1), same result. I also disabled the firewall to test, but it doesn't work. The question remains why it did work through the VPN.

OpenVPN Access Server+ (GitHub - linuxserver/docker-openvpn-as)

I meant I wanted to see the output for that grep command ?
If no output, thats a good thing.

I can't make out which device is dialing into that Docker VPN server?
If its the Pi-hole host, test without being connected to VPN first.
VPN servers will force their own DNS server IP's onto the clients.

To test DNS resolution, you can use the nslookup tool on a client (Windows/Linux/MacOS) as well as on the Pi-hole host itself eg:

nslookup pi.hole

nslookup pi.hole 10.10.50.41

nslookup pi.hole 10.10.90.41

nslookup pi.hole 8.8.8.8

nslookup pi-hole.net 10.10.50.41

EDIT: ow ps. make sure DNS queries dont get looped back to Pi-hole.
A typical loop that users create is to configure their router to be the upstream DNS server for Pi-hole.
And the loop is closed when the router upstream WAN/Internet DNS setting points to the Pi-hole IP.
The "Conditional forwarding" setting in Pi-hole can also create a DNS loop.

Hi,

No output from the grep command.
It was a Windows PC (at my work) that was connecting to it; from there I have access to all my VLANs. It is the Pi-hole DNS servers that are pushed.
If I do the nslookup test on my pc all seem to resolve fine.
Also ping to it responds (IP & hostname).
But it won't let me access the admin page, also SSH and DNS not working.
When I remove the aliases all is working fine again.

Router is set to Cloudflare DNS, but I have DNS redirection and masquerade rules in my json file for devices that have hard-coded DNS. Conditional forwarding is disabled... however, isn't my 05-custom.conf doing the same?

Did also tracert to the pihole ip and all goes like it should first out of the trusted vlan gateway and then to the pihole.

It's like something blocked the ports, but why only when the aliases are activated?

Btw, as upstream for my pihole's I use Unbound

Are you sure no DNS loop exists (like described in previous posting of mine) that can lockup the pihole-FTL daemon ?
Usually you get "time-out" messages when doing a nslookup (without VPN).
And load on the Pi-hole host is unusually high:

uptime

And check the logs live if pihole-FTL gets flooded:

pihole -t

Do some more nslookup checks to pinpoint!

All nslookups give me an instant answer without delay, same for tracert, all below 1ms.
Could it have something to do with Unbound?

So it seems currently all is working as intended ?
But after a while it grinds to a halt ?
Thats what happens if you have a DNS loop.
But yeah unbound can have issues too:

journalctl -u unbound

No, DNS lookups work, but I can't access the admin interface or connect through SSH on eth0.
Just checked pihole-FTL live, all seems fine.
It's like there's a firewall rule that doesn't allow connecting.

Check local firewall on Pi-hole.
Below is permissive allowing all:

pi@ph5:~ $ sudo iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

EDIT: one more:

sudo netstat -nltup