PiHole behind CGNAT cannot ping router as soon as it's setup as WAN DNS in Router settings

Expected Behaviour:

-operating system - Linux Mint Mate 20.1
-hardware - Hyper-V VM

Actual Behaviour:

Nothing works as expected

Debug Token:

https://gist.github.com/IosifZ/4f93122601f517e5589f7740112b6884

I had Pi-Hole as a Hyper-V VM for a year, I think, working fine. Recently I've changed places and due to CGNAT I had to start using IPv6 in order to access my stuff from outside my network.
At some point I've noticed that the ads on my phone are starting to show up.
The initial VM seemed to be buggy and I thought to start fresh.

Topology:
Asus RT-AC68u router acting as DHCP and Gateway - 192.168.0.1
Windows 10 PC - acting as a Docker (Docker for Windows) and VM host - 192.168.0.55
Pi-Hole Hyper-V VM - Linux Mint Mate 20.1 - 192.168.0.54 (the old one was 192.168.0.53).

Currently the Router cannot ping the Pi-Hole and the other way around. But my PC and Pi-Hole can ping each other without issues. If I ping google.com I get an IPv6 response. If I ping 1.1.1.1 or 8.8.8.8 from the Pi-Hole it fails.

I've tried a lot of stuff before giving up and thinking to post here. Initially I've noticed the issue due to the fact that some websites were unreachable.
Scope: I would like for the router to remain as the DHCP as it always was (just in case my PC/VM have issues and I do not want my wife to scream at me) and to have ads blocked on IPv4 and IPv6.
Currently I cannot upload the log directly, I just generated from the interface and copy pasted it on Gist.Github.

Many thanks in advance for any help you might give me.

(Side note: Use nslookup or dig to analyse and document DNS issues. In general, ping isn't adequate to analyse DNS issues, even when using hostnames, as it resolves hostnames through a variety of sources, not just DNS, while pinging IP addresses wouldn't involve name resolution at all.)

If you cannot ping an address, your issue is with networking rather than Pi-hole.

Your debug log would support this, as it shows that Pihole doesn't receive any DHCP replies on its link:

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   
   DHCP packets received on interface eth0: 0
   DHCP packets received on interface lo: 0

This would suggest that your router and your Pi-hole's host are not residing within the same network segment (or link), either because a switch or similar network equipment is splitting your network into separate segments, or because your VM software does.

Note that this would be normal for a dockered Pi-hole with Docker's (default) bridge network. Yet in that case, Docker would take care of routing traffic between the Docker host to its internal bridge network.

I'd guess that your Hyper-V Pi-hole VM somehow may lack proper routing, so you should probably check your VM network settings (I am unfamiliar with that type of setup, so cannot provide any more specific advice, sorry).

As far as DNS is concerned, your Pi-hole isn't able to forward DNS requests to public IPv4 DNS servers:

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] 4e76.btcc.com is 0.0.0.0 via localhost (127.0.0.1)
[✓] 4e76.btcc.com is 0.0.0.0 via Pi-hole (192.168.0.54)
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (8.8.8.8)

This could be due to the same networking issue (Pi-hole's VM may lack proper routing).

Currently, you have configured your Pi-hole to use a single IPv4 DNS server (1.1.1.1) as upstream. As a workaround, you may instead try to configure IPv6 addresses exclusively as Pi-hole's upstream. As you mentioned your ISP is CGNATing your IPv4, using IPv6 upstreams should also speed up DNS resolution by a bit (by avoiding the multiple NATs associated with CGNAT).

While doing so may allow you to resolve DNS successfully, it won't address your IP ping issues.
To solve those, you should also consider your VM documentation and support forums.

Thanks. I am reading again some stuff about Hyper-V. The things that seem weird are:

  • The VM had a proper Internet connection before setting up Pi-Hole as I was able to install Pi-Hole.
    This makes me think that maybe I messed something up, but for the life of me I am not able to figure out what.
  • The IPv4 of the Pi-Hole is a DHCP reservation handled through the router.
  • I already checked that the MAC address of the VM corresponds with the MAC Address of the reservation (although the router saw the VM at the moment of the DHCP reservation).
    There is no other equipment over there beside the Router and various devices connected through wired or wireless network. The router and the Pi-Hole are the only ones able to touch/modify the network's behavior (no Switch, AP etc.).
    LE: I've managed to find out the article that I used to create the External Hyper-V Switch ages ago. I've double-checked my settings and they are identical.
    Even later Edit: I've checked only IPv6 in Upstream DNS and here is a fresh copy of the log
    Two websites that cannot be accessed from Firefox in the Pihole VM are github.com and test-ipv6.com.
    Approx. 30 minutes ago when I wrote the above, TeamViewer was saying "Ready to connect"; now, without any other modifications (I've been googling and reading the debug log), it says "Only LAN connections are possible" again. I feel lost... It's there, but I cannot really touch it.
    BTW: The IPv6 firewall is disabled on the router and the IPv6 address of the Pihole is listed as the DNS there. On the LAN and WAN sections of the router I have the IPv4 address of the Pihole listed as the DNS (192.168.0.54).

Current status:

iosif@iosif-DNS2:~$ dig google.com
; <<>> DiG 9.16.1-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43589
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		78	IN	A	216.58.212.174

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 06 15:16:34 EEST 2021
;; MSG SIZE  rcvd: 55
; <<>> DiG 9.16.1-Ubuntu <<>> github.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9067
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;github.com.			IN	A

;; ANSWER SECTION:
github.com.		57	IN	A	140.82.121.4

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 06 15:19:44 EEST 2021
;; MSG SIZE  rcvd: 55

Latest debug log
Ping is still not working and I still cannot access github or test-ipv6.com from the pihole VM.

Those dig results demonstrate that DNS resolution is working fine for both google.com as well as github.com, as an IP address is returned in both cases.

If you can't access those sites, that may be for the same reason that you cannot ping IPv4 addresses - and that would be a networking issue rather than Pi-hole.

We are good here at tackling Pi-hole issues, but for specific networking issues, you may want to consult other sources as well.
I'd probably start with Hyper-V, and I'd verify how my ISP's CGNAT is (supposed to be) working.

You may get lucky and one of our community members running a Hyper-V VM setup behind a CGNAT has experienced the same issue as you and has already found a solution they would be willing to share.
In order to better attract such users, you should consider changing your topic title to better reflect your config.

@Bucking_Horn So I spun up another VM, same OS.

  • Applied all the OS updates, installed the latest kernel plus TeamViewer.
    All good, my router was responding to the VM's pings all the time after each step.
  • Then I installed PiHole.
    All good, my router was responding to the VM's pings.
  • Imported through the teleporter the Whitelist, Blacklist and Adlists.
    All good, my router was responding to the VM's pings.
  • I've set up the new VM (192.168.0.23) as a LAN DNS in my router settings.
    All good, my router was responding to the VM's pings.
  • I've set up the new VM as the WAN DNS.
    This is the moment when the router stopped answering my pings.

iosif@DNS-2:~$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.428 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.344 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=1.05 ms
^C
--- 192.168.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2056ms
rtt min/avg/max/mdev = 0.344/0.605/1.045/0.312 ms
iosif@DNS-2:~$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.392 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.484 ms
^C
--- 192.168.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 0.392/0.438/0.484/0.046 ms
iosif@DNS-2:~$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
From 192.168.0.23 icmp_seq=1 Destination Host Unreachable
From 192.168.0.23 icmp_seq=2 Destination Host Unreachable
From 192.168.0.23 icmp_seq=3 Destination Host Unreachable
From 192.168.0.23 icmp_seq=4 Destination Host Unreachable
From 192.168.0.23 icmp_seq=5 Destination Host Unreachable
From 192.168.0.23 icmp_seq=6 Destination Host Unreachable
^C
--- 192.168.0.1 ping statistics ---
7 packets transmitted, 0 received, +6 errors, 100% packet loss, time 6140ms
pipe 3

So now I will try to rename my thread and see if I can find more people with experience with this kind of issue.

Thank you for all your help so far.

L.E.: I've set up 8.8.8.8 as the WAN DNS in my router settings and boom, my router started to answer ping requests sent from the Pihole VM. Also the VM is answering the ping requests from the router interface.
I took the opportunity to finally submit a debug log, token: oaz9g81fox

So according to this my mistake is using the Pihole as WAN DNS. I should use it only on the LAN section of the router. I will give this a go and let you know if it works.

L.E.: Everything seems to be working now.
Here is the current configuration:

  • LAN DNS in the DHCP section of the router = Pihole VM IP address (IPv4)
  • WAN DNS is the one from Google (8.8.8.8) with Cloudflare (1.1.1.1) as a backup
  • IPv6 section = Pihole VM IP address (IPv6)

The only weird thing is that for some reason on my phone I see ads although I do not see them on my PC.
Later Edit: This post helped me figure out that my Asus router insists on advertising itself as a DNS to the LAN devices in addition to the DNS settings explicitly filled in by the user. This explains why my phone still sees ads (because it's using the router's IP as DNS for IPv6 and modern devices prefer IPv6 over IPv4).
As far as I found out reading on Google, the last remaining issue can be solved by using a third-party firmware for my router (dd-wrt or Merlin), but considering that for the moment my router is still in the warranty period I am not sure if I should go there yet.
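A check for the last issue described in this post (a LAN client learning a second, non-Pi-hole resolver from the router over IPv6 and using it in preference to Pi-hole), as an added example that is not code from the thread or from the Pi-hole project. The resolv.conf contents, the Pi-hole IPv6 address and the router's IPv6 addresses are constructed placeholders.

```python
"""Audit which DNS resolvers a LAN client actually uses.

Every resolver that is not Pi-hole lets the client resolve names without
ad blocking, which is exactly what happens when the router also advertises
itself as a DNS server via IPv6 Router Advertisements (RDNSS).
"""
import ipaddress

# Pi-hole addresses: the IPv4 from the thread's topology plus an assumed
# (constructed) IPv6 ULA address standing in for the real one.
PIHOLE = {"192.168.0.23", "fd00::23"}

# Constructed resolv.conf as a dual-stack client might write it after taking
# DNS from DHCPv4 (Pi-hole) and from the router's RA (router link-local and
# a documentation-range global address standing in for the router's GUA).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 192.168.0.23
nameserver fe80::1%eth0
nameserver 2001:db8::1
"""


def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf text, zone ids stripped."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1].split("%", 1)[0])  # strip %eth0 scope
    return servers


def audit_resolvers(text, pihole=PIHOLE):
    """Classify each resolver as (address, ip_version, 'pihole'|'bypass')."""
    canonical = {str(ipaddress.ip_address(a)) for a in pihole}
    report = []
    for addr in parse_nameservers(text):
        ip = ipaddress.ip_address(addr)
        status = "pihole" if str(ip) in canonical else "bypass"
        report.append((str(ip), ip.version, status))
    return report


def bypasses(text, pihole=PIHOLE):
    """Addresses that let the client skip Pi-hole; IPv6 ones are the usual culprit."""
    return [a for a, _, s in audit_resolvers(text, pihole) if s == "bypass"]
```

On a real client, feed it the contents of /etc/resolv.conf (or the output of `resolvectl status` on systemd-resolved systems) and the Pi-hole's actual addresses; any entry reported as `bypass` with version 6 points at the router's RA rather than at the DHCP settings.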

Disable IPv6 on your router and this should fix the problem.

@jfb I need the IPv6 due to the fact that I am behind CGNAT and I want to be able to access my services from outside the house.
