Pihole plus Guest Wifi on different IP range

Hi All

With reference to the diagram below I'm looking to set my Pi up to act as a PiHole + Guest Wifi

I already have PiHole (SunnySide) up and running and acting as DNS/DHCP server for my main home network (Birdsnest) and have also configured hostapd to turn the WAP on at a basic level (ie I can see it in a wifi client).

I think i have enough detail to get the forwarding etc back over to eth0 up and working but where I'm stuck (in my head at least) is on configuring DHCP.

What I want is that eth0 assigns IPs in the range 192.168.1.100 - 192.168.1.200 (ie the current behaviour) but clients connecting via wlan0 get assigned IP addresses in the range 10.0.0100-10.0.0.200

http://sharetheexperience.co.uk/PI/MikeNet.png

Make a firewall rule on Guest Wifi to send dns to SunnySide

I use EdgeRouter

Ok so progress of a sort.

Can connect via the guest wifi providing I set the IPs manually soo all thats left is to figure out how too do the DHCP bit.

Oh and figure out how to either disable 5Ghz or at leats give it an SSID (keeps coming up on clients as

----information to get the wifi working-------------

/etc/dhcpcd.conf

interface eth0
static ip_address=192.168.1.210/24
static routers=192.168.1.1
static domain_name_servers=127.0.0.1

interface wlan0
static ip_address=10.0.0.1/24
static routers=192.168.1.1
static domain_name_servers=127.0.0.1

/etc/hostapd/hostapd.conf

interface=wlan0
driver=nl80211
ssid=Sunnyside
hw_mode=g
channel=8
ieee80211n=1
wmm_enabled=1
#ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]
macaddr_acl=0
auth_algs=1
#ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=PASSWORD
rsn_pairwise=CCMP

/etc/default/hostapd

DAEMON_CONF="/etc/hostapd/hostapd.conf"

/etc/sysctl.conf

net.ipv4.ip_forward=1

Shell
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

/etc/rc.local

iptables-restore < /etc/iptables.ipv4.nat

/etc/dnsmasq.d/01-pihole.conf (added via web interface. This listens on all interfaces at all times)

except-interface=nonexisting

aha there's a thought.

Disable the DHCP part of PiHole

Install full DNSmaq and only use that for DHCP

IIRC you can have 2 or more instances of dnsmaq running bound to sperate interfaces (as long as only one of them is bound to the loopback address)

task for tomorrow I think

The pihole-FTL binary already has a full version of dnsmasq embedded:

https://docs.pi-hole.net/ftldns/dns-resolver/

EDIT: aha sorry, alongside Pi-hole yes
Binding DHCP could be difficult though as I failed last time I tried.

EDIT2: This one might do the trick:

pi@noads:~ $ man dnsmasq
[..]
       -2, --no-dhcp-interface=<interface name>
              Do  not  provide DHCP or TFTP on the specified interface, but do
              provide DNS service.
[..]

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

EDIT3: And use below one allot:

sudo netstat -nltup | grep 'Proto\|:53 \|:67 \|:80 \|:471[1-8] '

A while ago, I've setup a separate Pi (i.e in addition to an existing Pi-hole machine) as WLAN access point to isolate my TV from the rest of my network - not quite your setup, but maybe I can provide one hint or another.

Your network diagram is impressive, but it brings up quite a few questions, so I hope I did understand your setup sufficiently to be of help.

If I read your chart correctly, you plan to use your SunnySide-Pi as both a DHCP and a Pi-hole augmented DNS server for two separate sub-networks (which makes this setup a bit trickier than mine).

In my setup, I disabled DHCP client configuration for my WLAN in /etc/dhcpcd.conf:

denyinterfaces wlan0

Instead, I defined a static IP for it in /etc/network/interfaces

# WLAN-interface
allow-hotplug wlan0
iface wlan0 inet static
address 10.10.10.1
netmask 255.255.255.0

In addition, you should consider doing this for your eth0 as well.

With regards to iptable's firewall settings, just the following line (exactly the first in your statements) was enough to get me running:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The tricky part is going to be the configuration of dnsmasq to serve two subnetworks. In my case, that would've been done by editing /etc/dnsmasq.conf:

# sufficient for my scenario
interface=wlan0
dhcp-range=10.10.10.100,10.10.10.200,24h
dhcp-option=option:dns-server,10.10.10.1

# additional config for your scenario
interface=eth0
dhcp-range=192.168.1.100,192.168.1.200,24h
dhcp-option=option:dns-server,192.168.1.2

This configures a distinct sub-network address range for each interface and hands out the SunnySide's respective IP address as DNS server.

However, as you are using Pi-hole on the same machine in your configuration, you have to find a way to integrate this with Pi-holes built-in dnsmasq (configured via files in the /etc/dnsmasq.d/ directory) and make this configuration survive Pi-hole updates as well as manipulations through Pi-holes web admin UI.

Perhaps one of the Pi-hole moderators can jump in here and provide us with some insights on how to achieve this ?

Put the configuration lines in a file other than 01-pihole.conf and it will not be affected by updates. There will be no available manipulations to the file from the web GUI.

@Bucking_Horn
ahh the .2 & .210 there's a (not very) good reason for that.

I was doing some fiddling around and I lost access to my Pi and it was quicker just to whip out the SD card and rebuild than it was to go hunting around for a monitor lead etc (or maybe I was just being lazy) ;o)

I just haven't redone the IP addressing yet (although both are outside the range asigned by DHCP)

Based on your comments & @jfbs contribution that gives me something to work on later .

Question though: If I'm putting the extra config in a new config file inside of /etc/dnsmasq.d then I presume I will still need to leave "Enable DHCP" ticked in the webgui

That shouldn't hurt, that range is what is used if a client (like your Guest-1 or Laptop-1) is asking for its configuration via DHCP.
Your static DHCP leases (for Birdsnest and SkyNet) should be done in the usual way, i.e. the respective section within Pi-holes web admin panel.
I'd assume that's how you did configure your network so far, didn't you?
If not, we should develop a better understanding of your current setup first, as I wouldn't want you to end up with your router being inaccessible.

So this means Pi-hole will write information on DHCP IP address range as well as static leases to /etc/dnsmasq.d/01-pihole.conf. As Pi-holes admin console seems to configure strictly one (sub)network, this will likely be the one bound to your existent network on the eth0 interface.

Hence, I'd suggest to give jfb's suggestion a try put only the wlan0 related lines of my above dnsmasq.conf into a new file /etc/dnsmasq.d/09-guestnet.conf.
On a hunch, it might be a good idea to verify Pi-hole's own 01-pihole.conf contains an eth0 configuration similar to the lines I posted above, just to make sure it's set to hand out a DNS server IP address that's valid on that eth0 sub-network.

And yes, I'd leave DHCP enabled in Pi-hole.

@Bucking_Horn

Birdnsest & Skynet are both Sagecom routers supplied by my ISP (I had a spare one lying around from moving house so I repurposed it)

Birdsnest is the ISP facing device where the WAN IP is assigned dynamically (but I am running a Dynamic DNS client on it) and the LAN IP of 192.168.1.1 is set on there by default (I've just disabled the DHCP server on it)

SkyNet has its (effective) WAN IP set statically in it's config to 192.168.1.3 with SunnySide as it's DNS whilst its LAN is using 192.168.2.1 dishing out IPs in the range 192.168.2.100-192.168.2.200. The Skynet Clients use the router (192.168.2.1) as their DNS.

SunnySide (the Pi) now has it's eth0 IP (ie what is effectivly it's WAN IP) set statically to 192.168.1.2 in /etc/dhcpcd.conf and its wlan0 IP (ie it's LAN) also set statically in there to 10.0.0.1

interface eth0
static ip_address=192.168.1.2/24
static routers=192.168.1.1
static domain_name_servers=127.0.0.1

interface wlan0
static ip_address=10.0.0.1/24
static routers=192.168.1.1
static domain_name_servers=127.0.0.1

The Sunnyside WAN is acting as DHCP and DNS for the 192.168.1.* network dishing out IPs in the range 192.168.1.100 -192.168.1.200

Neither Birdsnests or Skynets IPs are stored in any lease info being outside the DHCP assigned range.

Getting the Sunnyside LAN working is now the final part of the jigsaw. Effectively it needs to work the same as Skynet.

NB have gone back to a more basic config for now and haven't got any of the iptables bits in there. Not bothered about breaking anything as I can always quickly turn back on DHCP on Birdsnet as a failover (will then revert to using the original DNS settings). Also need to redo hostapd bits.

Right back to the rest:

/etc/dnsmasq.d/01-pihole.conf

This appears to be for DNS only and is currently set via the webgui to listen on all interfaces (so clients on the Sunnyside LAN will be able to use 10.0.0.1 as their DNS)

addn-hosts=/etc/pihole/gravity.list
addn-hosts=/etc/pihole/black.list
addn-hosts=/etc/pihole/local.list
localise-queries
no-resolv
cache-size=10000
log-queries
log-facility=/var/log/pihole.log
local-ttl=2
log-async
# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
server=1.1.1.1
server=1.0.0.1
domain-needed
bogus-priv
except-interface=nonexisting

/etc/dnsmasq.d/01-pihole.conf

appears to contain the DHCP info although it doesn't bind it to a specific interface so that may cause a problem even with a new "guest" conf file as suggested (watch this space)

dhcp-authoritative
dhcp-range=192.168.1.100,192.168.1.200,24h
dhcp-option=option:router,192.168.1.1
dhcp-leasefile=/etc/pihole/dhcp.leases
#quiet-dhcp

domain=lan

Update

Reconfigured Hostapd and added the new pihole conf file as suggested and I can now connect to the Sunnyside guest wifi & get assigned an IP range from the pool. Now all that's left to do is get the traffic flowing ;o)

/etc/dnsmasq.d/09-guestnet.conf
interface=wlan0
dhcp-range=10.0.0.100,10.0.0.200,24h
dhcp-option=option:dns-server,10.0.0.1

Hostapd stuff

sudo apt-get -y install hostapd

/etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
ssid=Sunnyside
hw_mode=g
channel=8
ieee80211n=1
wmm_enabled=1
#ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=ITSASECRET
rsn_pairwise=CCMP

/etc/default/hostapd
DAEMON_CONF="/etc/hostapd/hostapd.conf"

Need to correct initial startup errors

sudo systemctl unmask hostapd
sudo systemctl enable hostapd
sudo systemctl start hostapd

@ deHakkelaar

apologies I seem to have missed your post but thanks

I wasn't expecting to see this based on @jfb s comments

pihole_dhcp_01991×676 24.7 KB

98% working.

I say 98% as although my android phones all connect to the guest wifi on Sunnyside and work as expected for some reason my W10 laptop point blank refuses too (simply states "unable to connect to this network) .

So my final (for now lol) setup is/was

Install Raspbian

Set Static IPs in /etc/dhcpcd.conf

interface eth0
static ip_address=192.168.1.2/24
static routers=192.168.1.1
static domain_name_servers=1.1.1.1

interface wlan0
static ip_address=10.0.0.1/24
static routers=192.168.1.1
static domain_name_servers=127.0.0.1

Reboot

Install PiHole

Change /etc/dhcpcd.conf back to the below for eth0

static domain_name_servers=127.0.01

Create New conf file for guest network /etc/dnsmasq.d/09-guestnet.conf (happy for guests not to use pihole)

interface=wlan0
dhcp-range=10.0.0.100,10.0.0.200,4h
dhcp-option=option:dns-server,1.1.1.1,8.8.8.8
dhcp-option=option:router,10.0.0.1

Install Hostapd and configure as follows

Create /etc/hostapd/hostapd.conf

interface=wlan0
driver=nl80211
ssid=Sunnyside
hw_mode=g
channel=8
ieee80211n=1
wmm_enabled=1
#ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]
macaddr_acl=0
auth_algs=1
#ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=PASSWORD
rsn_pairwise=CCMP

Add the following to /etc/default/hostapd

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Edit /etc/sysctl.conf and uncomment

net.ipv4.ip_forward=1

Shell
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo sh -c “iptables-save > /etc/iptables.ipv4.nat”
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo systemctl unmask hostapd
sudo systemctl enable hostapd
sudo systemctl start hostapd

add too /etc/rc.local
iptables-restore < /etc/iptables.ipv4.nat

Reboot

or not

just spotted new clients connecting to Birdsnest are getting an IP from the correct pool but being given the wlan0 gateway and DNS servers .

Commented all the extra conf in the new file out for now so everything else but the guest wifi on Sunnyside still works properly.

Back to the drawing board I think tomorrow.

Sorry for a bit of an absence, but there were other weekend activities keeping me relaxed

I've tried to emulate parts of your scenario in my network and succeded with minor adjustments.

First, I switched configuring the Pi's (your SunnySide's) static IP addresses via dhcpcd.conf just like you, instead of denying the interfaces there and using /etc/network/interfaces for configuration.
The difference is in how I configure wlan0 in
/etc/dhcpcd.conf

interface wlan0
     static ip_address=10.0.0.1/24
     static routers=192.168.1.1
     static domain_name_servers=127.0.0.1
     nohook wpa_supplicant

As you can see, I keep localhost (SunnySide) as DNS server and try to prevent wlan0 from being configured as a potential client by wpa_supplicant.

Then I tried binding the DHCP configuration options specific for your guest wlan to wlan0 explicitly in
/etc/dnsmasq.d/09-guestnet.conf:

interface=wlan0
dhcp-range=wlan0,10.0.0.100,10.0.0.200,4h
dhcp-option=wlan0,option:router,10.0.0.1
dhcp-option=wlan0,option:dns-server,10.0.0.1

So SunnySide will propagate itself as router/gateway as well as DNS server to its clients in the 10.x.x.x sub-network bound to wlan0. I didn't touch any of the Pi-hole's own dnsmasq.d/ configuration files.
I have, however, setup some static leases, which resulted in Pi-hole's web admin panel complaining about missing files at first as well as in creation of a few extra config files - they are explained in What files does Pi-hole use?, with the exception of the file for static leases themselves, 04-pihole-static-dhcp.conf.
[EDIT]
It probably would have been nice to assign an alternate domain name for the 10.x.x.x clients, but I have failed to do so. Attaching an interface to the domain directive (e.g.domain=wlan0,guest-wlan) results in FTL faliure to start, whereas just stating another domain is ignored.
[/EDIT]

The last difference remains with my iptables configuration:

I doubt that your additional lines have any influence on the problem, but thought I mention it nonetheless.

With these configurations, I was able to connect my Laptop to my 192.x.x.x (standard gateway 192.x.x.1 as reported by Windows) as well as to my 10.x.x.x network (standard gateway 10.x.x.1 as reported by Windows) with the correct gateway and traffic being filtered by Pi-hole.
(Should you need to add IPV6 support for SunnySides clients, additional configuration steps will have to be made.)

I hope it'll do the same for you.

@Bucking_Horn

I know the feeling, I suspect I wont get back on this until tomorrow now when "the boss" is in work ;o)

In the meantime just dived into my box of bits and found a 5 Port TL-SG105 Gigabit swiitch and a TL-WR702N mini router lying around i there, Oddly I can't connect to the wifi on that from my laptop either (which is the same problem I have with Sunnyside wifi) but I can from my android phones.

Ho Hum , something else to look into in the meantime updated diagram and random picture of the Birdsnest router, the Pi , the switch & the mini router

MikeNet1076×726 41.7 KB

IMG_20190915_1219345120×3840 2.94 MB

@Bucking_Horn

Perfect all working as expected...mostly

Thanks very much for the assist.

Only issue I have is that one of my 2 laptops (which are both running W10) simply will not connect and doesn't even get as far as a password prompt (Simply pops up as "Unable to Connect") when connecting to the SSID but given its doing the same for both Sunnyside & Valhalla says to me that's a laptop or some oddball compatability issue (although it connects to other wifi networks fine) .

Which leaves the question, what do I use Valhalla for lol

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.