The Dream: Network Wide PiHole

I would like help on setting one PiHole for the whole network → This means that the Wifi and Ethernet Network, Guest wifi and IoT wifi all use the PiHole.

[Hard\Soft]ware Info:

• ISP
  • Fiber Converter: ZTE (model unknown)
  • Router: ZTE ZXHN H3600 (specs)
• My Network
  • TP-Link Deco XE75 (specs)
    • 3 Units, 1 Main, 2 Mesh
  • PiHole
    • Raspberry 5
    • OS: Debian 1:6.12.34-1+rpt1~bookworm (2025-06-26)
    • Core: v6.1.4
    • FTL: v6.2.3
    • Web interface: v6.2.1

Expected Behaviour:

• Deco Wifi and Ethernet Networks works fine
• PiHole is set as DNS for all devices on Deco Network
• Guest Network works as well
• IoT Network works as well

Actual Behaviour:

• Guest and IoT networks accept connections of devices
• Devices on those networks fail on DNS

Debug Token:

https://tricorder.pi-hole.net/5qafbG8L/

Current Network - Diagram:

n.drawio733×804 100 KB

Root Cause

TP-Link Guest and IoT Networks run on a separate VLan that is setup by the Main Deco Router.

However:

• TP-Link Main Deco Router pass the DNS Address that User sets on the Main Network to the Guest and IoT Networks.
• TP-Link does NOT allow a different DNS Address to be set for the other networks.

Causing:

• Guest and IoT Network only works if DNS is reachable for separate VLANs.

Related: TP-Link guest wifi networks and Pi-hole – Roy Tanck

Possible Solution

PiHole on ISP Router → Making it Global

n_option2.drawio1112×806 133 KB

That did NOT work, and would like some help to understand why.

Steps:

• Connected Laptop to ISP Router by Cable
• Connected PiHole to ISP Router by Cable
• Connected Computer to Deco Mesh Router by Cable
• Setup ISP Router to give static IP to PiHole
• Setup new static IP to PiHole
• Set the new PiHole IP Address as new DNS Server Address
  • In Main Deco
  • In Laptop
• Restarted all machines
• Verified DNS Address is received in DHCP

Expected:

• Laptop network to work
• Computer network to work

Actual:

• DHCP sent the new PiHole Address
• Laptop was able to connect fine since it was straight up on the ISP router along the PiHole
• Computer was NOT able to connect → since it was in the Deco Network → Cant reach pihole ???

TL;DR → Can someone help me setting PiHole IP Address in a global way so the Deco devices can also reach it ? How to setup it on the ISP router and make it reachable to the Deco Routers as well ?

If you reach this far, thank you very much. Appreciate your time and help.

Thanks also to the team behind the project (big kudos to any contributors !)

I dont have a solution for you but, what allot of routers do is isolate clients in the guest network in a /31 subnet (2 addresses) with only the client and router IP.
So no way out to other IP's without additional routes or NATing.

Just complementing deHakkelaar's answer:

This is a guess because I don't have a TP Link Deco, but you can try to disable AP isolation on your router:

• How to set up Device Isolation on TP-Link Router/Deco (follow the link instructions, but turn off the isolation switch).

And your attention to detail, testing, and the data-presentation architecture diagrams are also appreciated.

Thanks for the info.
I am guessing that I will have to de-prioritize guest network from working with the PiHole.

At least, if they can connect to “an network” and use it, they will be fine. And since the Guest Network should be isolated, that is fine by me for now.

I will take this out of my objectives list.

Appreciate the reply from a Dev.

You are correct:
IF device is isolated
THEN it does not work
DUE to device not able to connect to the DNS PiHole.

For any device to work, it has to be NOT isolated.

The funny thing is: That is NOT an option for the TP-Link so called “IoT Network“ and “Guest Network“.
DUE to these Networks coping the DNS address from the Main Network configuration.
AND TP-Link always isolating them (non configurable).

If you know anything around those constraints let me know, but since they are “hardcoded“ on the Decos to act like that, it seems to have little hope changing that part.

[Followup 1] NAT Forwarding or Static Routing

@deHakkelaar Mentioned:

“So no way out to other IP's without additional routes or NATing. “

I dont have experience with those, that is why I tried to set the addresses directly on the Main Deco to point the DNS to the Main ISP Router [1] that is then configured to have the DHCP to point to the PiHole[2]. (see picture above)

I checked both the Deco Router and the ISP Router → both have those options available to be configured.

Maybe I just need to learn more about those and try something out

Quick Question: Would using those configurations make it work ?

Example Configuration (static route idea)

Maybe firewalls could be what is messing things here (need to check)
In theory, that gist should work no ?

Altough not a priority, even if the device is isolated - on main, guest or IoT network - they will ask Deco Router for the PiHole address, and the Deco Router itself will know how to forward the requests.

Any info to quickstart or some guidelines\gist would be highly appreciated.

No, sorry I don't have anything else to say about this router. As I said, I don't have a TP Link Deco.

I only posted a link from TP-Link Router/Deco support.
I think you will need to search their support website to find a better answer.

I think you'll have better luck asking on the TP-Link support forum for how to break out of guest isolation ... if applied at all.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.