Raspberry Pi4 Linux 6.12.47+rpt-rpi-v8, Debian GNU/Linux 13 (trixie)
Only eth0 (Ethernet) is configured. WLAN is deactivated.
PiHole V6.3, FTL V6.4.1
DNS Settings --> Interface Setting --> Respond only on interface eth0
DNS Settings --> Interface Setting --> Custom DNS servers 127.0.0.1#53535 for Unbound
All Settings --> DNS Server --> dns.revServers
true,192.168.99.240/28,192.168.99.254,mgmt.woonan
true,192.168.101.0/26,192.168.101.62,lan.woonan
true,172.16.254.0/27,172.16.254.30,gugus
true,10.1.255.128/25,10.1.255.254,nowayout
EdgeRouter ER-12 V3.0.1
Networks:
br101 over eth10.101 and switch0.101
br102 over eth10.102 and switch0.102
br255 over eth10.255 and switch0.255
eth4 is part of switch0 and set as PVID 102 as part of br102 (PiHole is connected here)
eth8 not in use
eth9 has 192.168.33.254/30
eth10 is on 192.168.99.254/28 which is the management network
eth11 is the WAN Port
switch0 has no IP
On the ER-12 I have the following NAT rules configured, which do work to stop devices from using hard-coded DNS settings.
rule 8 {
    description "Rule 8: br102 DNS Redirect to PiHole"
    destination {
        group {
            port-group DNS_Port
        }
    }
    disabled right NOW
    inbound-interface br102
    inside-address {
        address PIHOLE_DNS-Server
        port 53
    }
    log enable
    protocol tcp_udp
    source {
        address !PIHOLE_DNS-Server
        group {
        }
    }
    type destination
}
... the above rule has been created for all local networks in use.
rule 5000 {
    description "Rule 5000: masquerade for WAN"
    log enable
    outbound-interface eth11
    protocol all
    type masquerade
}
...
rule 5003 {
    description "Rule 5003: br102 Translate DNS to Internal"
    destination {
        group {
            address-group PIHOLE_DNS-Server
            port-group DNS_Port
        }
    }
    disabled right NOW
    log enable
    outbound-interface br102
    protocol tcp_udp
    source {
        group {
        }
    }
    type masquerade
}
... The above SNAT/masquerade rule is only needed once.
My problems are:
1.) If NAT rules 8 and 5003 are disabled, PiHole can resolve all DNS names of the local networks. On the other hand, this will not catch any devices that want to bypass the DNS server set via DHCP (PiHole), and thus will not redirect them to PiHole.
2.) If NAT rules 8 and 5003 are enabled, PiHole can ONLY resolve DNS names in its own VLAN. All other devices are then displayed with the same gateway IP of the network PiHole is part of. It is no longer possible to distinguish which device made which DNS query. This will successfully intercept all devices that attempt to bypass the specified DNS server, and they will be redirected to PiHole.
On the Raspberry Pi (PiHole server), I tried to get PiHole to resolve all IPs to the corresponding DNS names using various guides (VLAN settings, network settings, ...). But the guides are written for PiHole V5. No guides were found for PiHole V6, which now only uses NetworkManager (nmcli).
The question is whether the DNAT & SNAT/Masquerade rules of the EdgeRouter need to be changed or if an adjustment is needed in the Raspberry Pi.
Who uses this combination, and what are the settings for it?
I wish everyone a pleasant X-Mas holiday with family and/or friends.
Thomas
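The following is an added illustration, not code from the post or from the EdgeRouter: it replays rule 8 (DNAT) and rule 5003 (masquerade) on constructed DNS packets to show why, with rule 5003 scoped to everything leaving br102 toward PiHole, every cross-VLAN client arrives at PiHole as the br102 gateway address, and it also models a narrower masquerade that only covers the hairpin case (client on the same bridge as PiHole), which goes beyond what the post itself states. The PiHole address, the example client addresses and the `hairpin` variant are assumptions.

```python
"""Replay of the EdgeRouter NAT rules from the post on constructed DNS packets.

Added illustration (not router code): models what source address PiHole sees
after rule 8 (DNAT to PiHole) and rule 5003 (masquerade on br102), as posted,
versus an assumed narrower masquerade limited to the hairpin case.
"""
from ipaddress import ip_address, ip_network

PIHOLE = ip_address("192.168.101.10")         # assumed PiHole address on br102
BR102_NET = ip_network("192.168.101.0/26")    # lan.woonan, from dns.revServers
BR102_GW = ip_address("192.168.101.62")       # br102 gateway, from the post
DNS_PORTS = {53}                              # port-group DNS_Port


def nat(src, dst, dport, masq_scope="all"):
    """Return (src, dst) of a packet as it arrives on br102, i.e. as PiHole sees it.

    masq_scope == "all":     rule 5003 as posted (every DNS packet leaving br102 to PiHole)
    masq_scope == "hairpin": assumed narrower rule, masquerade only sources already on br102
    """
    src, dst = ip_address(src), ip_address(dst)
    if dport not in DNS_PORTS:
        return str(src), str(dst)             # not DNS: neither rule matches
    if src in BR102_NET and dst == PIHOLE:
        return str(src), str(dst)             # same L2 segment: never crosses the router
    if src != PIHOLE:
        dst = PIHOLE                          # rule 8: DNAT to PiHole
    if dst == PIHOLE:
        if masq_scope == "all" or (masq_scope == "hairpin" and src in BR102_NET):
            src = BR102_GW                    # rule 5003: masquerade to br102 gateway
    return str(src), str(dst)


# Constructed sample queries: (client, resolver the client actually addressed)
QUERIES = [
    ("192.168.101.20", "8.8.8.8"),            # br102 client bypassing PiHole (hairpin case)
    ("172.16.254.5", "8.8.8.8"),              # gugus client bypassing PiHole
    ("172.16.254.5", "192.168.101.10"),       # gugus client using PiHole as told by DHCP
    ("10.1.255.200", "1.1.1.1"),              # nowayout client bypassing PiHole
]


def clients_seen_by_pihole(masq_scope):
    """Map each real client to the source address PiHole would log for it."""
    return {src: nat(src, dst, 53, masq_scope)[0] for src, dst in QUERIES}
```

With `masq_scope="all"` every client maps to 192.168.101.62, which is the behaviour described in problem 2; with the assumed `hairpin` scope only the br102 client loses its address, because the hairpin reply is the one case where the router has to stay in the path.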