I am administrator of an Ubuntu 20.04 LTS server (latest updates installed) that already runs PiHole (v 5.3.1/FTL v. 5.8.1), using the PiHole both as DHCP server and web filter for a network with up to 1200 devices connected to Wifi. The server is attached to a router, but the internet traffic is not directed through the server.
This is working pretty well so far.
Now we want to have the DHCP addresses split into two disjoint ranges, depending on the MAC addresses but using one PiHole instance only. We run a lot of the same models of devices that use the same Wifi manufacturer chips and thereby have a range of "same" MAC addresses, say A:B:C:D:: with the last two bytes being wildcards. And there are other devices which should be allowed in the net as well, as "guests", i.e. their MAC addresses are not known to us in advance.
The real IP addresses etc. are different, but consider the following smaller setup:
Gateway is working (but not important for the issue)
NIC address: 10.20.0.10
DHCP range 10.20.0.11 to 10.20.0.200 for the devices
We thought about using a custom dnsmasq configuration file placed in /etc/dnsmasq.d, say 99-custom-dhcp.conf, with the following rules (A:B:C:D will be replaced by the real bytes of the MAC addresses):
# This is meant for all other devices that do not match the MAC address range below
dhcp-range=tag:secondaryRange,10.20.0.11,10.20.0.99,255.255.0.0,8h
# Now the devices with known MAC address range
dhcp-host=A:B:C:D:*:*,set:primaryRange
dhcp-range=tag:primaryRange,10.20.0.100,10.20.0.200,255.255.0.0,8h
Now, pihole restartdns works and it reads the custom configuration file, recognizes the custom rules, but afterwards the DHCP range is fixed again from 10.20.0.11 to 10.20.0.200 as set in the web admin interface of PiHole -- the rules are not applied, i.e. the devices from different MAC address ranges are served with arbitrary IP addresses from the whole range, not from their designated segments.
My understanding of dnsmasq rules is that the latest one is used first, then preceding ones will be applied -- am I wrong here?
Is my setup of MAC filtering wrong, i.e. wrong usage of tags?
Are there other ways to achieve our goal from within Pi-hole?
Edit: Please note that our issue is about filtering the MAC addresses in the DHCP part, not about web blocking based on rules for MAC addresses (all devices should have the same blocking rules).
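One way to lay out such a split with dnsmasq tags, written here as an added example and not the questioner's file or anything Pi-hole ships. It assumes the range entered in the Pi-hole web UI is narrowed so that Pi-hole's own untagged dhcp-range no longer covers these pools (an untagged range is offered to every client, tagged or not); A:B:C:D and the file name are placeholders taken from the question.

```conf
# /etc/dnsmasq.d/99-custom-dhcp.conf  (file name assumed, as in the question)
#
# Two disjoint DHCP pools selected by MAC prefix. Assumption: the pool
# configured in the Pi-hole web UI has been moved out of the way, because a
# dhcp-range without a tag: qualifier matches every client and would compete
# with the tagged pools below. A:B:C:D stands for the real first four bytes.

# 1. Classify known hardware by MAC prefix. The tag is assigned before any
#    pool is chosen, so it can steer the dhcp-range selection that follows.
dhcp-host=A:B:C:D:*:*,set:primaryRange

# 2. Pool for the known devices: only clients carrying primaryRange.
dhcp-range=tag:primaryRange,10.20.0.100,10.20.0.200,255.255.0.0,8h

# 3. Pool for everything else. The leading "!" negates the tag, so a known
#    device cannot fall back into the guest pool when its own pool is full;
#    it will simply get no lease, which is the intended failure mode here.
dhcp-range=tag:!primaryRange,10.20.0.11,10.20.0.99,255.255.0.0,8h

# 4. Log every allocation so the split can be verified from the DHCPACK
#    lines in Pi-hole's dnsmasq log (/var/log/pihole.log on Pi-hole 5.x).
log-dhcp
```

Run pihole-FTL dnsmasq-test after saving to syntax-check the file before pihole restartdns, and confirm with a device from each group that its DHCPACK line shows an address from the expected pool.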