Plan for installing Pi-Hole on single, tagged VLAN

Expected Behaviour:

Run successfully before running the Pi-Hole installation script.

Actual Behaviour:

None yet - this is my plan.

Debug Token:

None yet - this is my plan.

I’m a newbie at this, and since I’ve been unable to find cookbook instructions for setting up a Pi-Hole on a single tagged VLAN, I’d like to present my plan. Am I overlooking anything?

Here are my desires and actions to date.

  1. I’ve set my new Raspberry Pi 3B+ up as per the instructions in Raspberry Pi’s “Securing your Raspberry Pi”: changed the password, required a sudo password, set up ssh key-based authentication, removed password login, and installed ufw (Uncomplicated Firewall); I did not install Fail2Ban. Running the RPi headless works on my untagged LAN, and now I want to run it on my tagged Internet of Things (IoT) VLAN.

  2. I want my router to work the DHCP and let the Pi-Hole serve as DNS.
    2.1. I will install the RPi on a tagged virtual LAN (VLAN) that I’ve set aside for my IoT devices - so far, this is exclusively media streaming, i.e., an Amazon Fire Stick and an audio-visual receiver for music.
    2.2. I will dedicate an Ethernet port to Pi-Hole on that VLAN.
    2.3. I only require Pi-Hole ad-blocking on that single tagged VLAN.

  3. Plan
    3.1. Add to the router a DHCP reservation (instead of a static IP address) using an IP address from within the DHCP range, the MAC address of eth0, and the name “Pi-Hole.”
    3.2. Reboot the RPi in order to have it receive the new IP address.

  4. Change the router from automatically assigned DNS address to the RPi IP address in 3.1, above.

  5. Test to see if the RPi is established on the IoT VLAN.

  6. If it's working, then run the Pi-Hole installation script.

Having the Pi-Hole not work wouldn’t be the end of the world, but I’d hate to have this setup write to configuration files and then have to spend days trying to understand what I’ve screwed up. So, as a newbie, I’m pretty thick-skinned, so tell me my mistakes before I make them, please and thank you.

Welcome to the Pi-hole community, clicker :slight_smile:

Your current scheme looks feasible enough, with one possible major caveat and a minor reordering of steps.

I'd push step 4. to the very end, so you only switch DNS servers once you are sure Pi-hole's installation has completed successfully.
Otherwise, you might end up with no DNS resolution if anything fails during installation.

Also, Step 4. is critical for your plan.
You should be acutely aware of how you configure your router to use Pi-hole as DNS server:

a) you configure your router to distribute Pi-hole as local DNS server for your VLAN (commonly a LAN or DHCP setting)
That way, your network's devices will talk to Pi-hole directly for DNS resolution.
Distributing Pi-hole by DHCP is also the preferred way to establish Pi-hole as DNS server.

b) you configure your router to use Pi-hole as its upstream DNS server (commonly a WAN or Internet setting)
That way, your network's devices will continue to use your router as DNS server, while your router forwards DNS requests to Pi-hole.

Your plan for setting up Pi-hole for a single VLAN will only work if you use option a), and only if your router allows you to configure DHCP DNS settings at VLAN level.

If you use option b), the entire network managed by your router will have its DNS traffic filtered by Pi-hole.

Note that depending on your router and firmware version, you may be limited both in your choice of options and in the details you can control.

Furthermore, some routers are also known to interfere unfavourably with DNS settings, like always distributing themselves as DNS, or by blocking or redirecting DNS traffic.

You have to experiment to see how well your router will fit your plan.
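Two of the checks implied by the reply above (is the Pi's reserved address actually inside the IoT VLAN's subnet, and does a client on that VLAN resolve directly against Pi-hole, option a), or still via the router, option b)?) can be scripted. The following is an added example written for this page, not code from the Pi-hole project or from either poster. The addresses 192.168.20.0/24 (IoT VLAN), 192.168.20.1 (router) and 192.168.20.5 (Pi-hole), the script name check_pihole.sh, and the sample resolv.conf text are assumptions for illustration only.

```shell
#!/bin/sh
# Added example for this thread, not code from the Pi-hole project or from
# either poster. Addresses below are assumptions for illustration:
#   IoT VLAN 192.168.20.0/24, router 192.168.20.1, Pi-hole 192.168.20.5
IOT_SUBNET=192.168.20.0/24
ROUTER=192.168.20.1
PIHOLE=192.168.20.5

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed if address $1 lies inside CIDR prefix $2 (e.g. 192.168.20.0/24).
in_subnet() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Print the first nameserver listed in resolv.conf-style text read from stdin.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Classify a client's resolver address relative to the router and Pi-hole:
#   pihole-direct     -> option a): DHCP hands out Pi-hole itself
#   router-forwarding -> option b), or the router overriding the DHCP DNS option
#   other             -> some third server, e.g. a public resolver
classify_resolver() {
    case $1 in
        "$PIHOLE") echo pihole-direct ;;
        "$ROUTER") echo router-forwarding ;;
        *)         echo other ;;
    esac
}

# Constructed sample of a client's /etc/resolv.conf for the offline demo.
SAMPLE_RESOLVCONF='# Generated by DHCP client
nameserver 192.168.20.5
search lan'

offline_demo() {
    ns=$(printf '%s\n' "$SAMPLE_RESOLVCONF" | first_nameserver)
    printf 'sample resolver %s -> %s\n' "$ns" "$(classify_resolver "$ns")"
    if in_subnet "$PIHOLE" "$IOT_SUBNET"; then
        echo "Pi-hole $PIHOLE is inside $IOT_SUBNET"
    else
        echo "Pi-hole $PIHOLE is NOT inside $IOT_SUBNET - check the reservation"
    fi
}

# Live checks: run on a client of the IoT VLAN with `sh check_pihole.sh --live`.
live_check() {
    ns=$(first_nameserver < /etc/resolv.conf)
    echo "this client resolves via $ns ($(classify_resolver "$ns"))"
    if command -v dig >/dev/null 2>&1; then
        # Pi-hole answers its own name, pi.hole, with its address.
        echo "pi.hole via $PIHOLE -> $(dig +short pi.hole @"$PIHOLE")"
    fi
}

if [ "${1:-}" = "--live" ]; then live_check; else offline_demo; fi
```

Run without arguments it classifies the constructed sample; with `--live` on a client of the IoT VLAN it reads that client's /etc/resolv.conf and, if dig is installed, queries pi.hole against the Pi-hole address. A result of router-forwarding means the router is still handing itself out as the resolver (option b), or the interference with DHCP DNS settings the reply warns about), so clients are not talking to Pi-hole directly even if the router forwards to it.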

Thank you for the details, Bucking_Horn. I have moved Step 4 to the end.

You've given me a lot to think about. I did consider starting with Pi-Hole as DHCP, but it seemed pretty complicated - I found no cookbook for an untagged LAN and two tagged VLANs - so I decided to start slowly and change as I learned about DNS, NAT, and DHCP functions. I've read about using the Pi-Hole as a recursive server, and I want to get there eventually, but for now I can learn if the VLAN tags cause any problems on a single LAN.


This is the lower part of the VLAN page that I'll be altering, below the IP range.

Your comment, "a) you configure your router to distribute Pi-hole as local DNS server for your VLAN (commonly a LAN or DHCP setting)," causes me to wonder if it refers to what is shown in the above image. It's local, as far as I can discern.

Providing advice for specific router settings exceeds the scope of Pi-hole.

Your screenshot seems to show DHCP options, but I can only speculate whether you'd either be able to supply DNS servers manually if you uncheck Assign DNS server automatically or you'd have to provide them as an Extended DHCP Option.

You could always search these forums for your specific router, or try to attract the attention of users that run the same router as you. Of course, you'd need to disclose your router's model and firmware for that to work, preferably in this topic's title. :wink:

In the short run, you'd have better luck for a quick and more knowledgeable answer if you consult your router's documentation and/or forums on how to specifically apply DNS related settings.

Thanks. Unchecking the DNS box does provide input for manual DNS choices. In retrospect, that's the image I should have posted.

In any case, I'm ready to give it a try. I'll report back for posterity.

Edit: too soon to declare victory yet. It seemed to work, but at present I have a problem with "Device does not use Pi-Hole."
