Expected Behaviour:
Should be able to reach internet from both VLANs
H/W: Raspi 4B
SW: v6.0.5
Actual Behaviour:
I can only reach internet from devices on one of my VLANs. I just upgraded from Pi-Hole 5.x to 6.0
I went into the Pi-Hole DNS settings, clicked the Advanced button, and selected the "Respond only on interface" in the Interface Settings. Now I can access the internet from my other VLAN.
However, is this safe? My Pi-Hole is within my local network, all Unifi network devices.
Quoting the on-screen description of Pi-hole's Interface Settings:
These options are dangerous on devices directly connected to the Internet such as cloud instances and are only safe if your Pi-hole is properly firewalled. In a typical at-home setup where your Pi-hole is located within your local network (and you have not forwarded port 53 in your router!) they are safe to use.
I was also hoping to get hints as to why clicking this option "unblocks" internet access from one of my VLANs. Although my setup is behind a firewall, I would rather fix the root cause... Looking for hints as to what to check, whether in the Pi-Hole or in my router/firewall.
My basic setup is a UDM with two /24 VLANs, one for my "trusted" stuff, the other for IoT. I currently have them both set up the same w.r.t. firewall rules, just to be able to find the root cause of why my IoT is having trouble reaching the internet.
Here's my basic understanding of this setting (and I use it as well). I have 4 VLANs on my home network.
Let's say your main LAN is on 192.168.1.0/24, including your Pihole device.
Pihole by default will only answer requests that are made from machines in that subnet (192.168.1.1 - 192.168.1.254). Everything else is ignored.
You have another VLAN on 192.168.99.0/24, addresses for devices are 192.168.99.1 - 192.168.99.254. If they make a DNS request to Pihole, it's ignored by default.
But since it's a VLAN, it (and any other VLAN you create this way) is still using the same network connection (cable, interface, etc.) to communicate with your gateway/router. Let's say this interface name on the Pihole device is eth0.
When you change the setting you've mentioned above, you're telling Pihole to answer any DNS request that comes over that physical interface (eth0) regardless of which virtual network address makes the request.
The above explanation derives from my experience on a Unifi UDM-Pro router/gateway.
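Added example (not from this thread or the Pi-hole project): a small Python model of the two listening modes described above, plus the per-VLAN source allow-list that the follow-up question asks about. The topology, the addresses and the mode names LOCAL, SINGLE and ALL are assumptions chosen to match the thread, and the allow-list stands in for a firewall rule in front of port 53, not a Pi-hole setting.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology mirroring the thread: the Pi-hole has 192.168.1.5/24 on
# eth0 (the "trusted" VLAN); the IoT VLAN 192.168.99.0/24 is routed to it by
# the UDM over the same cable, so its queries also arrive on eth0.
INTERFACE_ADDRS = {"eth0": [ip_network("192.168.1.5/24", strict=False)]}
SERVED_INTERFACE = "eth0"


@dataclass(frozen=True)
class Query:
    src_ip: str         # source address of the DNS packet
    ingress_iface: str  # interface the packet arrived on


def pihole_accepts(mode: str, q: Query) -> bool:
    """Model of the listening behaviour described in the thread (assumed names)."""
    src = ip_address(q.src_ip)
    if mode == "LOCAL":   # "Recommended setting": only sources inside a local subnet
        return any(src in net for nets in INTERFACE_ADDRS.values() for net in nets)
    if mode == "SINGLE":  # "Respond only on interface eth0": any source on that iface
        return q.ingress_iface == SERVED_INTERFACE
    if mode == "ALL":     # answer everything, from anywhere
        return True
    raise ValueError(f"unknown listening mode {mode!r}")


# The explicit two-VLAN allow-list from the follow-up question. Pi-hole's
# listening modes offer no such knob; this is the rule a host or router
# firewall in front of UDP/TCP 53 would enforce (assumption).
ALLOWED_SOURCES = [ip_network("192.168.1.0/24"), ip_network("192.168.99.0/24")]


def firewall_allows(q: Query) -> bool:
    return any(ip_address(q.src_ip) in net for net in ALLOWED_SOURCES)


def answered(mode: str, q: Query) -> bool:
    """A query gets an answer only if the firewall passes it AND Pi-hole accepts it."""
    return firewall_allows(q) and pihole_accepts(mode, q)


if __name__ == "__main__":
    iot = Query("192.168.99.20", "eth0")
    stray = Query("203.0.113.7", "eth0")  # e.g. port 53 forwarded by mistake
    for mode in ("LOCAL", "SINGLE"):
        print(mode, "iot:", answered(mode, iot), "stray:", answered(mode, stray))
```

In LOCAL mode the routed IoT query is dropped because 192.168.99.20 is not inside any subnet the Pi-hole itself sits on, which is exactly the symptom in the first post; in SINGLE mode it is answered, and only the allow-list keeps a stray source from being answered as well.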
So instead of using the "Respond only on interface" option, is there a way to simply tell it to only respond to DNS queries from my two specific VLAN address ranges? (e.g. only respond to queries from 192.168.1.0/24 and 192.168.99.0/24)
It is weird, but when the Pi-Hole's Interface settings are set to "Recommended setting", I have internet access but only from one of my VLANs (the same one that the Pi-Hole is on, e.g. 192.168.1.0/24).
But when I switch the setting to "Respond only on interface", then I get access to the internet on both my VLANs (e.g. 192.168.1.0/24 and 192.168.99.0/24).
(I have not changed anything on the router side)
nprampage answered my question as to why this happens (thank you!)
I don't remember having this setting set to "Respond only on interface" before I upgraded my Pi-Hole from v5 to v6, so now I am trying to find out if there's some other setting within my Pi-Hole (or my router/firewall) that I need to tweak in order to use the Pi-Hole's "Recommended setting" instead, and still have access to internet from both VLANs.
I can't speak to what you encountered, since I don't know the specifics of your network configuration, but I can tell you that my setup included the need to set "Respond only on interface..." instead of the default under both versions 5 and 6.