Running Pi Hole on a bridged/segregated network, how?

I wish to use a Linux box between the rest of the house and my own devices, with my own IP, DHCP and PiHole doing my DNS.

I wish to use two separate network interfaces, with differing LAN (172) and 'WAN' (192) IP addresses: one for my local network (172), the other connecting to the router that serves the rest of the house, with its services, serving them DHCP and DNS (192).

What's the best way of going about this?

When I have set up Pi Hole on Zentyal previously, Pi Hole has tried to work on the WAN (192) side, even when given the LAN side (172) interface. This configuration is where I fall short, not knowing what configuration steps I should take.

What's the best way of going about this, as it's clear that my attempts are not working?

As an aside, I cannot be the only person trying to run Pi Hole in such a manner on their router.

A bridge does the opposite and aggregates instead of segregating, so you won't be needing a bridge:

Instead of a bridged setup, you want a router with Pi-hole's own DNS and DHCP services, am I right?
Below is roughly what I can think of that needs to be done:

  1. Set up a static or DHCP-assigned IP & default route (gw) on the WAN interface;
  2. Set up a static IP (no gw) on the LAN interface;
  3. Configure the DNS server IP to be one that's available on the WAN interface;
  4. Enable "IP Forwarding";
  5. Add persistent iptables MASQUERADE rules;
  6. Run the Pi-hole install;
  7. Configure the Pi-hole DHCP service;
  8. Add/change DHCP option "3", which is the gw to be pushed to the clients, to be that of the LAN interface IP;
  9. Set up iptables to only allow incoming DNS, DHCP, HTTP, SSH etc. on the LAN interface.

Which part(s) do you have problems with?

EDIT: added step 5.

I have / had no idea which term I should use to try and describe what I am trying to do; in turn, that made detailed steps on obtaining what I want hard to find, so why not both? Someone will know what I actually mean.

I'll give these steps a shot, I'll reply either way, relaying how it went.

Getting information on half this stuff can be hard if you haven't a clue what the thing you want to do is called in the networking world.

I know what you mean.
Most of the steps are not that difficult if you know how to google/duck duck your way around for your particular distro :wink:

1 Like

Ehm... this has nothing to do with Pi-Hole :wink:

You just want a router with some additional interfaces or simply some VLANs and that's it!
Depending on the amount of switches around the house you might need some of those too, or the current amount but then managed instead of unmanaged so that they understand VLANs!

What you could do is get one of these : EdgeRouter X - Ubiquiti Store

Then do the following :

  • Connect eth0 to the network of your current NAT Router.
  • Connect eth1 to the network starting with 192.x.x.x
  • Connect eth2 to the network starting with 172.x.x.x
  • Connect eth3 to a small network that has all the useful stuff for the other networks like Pi-Hole and stuff like that :slight_smile:

And then just set up some routes or routing protocols and have some fun with your network!

Good luck :smiley:

Good idea, but it's added hardware that I don't have the money for. I'll post some screenshots to explain the issues I am having.

Forgot to add iptables MASQUERADE rules for the actual routing.
Below is an example if eth0 is the WAN and eth1 the LAN interface:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth1 -j ACCEPT
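An added example (my own script, not code from this thread or from the Pi-hole project) that puts steps 4, 5 and 9 of the list above together with the MASQUERADE rules in this post. It assumes the interface names enp6s0 (WAN) and enx60e3271b4be8 (LAN) that appear in this thread, assumes the iptables-persistent package for the rules file path, and goes beyond the two rules above by adding conntrack rules so only return traffic re-enters from the WAN side.

```shell
#!/bin/sh
# Added example, not from the thread: steps 4, 5 and 9 of the list above as one script.
# Arguments: WAN interface, LAN interface (defaults are the names used in this thread).
# DRY_RUN=1 prints each command instead of running it, so it can be reviewed without root.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_router_rules() {
    wan="${1:-enp6s0}"
    lan="${2:-enx60e3271b4be8}"

    # Step 4: enable forwarding now and after reboot (the sysctl.d file name is assumed).
    run sysctl -w net.ipv4.ip_forward=1
    run sh -c "printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/90-pihole-router.conf"

    # Start from empty chains so the script can be re-run without duplicate rules.
    run iptables -F INPUT
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING

    # Step 5: hide LAN clients behind the WAN address.
    run iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE

    # Step 9: services this box offers to the LAN only. Nothing new is opened on the WAN
    # side; replies to connections the box itself opened are allowed by conntrack.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$lan" -p icmp -j ACCEPT
    for svc in 53/udp 53/tcp 67/udp 80/tcp 22/tcp; do   # DNS, DHCP, Pi-hole web, SSH
        run iptables -A INPUT -i "$lan" -p "${svc#*/}" --dport "${svc%/*}" -j ACCEPT
    done

    # Forwarding: LAN may go out via WAN; only return traffic comes back in.
    run iptables -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$lan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Default-deny last, after the accept rules exist, so an SSH session over the LAN survives.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP

    # Persist (assumes the iptables-persistent package, which loads this file at boot).
    run sh -c "iptables-save > /etc/iptables/rules.v4"
}

# APPLY=1 ./router-rules.sh enp6s0 enx60e3271b4be8   (or source the file and call the function)
if [ "${APPLY:-0}" = 1 ]; then apply_router_rules "$@"; fi
```

Run it once with DRY_RUN=1 and read the printed commands before applying them for real; it does not touch IPv6, which stays whatever the distro's default is.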

Okay, had some time and took screenshots.

I select the internal network, note the IP, https://i.imgur.com/l6GY9ZD.png
Now, on determining the gateway, it chooses the IP of the interface that faces the outside network, https://i.imgur.com/WxTka1Z.png

Upon setting a password, before reboot, I try to connect to it on its 172 interface out of interest, plus listening to the Level1Techs podcast, so not rebooted yet. The admin interface loads. Shows this. https://i.imgur.com/6ei0dD7.png

I thought looking at the DHCP settings might be interesting, https://i.imgur.com/BPvOSB3.png

Here's hoping this makes sense to someone. I think these screenshots go some way to describe my issue.

What goes where, and what do I edit to get this to work?

Let's do this step by step.
You might be heading in the wrong direction, doing things that are not necessary, for example.
And whenever possible, try to avoid screenshots, especially if it's shell/bash output (copy text from the SSH client to clipboard and paste here please).

First start with networking (steps 1 & 2).
So you've chosen enp6s0 to do WAN and enx60e3271b4be8 to do LAN, am I right?
The IP address 172.0.0.1 that you've chosen for the LAN interface enx60e3271b4be8 is outside the recommended private IP range/space:

Better configure one within the private IP range, like for example 172.16.0.1/24, or why not 10.0.0.1/24?

First two screenshots look ok.

When ready, post results for the IP addresses with the one below:

ip a

Post routes (attention to the default route/gateway):

ip r

And if you want to see interface link status:

ip l

Post results from a traceroute to pi-hole.net 206.189.252.21:

traceroute -n 206.189.252.21

And advancing to step 3, post results for the two DNS-related ones below:

cat /etc/resolv.conf

host pi-hole.net

1 Like

I realised that IP was unusable upon seeing 172-0-0-0.lightspeed.brhmal.sbcglobal.net in places.

I have changed the IP for enx60e3271b4be8 to 172.16, after some searching (my access point does not like the 10.0.0.* range).

ip a yields:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 127.0.1.1/8 scope host secondary lo
       valid_lft forever preferred_lft forever
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:03:0d:9b:bc:59 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.24/24 brd 192.168.0.255 scope global enp6s0
       valid_lft forever preferred_lft forever
3: enx60e3271b4be8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 60:e3:27:1b:4b:e8 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.1/24 brd 172.16.0.255 scope global enx60e3271b4be8
       valid_lft forever preferred_lft forever

ip r

172.16.0.0/24 dev enx60e3271b4be8 proto kernel scope link src 172.16.0.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/24 dev enp6s0 proto kernel scope link src 192.168.0.24 metric 202

ip l

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:03:0d:9b:bc:59 brd ff:ff:ff:ff:ff:ff
3: enx60e3271b4be8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 60:e3:27:1b:4b:e8 brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 02:42:40:b3:84:40 brd ff:ff:ff:ff:ff:ff

traceroute -n 206.189.252.21

traceroute to 206.189.252.21 (206.189.252.21), 30 hops max, 60 byte packets
 1  192.168.0.1  5.770 ms  5.642 ms  5.585 ms
 2  * * *
 3  2.120.9.82  29.907 ms  29.889 ms  33.867 ms
 4  62.73.179.165  30.759 ms  33.651 ms  34.551 ms
 5  129.250.4.125  36.474 ms  36.459 ms  40.674 ms
 6  129.250.2.18  115.107 ms  110.529 ms  110.379 ms
 7  129.250.3.181  108.917 ms  90.980 ms  129.250.5.62  98.040 ms
 8  157.238.179.154  96.146 ms  157.238.179.70  93.197 ms  93.103 ms

cat /etc/resolv.conf

nameserver 127.0.0.1
search zentyal-domain.lan home

host pi-hole.net

pi-hole.net has address 206.189.252.21
pi-hole.net has IPv6 address 2604:a880:400:d0::1071:1
pi-hole.net mail is handled by 10 one.mxroute.com.
pi-hole.net mail is handled by 20 one-relay.mxroute.com.

Here's something I should add, /etc/pihole/setupVars.conf.

The reason being that the IP address it gives to enx60e3271b4be8 upon install is 192.168.0.24; upon debug, it shows with the wrong IP, so I have changed it to 172.16.0.1. Is this part of the issue?

DNSMASQ_LISTENING=single
PIHOLE_DNS_3=1.1.1.1
PIHOLE_DNS_4=1.0.0.1
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSSEC=false
CONDITIONAL_FORWARDING=false
DHCP_ACTIVE=true
DHCP_START=172.16.0.3
DHCP_END=172.16.0.254
DHCP_ROUTER=172.16.0.1
DHCP_LEASETIME=24
PIHOLE_DOMAIN=lan
DHCP_IPv6=false
PIHOLE_INTERFACE=enx60e3271b4be8
IPV4_ADDRESS=172.16.0.1/24
IPV6_ADDRESS=
PIHOLE_DNS_1=1.1.1.1
PIHOLE_DNS_2=1.0.0.1
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=true

Addresses ok.

Am missing a default route/gateway:

pi@noads:~ $ ip r
default via 10.0.0.1 dev eth0  metric 202
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.2  metric 202

Have you configured a gateway on that first screenshot in that Zentyal web GUI?

Strange thing is, it does find the correct route via gw 192.168.0.1 even without a default one.
Let's assume this bit is working as expected.

This probably indicates that a local DNS service/daemon is already running on the localhost IP 127.0.0.1.
To figure out which one, post results for the one below:
(PS: am trying to fix this LF/CR issue by adding the "sed 's/$'"/echo \\\r/"" bit to try to fix the output).

sudo netstat -nltup | grep ':53 ' | sed 's/$'"/`echo \\\r`/"

You might need to kill this daemon because it's conflicting with Pi-hole's own DNS service.
And this Zentyal distro might not like us replacing the one running now with that of Pi-hole.
Settings in the Zentyal web GUI might not be propagating to the right location, unexpected behaviour etc.
Complicating matters.

Looks ok.

You did the right thing.
Once we get some other things fixed first, you'll need to run the repair "pihole -r" to have these settings propagated to the right sub-config files/services.

Probably the reason why pihole-FTL isn't running is that it has a conflict with the other DNS daemon that's currently running... as mentioned before.

If able to, on the Pi-hole web GUI settings, in the DNS tab, change "Interface listening behavior" into "Listen on all interfaces, permit all origins" for now.
And after, check the IPV4_ADDRESS again in /etc/pihole/setupVars.conf.

1 Like

Just set it with Webmin.

ip r

default via 192.168.0.1 dev enp6s0 src 192.168.0.24 metric 202

Output of netstat -nltup | grep ':53 ' | sed 's/$'"/echo \\\r /"

tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      5119/pihole-FTL
tcp6       0      0 :::53                   :::*                    LISTEN      5119/pihole-FTL
udp        0      0 192.168.0.24:53         0.0.0.0:*                           17462/named
udp        0      0 172.16.0.1:53           0.0.0.0:*                           17462/named
udp        0      0 172.17.0.1:53           0.0.0.0:*                           17462/named
udp        0      0 127.0.1.1:53            0.0.0.0:*                           17462/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           17462/named
udp        0      0 0.0.0.0:53              0.0.0.0:*                           5119/pihole-FTL
udp6       0      0 :::53                   :::*                                5119/pihole-FTL

All changes, including repairing the install (Including checking the IP), and setting the DNS to listen on all interfaces, permit all origins have been made.

"named" is running and answering IPv4 DNS requests on port 53 UDP instead of pihole-FTL.
"named" is part of the BIND9 DNS software package.

For diagnosing, what's the output for the ones below:

sudo service bind9 stop

sudo service pihole-FTL restart

sudo service pihole-FTL status -l

sudo netstat -nltup | grep 'Proto\|:53 '

Might want to check the web GUI also if FTL is online now.

EDIT: If you want named to be permanently disabled from starting at boot:

sudo systemctl disable bind9

PS: can you find a solution for the CR/LF issue at your end please?
It's very hard to read and time consuming.

Yeah, sorry. No formatting tools. Gonna try copying and pasting into Notepad.
Output of netstat -nltup | grep 'Proto\|:53 '

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      3827/pihole-FTL
tcp6       0      0 :::53                   :::*                    LISTEN      3827/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           3827/pihole-FTL
udp6       0      0 :::53                   :::*                                3827/pihole-FTL

This is terrible, how do I make these easier to read?

Update. It's working! Thank you :smiley:

That looks better.
Have you checked the web GUI?

Windows Notepad?
Could try installing Notepad++.
It probably has a pulldown menu tool to convert LINUX/UNIX line feeds into Windows LF+CR.

But reading up on Zentyal, it probably heavily depends on BIND9 if it's doing MS Exchange and Samba stuff.
You can have both running alongside each other if you configure named to listen/bind on a different port instead of the default 53 (for example port 5353),
and configure Pi-hole's custom upstream DNS server to be "127.0.0.1#5353".

Or the other way around: configure Pi-hole to listen/bind to port 5353 instead of the default 53,
and configure BIND9 to use 127.0.0.1 port 5353 as its upstream DNS server.

For pihole-FTL, you can use the "port=5353" directive if you put it in a new file:

sudo nano /etc/dnsmasq.d/99-my-settings.conf

And restart:

sudo service pihole-FTL restart

And check if the port has changed to 5353 for pihole-FTL:

sudo netstat -nltup

I would prefer changing the BIND9 listening port to 5353 because of the stats on the Pi-hole web GUI.
You miss out on individual client stats if you alter the pihole-FTL listening port to 5353.

Can't help you with the bind9 part though.

1 Like
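An added example (my own, not code from this thread or from Pi-hole) that automates the netstat check used in the posts above: it lists which program owns a DNS port, reports a clash when more than one does, and takes the port as an argument so the same check confirms the split after moving named or pihole-FTL to 5353. The sample output is constructed from the netstat listing posted above; the 5353 line is constructed to show that the alternative port can itself already be taken (mDNS responders commonly sit on UDP 5353), so check it before moving a daemon there.

```shell
#!/bin/sh
# Added example, not from the thread: who owns a DNS port according to "netstat -nltup"?
# Run netstat as root, otherwise the PID/Program column shows "-" instead of a name.

# Usage: netstat -nltup | port_owners [PORT]      (PORT defaults to 53)
# Prints "proto local-address program" for each socket bound to that port. $NF is used
# because udp lines have no State column, so the PID/Program field is one column left.
port_owners() {
    awk -v p="${1:-53}" '$4 ~ (":" p "$") {
        prog = $NF; sub(/^[0-9]+\//, "", prog)   # "17462/named" -> "named"
        print $1, $4, prog
    }'
}

# Usage: netstat -nltup | port_conflict [PORT]
# Prints the distinct program names on the port; exit 0 (true) when there is more than one.
port_conflict() {
    names=$(port_owners "${1:-53}" | awk '{ print $3 }' | sort -u | xargs)
    printf '%s\n' "$names"
    [ "$(printf '%s\n' "$names" | wc -w | tr -d ' ')" -gt 1 ]
}

# Constructed sample, reconstructed from the netstat output posted earlier in this thread,
# plus one constructed 5353 line to stand in for an mDNS responder already on that port.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      5119/pihole-FTL
tcp6       0      0 :::53                   :::*                    LISTEN      5119/pihole-FTL
udp        0      0 192.168.0.24:53         0.0.0.0:*                           17462/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           17462/named
udp        0      0 0.0.0.0:53              0.0.0.0:*                           5119/pihole-FTL
udp6       0      0 :::53                   :::*                                5119/pihole-FTL
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2201/avahi-daemon
EOF
}

# Demo on the sample: "named pihole-FTL" is reported as a conflict on 53, and 5353 is
# shown as already owned by avahi-daemon before anything is moved there.
if [ "${DEMO:-0}" = 1 ]; then
    sample_netstat | port_conflict 53 && echo "conflict on :53"
    sample_netstat | port_owners 5353
fi
```

On the live box replace sample_netstat with "sudo netstat -nltup" (the ss tool has a different column layout, so this parser is netstat-only).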

apt removed bind9, which also pulled zentyal-dns with it. It's working after a reboot.

Zentyal is/was merely a stepping stone to assign IP addresses and have a firewall in place. I'm going to see about removing more of it, now I have routing set up and working.

What files should I be aware of outside of Pi hole that I would need to (re)edit or recreate to get this functionality should I need to reinstall Pi hole, or remove zentyal and have it wipe out parts of the configuration on Ubuntu 16.04?

I'm thinking about starting again, just with Pi hole and Webmin, if the functionality of Zentyal is not required for this to function as it is now.

Someone really needs to make Pi hole into a router distribution.

:rofl:

That mostly depends on what distro you choose.
But you can use the Teleporter to export/download current Pi-hole settings.
And you can import them again on a new installment.

1 Like

Are you sure?
Have you tested with a client on the 172.16.0.0 segment?
Like for example a ping to chess.com?

Am missing the steps below, or was it possible to configure masquerading in Zentyal?

now I have routing set up and working.

Yep, I've just booted my ESXi host, told that to renegotiate an IP, and it received one, as did the guest OSes.
Able to RDP into my Windows VM on IP.

Side note, hostnames don't seem to be working without .lan at the end. And everything has .lan at the end of it, any ideas?

I have no idea on where to start with iptables. Or IP forwarding. Or masquerading. :stuck_out_tongue: