[Salt] [Saltbox] Wifi clients won't connect via pihole DHCP

Hello, I'm not a networking expert but will try to give as much information as possible.

I'm running PiHole on a Raspberry Pi 1 Model B with DietPi.
My network begins with my ISP router, which I'm afraid I'm not allowed to change. It does come with some settings, but won't allow me to configure a dedicated DNS. I have therefore disabled the DHCP in the router settings and enabled the DHCP server in the pihole configuration, following the manual.

I have a second router wired to my ISP router, located in a different area. It's emitting a wifi and set to bridge all traffic to the ISP router. So on my ISP router, all clients coming from this connection look wired. For all of this, pihole works as I'd expect.

My ISP is also emitting a WiFi. When I try to connect to it, it looks like the client is not receiving an IP address and therefore, no network access is possible (tried with Android & MacOS). I also tried manually assigning an IP to the client, but network access remains unavailable. I remember from my university days that DHCP over WiFi is not as straightforward as ethernet, but haven't found any further help on the internet so far.

Of course, I can connect with both clients using the AP WiFi and they will connect just fine. I assume this is because to my ISP router, they now look like a wired connection.

Here's a crude image of my network topology to maybe understand the issue better. I'm also happy to post log outputs from my Mac, if there are any commands which might help in finding the cause.

Edit: In case it helps, I have some syslogs from my Linux notebook trying to connect. It looks like DHCP requests are timing out. I'm not sure why this would be, but I'm starting to think this is a problem with my wonderful ISP router instead of pi-hole.

Debug Token:

https://tricorder.pi-hole.net/g668fbcvqd

Naah, it's pretty straightforward.
First the client connects to WiFi and does the WPA thing to secure the link.
But once a WiFi link is established, the interface acts similarly to a fixed ethernet one, e.g. you can assign a static IP to it or run dhclient on the interface same as with ethernet.

dehakkelaar@laptop:~$ sudo iw dev wlan0 scan
[..]
        SSID: dehakkelaar
        Supported rates: 1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0
[..]
        RSN:     * Version: 1
                 * Group cipher: TKIP
                 * Pairwise ciphers: CCMP TKIP
                 * Authentication suites: PSK
                 * Capabilities: 16-PTKSA-RC 1-GTKSA-RC (0x000c)
dehakkelaar@laptop:~$ sudo iw dev wlan0 link
Connected to 50:46:5d:xx:xx:xx (on wlan0)
        SSID: dehakkelaar
[..]
dehakkelaar@laptop:~$ ip -4 -br address show wlan0
wlan0            UP             10.0.0.220/24

Releasing the DHCP lease:

dehakkelaar@laptop:~$ sudo dhclient -r -v wlan0
Killed old client process
Internet Systems Consortium DHCP Client 4.3.5
Copyright 2004-2016 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/wlan0/00:1f:3c:xx:xx:xx
Sending on   LPF/wlan0/00:1f:3c:xx:xx:xx
Sending on   Socket/fallback
DHCPRELEASE on wlan0 to 10.0.0.2 port 67
dehakkelaar@laptop:~$ ip -4 -br address show wlan0
dehakkelaar@laptop:~$

And get a new lease again:

dehakkelaar@laptop:~$ sudo dhclient -v wlan0
Internet Systems Consortium DHCP Client 4.3.5
Copyright 2004-2016 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/wlan0/00:1f:3c:xx:xx:xx
Sending on   LPF/wlan0/00:1f:3c:xx:xx:xx
Sending on   Socket/fallback
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 3
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 6
DHCPREQUEST of 10.0.0.220 on wlan0 to 255.255.255.255 port 67
DHCPOFFER of 10.0.0.220 from 10.0.0.2
DHCPACK of 10.0.0.220 from 10.0.0.2
bound to 10.0.0.220 -- renewal in 32453 seconds.
dehakkelaar@laptop:~$ ip -4 -br address show wlan0
wlan0            UP             10.0.0.220/24

I'm guessing the router-A WiFi is in a different network segment/broadcast domain.
Sorry but I have no more pointers at this time :wink:

This is a networking rather than a Pi-hole issue - I'm moving your topic to the Community Help category.

If they time out, your laptop's broadcasts for a DHCP server are likely never answered, presumably because there is no DHCP server on that link.

This could happen if your router would split its wifi into its own network segment. Commonly, routers may do that when trying to separate a guest network from regular clients, or if they offer VLAN configurations.
Probably check if the SSID you connect to is associated with such a guest network.

Also check your laptop's arp table (sudo arp -a) for same-link devices.

I have a similar network with 2 wifi routers but also have a poe switch. I try to give every device a static address from the pihole dhcp settings. Check under tools > network to see if pihole is even seeing the devices that don't have internet. I don't know when or why but the network list says my primary router and pihole device don't use pihole.

Sometimes you just need to reboot your devices and routers to get everything working.

Thank you kindly everyone for the responses.

Fully understand, thanks for moving it. I think we can be fairly sure it's a networking issue by now, apologies for the initial miscategorisation.

I also had the assumption that it's about the WiFi being put into its own zone/domain. I triple-checked the router settings and there's nothing that indicates this is happening - the opposite actually is the case (with AP isolation being turned off).

Interestingly enough, I can establish a connection to the network if I use static IPs on my WiFi clients. When connected, I'm able to ping the router itself. However, I'm unable to ping the pi-hole (which is plugged directly into the router). So it still looks like there's some kind of isolation happening.

But here's something that surprised me. Running nmap across the IP pool in the network returned ALL clients (even the ones wired in via the second router) - and also the pi-hole, including IP address, network adapter, host name, etc... But when I try to ping it, the call just ends in a timeout.

The last straw that I can think of is the domain name set on the pi-hole:

There is no way to set a domain on the router if I disable the DHCP server component there. Maybe WiFi clients trying to connect will be on a blank domain instead and therefore unable to communicate with the pi?

I tried blanking the domain on the pihole, but apparently this setting is not supported. I'm pretty much out of ideas at this point, any further hints or suggestions are always welcome.

Edit: A quick search has brought up this lovely PR though: https://github.com/pi-hole/pi-hole/pull/1150 I will try and set the domain name to none, maybe it helps.

The domain name has no bearing on your issue.

You should focus on establishing whether your router's wifi would define a separate link:

Thank you for getting back about this and your suggestion. You were right about the domain, clearing it did not resolve the issue or cause a change in behaviour.

I configured a static IP for my client so I could connect, then ran sudo arp -a. Here's the output:

? (192.168.0.20) at b8:27:eb:29:3e:34 [ether] on wl2ps0
? (192.168.0.1) at 44:fe:3b:fc:84:b7 [ether] on wl2ps0

The first item is the pi-hole, the second is the router. I can ping the router fine, but pinging the pi-hole results in timeouts. I find both devices (and all other connected clients) running nmap.

I do have a guest wifi spun up with this router as well, but that's not the one I'm connecting to - I would understand the isolation if I was within the guest network.

Unfortunately, the wifi settings are not very detailed on the ISP router web UI.

That shows at least that Pi-hole and your laptop are indeed on the same link.

If arp -a would produce a reciprocal output on your Pi-hole host machine, then the most likely cause would be a firewall interfering.
(Did you make sure your Pi-hole host doesn't block Pi-hole's required ports?)

Also, how did your laptop acquire its IP address?

EDIT:

AP client isolation probably means wifi clients won't be able to talk to each other. Look for a separate advanced wifi option labeled client isolation or similar. You may want to consult your router's documentation sources for further details.
Also, consider sharing your router's make and model, and put that in your topic title as well, in order to better attract users with relevant experiences here.

Hi,

running arp -a returns a list of all connected clients, including 192.168.0.185. This is the IP I set on my laptop's wifi connection (wl0ps2) statically. I cannot connect to the network at all using dynamic DHCP (as calls to the pi-hole seem to be timing out).

I ran arp -a again on my laptop this morning as well and it returned one more device, my NAS, which is connected directly to the router as well. Pinging both the NAS and the pi-hole does not work. Pinging the router works as expected.

The Pi-Hole is hosted on a dietpi, to my knowledge the default installation does not include any firewall software. In any case, would that not block all traffic coming from all the other clients as well?

I believe it's the ISP's router which is actively preventing a connection to the LAN network. Why, I cannot say. Unfortunately, the device does not come with a lot of settings, the screenshot I shared above shows the advanced settings already. There's no documentation beyond a single page of paper available as well. It's just a piece of consumer hardware pushed onto clients of my ISP. It doesn't allow you to setup DNS directly, which is the entire reason I'm forced to use pihole's DHCP server. I have updated the original question with the model.

I've tried tunneling into the router via SSH to check the barebone settings, but no luck.

Just to be 100% clear, if I enable the DHCP server on the router again, everything works as expected, WIFI clients can connect and have network access, including access to the Pihole and all other clients connected to the LAN. So there shouldn't be any isolation happening.

It's only when disabling the router's DHCP and trying to receive an IP from the pihole. For some reason, communication to the LAN is blocked then?

Edit: Interestingly, when I boot the laptop into Windows, I get what looks like a valid WiFi connection. I'm also being assigned an IP address (not static). However, any internet access fails due to DNS probes. Just as with Linux, I'm also unable to ping anything other than the router. arp -a does return a long list of all clients though (including wired ones).
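
The two checks suggested in the replies above (a DHCPDISCOVER that is never answered, then comparing `arp -a` against ping) can be combined into one triage. This is an added example, not part of any post in the thread; the function names are hypothetical, and the sample output is constructed in the formats quoted above.

```python
import re

# Constructed `arp -a` output in the format quoted in the thread; the
# <incomplete> entry (an address that never answered ARP) is made up.
ARP_SAMPLE = """\
? (192.168.0.20) at b8:27:eb:29:3e:34 [ether] on wl2ps0
? (192.168.0.1) at 44:fe:3b:fc:84:b7 [ether] on wl2ps0
? (192.168.0.50) at <incomplete> on wl2ps0
"""

# Constructed `dhclient -v` log of a lease attempt that is never answered.
DHCP_TIMEOUT = """\
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 3
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 6
No DHCPOFFERS received.
"""

def parse_arp(text):
    """Map IP -> MAC, with None for entries that never resolved."""
    table = {}
    for ip, hw in re.findall(r"\((\d+(?:\.\d+){3})\) at (\S+)", text):
        table[ip] = None if hw == "<incomplete>" else hw.lower()
    return table

def dhcp_outcome(log):
    """Classify a dhclient -v log by the last DHCP stage it reached."""
    seen = set(re.findall(r"^DHCP(DISCOVER|OFFER|REQUEST|ACK|NAK)\b", log, re.M))
    if "ACK" in seen:
        return "bound"
    if "OFFER" in seen:
        return "offer-no-ack"
    return "no-offer" if "DISCOVER" in seen else "not-started"

def diagnose(ip, arp_table, ping_ok):
    """Combine layer-2 (ARP) and layer-3 (ping) evidence for one host."""
    if arp_table.get(ip) is None:
        return "no-arp"             # host down or on another broadcast domain
    if ping_ok:
        return "reachable"
    return "same-link-filtered"     # ARP answered, IP dropped: look for a filter

if __name__ == "__main__":
    arp = parse_arp(ARP_SAMPLE)
    pings = {"192.168.0.1": True, "192.168.0.20": False, "192.168.0.50": False}  # constructed
    for ip, ok in pings.items():
        print(ip, diagnose(ip, arp, ok))
    print("dhcp:", dhcp_outcome(DHCP_TIMEOUT))
```

A `same-link-filtered` result matches the situation reported in the thread: the Pi-hole's MAC resolves, so both hosts share a broadcast domain, yet IP traffic between them is dropped somewhere on the path.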

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.