Struggling with Pi-Hole DHCP on connectbox

Setup

  • Home network has a combo router/modem ConnectBox (aka Internet Fiber Box, usually available in Germany/Austria);
  • Home network also has a few simple elements (phones, laptops, smartTV, occasional guests, etc.);
  • Pi-Hole is installed on a Raspberry Pi 4, connecting to the router/modem via wifi.

Expected Behaviour:

  • Pi-Hole filters DNS and handles DHCP on the home network.

Actual Behaviour:

  • At first, since the modem/router does not allow changing DNS directly, I disabled DHCP on the modem/router and activated it on Pi-Hole;
  • Result: no device could connect to the internet;
  • Then, I followed some tips from other threads on this forum, set the Pi's IP to 192.168.0.2 (permanently assigned), activated DHCP on the modem/router starting at 192.168.0.2 with a range of 1 (router is 192.168.0.1, as usual). This way, the Pi has its IP handled by the DHCP of the modem/router and all other devices have to rely on the Pi's DHCP. On the screenshot, we see other devices; my guess is that these are devices for which the lease has not expired (although it says "permanent" and I am not sure why and I can't change it);

  • Result: I started seeing some devices using Pi-Hole and others not. But now it seems (I'm not home, but am told) that some devices cannot connect, that others do connect but there are connection issues with specific websites, etc.
  • I also get two errors in the "Pi-Hole diagnosis":

Side issues

  • I have a pf-based firewall on my macOS laptop and it seems to be interfering with my own connections (this only applies to my laptop and not other devices). What permissions are required to work smoothly? Somehow connections to the modem/router's and Pi-hole's interfaces are blocked, despite allowing web server connections. Should specific permissions be given for DHCP connections to the Pi? (sorry for the newbie questions)
  • the home network has a guest network with the smart TV on it: does this change anything?

Debug Token:

https://tricorder.pi-hole.net/ouBrKbnl/

Thanks a lot in advance!
Tom

EDIT: Got home.

Turns out my own laptop was working because I had previously changed the DNS at system level, so that bypassed Pi-Hole (at least, that's my guess).

Other devices (radio, other laptop) connected to the network and had the Pi indicated as their DNS (the mac showed 192.168.0.2 as dns in the wifi settings), but failed to connect to any website.

Nevertheless, the Pi-Hole dashboard intermittently shows (a few) queries.

In the meantime, I have fully reactivated DHCP on the modem/router and that solves connection issues immediately (and the ISP's DNS now shows in the other laptop's wifi settings).

Any idea why devices cannot access the internet?

There is no reason why that should be the case, and that is the correct way to do it. I would try this again but first of all rule out any interference from things like a firewall. So the way this would look, now that you have re-enabled the router's DHCP:

  • The router's DHCP is enabled and running the show once again
  • Pi-hole is running and has an IP address. This could be reserved by the DHCP server, or it could be entered statically and the DHCP range adjusted to make the space for it, or it could even be not static at the moment, just as long as it has an address.

Pick a single machine to test with, say the laptop. Try running lookups for a blocked domain against the router and the Pi-hole. E.g.

Test a blocked domain against the default DNS which is the router

nslookup flurry.com

Confirm it resolves.

Test against the Pi-hole

nslookup flurry.com <pihole ip>

Are you able to reach the Pi-hole this way? Does the Pi-hole test show that the domain is blocked (0.0.0.0)?

Test a working domain against the Pi-hole

nslookup example.com <pihole ip>

Confirm it resolves. Check the Pi-hole Query Log (refresh page if needed). Confirm the entry is showing and that it was sent upstream to the configured DNS.

If these work then it shows the Pi-hole is working and is also able to reach external DNS to resolve non-blocked domains. There is no firewall or anything on the router preventing Pi-hole from making external DNS requests.

Configure router DHCP range

You might find it useful to split the 254 addresses between the router and the Pi-hole. That way they won't give out each other's range if you have to switch between them. You'll have around 120 available addresses if you use this approach. To do this:

  • Ideally take all devices off the network temporarily. This will allow them to pick up fresh addresses shortly and will avoid any potential IP conflicts during this setup.

  • In the router set the start address as 192.168.0.140. Set the number of addresses as 115. This will cause the router to be handing out addresses from 192.168.0.140 to 192.168.0.254. Once this is saved you can disable the router's DHCP. Presumably if you enable it later on, it remembers these numbers. If not, make a note of them so you can re-enter them.

Configure Pi-hole and DHCP range

Give your Pi-hole a static IP of, say, 192.168.0.2. If you're using Pi OS Bookworm, which defaults to Network Manager, use the command sudo nmtui to run an interactive tool that makes it easy to set the address. Reboot the Pi, let it come back with the new address.

  • On the Pi-hole, turn DHCP on. Set the From address as 192.168.0.20 and the To address as 192.168.0.139. This will give 120 addresses for use. You also have 192.168.0.2 to 192.168.0.19 available for manual static use (you've just used .2 for Pi-hole itself).

Configure the laptop

Reconnect the laptop to the network. It should pick up an address from the Pi-hole's DHCP server. Check the laptop's IP to confirm; it should be in that .20 to .139 'low' range. Run the earlier first nslookup command; it should show the domain is blocked without needing to specify the Pi-hole IP.

nslookup flurry.com

If there is something on the laptop interfering with your ability to reach the Pi-hole, that needs fixing so it's not interfering. Try another client if possible, for example a phone, test on that as well or instead.

Finishing up

If that worked then everything should be working. You can bring each device back online one at a time and check it works. You will be able to see Pi-hole allocating their leases in Settings > DHCP.

If you ever need to turn off the Pi-hole and lose the DHCP server, you can turn it off, then re-enable the router's DHCP (and make sure it has those specific numbers from earlier). Then have your devices reconnect to the network to pick up the new IPs. You will see these are in the 'high' range, from .140 to .254 and that's how you know you're on the router's DHCP. The nice thing about this approach is that the ranges don't overlap so you can move between DHCP servers during admin/testing with minimal work and no risk of IP conflicts.

Regarding those permanent leases, it means they were allocated with no TTL set. There must be some way to delete them from the list. Perhaps changing the DHCP range in the earlier step will flush them. Check the manual for the router. If not, I'd ignore them and see if they ever become a problem.

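The three lookups in the reply above (blocked domain against the router, blocked domain against the Pi-hole, working domain against the Pi-hole) are easy to misread by eye, as the rest of the thread shows. The script below is an added example of my own, not code from the thread or from the Pi-hole project: it runs the same nslookup commands and classifies the output as blocked, resolved, timeout or nxdomain. It assumes nslookup is installed and that the Pi-hole is at 192.168.0.2 (override with PIHOLE=...). The sample outputs embedded in it are constructed from the nslookup output format so the classifier can be exercised offline; the "check" mode runs the live lookups.

```shell
#!/bin/sh
# Added example (not from the thread). Classify nslookup output the way the
# troubleshooting steps do: blocked (Pi-hole answered 0.0.0.0 / ::), resolved,
# timeout (no server reached) or nxdomain. Pi-hole's blocking mode decides
# whether a blocked domain shows as 0.0.0.0 (NULL mode) or as NXDOMAIN.

PIHOLE="${PIHOLE:-192.168.0.2}"   # assumption: the Pi-hole address used in the thread

# classify_lookup: read nslookup output on stdin, print one word on stdout.
classify_lookup() {
    out=$(cat)
    case "$out" in
        *"no servers could be reached"*|*"connection timed out"*)
            echo timeout; return 0 ;;
        *"can't find"*|*NXDOMAIN*)
            echo nxdomain; return 0 ;;
    esac
    # Only "Address:" lines after the "Name:" line are answers. The first
    # "Address:" line names the server that was queried (it carries "#53").
    answers=$(printf '%s\n' "$out" | awk '/^Name:/ { f = 1; next } f && /^Address/ { print $2 }')
    [ -n "$answers" ] || { echo unknown; return 0; }
    for a in $answers; do
        case "$a" in
            0.0.0.0|::) ;;                  # Pi-hole's NULL-mode blocking answer
            *) echo resolved; return 0 ;;   # any real address means not blocked
        esac
    done
    echo blocked
}

# check_domain DOMAIN [SERVER]: run nslookup (system resolver when SERVER is
# omitted, i.e. whatever DHCP handed out) and classify the result.
check_domain() {
    if [ -n "${2:-}" ]; then
        nslookup "$1" "$2" 2>&1 | classify_lookup
    else
        nslookup "$1" 2>&1 | classify_lookup
    fi
}

# The three checks from the reply, with the result each one should give.
run_checks() {
    printf 'blocked domain, default DNS (router)  : %s  (expect: resolved)\n' "$(check_domain flurry.com)"
    printf 'blocked domain, Pi-hole               : %s  (expect: blocked)\n' "$(check_domain flurry.com "$PIHOLE")"
    printf 'working domain, Pi-hole               : %s  (expect: resolved; timeout = Pi-hole cannot reach its upstream)\n' "$(check_domain example.com "$PIHOLE")"
}

# Constructed sample outputs (not captured from the thread) in nslookup's format.
SAMPLE_BLOCKED=$(printf 'Server:\t\t192.168.0.2\nAddress:\t192.168.0.2#53\n\nNon-authoritative answer:\nName:\tflurry.com\nAddress: 0.0.0.0\n')
SAMPLE_RESOLVED=$(printf 'Server:\t\t192.168.0.2\nAddress:\t192.168.0.2#53\n\nNon-authoritative answer:\nName:\texample.com\nAddress: 93.184.216.34\n')
SAMPLE_TIMEOUT=$(printf ';; connection timed out; no servers could be reached\n')
SAMPLE_NX=$(printf 'Server:\t\t192.168.0.2\nAddress:\t192.168.0.2#53\n\n** server can'"'"'t find nosuchname.invalid: NXDOMAIN\n')

# Offline demonstration of the classifier on the constructed samples.
demo() {
    printf 'sample blocked  -> %s\n' "$(printf '%s\n' "$SAMPLE_BLOCKED"  | classify_lookup)"
    printf 'sample resolved -> %s\n' "$(printf '%s\n' "$SAMPLE_RESOLVED" | classify_lookup)"
    printf 'sample timeout  -> %s\n' "$(printf '%s\n' "$SAMPLE_TIMEOUT"  | classify_lookup)"
    printf 'sample nxdomain -> %s\n' "$(printf '%s\n' "$SAMPLE_NX"       | classify_lookup)"
}

case "${1:-}" in
    demo)  demo ;;        # sh dnscheck.sh demo  : classify the embedded samples
    check) run_checks ;;  # sh dnscheck.sh check : run the three live lookups
esac
```

If the third check prints "timeout" while the second prints "blocked", the Pi-hole itself is reachable and blocking works, but it cannot get answers from its upstream resolver; that is the situation the original poster hits further down, where the Query Log's "sent to ...#443" status points at the upstream rather than at the client.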

Massive thanks for the detailed reply, @chrislph! That's really appreciated and the answer is very clear.

Here is the situation after some testing this morning:

  1. I deactivated the firewall that was activated on my box (isn't that a useful thing, though?)
  2. I tested a blocked domain against the default DNS (router) --> it resolves
  3. I tested a blocked domain against the Pi-hole --> it is blocked (got 0.0.0.0)
  4. I tested a working domain against the Pi-hole --> it doesn't really work:
  • in the terminal, I get ";; connection timed out; no servers could be reached" (tried with several working domains and it always times out)
  • in the Pi-hole Query Log, I see, as status (for domains not blocked): "OK (sent to XXX.XXX.XXX.XXX#443)", where XXX.XXX.XXX.XXX is an IP address related to my VPN.

So it seems like Pi-Hole is indeed working, but somehow the information is sent elsewhere and not back to my laptop.

I tried deactivating the mac's native firewall, I tried enabling "local networking sharing" in my VPN app (and, of course, my own pf firewall is already deactivated, since I cannot access the Pi or the modem/router when it is enabled -- still haven't found the right rule for that and am happy for guidance there too), but none of that makes a difference, requests just time out.

Since I am the only one using a VPN at home, I guess this means that Pi-hole could work for other devices, but I'd quite like to solve this before proceeding.

Any ideas?

I am obviously a jackass. It took me the whole day to realise that "sent to" did not mean "result sent back to device XXX" but "DNS request forwarded to resolver XXX". And that the IP in question was the custom one that I had entered and which, as it turns out, no longer accepts unencrypted DNS requests. Hence the connection error.

Now continuing with @chrislph's description.

EDIT after finishing the tutorial:

  1. All devices seem to be connecting well to the internet. I'm monitoring connections to Pi-hole to make sure it's all ok.
  2. When I resumed the tutorial, I forgot to re-deactivate the firewall on my box (which I had restarted when things didn't work). Since connections are good, is it safe to say that it can just stay up?
  3. The smartTV is connecting to the internet but, when I checked its settings, the IP it automatically gets is 192.168.101.175, which does not match the range of IP addresses provided by the Pi (and the "gateway"'s ip is 192.168.101.1). I manually set the DNS ip to the Pi's ip address. Still, the TV doesn't show up in the DHCP panel of the Pi. When I tried manually assigning an ip to the TV (setting 192.168.0.1 as gateway) and registering the TV's mac address for static DHCP leases configuration via pi-hole, I got an error saying the mac address was already assigned (and the TV lost connection to the internet). Any ideas?
  4. Finally, and on a different note, any ideas about pf rules for my own firewall to allow connections to the Pi? I have it set as "block all unless allowed" and I cannot find the way to allow connections to elements on the local network...

Anyway, thanks again for all the help!
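The pf question in point 4 is not answered in the thread. What follows is an added example of my own, not from the thread or the Pi-hole project: a script that writes a pf anchor for a macOS laptop running a "block all unless allowed" policy, covering the three things such a laptop needs on this network: obtaining a DHCP lease from the Pi-hole, sending DNS to the Pi-hole, and opening the Pi-hole and router web interfaces. It assumes the Wi-Fi interface is en0, the Pi-hole is at 192.168.0.2, the router at 192.168.0.1 and the LAN is 192.168.0.0/24 (all overridable through environment variables). The point a practitioner usually misses is the DHCP exchange: a client with no address yet sends from 0.0.0.0:68 to the broadcast address on port 67, and the server may answer by broadcast, so a stateful outbound rule alone does not reliably let the reply in.

```shell
#!/bin/sh
# Added example (not from the thread): generate and syntax-check a pf anchor that
# lets a default-deny macOS laptop use a Pi-hole for DHCP and DNS and reach the
# Pi-hole and router web interfaces. All addresses and the interface name are
# assumptions taken from the thread; adjust them via the environment.

IFACE="${IFACE:-en0}"                # assumption: Wi-Fi interface of the laptop
PIHOLE="${PIHOLE:-192.168.0.2}"      # assumption: Pi-hole static address
ROUTER="${ROUTER:-192.168.0.1}"      # assumption: ConnectBox address
LAN="${LAN:-192.168.0.0/24}"         # assumption: home LAN

# pihole_pf_rules: print the anchor ruleset on stdout.
# "quick" makes these rules win even if a later "block all" exists.
# pf keeps state on "pass" rules by default, so replies to the DNS and web
# rules are allowed without separate inbound rules.
pihole_pf_rules() {
    cat <<EOF
# pihole anchor (generated by pihole-pf.sh)
lan    = "$LAN"
pihole = "$PIHOLE"
router = "$ROUTER"

# DHCP. With no address yet the client sends 0.0.0.0:68 -> 255.255.255.255:67
# and the server may reply by broadcast, so allow the reply direction explicitly
# instead of relying on state created by the outbound rule.
pass out quick on $IFACE proto udp from any port 68 to any port 67
pass in  quick on $IFACE proto udp from any port 67 to any port 68

# DNS to the Pi-hole only (UDP, plus TCP for large or truncated answers).
# Nothing else on port 53 is allowed, so a stray system-level DNS setting
# pointing elsewhere would fail loudly instead of silently bypassing Pi-hole.
pass out quick on $IFACE proto { udp, tcp } from any to \$pihole port 53

# Web interfaces of the Pi-hole and the router.
pass out quick on $IFACE proto tcp from any to { \$pihole, \$router } port { 80, 443 }

# Optional while troubleshooting: ping hosts on the LAN.
pass out quick on $IFACE inet proto icmp from any to \$lan icmp-type echoreq
EOF
}

# install_anchor [PATH]: write the anchor file and, where pfctl exists (macOS),
# parse it without loading (-n) so a syntax error is caught before use.
install_anchor() {
    dest="${1:-/etc/pf.anchors/pihole}"
    pihole_pf_rules > "$dest"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$dest"
    fi
}

if [ "${1:-}" = install ]; then
    install_anchor "${2:-}"
fi
```

To activate it, reference the anchor from /etc/pf.conf after the existing block rule (`anchor "pihole"` followed by `load anchor "pihole" from "/etc/pf.anchors/pihole"`) and reload with `sudo pfctl -f /etc/pf.conf`. Keep the anchor narrow: it opens DNS only towards the Pi-hole and only the two web interfaces on the LAN, which is the least-privilege answer to "allow connections to elements on the local network"; widen it per service rather than passing the whole /24.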

ACTUALLY...

I guess that not everything is all fine and well.

After everything worked out, Bae and I took a break and watched TV (not online). After that, she checks her phone and says wifi doesn't work. And, indeed, the phone connects to the wifi network but there is no connectivity. I see the IP is 169.254...

I check my own laptop and it can't connect either. It doesn't get an IP assigned. I manually give it one (at random 192.168.0.74, in the low range). That doesn't give internet access, but I can access the modem's dashboard and from there I can re-enable the modem's DHCP. All of a sudden, of course, everything works, with IPs in the high range.

And now, somehow, it seems like pi-hole is working again. Disabled modem DHCP, reset my DHCP lease, got a low-range ip. Same with Bae's laptop (although I hadn't tried it when things were down).

Here is the debug token: https://tricorder.pi-hole.net/AtYtRp0N/

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.