Web admin page won't show up, index.php error

That is the only alternative, yeah.
If you add the below lines to /etc/pihole/setupVars.conf (adjust to your needs!):

DHCP_ACTIVE=true
DHCP_START=10.0.0.10
DHCP_END=10.0.0.254
DHCP_ROUTER=10.0.0.1
DHCP_LEASETIME=24
PIHOLE_DOMAIN=dehakkelaar.nl
DHCP_IPv6=false
DHCP_rapid_commit=false

And run repair:

pihole -r

The Pi-hole DHCP service will be enabled:

pi@ph5:~ $ sudo netstat -nltup | grep 'Proto\|:67 '
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:67              0.0.0.0:*                           7445/pihole-FTL

You can check the logs for client activity with the below:

grep dnsmasq-dhcp /var/log/pihole.log

Or tail the logs live:

tail -F /var/log/pihole.log | grep dnsmasq-dhcp

P.S. Activate the DHCP service on Pi-hole first before disabling the one on the router!
This is because some routers re-initialize their interfaces when changing settings, causing the clients to briefly lose connection and prematurely try to acquire a DHCP lease while no DHCP service is active yet.
Also you'll have to renew DHCP leases on all the clients.
Usually disconnecting and reconnecting them does that.
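
To go with the `grep dnsmasq-dhcp` commands above, here is an added example (not part of the original post) that turns the DHCPACK lines of the log into a per-device lease table and lists MAC addresses missing from a known-device inventory. The sample log lines, MAC addresses and function names are constructed for illustration.

```python
import re

# Constructed sample lines in dnsmasq's syslog-style format (not from the thread).
SAMPLE_LOG = """\
Mar  3 08:01:10 dnsmasq-dhcp[7445]: DHCPDISCOVER(eth0) aa:bb:cc:00:00:01
Mar  3 08:01:10 dnsmasq-dhcp[7445]: DHCPOFFER(eth0) 10.0.0.23 aa:bb:cc:00:00:01
Mar  3 08:01:10 dnsmasq-dhcp[7445]: DHCPREQUEST(eth0) 10.0.0.23 aa:bb:cc:00:00:01
Mar  3 08:01:10 dnsmasq-dhcp[7445]: DHCPACK(eth0) 10.0.0.23 aa:bb:cc:00:00:01 laptop
Mar  3 08:05:42 dnsmasq[7445]: query[A] example.com from 10.0.0.23
Mar  3 09:12:03 dnsmasq-dhcp[7445]: DHCPACK(eth0) 10.0.0.57 AA:BB:CC:00:00:02
Mar  3 09:30:00 dnsmasq-dhcp[7445]: DHCPACK(eth0) 10.0.0.23 aa:bb:cc:00:00:01 laptop
"""

# DHCPACK(<iface>) <ip> <mac> [<hostname>]; hostname is absent if the client sends none.
ACK = re.compile(
    r"dnsmasq-dhcp\[\d+\]: DHCPACK\((?P<iface>[^)]+)\) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})"
    r"(?: (?P<name>\S+))?\s*$",
    re.IGNORECASE,
)

def leases(lines):
    """Map each MAC to its latest acknowledged IP, hostname and ACK count."""
    seen = {}
    for line in lines:
        m = ACK.search(line)
        if not m:
            continue  # DNS queries, DISCOVER/OFFER/REQUEST and other lines
        mac = m["mac"].lower()
        entry = seen.setdefault(mac, {"ip": None, "name": None, "acks": 0})
        entry["ip"] = m["ip"]
        entry["name"] = m["name"] or entry["name"]
        entry["acks"] += 1
    return seen

def unknown_macs(seen, known):
    """MACs that received a lease but are not in the operator's inventory."""
    known = {k.lower() for k in known}
    return sorted(mac for mac in seen if mac not in known)

if __name__ == "__main__":
    table = leases(SAMPLE_LOG.splitlines())
    for mac, e in table.items():
        print(mac, e["ip"], e["name"] or "-", e["acks"])
    print("not in inventory:", unknown_macs(table, {"aa:bb:cc:00:00:01"}))
```

On a real host, feed it the lines of /var/log/pihole.log instead of `SAMPLE_LOG`.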

I think I get what you are doing. From your setup, you probably do not even have a router in between. I really like it but I probably will not follow this route because if the Raspberry fails, the whole family will be totally in blind.

I wish I could just set Orbi DNSMasq to option 6. I will keep digging a little more and see if I can get it done...

Thanks for your input. It has been fun learning from all of you.

There is so much to learn. After cleaning up, the top domains start to make sense. However, a few confusing domains remain:

  1. https://app-measurement.com/sdk-exp
  2. useast-www-alb-138904782.us-east-1.elb.amazonaws.com
  3. 22.1.168.192.in-addr.arpa

For 1, I saw discussions about it before. I guess we just leave it alone.
For 2, it seems to be Amazon AWS related, should I blacklist it?
For 3, there seems to be a problem. It seems to be a self reverse referencing for 192.168.1.22. But I did not find a device with that IP on my network.

Any suggestions?

Also, about DHCP on Rpi, I might want to set it up and run it for a few weeks so that I understand what domains each device hits. Blacklist a few if I have to. And then turn it back to DHCP on Orbi. My concern is that if I am not at home, my family won't be able to just unplug/plug Orbi to fix some network problems (if DHCP is on Rpi). Is my understanding correct?

Thanks.

Without knowing which devices and installed apps are making those queries, it's hard to tell.

I run Pi-hole (with DHCP service enabled) on a dedicated Pi 1B to avoid issues.
It's been running for close to four years now without problems.

Yes, I made the change. I have a few legacy static IPs to take care of and then set up a strip of DHCP zone that has about 140 IPs controlled by RPi now. It has been a few days. It is running stable. Thanks for helping to get this done, so that I can target each IP and see what is going on. This way, I found Orbi marked a Nintendo Switch as a MacBook, which had me worried about having a mysterious device connected to our network.

Also, I have a regex domain question. If I need to open up a different discussion, please let me know.

I am still working on blocking youtube ads. I used a regex expression:
r[0-9]---sn-[a-z0-9]*.googlevideo.com$

Good news, it works. Bad news, it blocks everything. Since I do not have a GUI, can I just set the enable/disable column in the database manually? I want to ask because it can be messy if I manually change the database. Especially for this particular case, I might have to join a few tables.

I want to keep this regex in the tables so that I can turn it on when the kids are remote schooling, and turn it off when they are not in school.

Thanks.

It won't work. There is no way to block Youtube ads (without blocking YT in general) with pihole, no blocklist will do it, no regex will do it.

sudo sqlite3 /etc/pihole/gravity.db "UPDATE domainlist SET enabled=1 where id=XXXX;"

Being able to quickly turn on/off is a feature, this should be advertised broadly as a plus for pihole.

So, the id in the vw_regex_blacklist will be the same as the one in the aggregated domainlist, with group type =3, am I right? This way I will be able to quickly look up the id in the shorter regex table. With this enable/disable key, pihole will instantly work as expected, am I right?

As I am digging a little more in this, I like pihole more and more. I am working on setting up an IKEv2 VPN server on the RPi. So that I can install an always on VPN for all kids' iOS devices, this way, they will have a consistent internet experience wherever/whenever, because I know that sooner rather than later, I will have to worry about this anyway.

For this purpose, I have a question, as the VPN server will be acting a little bit like a DHCP server. Will this potentially conflict with the DHCP conf from pihole? After the GUI conflict with Plex, I need to be careful and think about each step as I am slowly moving forward.

Again, thanks so much for help.

For devices that have a static IP configured and don't invoke DHCP, you can put them in the below file:

pi@ph5:~ $ sudo nano /etc/pihole/custom.list
10.0.0.1 router
10.0.0.2 noads
10.0.0.3 nas

Reload:

pi@ph5:~ $ sudo service pihole-FTL reload
pi@ph5:~ $

And test:

C:\>nslookup nas pi.hole
Server:  ph5
Address:  10.0.0.4

Name:    nas
Address:  10.0.0.3

C:\>nslookup 10.0.0.3 pi.hole
Server:  ph5
Address:  10.0.0.4

Name:    nas
Address:  10.0.0.3

The earlier bare Raspi 1 and 2 models are not well suited for running a full-fledged VPN server.
This is because they don't have gigabit but 100mbit instead, thus all traffic, LAN and VPN, needs to share that 100mbit.
And the DNS + Pi-hole gravity runs + VPN encryption + DHCP + routing going on might be a bit heavy for the Pi 1's.
Check out the below official guide that also allows the option to only route DNS traffic through the VPN tunnel and let the regular traffic take the default route to internet provided by ISP router or phone operator:

https://docs.pi-hole.net/guides/vpn/overview/

And the ZeroTier way:

I forgot to add that you need to restart the DNS server after you make changes:

pihole restartdns reload-lists

Yes, the id should be the same.

See above. You need to tell Pihole that it should re-read the database.
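
The manual `UPDATE domainlist SET enabled=...` discussed above, as an added example that is not part of the original posts: it looks the entry up by its pattern and type 3 (regex blacklist) instead of a hand-copied id, and refuses to write when nothing matches. The in-memory table is a constructed stand-in with only a subset of the `domainlist` columns, and the function names and sample rows are assumptions.

```python
import sqlite3

REGEX_BLACKLIST = 3  # domainlist.type for regex blacklist entries, as in the thread
YT_PATTERN = r"r[0-9]---sn-[a-z0-9]*.googlevideo.com$"

def make_demo_db():
    """Constructed stand-in for /etc/pihole/gravity.db (subset of columns)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE domainlist ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " type INTEGER NOT NULL DEFAULT 0,"
        " domain TEXT NOT NULL,"
        " enabled BOOLEAN NOT NULL DEFAULT 1,"
        " UNIQUE(domain, type))"
    )
    db.executemany(
        "INSERT INTO domainlist (type, domain, enabled) VALUES (?, ?, ?)",
        [
            (1, "ads.example.test", 1),                 # exact blacklist entry
            (REGEX_BLACKLIST, YT_PATTERN, 1),
            (REGEX_BLACKLIST, r"^tracker[0-9]+\.example\.test$", 1),
        ],
    )
    db.commit()
    return db

def set_regex_enabled(db, pattern, enabled):
    """Enable or disable one regex blacklist entry and return its id."""
    row = db.execute(
        "SELECT id FROM domainlist WHERE type = ? AND domain = ?",
        (REGEX_BLACKLIST, pattern),
    ).fetchone()
    if row is None:
        raise LookupError(f"no regex blacklist entry for {pattern!r}")
    with db:  # commit on success, roll back on error
        db.execute("UPDATE domainlist SET enabled = ? WHERE id = ?",
                   (int(bool(enabled)), row[0]))
    return row[0]

def enabled_regexes(db):
    """Regex blacklist patterns that are currently switched on."""
    rows = db.execute(
        "SELECT domain FROM domainlist WHERE type = ? AND enabled = 1 ORDER BY id",
        (REGEX_BLACKLIST,),
    )
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_demo_db()
    print("disabled id", set_regex_enabled(db, YT_PATTERN, False))
    print("still enabled:", enabled_regexes(db))
```

Against the real database the change only takes effect after `pihole restartdns reload-lists`, as noted above.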

Thanks for the information. Pihole provided a conf file where we can specify static IP for given MACs. It worked very well for me.

I spent the weekend getting the IKEv2 VPN on RPi 4. It has been running for 1 day. Now I have DNS + DHCP + VPN + Plex running, CPU temp is higher than before, 45 C vs 43 C. But it seems to be holding up fine.

I went with Strongswan IKEv2 setup because IKEv2 is well supported by iOS, my long time goal is to have all kids' devices hard wired with this VPN, always on. So that I would not worry about what internet kids have access to, and they can also watch their videos wherever they are. I am slowly moving towards that direction.

Also, Strongswan provided some extra packages, DHCP and FARP, which will make the remote clients act as if they are just connected to the local LAN. So it serves my purpose perfectly. There is no conflict with any other services that I am running on RPi 4, as of yet....

The setup is okay, I made some stupid mistakes myself. After reading a lot of documents, I finally made my way out. If anyone wants to do the same, I would be happy to help. This seems to be a very helpful and friendly community and I learnt a lot from here.

Thanks for clarification. I am using --regex and --regex -d to turn on/off youtube during school days.

Do you mean the below file?

pi@noads:~ $ cat /etc/dnsmasq.d/04-pihole-static-dhcp.conf
dhcp-host=00:11:32:xx:xx:xx,10.0.0.3,nas

That's not a static IP address assignment on the device itself.
That file is for static DHCP reservations.
The client device itself will still acquire an IP through DHCP but it will always get the same IP assigned depending on the MAC address.

A true static IP address can only be assigned on the client device itself!
This is always confusing somehow :wink:

EDIT: The Pi-hole host needs to be configured with a true static IP for proper functioning:

pi@noads:~ $ tail /etc/dhcpcd.conf
[..]
interface eth0
  static ip_address=10.0.0.2/24
  static routers=10.0.0.1
  static domain_name_servers=10.0.0.1

True, Pi-hole needs a fixed IP address, but whether that's defined statically on-device or as a DHCP lease reservation on a router's DHCP server is up to the network's admin.

If you decide to define it statically, consider using or adding a public DNS server to domain_name_servers, so you'd still be able to download updates on your Pi-hole host in the event of Pi-hole's DNS resolution failing for some reason.

Exception: if Pi-hole is going to do DHCP, you can't have the DHCP service on the router running (except maybe as a relay).
Thus making reservations on the router is of no use then ... and one would need a true static IP.

I was not accurate. Yes, I understand the reservations part. And yes, RPi4 was configured with static ip from the very beginning.

As answered by deHakkelaar, if we disable the DHCP on the router, it renders the static reservation on the router invalid, I found this out the hard way. And then went and set up all reservations again with 04-pihole-static-dhcp.conf.

As I mentioned, I carved out a strip of DHCPs, leaving the low and high ends open for static ip reservations. So that one day, I will have all home devices lined up perfectly from 192.168.1.1 to 192.168.1.60.

Hi deHakkelaar,

I am glad that I listened to your suggestion to turn on DHCP with Pihole, configured as shown in the setupVars.conf.

Have one follow up question now. I noticed that you had

DHCP_IPv6=false

Since I have started using pihole for IPv6 DNS, I am wondering if I can start to use Pihole for IPv6 DHCP as well. My knowledge of IPv6 is very limited and I understand that IPv6 is more complicated than IPv4. So I assume it would not be as simple as to just turn it on. Do you have suggestions either way? The reason I want to do IPv6 DHCP is that pihole sometimes cannot resolve the IPv6 address on the LAN, I want to tie up the IPv4/IPv6 with the computers'/devices' names. Am I right?

Also, even though I have started using pihole for IPv6 DNS, I have not assigned a static IPv6 for RPi yet, since I do not know how anyway. It seems to be fine for now as RPi has been running without reboot for a long time. I think I am just lucky for this one.

P.S. Thanks for your help. I have RPi with m.2 SSD up and running. I now regularly clone the whole system back to the SD card.

Can't give you solid advice on that.
I don't have IPv6 configured on my LAN.
It's disabled in router LAN settings and Pi-hole.
My opinion, it's of no added value if you don't have IPv6 support upstream.
Except maybe for the learning experience.

And running a dual IPv4 + IPv6 stack complicates things unnecessarily ... KISS.
Search Discourse here for IPv6 related threads.

You are right, it complicates things. However, I was pleasantly surprised by pihole. Pihole is aggressively running PTR queries in the first 10 minutes of each hour, which seems to be able to tie up IPv4 and IPv6 with devices' names, even though the IPv6 changes all the time. Just my observations, I am not sure if I am understanding it correctly.

For my setup with my router, I cannot turn off IPv6 DHCP from the router. It only gives me two options: 1) Use my own DHCP server, or 2) Auto config. I am using auto config, which is (my understanding) letting the router decide whether or not to do IPv6 DHCP. If the router stops IPv6 DHCP for any computers/devices, it falls back to RPi for IPv4 DHCP.

For example, this morning when I tried to run the test you linked, my desktop does not even have IPv6. But my iphone does show native IPv6 support by default and falls back to IPv4 in one second. All three DNS configurations are supported, i.e., DNS4 + IP6, DNS6 + IP4, DNS6 + IP6.

This definitely unnecessarily made things more difficult to track, as pihole will show distinct entries for the same device for IPv6 and IPv4, plus there could be more than one IPv6. We have 22 devices connected to the network, and some virtual IPs for VPNs, but Pihole says that we have 122 clients.....which is about 6 times more than what is necessary.