What I want to achieve is to have every device use my Pi-hole as DNS server (192.168.10.20). I can see in Pi-hole that queries are being logged from all devices in the same network as Pi-hole itself (VLAN2).
However, devices on VLAN1 don't seem to be logging queries on Pi-hole, which is odd, because I have set custom DNS servers on all three VLAN interfaces.
Pi-hole does not show any type of query coming from VLAN1 (192.168.8.0/24) even though it has access to Pi-hole.
So to test if the same happens on VLAN3, I connected to the Wi-Fi network associated with VLAN3 and tried to browse the internet which did not work. I then added internet access for VLAN3 and added a traffic rule which allows VLAN3 to access the Pi-hole.
And for some reason, all queries coming from VLAN3 are correctly going to Pi-hole and Pi-hole is logging all the queries from this VLAN, with hostname and all.
My question is: why is VLAN1 not querying Pi-hole even though it can access the entire VLAN that Pi-hole is sitting in? And why can VLAN3 query Pi-hole correctly if it's blocked from accessing the VLAN but has a special rule to allow access to Pi-hole?
I've tried adding the same traffic rule from the other two VLANs but not only did this not change anything, I don't think it should be necessary because both VLAN1 and VLAN3 have zone forwardings to VLAN2.
Any help would be much appreciated. I'm still very new to networking but trying to learn as much as I can.
But I do see something here which might give some further ideas why it fails to work.
I see you forward zone lan to wgclient; however, if the VPN is up there is a chance the kill switch blocks it.
Have you enabled this setting as well?
'Allow access to lan'? In the VPN options?
If you have VPN policies as well, please let me know.
In the past I've used the command ip rule to get the mark to use on other networks with the split tunnel for WAN to accept packets; that worked for me, but I don't know if it is something like that.
You can try using the DNS as the gateway IP on each device; that should cover the firewalling issue, since the router gateway is allowed on 0.0.0.0 and just forwards, as long as you remove option 6 and add it inside the DHCP forwardings in LuCI -> Network -> DHCP options. So for VPN, if your virtual IP was 10.0.8.1, you can use 10.0.8.1.
So I disabled the VPN to test if there were any changes, but unfortunately none of the queries (except still VLAN3) are being logged by Pi-hole. The weird thing is, VLAN4 (guest network) and VLAN3 are configured exactly the same, but queries from VLAN4 are not going to Pi-hole. I can constantly see queries coming in to Pi-hole from my phone when I'm on the Wi-Fi associated with VLAN3, but the moment I switch to VLAN1 or 4, nothing is being sent to Pi-hole anymore.
If I enter Pi-hole's IP address in the DNS settings as shown below, all queries are going to Pi-hole but Pi-hole is reporting all queries as coming from the router. For some reason, the DNS server sent to devices will be the router's IP address instead of the Pi-hole address that I entered.
Aha, thanks for posting a new screenshot of the firewall zones.
Please ensure the input field for all non-WAN zones is set to accept.
This is essential to accept VLAN frames as well. In your traffic rules I see you copied the guest rules; these are kind of redundant when you use the input field to accept.
Forward should be reject, and output is fine as accept. Now incoming connections sent from the router are accepted in homelab and iot; however, homelab and iot cannot talk (forwarding) to other zones.
Now if you want to make the DNS accessible from lan to iot and others, you need traffic rules like (you probably have them already):
proto: tcp+udp
src: iot
dest: lan
dest_ip: your dns
dst port: 53
target: accept
Then re-add DHCP option 6 in your iot and homelab DHCP.
If that doesn't work, can you please look into rebind protection? Look in the OpenWrt logs to see if they show something, or in Pi-hole.
I don't have a physical port for the IoT zone, it's only a Wi-Fi network and a separate interface. I don't want IoT devices to be able to access my router, which is why I have set it up exactly as the guest network.
I think it's easier if I post a screenshot of my entire firewall config:
So in my situation, LAN (VLAN1) and Guest (VLAN4) should already have access to Homelab (VLAN2) where my Pi-hole is hosted. So I don't need a separate traffic rule like I have for IoT and Guest. But Pi-hole is still not receiving queries correctly from LAN or Guest. I even granted Homelab access to LAN because maybe Pi-hole needs to talk back to the devices on LAN that are trying to send queries, but that also doesn't work. Unfortunately I just don't really understand what is happening anymore.
It's beyond me why IoT queries are being sent correctly to Pi-hole and LAN/Guest queries are not. It's proving to be a lot more difficult than I can handle because I don't have a lot of knowledge or experience in networking stuff.
So far this looks okay; of course there is room for improvement:
For each interface you created, can you edit it in LuCI and then, under Advanced, uncheck the default gateway checkbox?
^ This however probably won't fix the issue, but let me explain why this option could better be unchecked.
This checkbox is basically only meant for 'special' interfaces such as lan, or wan-like interfaces. When you have another interface with this checked, an issue could arise, for example: iot goes over the interface gateway of homelab and then to wan instead of iot -> wan, which is the default gateway (this is what this checkbox means).
My suspicion though is that your DNS requests might be filtered. Can you check in LuCI -> DHCP whether rebind protection is unchecked, and filter private? Can you also check if this is also happening on the Pi-hole? Maybe it's blocking it due to the different range.
I have unchecked default gateway for the Homelab, IoT and Guest interfaces, thanks for the tip. Rebind protection is unchecked and filter private is checked; should I uncheck filter private?
I have Pi-hole set to "Permit all origins" so I believe it is configured properly (unless there are more options to change that I am unaware of).
Please let me know if you've managed to get it to work. I've given up for now and did a complete reset of my router. The VLAN stuff is too complicated for me, so all my devices will just be in the same subnet. I had a lot of issues with getting Home Assistant to discover devices on different subnets as well.
But let me know if you've found the solution because maybe I'll try again in the future. And thanks for all your help.
Note that when I started configuring the VPN, especially with the auto profile, I ran into issues.
I was using Mullvad for this example, but Mullvad has its own configuration hardcoded in /etc/config/wireguard; you have to replace the DNS entries with the one provided by your own DNS.
Secondly, I also disabled 'Allow Custom DNS to Override VPN DNS' inside the GL UI, in the DNS settings. I'm not sure if it does something special, but I'm always afraid of new functions.
^ After some further testing there is still a problem with the VPN: DNS is routed from the gateway IP instead of the client... This is more an issue with the GL firmware, I think; maybe just deleting the full DNS field in /etc/config/wireguard fixes it.
Here are my configurations so you can compare those.
The contents of /etc/config/network:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd41:3898:e437::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan4'
	list ports 'lan5'
	# note: usually you would take note of the devices lan1, lan2, etc.; in normal OpenWrt these must be unconfigured (I don't know why GL.iNet specifies those)

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option ipv6 '0'
	option classlessroute '0'
	option metric '10'
	option vlanid '0'
	option peerdns '1'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option disabled '1'

config interface 'tethering6'
	option device '@tethering'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'wwan6'
	option device '@wwan'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'guest'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option disabled '1'

config interface 'wwan'
	option proto 'dhcp'
	option classlessroute '0'
	option metric '20'

config interface 'secondwan'
	option ipv6 '0'
	option proto 'dhcp'
	option metric '15'
	option force_link '0'
	option classlessroute '0'
	option device 'lan1'

config interface 'secondwan6'
	option proto 'dhcpv6'
	option device '@secondwan'
	option disabled '1'
	option metric '15'

config interface 'modem_1_1_2_6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@modem_1_1_2'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule 'policy_default_rt_vpn_ts'
	option lookup 'main'
	option priority '1099'
	option mark '0x80000/0xc0000'
	option invert '0'

config device
	option type 'bridge'
	option name 'br-homelab'
	list ports 'lan2'
	list ports 'lan3'

config interface 'homelab'
	option proto 'static'
	option device 'br-homelab'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

config device
	option type 'bridge'
	option name 'br-iot'
	option bridge_empty '1'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

config interface 'wgclient'
	option proto 'wgclient'
	option config 'peer_2004'
	option disabled '0'
The contents of /etc/config/firewall:
config defaults
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'secondwan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

config zone
	option name 'guest'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'
	option enabled '0'

config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

config zone
	option name 'homelab'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'homelab'

config forwarding
	option src 'homelab'
	option dest 'wan'

config rule
	option name 'allow-dns-lan'
	option src 'lan'
	option dest 'homelab'
	list dest_ip '192.168.10.89'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'allow-pihole-web'
	option src 'lan'
	option dest_port '80'
	option target 'ACCEPT'
	option dest 'homelab'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'allow-dns-iot'
	option src 'iot'
	option dest 'homelab'
	list dest_ip '192.168.10.89'
	option dest_port '53'
	option target 'ACCEPT'

# port-53 traffic from lan that does not carry the VPN policy mark 0x8000 is redirected to port 1653 on the router
config redirect 'dns_vpn'
	option name 'dns for vpn'
	option src 'lan'
	option src_dport '53'
	option dest 'lan'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '1'

config redirect 'dns_vpn_guest'
	option name 'dns for vpn guest'
	option src 'guest'
	option src_dport '53'
	option dest 'guest'
	option dest_port '1653'
	option mark '!0x8000/0xc000'
	list proto 'tcp'
	list proto 'udp'
	option enabled '1'

config zone 'wgclient'
	option name 'wgclient'
	option forward 'DROP'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wgclient'
	option enabled '1'
	option input 'DROP'
	option masq '1'
	option masq6 '1'

config forwarding 'wgclient2wan'
	option src 'wgclient'
	option dest 'wan'
	option enabled '1'

config forwarding 'lan2wgclient'
	option src 'lan'
	option dest 'wgclient'
	option enabled '1'

config forwarding 'guest2wgclient'
	option src 'guest'
	option dest 'wgclient'
	option enabled '1'

config forwarding 'wgclient2lan'
	option src 'wgclient'
	option dest 'lan'
	option enabled '0'

config forwarding
	option src 'iot'
	option dest 'wgclient'

config forwarding
	option src 'homelab'
	option dest 'wgclient'
The contents of /etc/config/dhcp: the only change I made was unchecking 'Local service only', but I think this might not be needed.
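The firewall dump above contains a redirect ('dns_vpn') that rewrites port-53 traffic from lan to port 1653 on the router unless the packet carries the VPN policy mark. As an added example that is not part of the thread or of GL.iNet's firmware, here is a small Python UCI parser that lists, in netfilter evaluation order, what such a config does with DNS traffic leaving a zone; SAMPLE is a constructed excerpt of the posted firewall file, and parse_uci/dns_path are my own names.

```python
import shlex
# Constructed excerpt of the /etc/config/firewall posted above (not the whole file).
SAMPLE = """\
config forwarding
    option src 'lan'
    option dest 'homelab'
config rule
    option name 'allow-dns-lan'
    option src 'lan'
    option dest 'homelab'
    list dest_ip '192.168.10.89'
    option dest_port '53'
    option target 'ACCEPT'
config redirect 'dns_vpn'
    option src 'lan'
    option src_dport '53'
    option dest 'lan'
    option dest_port '1653'
    option mark '!0x8000/0xc000'
"""

def parse_uci(text):
    """Parse UCI syntax into [{'type', 'name', 'opts'}]; 'list' keys collect into lists."""
    sections = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # drops '# ...' comments and the quotes
        if not tokens:
            continue
        if tokens[0] == 'config':
            sections.append({'type': tokens[1], 'name': tokens[2] if len(tokens) > 2 else None, 'opts': {}})
        elif tokens[0] == 'option':
            sections[-1]['opts'][tokens[1]] = tokens[2]
        elif tokens[0] == 'list':
            sections[-1]['opts'].setdefault(tokens[1], []).append(tokens[2])
    return sections

def dns_path(sections, src_zone):
    """What the firewall does with port-53 traffic leaving src_zone, in netfilter order:
    a redirect (DNAT in prerouting) runs before the forward chain and its accept rules."""
    steps = []
    for s in sections:
        o = s['opts']
        if o.get('src') != src_zone:
            continue
        if s['type'] == 'redirect' and o.get('src_dport') == '53':
            # a redirect without dest_ip sends the packet to the router itself
            steps.append(('dnat', f"{s['name']}: port 53 -> {o.get('dest_ip', 'router')}:{o['dest_port']}"
                                  f" unless fwmark matches {o.get('mark', 'any')}"))
        elif s['type'] == 'rule' and o.get('dest_port') == '53' and o.get('target') == 'ACCEPT':
            steps.append(('forward_accept', f"{o['name']}: to zone {o['dest']} {', '.join(o.get('dest_ip', []))}"))
        elif s['type'] == 'forwarding':
            steps.append(('forwarding', f"{src_zone} -> {o['dest']}"))
    rank = {'dnat': 0, 'forwarding': 1, 'forward_accept': 1}
    return sorted(steps, key=lambda st: rank[st[0]])
```

Running dns_path(parse_uci(SAMPLE), 'lan') lists the DNAT first, which is why an accept rule towards the Pi-hole alone does not guarantee that unmarked lan clients ever reach it directly.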
So after a lot of testing it seems that the VPN is indeed the culprit. When I turn the VPN off, all queries are being logged by Pi-hole. However, I still want to be able to use the WireGuard client on my router. I removed the DNS line in /etc/config/wireguard, but that didn't help. Did it work for you? Or did you find a different way to point your DNS server to Pi-hole when using WireGuard on your router?
Update: I re-added the DNS line with my Pi-hole's IP address and now all queries from all VLANs are correctly going to Pi-hole with the WireGuard client activated on the router. But this results in every query originating from "GT-M6000.lan". Is there a way Pi-hole can see where the query is coming from instead of the router?
So I found out some more and maybe you can point me in the right direction. When the VPN is active, Pi-hole is receiving queries from both the router and my local device from a different subnet. They're the exact same queries, but Pi-hole is only logging the one coming from the router (I changed the IP addresses to names for easier reading):
14:30:09.330297 IP desktoppc.lan.64395 > pi.hole: 27934+ A? b.thumbs.redditmedia.com. (42)
14:30:09.330548 IP router.lan.54563 > pi.hole: 50845+ A? b.thumbs.redditmedia.com. (42)
14:30:09.330611 IP desktoppc.lan.60347 > pi.hole: 16678+ A? styles.redditmedia.com. (40)
14:30:09.330728 IP router.lan.53769 > pi.hole: 44735+ A? styles.redditmedia.com. (40)
14:30:09.331528 IP pi.hole > router.lan.54563: 50845 2/0/0 CNAME dualstack.reddit.map.fastly.net., A 151.101.37.140 (103)
14:30:09.331623 IP pi.hole > desktoppc.lan.64395: 27934 2/0/0 CNAME dualstack.reddit.map.fastly.net., A 151.101.37.140 (103)
14:30:09.331666 IP pi.hole > router.lan.53769: 44735 2/0/0 CNAME dualstack.reddit.map.fastly.net., A 151.101.37.140 (101)
14:30:09.331719 IP pi.hole > desktoppc.lan.60347: 16678 2/0/0 CNAME dualstack.reddit.map.fastly.net., A 151.101.37.140 (101)
So now I know that when the VPN is activated, there's like a "double-query" of some sort going on. I don't have any special rules applied in my WireGuard config other than DNS = pi.hole. Do you know how I can either stop WireGuard from querying as well or make sure that the query from local LAN is received rather than WireGuard?
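The "double-query" above can be picked out of a tcpdump capture automatically. This is an added example, not from the thread: it parses query lines in the format shown and flags names that two different sources asked for within a short window; CAPTURE is constructed from the lines above plus one extra single-source query, and parse_queries/duplicated_queries are my own names.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump format shown above (hostnames substituted, as in the post),
# plus one extra query that only one host sends.
CAPTURE = """\
14:30:09.330297 IP desktoppc.lan.64395 > pi.hole: 27934+ A? b.thumbs.redditmedia.com. (42)
14:30:09.330548 IP router.lan.54563 > pi.hole: 50845+ A? b.thumbs.redditmedia.com. (42)
14:30:09.330611 IP desktoppc.lan.60347 > pi.hole: 16678+ A? styles.redditmedia.com. (40)
14:30:09.330728 IP router.lan.53769 > pi.hole: 44735+ A? styles.redditmedia.com. (40)
14:30:09.331528 IP pi.hole > router.lan.54563: 50845 2/0/0 CNAME dualstack.reddit.map.fastly.net., A 151.101.37.140 (103)
14:30:12.000000 IP desktoppc.lan.50001 > pi.hole: 11111+ A? example.com. (30)
"""

# Matches query lines only; response lines ('pi.hole > host.port: id ...') do not fit and are skipped.
QUERY = re.compile(r'^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+)\.\d+ > \S+: \d+\+ (\w+)\? (\S+) \(\d+\)$')

def parse_queries(text):
    """Return [(seconds_since_midnight, source_host, qtype, qname)] for each query line."""
    out = []
    for line in text.splitlines():
        m = QUERY.match(line)
        if m:
            h, mi, s, us, src, qtype, qname = m.groups()
            out.append((int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6, src, qtype, qname))
    return out

def duplicated_queries(text, window=0.5):
    """Return {(qtype, qname): sorted source hosts} for names that two different sources
    asked for within `window` seconds of each other (the 'double-query' seen above)."""
    by_name = defaultdict(list)
    for t, src, qtype, qname in parse_queries(text):
        by_name[(qtype, qname)].append((t, src))
    dupes = {}
    for key, events in by_name.items():
        events.sort()
        for (t0, s0), (t1, s1) in zip(events, events[1:]):
            if t1 - t0 <= window and s0 != s1:
                dupes[key] = sorted({s for _, s in events})
                break
    return dupes
```

Feed it the output of tcpdump -n -i <iface> port 53 on the Pi-hole host (unchanged regex only works with the hostname-substituted form; with -n the source field is an IP, which the pattern also accepts).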
Unfortunately I cannot. In the previous post I tagged some GL.iNet staff/devs in the hope they have a solution; I guess they are back Monday.
What you see here is likely something in their software which they also use as part of the kill switch to avoid DNS leaking; however, I'd still wish it to be an option, because this prevents using the DNS directly from inside the VPN tunnel.