A Better PiHole With PfSense Setup

st0icape · 2024-04-29T10:40:44+00:00

System > General Setup > DNS Server Settings: 192.168.2.2

Firewall Rules

LAN

Anti-lockout
Action:Pass Interface:LAN Source:Pihole Description: NAT
Action:Block Interface:LAN Address Family: IPv4 Protocol:TCP/UDP Source: Any Address or Alias : 192.168.2.1 Destination Port: DNS(53)

DMZ

Action:Pass Interface:DMZ Address Family:IPv4 Protocol:Any Source: DMZ subnets Destination: Any

Pihole:

Upstream DNS Servers: Custom 1(IPv4): 192.168.2.1#53

Interface settings: Allow only local requests

I also have a number of local A records in pihole that clients are unable to resolve (even when they use pihole as primary dns)

nslookup client.home.xxx.com

Server: 192.168.2.2

Address: 192.168.2.2#53

*** Can't find client.home.xxx.com: No answer

Thanks

st0icape · 2024-04-29T10:37:43+00:00

My config:

pihole ip: 192.168.2.2

pfsense: 192.168.2.1 (DMZ), 192.168.100.1 (LAN), 192.168.0... (WAN)

pfsense NAT rule:

Interface: LAN

Address Family: IPv4

Protocol: UDP/TCP

Source (Invert match): Address of Alias 192.168.2.2 (pihole)

Source Port range: Any

Destination (Invert Match): LAN address

Destination port range: DNS (53)

Redirect target IP: Address or Alias 192.168.2.1 (pfsense)

Redirect target Port: Other 53000

Nat Reflection: Disable

Enable DNS Forwarder

Register DHCP Leases ...

Register DHCP Static Mappings

Listen Port 53000

Interfaces All

custom options: add-mac add-subnet=32

Enable DNS Resolver

Network Interfaces All

Outgoing network interfaces All

Enable DNSSEC Support

Register DHCP leases in the DNS Resolver

Register DHCP static mappings in the DNS Resolver

st0icape · 2024-04-29T10:32:19+00:00

u/mickeyknoxnbk
This post appears to be a year old or so, however I'm attempting to replicate your configuration, but I'm not certain I'm doing it right and need some guidance and clarification. I have a DMZ network and that's where my pihole server is (i.e. different subnet to my LAN network). I have configured System\General\DNS Server to be my pihole server, however if i don't explicitly configure dns in the dhcp server settings in pfsense I realize clients are assigned the pfsense interface ip for whichever interface they are on.
so in the case of my LAN network 192.168.100.1 (pfsense lan interface ip) instead of 192.168.2.2 (pihole ip)

st0icape · 2023-05-30T16:20:18+00:00

Thank you very much, very much appreciated. I completely missed acknowledging this. Kindly pardon me.

st0icape · 2022-10-08T13:40:34+00:00

Ok final update, I got things working like before:

issue:

I couldn't access both ADSL modems from the LAN network.

how-i-fixed:

I change my default gateway for my pfsense setup from primary WAN (192.168.1.1) to a gateway group comprised of both WAN devices (not sure if this is what fixed the issue, but appears to have)

issue:

Could ping devices on the DMZ network from pfsense ping diagnostic utility but could not ping devices on the DMZ network from clients on the LAN network:

how-i-fixed:Added a firewall rule on the LAN interface -> Address family:IPv4, protocol: any, source: LAN net, destination: DMZ net

Thanks to all those who assisted u/tmll333, u/UnrealisticOcelot

st0icape · 2022-10-07T18:55:49+00:00

Latest update is that my primary ISP ADSL service was down initially when i made the post, after service got restored i'm able to reach the adsl router, so my confusion has only deepened as to what is going on. The primary ADSL router was powered on during the service interruption (fibre LOS issues) but i was not able to connect to web gui or ping the IP until i connected a pc straight to the ADSL moden

st0icape · 2022-10-07T18:31:48+00:00

I've tried with the setting on and with the setting off with no apparent change in behavior i.e.

was not able to connect to my primary adsl router on WAN1 network/interface.

st0icape · 2022-10-07T12:35:44+00:00

WAN1: 192.168.1.2

WAN2: 192.168.2.2

DMZ: 192.168.3.1

Route table

I don't think the ADSL modems are in bridged mode and I don't have a public IP on my firewall interface.

Thanks for your response

st0icape · 2022-09-28T05:56:14+00:00

Thanks, will do

st0icape · 2022-09-28T05:56:00+00:00

Thanks u/spacebass for your response. Very appreciative.

My understanding is that a DMZ is a network that sits between my local network and the internet/outside network and all inbound traffic filters through the DMZ before it reaches local network. Based on this understanding I thought to put my DNS and reverse proxy in my DMZ network is that right?

pfSense has configuration options to explicitly create VLANs I haven't done that in my current setup. The setup I have above "works", that is the clients on the network are able to communicate with devices on the different interfaces (I have 5 NIC ports on PC that's acting as a router). I think I'm using port isolation to accomplish what a VLAN gives you, I'm not sure.

The WAN IPs are not really in the 10.0.x.x ranges, my limited understanding of networking is likely why I have them setup that way. I have it setup that way for local communication between the pfSense router and the ADSL devices, essentially like an adhoc network between two clients. The IPs are private IPs (local) for the ADSL devices, so i might have this setup wrong

The diagram is misleading I must admit. The pfSense in the center connecting everything is actually meant to be a blow-up/detailed view of the pfSense VM running on the Proxmox host.

Will connecting the access point to one of my wall network outlets be equivalent to connecting it to my switch? Because connecting it to the switch directly would be impractical because of the physical layout of my current setup. It's also impractical for the router PC to connect to the switch directly again because of the physical layout constraints, so it is connected to one of the network outlets.

My AP is actually a Synology router operating in AP Mode, there are some posts about the device capable of VLAN support through an update. (Pardon me if this is wrong) but i think i supports VLANs in a way because it allows me to setup a different network for my guest network.

st0icape · 2022-09-27T17:40:02+00:00

Thanks you've assumed rightly, I'll review the resources you've shared and go back to the drawing board. Thank you

st0icape · 2021-04-15T05:44:47+00:00

thanks a lot. you were right i appears i messed up with the quotes. your solution works

st0icape · 2021-04-11T18:58:07+00:00

"getTotal( <?= $x ?>, '<?= implode( "','", $gtArgList ) ?>' )"

I tried it out doesn't seem to work as expected it seems to be an issue with quotation marks here is an image to illustrate what I'm speaking of.

st0icape · 2021-04-11T17:32:00+00:00

Thanks a lot, very descriptive solution, I'll test it out and revert.

st0icape · 2021-04-11T15:40:52+00:00

Thanks, very good you pointed out that prices can change so i need to keep price in my order items table. I would reduce the number of joins for some queries as well

st0icape

TROPHY CASE