One pihole server for multiple VLans?

I have one pihole on my default LAN. I am using pfsense. I want the other vlans to also do DNS lookups through this pihole server. How do I configure this?
I was thinking of doing this: in DHCP for each VLAN, add the IP of the pihole as the DNS server (but the IP is of a different scope than the VLAN).
In what places in pfsense do I need to change?

  • Firewall rules? If so what would the rule be like?
  • Intervlan routing? I am not sure how to configure this.
  • Setup a shared Vlan for the pihole, which can be reached by all other vlans for DNS lookups?

Yep, that’s what I do.

Yep.

Just add an allow rule on the relevant interfaces of the subnets that should be able to use the Pi for DNS. You may also want to block traffic to other destinations in order to prevent clients from using other DNS servers than the Pi. See here: DNS for with mutliple interfaces - #2 by bb77

Have a look at this video; it explains how to allow traffic between different networks.

Look up redirecting DNS, that’s a neater approach.

Instead of poking a hole for DNS to cross VLANs, you could also add an interface for pihole on the other VLAN and set it to listen on both interfaces.

That’s the way I do it, since my primary Pihole server is a VM.

Then I just hand out the IP of that interface via DHCP.

You could also replace Pi-hole and use pfBlockerNG inside of pfSense instead. I believe it uses all the same filters. Then all your VLANs will be covered (if you want…it is selectable) without poking holes in your firewall rules.

So I was previously using pfBlockerNG and agree how similar it is. However it became so hit or miss for me and after about 1 year I decided to try pihole instead. I have also tried AdGuard Home on my Pi4 and to be honest I prefer it to Pihole, but essentially it's a DNS sinkhole and it works well.

I have tried all three as well. None of them really worked better than a browser plugin in my opinion, and I was spending too much time figuring out what to whitelist when stuff broke, that I just gave up on the concept altogether. But in general, whenever possible, I am pushing more tasks to my pfsense box versus standing up separate devices or VMs.

What was hit or miss about pfblockerng?

I am not sure what it uses by default (Does it come with any default lists?), but you certainly can manually add the same lists that Pi-hole comes with.

Well, one big disadvantage of the browser plugin is of course that it only works for the browser :wink:

If you only allow the relevant ports to the pi-hole’s IP address, this is certainly not a concern, especially in a home network. And if you want to be extra safe, just put the pi-hole on its own VLAN.

That’s of course fine, but in the end, it’s a personal decision that depends on your own needs and preferences. In IT there are usually many ways to solve a problem, and simply using a different product can be one of them. However, in this case this doesn’t seem necessary, since multiple ways have already been posted for how OP can achieve what he wants.

If there is a debate on pihole versus pfblocker, then it’s probably psychological. PiHole looks much prettier, it appears to block things from places, so does pfBlocker but the reports are not as nice. You can of course use the same lists.

I use pfblocker, with browser add-ons in Firefox. Try using youtube with that and it moves like a dog. Now I view YT in Brave to stop their ads.

It’s a cat and mouse game.

Yes, I agree, what matters in the end are the block lists, and you can use the same lists on both. But I like Pi-hole and the extra effort to host a separate thing doesn’t bother me. Of course, from a purely practical point of view, it makes sense to use pfBlocker because you already have it if you use pfSense.

And of course, I also use uBlock Origin in my browser, but not everything on my network is a browser. :wink:

Yes, but at the end of the day this is true for all “security” measures, and I don’t expect a DNS blocker to protect me from every possible threat or give me perfect privacy, but it does block the majority of known advertising, tracking and malware domains, which is good enough for me, and makes using the internet much more enjoyable.

I’m not personally knowledgeable enough on security regarding surfing sites and any implications. However, if you are just browsing news sites etc. I would think any risk is low. The moment you are looking for “dodgy” stuff then the risk grows. I don’t recall a site being blocked by pfBlocker, but it does seem to block lots of things that I have no idea if they are malicious or not.

It’s a big effort to really understand this, mostly I want to watch YT ad-free :innocent:

I get that idea, however I only have one NIC on the Pihole (Raspberry Pi4). I could add some USB NICs, but would rather keep a single NIC and add rules on Pfsense.

So it seemed to block sites sometimes, on some computers (I run IT for a K-12 school). Not sure why it sometimes wouldn't block anything. When I stumbled on Pihole and AdGuard Home, they seemed to block categories, and blocked ads and malware sites literally right after install. It could have been an issue with how I set up pfBlockerNG, but I honestly don't really care that it's not all centralized inside of Pfsense now.

Perhaps these clients, or certain apps and browsers on these clients, are using DoH (DNS over HTTPS), in which case the requests will bypass the DNS servers configured in the operating system, and for the firewall, it’s just normal HTTPS traffic so it won’t be blocked by any DNS blocking rules.
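As an added example (not code from this thread, from pfSense, or from Pi-hole), here is a small Python model of the first-match rule set the replies describe on a client VLAN's interface: pass TCP/UDP 53 only to the Pi-hole, block DNS to any other server, block the rest of the default LAN, and pass everything else. The addresses are constructed samples; `redirect_dns` models the "redirect DNS" port-forward approach, and the port-443 case shows the point of the last reply: DoH matches the generic pass rule, so a port-53 block never sees it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed sample addresses: Pi-hole on the default LAN, clients on a VLAN
LAN_NET = ip_network("192.168.1.0/24")
PIHOLE_IP = ip_address("192.168.1.53")
PIHOLE_HOST = ip_network("192.168.1.53/32")
VLAN_NET = ip_network("192.168.20.0/24")

@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "block"
    proto: object  # "tcp", "udp", or None for any protocol
    src: object    # source network
    dst: object    # destination network, or None for any
    dport: object  # destination port, or None for any
    note: str

# Rules on the VLAN interface, top to bottom; pfSense uses the first match
VLAN_RULES = [
    Rule("pass", "udp", VLAN_NET, PIHOLE_HOST, 53, "DNS to Pi-hole"),
    Rule("pass", "tcp", VLAN_NET, PIHOLE_HOST, 53, "DNS to Pi-hole"),
    Rule("block", "udp", VLAN_NET, None, 53, "no other DNS servers"),
    Rule("block", "tcp", VLAN_NET, None, 53, "no other DNS servers"),
    Rule("block", None, VLAN_NET, LAN_NET, None, "no other access to LAN"),
    Rule("pass", None, VLAN_NET, None, None, "everything else, e.g. internet"),
]

def evaluate(rules, proto, src, dst, dport):
    """Return (action, note) of the first rule matching the packet.
    A packet matching no rule hits pfSense's implicit default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if r.proto is not None and r.proto != proto:
            continue
        if src not in r.src:
            continue
        if r.dst is not None and dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.note
    return "block", "implicit default deny"

def redirect_dns(proto, dst, dport):
    """Model of a 'redirect DNS' port forward: plain DNS aimed elsewhere is
    rewritten to the Pi-hole before filtering; DoH on tcp/443 is untouched."""
    if proto in ("tcp", "udp") and dport == 53 and ip_address(dst) != PIHOLE_IP:
        return str(PIHOLE_IP)
    return dst
```

Note that the "no other access to LAN" rule also blocks a VLAN client reaching the Pi-hole on any port other than 53, which is the "only allow the relevant ports" advice given earlier in the thread.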