Pfsense with pihole

Hi, was wondering if anyone had set up the following, and any gotchas I might encounter…

  1. pfsense running virtualized on a proxmox host

  2. pihole running in a container on same host (debian bullseye)

  3. pfsense has pfblockerNG installed but only using the geo blocking element (free maxmind key installed)

  4. dhcp disabled on pihole and configured with unbound for local resolution

  5. pfsense running dhcp with DNS resolver service disabled and DNS forwarder configured to point to pihole IP address

  6. pfsense WAN rule to block all outgoing port 53 udp traffic, apart from pihole’s IP

Thanks

  1. Virtualizing pfsense is always a bad idea, will most likely cause random weirdness, and is not a supported way to run it.

  2. Running pihole in a container should be fine if you are exposing the IP for a non-virtualized pfsense box

  3. Should be fine for the IP side of blocking

  4. Yes

  5. Yes

  6. Yes

Added note: If it were me I would use the pihole block lists you get from pihole and use it in pfblockerng and eliminate a complicated setup so you have an all-in-one solution on your firewall. Is there something pihole can do that pfblockerng can’t?

thanks for the feedback

It’s more of a “cosmetic” issue really, I just prefer the pihole front end

I don’t mind virtualizing pfsense at home; I found that if I auto-reboot my proxmox laptop nightly it works fine with no issues (even whilst using a USB ethernet adaptor for the WAN side) :slight_smile:

Ah, a forbidden router setup like Wendell on Level1Techs. First, if you haven’t seen those videos, I’d suggest checking them out. He’s thought of way more gotchas than I can come up with.

Second, what you are attempting to do is the very definition of hubris. I won’t try to dissuade you, because nothing would have dissuaded me when I wanted to try this same thing. There’s really nothing wrong with virtualizing pfsense, it works fine, it’s just not recommended because virtualizing “critical infrastructure” leads to pain. You will learn this pain, so my recommendation is to have a cold backup router. Be it a SG-1100, an old computer loaded up with pfsense, or an old linksys whatever box. HAVE A BACKUP. Something you can just move your cables over to, and be up and running again after a boot cycle. This is doubly the case if anyone else in the household has to connect to your Frankenstein’s Monster.

Good luck and have fun. :smile:

(In case you’re wondering why I attempted the forbidden router, it was because support ended for the 32-bit processors like the one in the laptop I was using. Newer 64-bit laptops didn’t have PCMCIA slots for the second NIC I had, and USB NICs just didn’t work well for some reason.)

4, 5, 6 > If the pihole container stops, you will lose internet.
A better approach is to use pfsense as the DNS resolver, ask pihole to use pfsense for local resolution, and configure DHCP to use both DNS servers (pihole as first DNS and pfsense as second DNS). Don’t block port 53.
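A small client-side probe that makes the difference between the two designs visible: the OP’s six-point plan (pihole as the only resolver, outbound udp/53 blocked on WAN except from pihole) and the fallback layout suggested in the reply above (pihole first, pfsense second, port 53 open). This is an added example written for this thread, not code from any poster or from pfsense or Pi-hole. It uses only the Python standard library, hand-builds a minimal DNS A query, and parses the answer section; the 192.168.1.x addresses and the use of 8.8.8.8 as the “direct external” test are assumptions for illustration only.

```python
"""
Probe the resolvers a LAN client might be handed and report how each behaves.

Added example for this thread, not code from any poster. Stdlib only: it
hand-builds a minimal DNS A query over UDP and parses the answer section.
The addresses below are ASSUMPTIONS for illustration, not anyone's real setup.
"""
import random
import socket
import struct

# Assumed lab addresses: the pihole container, the pfsense LAN interface, and
# a public resolver that a LAN client should NOT be able to reach directly if
# the WAN rule blocking outbound udp/53 (except from pihole) is in place.
RESOLVERS = {
    "pihole (assumed 192.168.1.2)": "192.168.1.2",
    "pfsense (assumed 192.168.1.1)": "192.168.1.1",
    "direct external 8.8.8.8": "8.8.8.8",
}


def build_query(name: str, txid: int) -> bytes:
    """Wire-format DNS query: header, QNAME, QTYPE=A (1), QCLASS=IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, txid: int) -> list[str]:
    """Return the A-record addresses in a response; raise on mismatch or error."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply?)")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def looks_blocked(addrs: list[str]) -> bool:
    """Pi-hole's default NULL blocking mode answers blocked names with 0.0.0.0."""
    return bool(addrs) and all(a == "0.0.0.0" for a in addrs)


def probe(server: str, name: str, timeout: float = 2.0, port: int = 53):
    """Send one A query; return the addresses, or None if nothing came back."""
    txid = random.randrange(0x10000)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_a_records(data, txid)


if __name__ == "__main__":
    for label, ip in RESOLVERS.items():
        try:
            result = probe(ip, "example.com")
        except ValueError as exc:
            print(f"{label}: error ({exc})")
            continue
        if result is None:
            print(f"{label}: no answer (down, or udp/53 blocked on the way out)")
        elif looks_blocked(result):
            print(f"{label}: answered 0.0.0.0 (name is on a blocklist)")
        else:
            print(f"{label}: {', '.join(result)}")
```

Run it from an ordinary LAN client. With the OP’s design, the third line should report no answer (the WAN rule is doing its job) and stopping the pihole container turns the first line into no answer as well, which is exactly the outage the reply warns about. With the fallback design, the second line keeps answering while pihole is down, so clients with both servers in their DHCP lease still resolve, just without blocking.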

thanks for the heads-up, I’ll check out the forbidden router docs

The couple of businesses I support all run only bare-metal pfsense (old Dell 860s, still going strong after all these years)

For my home setup I already have an old (switched off) ancient Athlon PC with proxmox on it, configured with the same core CTs/VMs (including pfsense) as my main proxmox laptop (as an emergency temp backup system). I’ll add the pihole CT to it once it’s fully set up on the laptop

cheers for that, def a better way of doing it, thanks :slight_smile: