Set up pfSense / pi-hole DNS properly for multiple VLANs

Hi everyone,

Continuing on my quest to rebuild my pfSense infrastructure, I am trying to add my pi-hole servers back to the mix. They have been working before, but I shut them down some weeks ago, as I had problems with pfSense. Now pfSense works well again and I want to bring the pi-holes into the mix again. I have two pi-hole servers, one running on the pfSense box (via Proxmox) and one on my homelab server.

I am using the DNS resolver for the majority of my VLANs and the forwarder for two other VLANs. I would like to use the pihole servers for the two VLANs that actually have “human contact” via devices. Both of those VLANs are using the resolver. I have DNS redirects in my pfSense NAT rules redirecting DNS to the resolver. Previously, I just added the pihole server IPs to the DHCP settings of the VLAN and it worked like a charm. I used the setup recursively, meaning that the pihole servers use pfSense as the DNS server.

Unfortunately, the previous setup does not work anymore. I have not changed anything on the pihole servers. I just booted them up again. When I check the Wi-Fi settings, e.g. on an iPad, the correct DNS server IPs (of the pihole servers) are shown under DNS servers. I have rebooted the DHCP server and the resolver already.

What am I missing? I am sure it is probably a very easy fix, but I am stuck - thanks for some help!

What does “does not work” mean? What is the actual behavior compared to the desired behavior?

Intended behavior:

  • All DNS requests should be redirected to the pfSense resolver or forwarder (depending on the VLAN)
  • DNS traffic should be routed through pi-hole where it is added in the DHCP settings of the respective VLAN
  • DNSLeaktest should only show one server for the resolver gateway and however many (normally 4-6) for the forwarder gateway (goes through quad9)
  • In the best case, I only need to add the pi-hole IPs in the DHCP settings

Actual behavior:

  • Option 1: Resolver and forwarder works, DNSleaks shows the correct servers, but traffic does not go through the pi-hole servers
  • Option 2: Traffic goes through pi-hole, resolver and forwarder works, but DNSleaks shows the “wrong” servers, as the resolver server leaks into the forwarder gateway

Temporary fix (for resolver VLANs): Disable the general DNS redirect NAT rule for resolver VLANs, as I have control over the devices and none of them are going rogue with hardcoded DNS servers, e.g. laptops, iPads, phones, etc.

I am still missing a permanent solution for the resolver VLANs and a solution at all for the forwarder VLANs, as forwarding does not work without the NAT rule, as this goes out through a Wireguard tunnel. I have posted my NAT rules below. The pi-hole servers are part of the MGMT VLAN. 10 and 20 are resolver VLANs and 30 is a forwarder VLAN:

My IoT stuff is in another VLAN, which is also a forwarder VLAN (like 30 in the screenshot), so it would be great to have a solution there to make sure that rogue devices go through pi-hole, then through the pfSense forwarder. This way I can block them in pi-hole if necessary.

Thanks for your help!
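As an added illustration (not from any poster in this thread, and not the poster's actual NAT rules, which are not reproduced here), this is the shape of the redirect rule described above in raw pf.conf syntax rather than the pfSense GUI: the catch-all form that also swallows the clients' queries to pi-hole, beside the form that leaves those queries alone and only redirects everything else. Interface name, addresses and the table name are assumed placeholders; only one of the two rdr rules would be loaded at a time.

```pf
# Assumed placeholders: the VLAN 10 interface, its pfSense address, and the
# two pi-hole servers living in the MGMT VLAN.
vlan10_if   = "igb0.10"
vlan10_addr = "10.0.10.1"
table <pihole_servers> { 10.0.99.10, 10.0.99.11 }

# Catch-all form ("Option 1" above): every port 53 query leaving VLAN 10 is
# sent to the resolver on pfSense, including the queries the clients address
# to the pi-hole servers they got from DHCP, so pi-hole never sees them.
rdr pass on $vlan10_if proto { tcp udp } from $vlan10_if:network to any port 53 -> $vlan10_addr port 53

# Exclusion form: queries addressed to a pi-hole server are not redirected
# (the GUI equivalent is a destination alias with "invert match"), while a
# device with a hardcoded public DNS server is still forced to the resolver.
# pi-hole itself sits in MGMT, where no redirect applies, so its own upstream
# queries to pfSense are not caught by this rule.
rdr pass on $vlan10_if proto { tcp udp } from $vlan10_if:network to ! <pihole_servers> port 53 -> $vlan10_addr port 53
```

pf evaluates rdr rules first-match, so if both forms were present the first one listed would win; the exclusion form on its own is the one that lets DHCP-assigned pi-hole addresses keep working alongside the redirect.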