I must say, one of the best videos about Pi-hole in combination with UniFi and multiple VLANs. Thank you very much for sharing your knowledge, very appreciated.
Another great informative video. Thanks again for making such detailed and easy to understand content.
This is an excellent and informative video. I would be interested in how the pfBlockerNG and pfSense DNS with Unbound work with different VLANs and what additional customisation is possible, such as blocking ads on one VLAN but allowing certain ones on another VLAN, for example guest or entertainment related VLANs and SSIDs. Thank you for making such detailed and informative content.
Thanks for the video idea. I've added it to my backlogs.
Thank you very much, sir. This is exactly what I needed.
Thanks for the great work. Keep going, I love it. For the last step, changing the configuration file, what address do you use for conditional forwarding in Pi-hole? Thanks.
I don't use conditional forwarding in Pi-hole, but in my understanding it should be your router's IP address. In "the last step changing the configuration file", the IP addresses are for Pi-hole, so I don't follow the question.
@hz777 sorry, I combined two comments. The last step I configured and it works perfectly. Afterwards I noticed you weren't using conditional forwarding. I will disable and test. Thank you for the prompt reply. Really enjoying your videos. No one else is putting out content like this and it is very much needed.
Hi.
Thank you for your insightful videos.
My question involves the second approach where you set all the VLAN DNS servers on the ens192 interface:
Is there a method to configure this on Bookworm (Debian 12) with the new network manager tool instead of editing dhcpcd conf. file?
I assume you are using a Raspberry Pi 4 or earlier and they are running Bullseye.
In the video, I used a Debian 12 VM. As long as you change the interfaces configuration file as I did in the video, the default network manager will stop working and the interfaces config file will take effect.
Thanks much for your response. I'll try this on a Raspberry Pi 5.
thank you! this is exactly what I was looking for!
Another quality video with sufficient technical detail. Well done!
Question: How would one use Pi-hole to also be the DHCP server for all the local VLANs? I'm guessing it will be similar to what you defined in the Pi-hole /etc/interfaces.d networks, yes?
It has to be done in a similar way to the second approach in this video, because DHCP relies on broadcasting, so it only works within one VLAN. I am working on a dedicated video about DHCP in general; hopefully it can address many general confusions about DHCP.
excellent video
My Pi-hole is installed on a Proxmox Linux container, and it doesn't have a network/interfaces config file. Do you know how I can configure it like your second approach? Thanks.
I am about to start the process to migrate my VMs from ESXi. This Proxmox container topic is interesting to me. Give me some time and I may make a video about Proxmox+Container+Pi-Hole+VLAN.
@hz777 Thanks!
@hz777 did you get a chance to make a video showcasing Pi-hole working on multiple VLANs through Proxmox via containers instead of ESXi?
I don't use containers a lot and I just switched to Proxmox, but this was already in my backlogs, I just need to find some time to work on it.
@EduardoKabello @DamonKwong I am working on a new video about Proxmox+container+Pi-hole, but I do see the network interface configuration file in the same folder. I am using the Debian 12 container. Why don't you see the file in your installation? Do you use a different type of container?
For the new update, when we create a VLAN there is something called "allow internet access". So we should disable that and then create an "Internet In" firewall rule and then add the Pi-hole IP?
There will be no single good answer to your question. What the new "allow internet" setting really does is:
- remove the firewall rule that allows the VLAN to access any;
- add 3 new rules:
-- allow the VLAN to "corporate networks"
-- allow that VLAN to "guest networks"
-- block that VLAN's internet access
So, if you have to disable internet for the VLAN that Pi-hole is in, of course you need to add an additional firewall rule to allow Pi-hole's internet access.
@hz777 so, I have 3 VLANs: the default VLAN, VLAN B and VLAN D. All 3 VLANs have the "allow internet" checkbox enabled, and I also have a firewall rule to block communication between VLAN D and B. I have Pi-hole running on VLAN B. I want traffic from VLAN D to go through the Pi-hole running on VLAN B. For this to happen, should I uncheck "allow internet access" on VLAN D and create a LAN In firewall rule, and also Internet In and Out rules saying whatever is coming to VLAN D goes through Pi-hole?
@WAMNZ whether to allow VLAN D to access the internet or not is irrelevant in your case. What you need to do is to create additional firewall rules to allow communication between VLAN D and Pi-hole.
Of course, what I said above is purely to make the DNS resolving possible. I understand that later the clients in VLAN D will mostly need to access the internet, so then you need to adjust more firewall rules accordingly.
Hey there. My UDMP logs are showing Pi-hole blocked by firewall rule "invalid state". Have you run into this?
Is it related to the standard firewall rule for "Internet In"? Or your own custom firewall rule? If the former, it sounds like a problem, because there was traffic initiated from the internet that tried to connect to your Pi-hole, instead of the other way round. If the latter, you may have to troubleshoot it yourself.
When you set the DNS in UniFi pointing to the Pi-hole IP, will the clients in the Pi's query logs appear under the same IP, or each device under its own IP address? I'm asking this because I want to buy a UDR, and couldn't find out if it displays clients properly, since my current router makes it display all devices under a single IP (WAN).
It will show as the IP of the UniFi router.
@hz777 Is it possible to show each separate client, instead of one big client being the UniFi router?
@Volgin. Sorry I misunderstood your original question. I thought you were asking about dhcp.
If the question is about the UniFi Network Controller, where under the DHCP settings for each network you set the DNS server to Pi-hole, then the answer is:
- for a client, its DNS server will be Pi-hole;
- the whole DNS name resolving process will have nothing to do with the UniFi router's DNS server;
- in the Pi-hole logs, you should see individual clients.
@hz777 That's exactly what I wanted to know. Like I said, with my current setup, all clients in Pi-hole show under the same IP, that IP being my router's IP, instead of, for example, my desktop's or phone's IP. That way it's impossible to set groups on Pi-hole for specific clients. Thanks for the reply :)
@777 what is the difference between adding the VLAN as you did into /etc/network/interfaces and adding a virtual NIC to the VM? Which do you think is best?
The way in the video guarantees all interfaces are based on one physical interface. The VM way you described is up to the VM config to decide, so you have the chance to use multiple physical interfaces.
@hz777 thank you!
Do you prefer pfSense to the UniFi routing options?
When it comes to routing, UniFi routers are good enough for home or small business users. But for me, pfSense supports more routing protocols, so it is more fun to play with.
I purchased a Dream Machine Pro SE, coming from a Netgate 6100. Thinking of returning the DM, I can't get over the way UniFi handles firewall rules. Anyway, love the videos!
Do you know how to make the second option (no firewall changes in UniFi) work for Raspberry Pi by chance? Copied your info into the interfaces file but it did nothing. Tried a few variations in the /etc/dhcpcd.conf file as well where I have my current network config and nothing worked.
If you use Raspberry Pi OS, you may need to install the vlan package first, then configure the VLAN interfaces.
@hz777 YES!!! Thank you for the step in the right direction. Got it up and running.
@URackADisciprine how did you install a vlan package?
Which version of Raspbian were you running, and which Pi? The new Pi 5 or the Pi 4?
@Kehf27 I am running an older Lite version, I can't remember which. Just running a couple of Pi 4Bs for redundant Pi-hole/Unbound and a couple for camera surveillance feeds, and a Pi 5 for Home Assistant which does have whatever the latest OS Lite is. As for the VLAN package install, I used this command on all of them with no issue: sudo apt install vlan
I found some tutorials online when searching RPi and VLAN setup. You might just be able to search the command above and find a tutorial. You have to add a file and edit an existing one, but it wasn't too bad even for me. I am not a Linux person at all. LOL. Hope that helps.
@URackADisciprine thank you
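The "second approach" discussed in this thread (one tagged sub-interface per VLAN on a single NIC so Pi-hole has an address in every VLAN and no inter-VLAN firewall rules are needed for DNS) comes down to a few ifupdown stanzas, which is the file the Debian 12 reply above edits and what the `vlan` package step on Raspberry Pi OS prepares for. The script below is an added example, not the video's configuration and not Pi-hole's own tooling. It generates and sanity-checks those stanzas; the base interface name ens192 is taken from the thread, while the VLAN IDs, addresses and gateway are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the video): generate /etc/network/interfaces stanzas
# for one 802.1Q sub-interface per VLAN on a single physical NIC, so a Pi-hole
# host is directly reachable on each VLAN. Requires the 8021q module / "vlan"
# package (sudo apt install vlan) on Debian and Raspberry Pi OS.
# All addresses and VLAN IDs used here are constructed for illustration.

# VLAN ID must be an integer in 1..4094.
valid_vlan_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Address must be IPv4 in CIDR form so a bare IP never lands in the file.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# vlan_stanza BASE VID CIDR -> ifupdown block for BASE.VID (no gateway: the
# default route stays on the untagged interface).
vlan_stanza() {
    base=$1; vid=$2; cidr=$3
    valid_vlan_id "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
    valid_cidr "$cidr"   || { echo "bad CIDR address: $cidr" >&2; return 1; }
    printf 'auto %s.%s\niface %s.%s inet static\n    address %s\n    vlan-raw-device %s\n\n' \
        "$base" "$vid" "$base" "$vid" "$cidr" "$base"
}

# gen_interfaces BASE MGMT_CIDR GATEWAY "VID CIDR" ... -> complete file:
# loopback, untagged management address with the only default route, then
# one stanza per VLAN. Fails (returns 1) on the first invalid spec.
gen_interfaces() {
    base=$1; mgmt=$2; gw=$3; shift 3
    printf 'auto lo\niface lo inet loopback\n\n'
    printf 'auto %s\niface %s inet static\n    address %s\n    gateway %s\n\n' \
        "$base" "$base" "$mgmt" "$gw"
    for spec in "$@"; do
        vid=${spec%% *}
        cidr=${spec#* }
        vlan_stanza "$base" "$vid" "$cidr" || return 1
    done
}

# Demo with constructed values: run `sh thisfile.sh demo` to print the file.
if [ "${1:-}" = "demo" ]; then
    gen_interfaces ens192 192.168.1.2/24 192.168.1.1 \
        "10 192.168.10.2/24" \
        "20 192.168.20.2/24" \
        "30 192.168.30.2/24"
fi
```

Write the output to a file under /etc/network/interfaces.d/ (ifupdown reads that directory when the main file sources it) and bring the sub-interfaces up with ifup. Two caveats for a multi-homed resolver: keep net.ipv4.ip_forward at 0 on the Pi-hole host, otherwise the host itself becomes a path between VLANs that the router's firewall never sees, and check Pi-hole's DNS interface setting so that it answers on the new interfaces while still restricting queries to local networks.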
I found some tutorials
I’ll try this evening