OPNsense Forum

English Forums => General Discussion => Topic started by: W0nderW0lf on July 27, 2020, 01:23:53 pm

Title: Opnsense with PiHole or not? What are the benefits?
Post by: W0nderW0lf on July 27, 2020, 01:23:53 pm
Many folks out there use both (pihole + opnsense) combined, but I wonder what the true benefits are?

Currently I am only using Opnsense as DHCP, DNS and Firewall and it's doing a great job. I am running it on bare metal and it's running pretty smooth.
I've seen many guides and questions related to Pihole and Opnsense. But I haven't found a real pro pihole argument.

From my understanding:
1. Pihole is doing the same job as Opnsense would by using unbound as resolver. If you run pihole as the base DNS Resolver, you have to configure dnsmasq on Opnsense as a DNS Forwarder. The only visible benefit IMO is that all requests are resolved by a raspberry pi. This is just outsourcing of hardware resources on Opnsense I guess?
2. Opnsense Unbound Plugins provides every feature the Pihole has to offer, is that right?
3. Having Pihole and the opnsense in use, increases the overhead in terms of configuration and troubleshooting.
4. The blocklists from pihole are compatible with opnsense, right?

Is there anything I overlooked or misunderstood?
What about in terms of security? Does it improve network security somehow?
Title: Re: Opnsense with PiHole or not? What are the benefits?
Post by: crc32 on July 31, 2020, 10:21:38 am
PiHole's primary use is to use DNS blocklists to block ads from the network. In this sense it's complementary to OPNSense. The main benefit is that it's easier to use than the unbound blocklists and that it gives pretty graphs.
Title: Re: Opnsense with PiHole or not? What are the benefits?
Post by: mayo on July 31, 2020, 01:26:41 pm
Opnsense and Pi-Hole are complementary.
It would be great to have a definitive guide on the correct way to configure DNS blocking while maintaining name resolution for LAN clients, etc.
I configured everything fairly well following this guide: https://homenetworkguy.com/how-to/configure-dns-opnsense-pihole/ but I have a lot of PTR (reverse lookup, like xx.xx.xx.xx.in-addr.arpa) entries in the Pi-hole dashboard under permitted domains.
Title: Re: Opnsense with PiHole or not? What are the benefits?
Post by: baqwas on August 01, 2020, 09:35:40 pm
As @crc32 points out, Pi-hole is great for blocking ads (especially for those with limited infrastructure configuration skills). I have used Pi-hole for two years. I am using OPNsense for two months.

As an RPi fanatic I am reluctant to dispose of Pi-hole for now until I am comfortable with OPNsense. The Pi-hole, owing to its light load for the primary mission, serves as a secondary replication server for MariaDB rather well (i.e. imperceptible latency). The DHCP features of the Pi-hole server leave a lot to be desired. The development team is doing a good job by incrementally refining DNS features (e.g. CNAME support in the latest release). I haven't done any blocklist management with OPNsense but Pi-hole's functionality is zero maintenance unless one is adding custom lists.

Owing to my self-inflicted challenges with learning OPNsense, I keep Pi-hole operational but sincerely all that eye candy is superfluous since we all have to look at logs anyway to have a feel for the state of affairs.

Looking forward to the day when I can state that I have completed OPNsense Boot Camp for Dummies.  ;D

Kind regards.