Hi, I'm new to the whole OPNsense forum and also to firewalls. I'm currently running Pi-hole on a Raspberry Pi, but without Unbound. I would like to use Pi-hole with its feature to see who requested what domain, because it will be easier for me to block certain domains this way. My OPNsense is a custom x86/64-based system with a dual-port Intel NIC. I was looking at solutions on different websites, but my main concern was that I won't be able to see the IP/MAC address of the device that requested it, only the firewall's (OPNsense) IP address, which isn't ideal for me. I would also like to block any other traffic to hardcoded DNS servers on not-safe devices, so nothing is getting around the Pi-hole. Also, is there a way to block DoT/DoH or force it to go through port 53 to my Pi-hole? Any help would mean a lot to me, since I won't be able to deploy the new system until I figure this thing out, because my current setup is working with Pi-hole (I want to minimize the level of tracking inside the network).

I think this guide has all the info you need: https://homenetworkguy.com/how-to/configure-dns-opnsense-pihole/
I did use Pi-hole in the past, but switched to AdGuard Home, also available as a plugin for OPNsense: https://www.routerperformance.net/opnsense-repo/
I like AdGuard Home more; I just mention it here for you to have multiple options :-)

Thanks for the quick response! I hadn't found this tutorial before! Also, what about the DoT/DoH blocking? I find that newer phones now enable Google DoH by default on Android.

Take a look at e.g. the Zenarmor plugin: https://docs.opnsense.org/vendor/sunnyvalley/zenarmor.html
and https://www.sunnyvalley.io/zenarmor-next-generation-firewall
or set up firewall block rules; there are some lists mentioned in this (long) thread:
https://forum.opnsense.org/index.php?topic=9245.0

In the meantime I found this website (https://labzilla.io/blog/force-dns-pihole) claiming to do exactly what I want, but it's for pfSense, and the names are a bit different. Are these features present in OPNsense? If so, how do they differ from pfSense?

You should be able to get it into OPNsense; the principle is the same, and OPNsense started as a fork of pfSense® and m0n0wall in 2014: https://opnsense.org/about/about-opnsense/

I only have one question about the tutorial: the 3rd rule mentions the "unexpected source" errors on certain devices and gives this setting (Network for the outbound NAT mapping) as a solution, but it only says "your internal LAN network". What is he referring to? 192.168.1.0 or 192.168.1.1 for the default gateway? I know this is not the appropriate place to ask this question, but the OP doesn't want to answer it. This is the link again if somebody here knows the answer: https://labzilla.io/blog/force-dns-pihole
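As an added illustration of the three rules discussed in this thread (the port-53 redirect to Pi-hole, the outbound NAT for devices that reject replies from an "unexpected source", and the block on DoT), here is the same design written in raw FreeBSD pf syntax. It is not from the linked guide or from OPNsense, which builds these rules through its GUI; the interface name, network and Pi-hole address are constructed examples, and the "internal LAN network" for the outbound NAT is a network in CIDR form (192.168.1.0/24), not the gateway address:

```pf
# Constructed example values: adjust to your own LAN interface and addresses.
lan_if  = "igb1"
lan_net = "192.168.1.0/24"     # the LAN *network*, not the gateway 192.168.1.1
pihole  = "192.168.1.10"       # the Pi-hole host on the LAN

# Rule 1: redirect plain DNS (port 53) from any LAN client that is not already
# talking to the Pi-hole, so hardcoded resolvers such as 8.8.8.8 land on the
# Pi-hole instead. The client's source address is preserved, which is what lets
# Pi-hole log which device asked for which domain.
rdr pass on $lan_if inet proto { tcp udp } from $lan_net to ! $pihole port 53 -> $pihole port 53

# Rule 2 (optional, only for devices that drop replies from an unexpected
# source): rewrite the source of the redirected queries to the firewall's own
# LAN address. Trade-off: Pi-hole then logs the firewall's IP, not the client's,
# so apply it as narrowly as possible (e.g. a smaller source than $lan_net).
nat on $lan_if inet proto { tcp udp } from $lan_net to $pihole port 53 -> ($lan_if)

# Rule 3: stop DNS over TLS leaving the LAN. DoH shares port 443 with normal
# HTTPS, so it cannot be blocked by port alone; it needs a resolver blocklist
# (see the forum thread linked above) or a content-inspecting plugin.
block return in quick on $lan_if inet proto { tcp udp } from $lan_net to any port 853

# Explicitly allow the (redirected) queries to reach the Pi-hole itself.
pass in quick on $lan_if inet proto { tcp udp } from $lan_net to $pihole port 53
```

In OPNsense the same three pieces map to Firewall > NAT > Port Forward (rule 1), Firewall > NAT > Outbound in hybrid or manual mode with the LAN network as the source (rule 2), and a LAN firewall rule blocking destination port 853 (rule 3). Rule 2 is the one that costs per-client visibility in the Pi-hole query log, so leave it off unless a specific device actually fails without it.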