OPNsense Forum

English Forums => General Discussion => Topic started by: Ed V. on December 17, 2022, 08:12:45 PM

Title: IPv6, OpnSense and PiHole
Post by: Ed V. on December 17, 2022, 08:12:45 PM
I'm not sure where to ask this question, so I figured I'd start here and cross-post to the PiHole forums.

If between one, the other, or both I come up with a working solution - I'll post it in both places.

OpnSense v22.7.*
PiHole v5.*

I've searched and read quite a bit, but the only "HOWTO" or "Cookbook" style guides that touch on all three topics are older (v18 and below), so the options, functionality, etc. are quite different and I can't seem to get things working.

I can get to a "no IPv6 connectivity at all" state, or an "IPv6 bypasses PiHole and resolves every advertising and tracking service on the public Internet" state, but not the desired state where PiHole both filters and allows white/black-listing by hostname/IP.

Justification for IPv6:

My existing IPv4 network looks like:
https://i.imgur.com/Q63iMhY.png
and works well to block ads for anything that has IPv4 only addressing.

Because I subscribe to a Static IPv4 address (needed for some work connectivity), Cox cable provides an IPv6 /60 prefix for all internal devices.

The optimal outcome would be for PiHole to serve up both IPv4 and IPv6 addresses and serve as my internal DNS for both hostname resolution and ad-blocking.

A perfectly acceptable outcome would be for OpnSense to manage IPv6 and send hostname registration to PiHole.

Any thoughts? Suggestions? Testing/logs/etc. I can post that will help?

I'm "old" to IPv4, but now I have to learn about IPv6 and if someone can shorten my learning curve, it would be great!


Title: Re: IPv6, OpnSense and PiHole
Post by: Vexz on December 19, 2022, 09:00:17 AM
You could add a NAT rule as described here (https://forum.opnsense.org/index.php?topic=22162.0) to forward all traffic destined to port 53 and 853 to your Pi-hole. For that rule, of course, use both IPv4 and IPv6. Keep in mind though that DoH will not be affected by this rule because it uses port 443 and you don't want all HTTPS traffic to be sent to your Pi-hole. I doubt these apps use encrypted DNS anyway so you should be fine with just port 53.
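What the redirect in the reply above looks like in raw pf syntax (OPNsense is FreeBSD/pf underneath, though you would normally build this under Firewall: NAT: Port Forward rather than editing pf.conf). This is an added example, not from the linked forum topic or the Pi-hole project; the interface name and the two Pi-hole addresses are constructed placeholders. The one thing the GUI description does not spell out is the loop problem: the Pi-hole's own upstream queries also leave through the LAN interface, so without an exemption they would be redirected straight back to it.

```pf
# Constructed example. Replace the interface and addresses with your own.
lan_if    = "igc1"
pihole_v4 = "192.168.1.10"
pihole_v6 = "2001:db8:0:1::10"   # Pi-hole needs a stable v6 address (static or ULA)

# Exempt the Pi-hole itself, otherwise its upstream queries loop back to it
no rdr on $lan_if inet  proto { tcp udp } from $pihole_v4 to any port 53
no rdr on $lan_if inet6 proto { tcp udp } from $pihole_v6 to any port 53

# Force every other client's plain DNS (53) to the Pi-hole, v4 and v6 alike
rdr on $lan_if inet  proto { tcp udp } from any to ! $pihole_v4 port 53 -> $pihole_v4
rdr on $lan_if inet6 proto { tcp udp } from any to ! $pihole_v6 port 53 -> $pihole_v6

# DoT (853): Pi-hole does not terminate TLS by default, so redirecting it only
# makes the connection fail at the Pi-hole. That blocks DoT rather than filtering
# it, which is usually what you want so clients fall back to port 53.
rdr on $lan_if inet  proto tcp from any to ! $pihole_v4 port 853 -> $pihole_v4
rdr on $lan_if inet6 proto tcp from any to ! $pihole_v6 port 853 -> $pihole_v6
```

Once the rule is active, a client querying any outside resolver (e.g. `dig @2001:4860:4860::8888 some-blocked-host`) should get the Pi-hole's sinkhole answer instead of a real record, and the query should show up in the Pi-hole query log with the client's address. DoH on 443 is untouched by this, exactly as the reply says; the only handle you have on it is blocking known DoH resolver addresses or relying on the clients honouring the canary domain.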