Messages - ijamiej

#1
When Cookiemonster mentioned it, I immediately started testing to move the local WAN out of the 192.168.1.0/24 subnet. Here's what I've done:
  • Created a new VLAN with tag 178 on the switch
  • Changed the modem's IP address from 192.168.1.254 to 192.168.178.254
  • Kept the Synology NAS in the existing VLAN (192.168.1.0/24), but moved the modem from this VLAN to VLAN 178. Also, gave the Synology NAS access to VLAN 178 so that I could relocate the local WAN IP to the new 192.168.178.0/24 subnet.
  • Changed the local WAN IP in OPNsense from 192.168.1.2 to 192.168.178.1, with the gateway set to the modem (192.168.178.254)

And now, it's working perfectly! Another lesson learned.

Initially, I thought that since it was separated from the main infrastructure (Docker + VM), it wouldn't be an issue. The fact that everything seemed to work fine also confirmed my assumption that it was correctly set up, hehe. But after rethinking what you said, I now understand that OPNsense could get confused and NAT might not always function as expected. WAN traffic should indeed always come from a different subnet and require NAT. Otherwise, a packet might leave OPNsense via LAN but return via WAN, potentially causing issues.

See attached "Result.png" for the outcome!

Big thanks to you guys for your help, I truly appreciate it ;)
#2
Hey Cookiemonster,

I understand the confusion regarding my setup. Pi-hole runs in a Docker container on my Synology NAS. The NAS itself has the IP address 192.168.1.100, which is also the assigned IP for Pi-hole. There are no other Docker containers installed. However, I have installed VMM on the NAS, where OPNsense is running as a VM. Within this VM, Unbound is running. So, it's as follows:
  • Synology NAS: 192.168.1.100 (running Pi-hole in a Docker)
  • OPNsense (running in a VM on the NAS): 192.168.1.1 (essentially the gateway)
  • Pi-hole's upstream resolver is configured to 192.168.1.1#53. If Unbound were also running in a Docker container, I would have needed to use a different port like 5335, but since it runs in a VM, port 53 is fine
  • OPNsense's local WAN IP is an internal IP since the Synology NAS sits behind the modem. Unfortunately, I cannot bypass the modem due to certain required functionalities. The modem's gateway is 192.168.1.254

Does this clarify the setup?
#3
Hey everyone,

I have set up Pi-hole as the primary DNS resolver in my home network, with Unbound running on OPNsense. However, in the Pi-hole query log, I only see requests coming from the local WAN interface of OPNsense (192.168.1.2) instead of individual client IPs.

My Network Setup
  • Pi-hole running on a Synology NAS (Docker) with IP: 192.168.1.100
  • Unbound running on OPNsense (acting as the only upstream resolver for Pi-hole) with IP: 192.168.1.1#53
  • Clients are configured in KEA DHCP to use Pi-hole as their DNS

DNS Settings in Pi-hole
  • Listen on all interfaces, permit all origins
  • Never forward non-FQDN A and AAAA queries disabled
  • Never forward reverse lookups for private IP ranges disabled
  • Use DNSSEC disabled
  • Conditional forwarding is disabled

OPNsense Unbound Settings
  • Network Interfaces: All but WAN
  • DNSSEC Support enabled
  • Register ISC DHCP4 Leases enabled
  • Register DHCP Static Mappings enabled
  • Do not register IPv6 Link-Local addresses enabled
  • TXT Comment Support enabled
  • Flush DNS Cache during reload enabled
  • Hide Identity enabled
  • Hide Version enabled
  • Prefetch DNS Key Support enabled
  • Harden DNSSEC Data enabled
  • Aggressive NSEC enabled
  • Strict QNAME Minimisation enabled

General Settings OPNSense
  • No DNS servers configured (as I'm using Unbound)
  • Do not use the local DNS service as a nameserver for this system enabled
  • Disable DNS Rebinding Checks enabled

Perhaps this behavior is to be expected because Unbound on OPNsense is ultimately the only source passing the DNS resolution results to Pi-hole (Client -> Pi-hole -> Unbound -> Pi-hole -> Client). A potential workaround might be enabling DHCP on Pi-hole, which could temporarily store the client information. However, this is not a viable solution since Pi-hole's GUI does not natively support DHCP for multiple VLANs.

Additionally, I prefer to keep it as much as possible within OPNsense. It would be ideal if the client IPs could somehow be forwarded so that Pi-hole can register them correctly. This would give a better insight into which clients are making which and how many DNS requests.

I've tried a lot, but unfortunately, I haven't been able to solve it. I also came across a similar issue in another post on this forum, but that was a slightly different situation where hostnames were not being displayed instead of IP addresses.

Hopefully, someone with expertise in this area can help me out, and maybe this post will help others as well with this same 'issue'.
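The symptom in #3 (Pi-hole logging every query as coming from the local WAN address 192.168.1.2) and the fix in #1 (moving the modem link to 192.168.178.0/24) are two sides of the same routing problem. The script below is an added example, not code from the thread or from OPNsense. It models the firewall's choice of egress interface as a longest-prefix match over directly connected subnets, with outbound (source) NAT applied only on WAN, and shows which source address the Pi-hole NAS at 192.168.1.100 can observe. The client VLAN 192.168.10.0/24 and the client address 192.168.10.50 are assumptions; the thread gives no client subnet.

```python
"""Why a WAN subnet that overlaps the LAN hides DNS client addresses.

Added example, not from the forum thread. Egress selection is modelled as
longest-prefix match over connected subnets; outbound NAT is applied only
on the interface flagged nat_outbound (the WAN). The client VLAN
192.168.10.0/24 is an assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    cidr: str                     # interface address with prefix, e.g. "192.168.1.1/24"
    nat_outbound: bool = False    # outbound (source) NAT on this interface, as on WAN

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.cidr).network

    @property
    def address(self) -> str:
        return str(ipaddress.ip_interface(self.cidr).ip)


def overlapping_subnets(ifaces):
    """Return (name, name) pairs whose connected subnets overlap.

    Any pair here is a misconfiguration: the firewall cannot tell which
    interface a destination in the shared range belongs to."""
    pairs = []
    for i, a in enumerate(ifaces):
        for b in ifaces[i + 1:]:
            if a.network.overlaps(b.network):
                pairs.append((a.name, b.name))
    return pairs


def egress_candidates(ifaces, dst):
    """Interfaces whose connected subnet matches dst with the longest prefix.

    More than one candidate means the route is ambiguous and the firewall
    will silently pick one of them."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [i for i in ifaces if dst_ip in i.network]
    if not matches:
        return []
    longest = max(i.network.prefixlen for i in matches)
    return [i for i in matches if i.network.prefixlen == longest]


def sources_seen_by(ifaces, src, dst):
    """Source addresses that dst may observe for a packet from src routed by
    the firewall: the original client IP, or the egress interface address
    when that egress applies outbound NAT."""
    return sorted({
        i.address if i.nat_outbound else src
        for i in egress_candidates(ifaces, dst)
    })


# Layout from post #3: LAN and "local WAN" share 192.168.1.0/24.
BEFORE = [
    Interface("LAN", "192.168.1.1/24"),
    Interface("VLAN10", "192.168.10.1/24"),               # assumed client VLAN
    Interface("WAN", "192.168.1.2/24", nat_outbound=True),
]

# Layout from post #1: modem link moved to VLAN 178.
AFTER = [
    Interface("LAN", "192.168.1.1/24"),
    Interface("VLAN10", "192.168.10.1/24"),               # assumed client VLAN
    Interface("WAN", "192.168.178.1/24", nat_outbound=True),
]

CLIENT = "192.168.10.50"   # assumed client address
PIHOLE = "192.168.1.100"   # Synology NAS running Pi-hole, from the thread

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: overlapping subnets = {overlapping_subnets(cfg)}")
        print(f"{label}: Pi-hole sees query from {sources_seen_by(cfg, CLIENT, PIHOLE)}")
```

With the "before" layout the destination 192.168.1.100 matches both LAN and WAN at /24, so whether Pi-hole sees the real client or the NAT'd WAN address 192.168.1.2 depends on which of the two the firewall happens to choose; the query log in #3 shows it chose WAN. After the move, only LAN matches, no NAT is applied, and the client address reaches Pi-hole unchanged. Running overlapping_subnets over the interface list is a cheap check to do before changing any DNS settings.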