Help with firewall - trying to setup LAN, VLAN10 & VLAN20

Started by meazz1, June 06, 2021, 11:45:04 PM

This is what I'm trying to set up, but I think I need to do something in the firewall to allow PiHole DNS and other devices from the LAN to be accessed from VLAN10.

LAN 192.168.4.0/24 - MGT
VLAN10 10.0.10.0/24 - family use, laptop, PC etc.
VLAN20 10.0.20.0/24 - IoT
PiVPN in the 192.168.4.0/24 subnet. I want to open port 51826 in the firewall and port forward it to the PiVPN IP address.

I have the following set up using static IPs in the 192.168.4.0/24 network: router, Unifi switch, 2 Unifi AP-AC Lite access points, Pihole, printer.
The 2 Unifi access points have already been set up with VLAN10 and VLAN20 profiles: one SSID for home use, another for IoT.

I want to use the Pihole from my management subnet as the DNS and ad blocker for VLAN10. The LAN and VLAN10 can talk to each other; I don't need to restrict this. I'm trying to keep it simple.
IoT VLAN20 will use DNS 8.8.8.8, no need for PiHole access.

Now, what would be the simplest way I can implement this? I probably need some firewall rules but I'm not sure how.

Well, if you want to have a simple setup, I would not create a management LAN only for the PiHole. Just put the PiHole into your VLAN10 and assign the PiHole as the primary DNS to all clients.

On the firewall, create two rules on your VLAN10 interface (in this order, before the allow-any internet rule):

  • Allow Port 53 UDP/TCP from PiHole IP address to any
  • Block Port 53 UDP/TCP from VLAN10 network to any

This allows only the PiHole to send DNS queries towards the internet, and the local clients must use the PiHole as their DNS. Alternatively, you could also use OPNsense as your local DNS and have OPNsense forward all DNS traffic to the PiHole (Resolver).

Hi,
It would be better to consider the SENSEI plugin for OPNsense; it is very good for content and ad filtering.
Web page about SENSEI: https://www.sunnyvalley.io/sensei/
This forum's board about SENSEI: https://forum.opnsense.org/index.php?board=38.0

My main concern is to keep using the devices that already have static IPs in the 192.168.4.0/24 network. I don't want to change their IP addresses to new VLAN10 IPs.
Not only the Pihole, but devices like the printer, AP-AC Lite, switches etc. that have static 192.168.4.0/24 addresses.
If I can keep these ten devices on 192.168.4.0/24 and still access them from my VLAN10, I am OK with that.

Quote from: meazz1 on June 09, 2021, 12:34:37 AM
My main concern is to keep using the devices that already have static IPs in the 192.168.4.0/24 network. I don't want to change their IP addresses to new VLAN10 IPs.

OK, but which DNS server have you configured for those devices today?


Quote from: liceo on June 08, 2021, 10:05:51 PM
Well, if you want to have a simple setup, I would not create a management LAN only for the PiHole. Just put the PiHole into your VLAN10 and assign the PiHole as the primary DNS to all clients.

On the firewall, create two rules on your VLAN10 interface (in this order, before the allow-any internet rule):

  • Allow Port 53 UDP/TCP from PiHole IP address to any
  • Block Port 53 UDP/TCP from VLAN10 network to any

This allows only the PiHole to send DNS queries towards the internet, and the local clients must use the PiHole as their DNS. Alternatively, you could also use OPNsense as your local DNS and have OPNsense forward all DNS traffic to the PiHole (Resolver).

I would like to do something close to this, but with a twist, and hopefully you can recommend the rules to set.

Right now I have Pi-Hole on my network and all devices are set up to use Pi-Hole via DHCP's DNS configuration. Any IoT device (and I have a few of them) that does not adhere to this DNS setup I have taken care of with a DNS hairpin rule that forces it to use Pi-Hole. I know this is working, because when I had a power failure last week and my Pi-Hole VM did not come back up, all the IoT devices I suspected were not adhering were down. Once Pi-Hole came back up they began to work. Pi-Hole then pushes DNS upstream to Unbound on my OPNsense firewall, and then out to the Internet. DHCP also resides on my OPNsense firewall.

What I would like to do is allow devices from one VLAN to talk to the IoT devices on the other VLAN. I do not want the IoT devices to see any other VLANs. IoT should only be able to talk to DHCP (192.168.1.1) and Pi-Hole (192.168.30.8).
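Both liceo's two VLAN10 rules and the IoT restrictions in the post above depend on the same thing: OPNsense evaluates rules top-down and the first match wins (rules are "quick" by default), so the Pi-hole exception has to sit above the block, and the block above the catch-all. The following Python simulation is an added example, not OPNsense code and not posted by anyone in the thread. It models first-match evaluation plus the "hairpin" DNS redirect that runs before filtering, and checks both rule sets. The Pi-hole address 10.0.10.53 for the VLAN10 case, the IoT network 192.168.20.0/24 for the second case, and the 192.168.0.0/16 local range used in the block rule are assumptions.

```python
# Added example: first-match firewall simulator in the style of OPNsense/pf.
# Not OPNsense code. Assumed values are marked below.
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    src: str              # CIDR, single host, or "any"
    dst: str              # CIDR, single host, or "any"
    proto: str            # "tcp", "udp", "tcp/udp" or "any"
    dport: Optional[int]  # None = any destination port
    label: str = ""


def in_net(addr: str, spec: str) -> bool:
    """True if addr falls inside spec; "any" matches everything."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)
            and rule.proto in ("any", "tcp/udp", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt: Packet):
    """First matching rule wins; anything unmatched hits the implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.label
    return "block", "default deny"


# Case 1: liceo's VLAN10 rules. The Pi-hole exception must sit above the block,
# and both must sit above the catch-all internet rule.
PIHOLE_VLAN10 = "10.0.10.53"   # assumed Pi-hole address on VLAN10
VLAN10_NET = "10.0.10.0/24"
VLAN10_RULES = [
    Rule("pass",  PIHOLE_VLAN10, "any", "tcp/udp", 53,   "Pi-hole may resolve upstream"),
    Rule("block", VLAN10_NET,    "any", "tcp/udp", 53,   "no other client talks DNS out"),
    Rule("pass",  VLAN10_NET,    "any", "any",     None, "allow internet"),
]


def vlan10_decision(src, dst="8.8.8.8", proto="udp", dport=53, rules=VLAN10_RULES):
    return evaluate(rules, Packet(src, dst, proto, dport))[0]


# Case 2: the IoT VLAN from the last post. The DNS redirect ("hairpin") is applied
# before the filter rules, as a pf rdr/port forward is, so devices with hard-coded
# DNS servers still end up at Pi-hole.
PIHOLE_IOT = "192.168.30.8"
DHCP_SERVER = "192.168.1.1"
IOT_NET = "192.168.20.0/24"    # assumed IoT network
IOT_RULES = [
    Rule("pass",  IOT_NET, PIHOLE_IOT,       "tcp/udp", 53,   "IoT -> Pi-hole DNS"),
    Rule("pass",  IOT_NET, DHCP_SERVER,      "udp",     67,   "IoT -> DHCP (unicast renewals)"),
    # In a real deployment use an alias holding all RFC1918 ranges here.
    Rule("block", IOT_NET, "192.168.0.0/16", "any",     None, "IoT -> other local VLANs"),
    Rule("pass",  IOT_NET, "any",            "any",     None, "IoT -> internet"),
]


def redirect_dns(pkt: Packet, dns_ip: str, net: str) -> Packet:
    """Rewrite DNS from net that is not already aimed at dns_ip so it lands on dns_ip."""
    if pkt.dport == 53 and pkt.dst != dns_ip and in_net(pkt.src, net):
        return replace(pkt, dst=dns_ip)
    return pkt


def iot_decision(src, dst, proto="udp", dport=53):
    """Returns (action, effective destination after the redirect)."""
    pkt = redirect_dns(Packet(src, dst, proto, dport), PIHOLE_IOT, IOT_NET)
    return evaluate(IOT_RULES, pkt)[0], pkt.dst


if __name__ == "__main__":
    print("VLAN10 client DNS to 8.8.8.8 :", vlan10_decision("10.0.10.77"))
    print("Pi-hole DNS to 8.8.8.8       :", vlan10_decision(PIHOLE_VLAN10))
    print("same, catch-all rule first   :", vlan10_decision("10.0.10.77", rules=VLAN10_RULES[::-1]))
    print("IoT DNS to 8.8.8.8           :", iot_decision("192.168.20.10", "8.8.8.8"))
    print("IoT to 192.168.1.50:80       :", iot_decision("192.168.20.10", "192.168.1.50", "tcp", 80))
```

The reversed-order call shows the failure mode liceo's "in this order" warns about: with the allow-any rule on top, a client's direct query to 8.8.8.8 passes and the block is never reached. Stateful filtering means the reply traffic from another VLAN to an IoT device is allowed by the state the other VLAN's outbound rule created, so the IoT rules only need to cover what IoT itself initiates.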