Pi-hole Only Showing OPNsense WAN IP instead of Client IPs

Started by ijamiej, February 25, 2025, 10:16:02 PM

Hey everyone,

I have set up Pi-hole as the primary DNS resolver in my home network, with Unbound running on OPNsense. However, in the Pi-hole query log, I only see requests coming from the local WAN interface of OPNsense (192.168.1.2) instead of individual client IPs.

My Network Setup
  • Pi-hole running on a Synology NAS (Docker) with IP: 192.168.1.100
  • OPNsense running on OPNsense (acting as the only upstream resolver for Pi-hole) with IP: 192.168.1.1#53
  • Clients are configured in KEA DHCP to use Pi-hole as their DNS

DNS Settings in Pi-hole
  • Listen on all interfaces, permit all origins
  • Never forward non-FQDN A and AAAA queries disabled
  • Never forward reverse lookups for private IP ranges disabled
  • Use DNSSEC disabled
  • Conditional forwarding is disabled

OPNsense Unbound Settings
  • Network Interfaces: All but WAN
  • DNSSEC Support enabled
  • Register ISC DHCP4 Leases enabled
  • Register DHCP Static Mappings enabled
  • Do not register IPv6 Link-Local addresses enabled
  • TXT Comment Support enabled
  • Flush DNS Cache during reload enabled
  • Hide Identity enabled
  • Hide Version enabled
  • Prefetch DNS Key Support enabled
  • Harden DNSSEC Data enabled
  • Aggressive NSEC enabled
  • Strict QNAME Minimisation enabled

General Settings OPNSense
  • No DNS servers configured (as I'm using Unbound)
  • Do not use the local DNS service as a nameserver for this system enabled
  • Disable DNS Rebinding Checks enabled

Perhaps this behavior is to be expected because Unbound on OPNsense is ultimately the only source passing the DNS resolution results to Pi-hole (Client -> Pi-hole -> Unbound -> Pi-hole -> Client). A potential workaround might be enabling DHCP on Pi-hole, which could temporarily store the client information. However, this is not a viable solution since Pi-hole's GUI does not natively support DHCP for multiple VLANs.

Additionally, I prefer to keep it as much as possible within OPNsense. It would be ideal if the client IPs could somehow be forwarded so that Pi-hole can register them correctly. This would give a better insight into which clients are making which and how many DNS requests.

I've tried a lot, but unfortunately, I haven't been able to solve it. I also came across a similar issue in another post on this forum, but that was a slightly different situation where hostnames were not being displayed instead of IP addresses.

Hopefully, someone with expertise in this area can help me out, and maybe this post will help others as well with this same 'issue'.
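The symptom described above (every query attributed to the firewall address rather than to individual clients) can be confirmed from the Pi-hole query log itself. The following is an added example, not code from the original post or from the Pi-hole project; it parses lines in the dnsmasq-style format Pi-hole writes to pihole.log (`query[TYPE] name from client`) and flags the case where nearly all queries are sourced from the gateway. The log lines are constructed for this example and do not come from the post; the gateway addresses passed in are assumptions taken from the setup described.

```python
import re
from collections import Counter

# Constructed sample lines in the dnsmasq/pihole.log format (not taken from the post).
# This set mirrors the symptom: every query appears to come from 192.168.1.2,
# the firewall's WAN address, instead of from individual clients.
SYMPTOM_LOG = """\
Feb 25 22:10:01 dnsmasq[123]: query[A] example.com from 192.168.1.2
Feb 25 22:10:02 dnsmasq[123]: query[AAAA] example.com from 192.168.1.2
Feb 25 22:10:05 dnsmasq[123]: query[A] opnsense.org from 192.168.1.2
Feb 25 22:10:07 dnsmasq[123]: query[A] pi-hole.net from 192.168.1.2
"""

# Constructed lines showing the expected picture once clients reach Pi-hole directly:
# distinct client sources, with the 'forwarded' line (upstream to Unbound) ignored.
HEALTHY_LOG = """\
Feb 25 22:10:01 dnsmasq[123]: query[A] example.com from 192.168.1.50
Feb 25 22:10:02 dnsmasq[123]: query[AAAA] example.com from 192.168.1.51
Feb 25 22:10:05 dnsmasq[123]: query[A] opnsense.org from 192.168.1.52
Feb 25 22:10:07 dnsmasq[123]: forwarded opnsense.org to 192.168.1.1
Feb 25 22:10:07 dnsmasq[123]: query[A] pi-hole.net from 192.168.1.50
"""

# Matches only client-originated query lines, not 'forwarded'/'reply'/'cached' lines.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def clients_by_query_count(log_text):
    """Return a Counter of source IP -> number of queries seen in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[m.group("client")] += 1
    return counts


def masked_by_gateway(log_text, gateway_ips, threshold=0.9):
    """Return True when at least `threshold` of all queries come from one of
    `gateway_ips`, i.e. real client addresses are hidden behind the firewall."""
    counts = clients_by_query_count(log_text)
    total = sum(counts.values())
    if total == 0:
        return False
    from_gateway = sum(counts[ip] for ip in gateway_ips)
    return from_gateway / total >= threshold


if __name__ == "__main__":
    # Hypothetical gateway addresses (LAN 192.168.1.1 and WAN 192.168.1.2 as described).
    gateways = {"192.168.1.1", "192.168.1.2"}
    for label, log in (("symptom", SYMPTOM_LOG), ("healthy", HEALTHY_LOG)):
        verdict = "masked" if masked_by_gateway(log, gateways) else "ok"
        print(label, dict(clients_by_query_count(log)), verdict)
```

Run it against a copy of the real pihole.log to get a per-client breakdown; a "masked" verdict means the DNS path, not the Pi-hole configuration, is what needs fixing.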

Your description is a bit incongruent.
Client -> Pi-hole -> Unbound -> Pi-hole -> Client is not what I would expect from your description, which is also very strange.
This is the most important part right now:
  • Pi-hole running on a Synology NAS (Docker) with IP: 192.168.1.100
  • OPNsense running on OPNsense (acting as the only upstream resolver for Pi-hole) with IP: 192.168.1.1#53
  • Clients are configured in KEA DHCP to use Pi-hole as their DNS
Are you running both Unbound and Pi-hole on the same port #53? It's not in your post, but to get it out of the way, you shouldn't.
I don't understand from this why your OPN WAN interface is a) an internal IP
Quote: "I only see requests coming from the local WAN interface of OPNsense (192.168.1.2)"
and b) why that local IP would be in the same range as your LAN, apparently.

All that said, if you set it up according to your -assumed- description, it should work fine.
That is, the DHCP service dishing out the IP of your internal DNS server (pi-hole), then pi-hole having Unbound (on a different port) as its upstream DNS resolver. With that, pi-hole should be seeing the individual IPs of the LAN clients in the pi-hole query log.
Can you revise your setup or your post?

Hey Cookiemonster,

I understand the confusion regarding my setup. Pi-hole runs in a Docker container on my Synology NAS. The NAS itself has the IP address 192.168.1.100, which is also the assigned IP for Pi-hole. There are no other Docker containers installed. However, I have installed VMM on the NAS, where OPNsense is running as a VM. Within this VM, Unbound is running. So, it's as follows:
  • Synology NAS: 192.168.1.100 (running Pi-hole in a Docker)
  • OPNsense (running in a VM on the NAS): 192.168.1.1 (essentially the gateway)
  • Pi-hole's upstream resolver is configured to 192.168.1.1#53. If Unbound were also running in a Docker container, then I would have needed to use a different port like 5335, but since it runs in a VM, port 53 is fine
  • OPNsense's local WAN IP is an internal IP since the Synology NAS sits behind the modem. Unfortunately, I cannot bypass the modem due to certain required functionalities. The modem's gateway is 192.168.1.254

Does this clarify the setup?

It does thanks but only to a point for me. I don't use docker so I'm unfamiliar with the way it does networking.
I don't yet understand why you have two pictures with top clients telling a different story though.
So if all queries in pi-hole are appearing coming from Unbound, when dhcp server has told them to go to pi-hole directly, something is wrong for sure.
Leaving firewall rules to redirect next steps, would you be willing to change from Kea to ISC for the DHCP server for a test?
And can you have a look in the firewall live logs? Should be easy to spot behaviour there.

You cannot have OpnSense's WAN (192.168.1.2) and LAN IPs (192.168.1.1) in the same subnet, which is literally what you wrote.

Draw a network diagram with subnets and you will soon see why this cannot work, if it is like you describe (or at least, what I understand from it).
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

I have pointed it out. He clarified why it is internal; I assumed it was a typo and that it was on a different net.

When Cookiemonster mentioned it, I immediately started testing to move the local WAN out of the 192.168.1.0/24 subnet. Here's what I've done:
  • Created a new VLAN with tag 178 on the switch
  • Changed the modem's IP address from 192.168.1.254 to 192.168.178.254
  • Kept the Synology NAS in the existing VLAN (192.168.1.0/24), but moved the modem from this VLAN to VLAN 178. Also, gave the Synology NAS access to VLAN 178 so that I could relocate the local WAN IP to the new 192.168.178.0/24 subnet.
  • Changed the local WAN IP in OPNsense from 192.168.1.2 to 192.168.178.1, with the gateway set to the modem (192.168.178.254)

And now, it's working perfectly! Another lesson learned.

Initially, I thought that since it was separated from the main infrastructure (Docker + VM), it wouldn't be an issue. The fact that everything seemed to work fine as well confirmed my assumption that it was correctly set up, hehe. But after re-thinking what you said, I now understand that OPNsense could get confused and NAT might not always function as expected. WAN traffic should indeed always come from a different subnet and require NAT. Otherwise, a packet might leave OPNsense via LAN but return via WAN, potentially causing issues.

See attached "Result.png" for the outcome!

Big thanks to you guys for your help, I truly appreciate it ;)
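The root cause settled in this thread (WAN and LAN on the same /24, so the firewall has two directly connected interfaces for one subnet and the reply path is ambiguous) is easy to catch before it bites. The following is an added example, not code from the thread or from OPNsense; it uses Python's standard `ipaddress` module to check a set of interface assignments for overlapping subnets and to show which interfaces claim a given destination. The "before" and "after" assignments reproduce the addresses given in the posts; the interface labels and the helper names are my own.

```python
import ipaddress

# Interface assignments as described in the thread (labels are my own).
# BEFORE: WAN sits inside the LAN range, which is what caused the problem.
BEFORE = {
    "WAN": "192.168.1.2/24",
    "LAN": "192.168.1.1/24",
}
# AFTER: WAN moved to VLAN 178 (192.168.178.0/24), LAN unchanged.
AFTER = {
    "WAN": "192.168.178.1/24",
    "LAN": "192.168.1.1/24",
}


def overlapping_interfaces(assignments):
    """Return sorted (ifaceA, ifaceB) pairs whose connected subnets overlap.

    A firewall cannot NAT or route unambiguously between two interfaces that
    both claim the same address range, so any pair returned here is a
    misconfiguration, not just a warning."""
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in assignments.items()}
    names = sorted(nets)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                clashes.append((a, b))
    return clashes


def candidate_interfaces(assignments, dst_ip):
    """Interfaces whose directly connected subnet contains dst_ip, longest
    prefix first (ties broken by name). More than one entry sharing the top
    prefix length means the firewall's choice of egress interface for replies
    to that host is ambiguous, which is exactly the LAN-out/WAN-back path
    described above. An empty list means the host is only reachable via a
    gateway route."""
    dst = ipaddress.ip_address(dst_ip)
    matches = []
    for name, cidr in assignments.items():
        net = ipaddress.ip_interface(cidr).network
        if dst in net:
            matches.append((-net.prefixlen, name))
    return [name for _, name in sorted(matches)]


if __name__ == "__main__":
    # 192.168.1.100 is the NAS/Pi-hole host from the thread.
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "overlaps:", overlapping_interfaces(cfg),
              "interfaces claiming 192.168.1.100:",
              candidate_interfaces(cfg, "192.168.1.100"))
```

With the "before" layout both LAN and WAN claim the Pi-hole host, so DNS replies to it may leave through WAN and pick up the WAN address on the way; with the "after" layout only LAN does, which matches the outcome reported in the thread.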