aW50ZXJuZXQ
just joined
Topic Author
Posts: 11
Joined: Mon Mar 21, 2022 5:17 pm

pihole with multiple vlans

Tue Apr 26, 2022 2:06 am

I have set up pihole and it works on all my VLANs. However, I do not see my devices in pihole, it only shows my router.

I have read here in the forums and seen that the pihole DNS should also be added to DHCP -> Networks. It is when I do that that the problem arises. My DNS requests get no response. However, I can ping my pihole.

It works properly in the vlan where the pihole is located.


# apr/26/2022 01:05:02 by RouterOS 6.49.6
# software id = FQCH-LUB0
#
# model = RB750Gr3
# serial number = 
/interface bridge
add admin-mac=DC:2C:6E:53:3A:02 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=admin-vlan vlan-id=104
add interface=bridge name=family-vlan vlan-id=103
add interface=bridge name=guest-vlan vlan-id=102
add interface=bridge name=iot-vlan vlan-id=101
add interface=bridge name=main-vlan vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=MGMT
/ip pool
add name=main-pool ranges=192.168.100.10-192.168.100.254
add name=iot-pool ranges=192.168.101.10-192.168.101.254
add name=guest-pool ranges=192.168.102.10-192.168.102.254
add name=family-pool ranges=192.168.103.10-192.168.103.254
add name=admin-pool ranges=192.168.104.10-192.168.104.254
/ip dhcp-server
add address-pool=main-pool disabled=no interface=main-vlan name=main-dhcp
add address-pool=iot-pool disabled=no interface=iot-vlan name=iot-dhcp
add address-pool=guest-pool disabled=no interface=guest-vlan name=guest-dhcp
add address-pool=family-pool disabled=no interface=family-vlan name=family-dhcp
add address-pool=admin-pool disabled=no interface=admin-vlan lease-time=23h name=admin-dhcp
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=101
add bridge=bridge comment=defconf interface=ether5 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=main-vlan tagged=bridge untagged=ether2,ether3,ether5 vlan-ids=100
add bridge=bridge comment=iot-vlan tagged=bridge,ether5 untagged=ether4 vlan-ids=101
add bridge=bridge comment=guest-vlan tagged=bridge,ether5 vlan-ids=102
add bridge=bridge comment=family-vlan tagged=bridge,ether5 vlan-ids=103
add bridge=bridge comment=admin-vlan tagged=bridge,ether5 vlan-ids=104
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=main-vlan list=LAN
add interface=iot-vlan list=LAN
add interface=guest-vlan list=LAN
add interface=main-vlan list=VLAN
add interface=iot-vlan list=VLAN
add interface=guest-vlan list=VLAN
add interface=main-vlan list=MGMT
add interface=family-vlan list=LAN
add interface=family-vlan list=VLAN
add interface=admin-vlan list=LAN
add interface=admin-vlan list=VLAN
/ip address
add address=192.168.100.1/24 interface=main-vlan network=192.168.100.0
add address=192.168.101.1/24 interface=iot-vlan network=192.168.101.0
add address=192.168.102.1/24 interface=guest-vlan network=192.168.102.0
add address=192.168.103.1/24 interface=family-vlan network=192.168.103.0
add address=192.168.104.1/24 interface=admin-vlan network=192.168.104.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.100.0/24 comment=main-dhcp-network gateway=192.168.100.1
add address=192.168.101.0/24 comment=iot-dhcp-network gateway=192.168.101.1
add address=192.168.102.0/24 comment=guest-dhcp-network gateway=192.168.102.1
add address=192.168.103.0/24 comment=family-dhcp-network gateway=192.168.103.1
add address=192.168.104.0/24 comment=admin-vlan-dhcp-network dns-server=192.168.100.200 gateway=192.168.104.1
/ip dns
set allow-remote-requests=yes servers=192.168.100.200
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow main-vlan/MGMT access to all router services" in-interface-list=MGMT
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS UDP" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS TCP" dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN ICMP Ping" in-interface-list=VLAN protocol=icmp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access Only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward in-interface=admin-vlan out-interface=main-vlan
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT - enable if need server" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all other traffic"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=redirect chain=dstnat comment="Intercept DNS queries UDP" disabled=yes dst-port=53 protocol=udp src-address=!192.168.100.200 to-ports=53
add action=redirect chain=dstnat comment="Intercept DNS queries TCP" disabled=yes dst-port=53 protocol=tcp src-address=!192.168.100.200 to-ports=53
/ip ssh
set strong-crypto=yes
/system clock
/system identity
set name=RouterOS
/tool graphing interface
add allow-address=192.168.100.0/24 interface=ether1
add allow-address=192.168.100.0/24 interface=main-vlan
add allow-address=192.168.100.0/24 interface=iot-vlan
add allow-address=192.168.100.0/24 interface=guest-vlan
/tool graphing resource
add allow-address=192.168.100.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Last edited by aW50ZXJuZXQ on Tue Apr 26, 2022 2:25 am, edited 1 time in total.
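An added diagnostic, not code from the thread or from MikroTik: a small Python checker that parses a RouterOS export (a constructed excerpt of the one posted above is embedded inline) and reports, per DHCP network, whether clients will send DNS queries to the router (so Pi-hole logs only the router's address) or to the dns-server handed out, and whether a per-interface forward rule accepts that VLAN towards the DNS server's VLAN. It assumes RouterOS hands out its own address when dns-server is unset and allow-remote-requests=yes, and it does not resolve interface-list rules.

```python
import ipaddress
import shlex
# Constructed excerpt of the export posted above, trimmed to the menus this check reads.
EXPORT = """
/ip address
add address=192.168.100.1/24 interface=main-vlan network=192.168.100.0
add address=192.168.104.1/24 interface=admin-vlan network=192.168.104.0
/ip dhcp-server network
add address=192.168.100.0/24 comment=main-dhcp-network gateway=192.168.100.1
add address=192.168.104.0/24 comment=admin-vlan-dhcp-network dns-server=192.168.100.200 gateway=192.168.104.1
/ip firewall filter
add action=accept chain=forward in-interface=admin-vlan out-interface=main-vlan
add action=drop chain=forward comment="Drop all other traffic"
"""

def parse_export(text):
    """RouterOS export text -> {menu path: [{key: value, ...}, ...]}."""
    sections, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):            # menu path such as /ip address
            path = line
            sections.setdefault(path, [])
        else:                               # add key=value ...; shlex keeps "quoted values" whole
            sections[path].append(dict(w.partition("=")[::2] for w in shlex.split(line)[1:]))
    return sections

def iface_for(sections, ip):  # interface whose /ip address subnet contains ip, else None
    for a in sections.get("/ip address", []):
        if ipaddress.ip_address(ip) in ipaddress.ip_interface(a["address"]).network:
            return a["interface"]
    return None

def dns_audit(text):
    """Per DHCP network: where client DNS queries go and whether the forward chain lets them through."""
    s = parse_export(text)
    accepts = {(r.get("in-interface"), r.get("out-interface")) for r in s.get("/ip firewall filter", [])
               if r.get("chain") == "forward" and r.get("action") == "accept"}
    result = {}
    for net in s.get("/ip dhcp-server network", []):
        dns = net.get("dns-server", "").split(",")[0]
        vlan_if, dns_if = iface_for(s, net["gateway"]), iface_for(s, dns) if dns else None
        if not dns:        # no dns-server: with allow-remote-requests=yes the router hands out its own
            result[net["address"]] = "router-proxied"   # address and proxies, so Pi-hole logs the router
        elif dns_if is None or vlan_if == dns_if or (vlan_if, dns_if) in accepts:
            result[net["address"]] = "direct"           # client queries the DNS server itself
        else:              # only per-interface forward rules are resolved here, not interface lists
            result[net["address"]] = "direct-unforwarded"
    return result
```

Running `dns_audit` on the full export above flags every network without dns-server as router-proxied, which is exactly the symptom of Pi-hole listing only 192.168.100.1.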
 
rextended
Forum Guru
Posts: 12003
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: pihole with multiple vlans

Tue Apr 26, 2022 2:10 am

Don't put the serial number in the export, you use the cloud, so anyone could know the IP of your device...
 
aW50ZXJuZXQ
just joined
Topic Author
Posts: 11
Joined: Mon Mar 21, 2022 5:17 pm

Re: pihole with multiple vlans

Tue Apr 26, 2022 10:59 am

Don't put the serial number in the export, you use the cloud, so anyone could know the IP of your device...
Tnx! I thought that was hidden.
 
woland
Member Candidate
Posts: 258
Joined: Mon Aug 16, 2021 4:49 pm

Re: pihole with multiple vlans

Tue Apr 26, 2022 11:25 am

Hi,

I think you have wrong NAT rules:
add action=redirect chain=dstnat comment="Intercept DNS queries UDP" disabled=yes dst-port=53 protocol=udp src-address=!192.168.100.200 to-ports=53
That rule changes the port to 53 for everything not coming from 192.168.100.200 to port 53, so that is a rule that does nothing if it matches?
Also it is disabled.
A small sketch would have been useful.
If I understand correctly the RasPI has 192.168.100.200. If so, you must redirect incoming traffic to that IP, like this:
add action=redirect chain=dstnat comment="Intercept DNS queries UDP" disabled=yes dst-port=53 protocol=udp src-address=!192.168.100.200 to-addresses=192.168.100.200
This will redirect to the IP. Do the same with TCP as well.

W
 
aW50ZXJuZXQ
just joined
Topic Author
Posts: 11
Joined: Mon Mar 21, 2022 5:17 pm

Re: pihole with multiple vlans

Tue Apr 26, 2022 8:36 pm

Hi,

I think you have wrong NAT rules:
add action=redirect chain=dstnat comment="Intercept DNS queries UDP" disabled=yes dst-port=53 protocol=udp src-address=!192.168.100.200 to-ports=53
That rule changes the port to 53 for everything not coming from 192.168.100.200 to port 53, so that is a rule that does nothing if it matches?
Also it is disabled.
A small sketch would have been useful.
If I understand correctly the RasPI has 192.168.100.200. If so, you must redirect incoming traffic to that IP, like this:
add action=redirect chain=dstnat comment="Intercept DNS queries UDP" disabled=yes dst-port=53 protocol=udp src-address=!192.168.100.200 to-addresses=192.168.100.200
This will redirect to the IP. Do the same with TCP as well.

W


Thank you for response!

I tried to change NAT as you said. It did not give the desired effect.

Right now I have a working PiHole but the problem is that I can not see individual clients. The only client I see is the router (192.168.100.1) when I'm connected to one of the other VLANs. If I connect to 192.168.100.0, the clients are displayed with individual IP addresses and it works fine!

Is it possible to get PiHole to view individual clients from multiple VLANs?

ether1 -> VLAN100 (Main Network - 192.168.100.0)
ether2 -> VLAN100 (Main Network - 192.168.100.0) - > Proxmox -> PiHole (192.168.100.200)
ether3 -> VLAN100 (Main Network - 192.168.100.0)
ether4 -> VLAN101 (IoT Network - 192.168.101.0)
ether5 -> VLAN101-104 (Main, IoT, Guest, Family, Admin) -> Unifi AP

Main - 192.168.100.0
IoT - 192.168.101.0
Guest - 192.168.102.0
Family - 192.168.103.0
Admin - 192.168.104.0
 
woland
Member Candidate
Posts: 258
Joined: Mon Aug 16, 2021 4:49 pm

Re: pihole with multiple vlans

Tue Apr 26, 2022 9:16 pm

Hi,

sorry, I don't really understand you: what does it mean that you can't _see_ the clients? How do you want to connect to 192.168.100.0? If you have 192.168.100.0/24 as a subnet, then 192.168.100.0 is your network address, which you can't connect to. https://en.wikipedia.org/wiki/Subnetwork
Also you have neither provided a sketch nor confirmed what the pihole's IP should be.
First, check if you can ping across the router to the pihole.

W
 
mkx
Forum Guru
Posts: 11624
Joined: Thu Mar 03, 2016 10:23 pm

Re: pihole with multiple vlans

Tue Apr 26, 2022 9:22 pm

Right now I have a working PiHole but the problem is that I can not see individual clients. The only client I see is the router (192.168.100.1) when I'm connected to one of the other VLANs. If I connect to 192.168.100.0, the clients are displayed with individual IP addresses and works fine!

This sounds as if there were a SRC NAT rule on the router which affects traffic passing the router towards PiHole ...
 
alexb1
just joined
Posts: 3
Joined: Wed Feb 09, 2022 12:59 pm

Re: pihole with multiple vlans

Thu Apr 28, 2022 1:43 pm

Hi!

This will be offtopic, as I don't know how to send someone a message.
mkx: could I talk to you directly? My email is aleks1980frelih@gmail.com..


Regards
Alex
