Tutorial: Running Pi-Hole on Firewalla Blue in 5 min

10 comments

  • Rastislav Švarba

    I'm not sure how to correctly set it up, what needs to be set up on firewalla.

    Pihole + pihole-FTL is running, it shows connections, but just by localhost and firewalla. No other devices.

    I need to set on my computer to use DNS (IP of firewalla) to go through pihole. I've tried with Ad-Block and DNS boost on/off. Without any effect. But I didn't restart firewalla between config changes.


    It's been working for a while, when I set on firewalla app -> network settings to use primary DNS IP of firewalla itself.

  • Rastislav Švarba

    Looks like it's working again. Now I have it set up this way in the firewalla app:

    • Primary DNS to IP of router (xxx.yyy.zzz.1)
    • Turn OFF Family protect
    • Turn ON AdBlock
    • Turn ON DNS Boost
  • Jeremy Markle

    "I need to set on my computer to use DNS (IP of firewalla) to go through pihole."

    "It's been working for a while, when I set on firewalla app -> network settings to use primary DNS IP of firewalla itself."

    This is all related to the iptables NAT table doing a DNAT from port 53 (pihole-ftl) to 8853 (local dnsmasq) for sources not 127.0.0.1. Your incoming traffic hits iptables then gets DNAT'ed to 8853 which forwards your query to 127.0.0.1:53 which does not get DNAT'ed to port 53 (pihole-ftl). The non-authoritative lookup makes all your queries to pihole-ftl appear to be originating from localhost.

    So my question to the Firewalla team is... how can I have the result from the following be applied forever and always?

    sudo iptables -t nat -D PREROUTING -s 0.0.0.0/0 -d 0.0.0.0/0 -j PREROUTING_DNS_DEFAULT

    I needed the Beta Firewalla app to see the DNS Boost function which adds entries to an ipset (no_dns_caching_mac_set) for devices to be excluded from the rules in the PREROUTING_DNS_DEFAULT chain.

  • Melvin Tu

    @Jeremy, thanks for the info.

    The rule will automatically be added if the Firewalla service restarts. What you can do is add a cronjob to the root account to execute this delete command periodically.

    Do not add to pi's cronjob, as its cronjob will be flushed when service restarts.

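A cron-friendly way to do what Melvin describes, as an added example that is not from the thread or from Firewalla: it checks whether the PREROUTING jump quoted by Jeremy is present and deletes it only then, so it can run every few minutes from root's crontab without erroring when there is nothing to do. The IPTABLES override variable, the script path, the interval and the log file are assumptions.

```shell
#!/bin/sh
# Added example (not Firewalla's own code): idempotently drop the PREROUTING ->
# PREROUTING_DNS_DEFAULT jump that the Firewalla service re-adds on restart, so
# Pi-hole sees clients' real source addresses instead of everything from localhost.
# Assumptions: the rule spec is exactly the one quoted in the thread; IPTABLES may
# be overridden (e.g. for testing) and defaults to the iptables binary on PATH.

# Match part of the rule, shared by the check (-C) and delete (-D) invocations.
DNS_JUMP_RULE="PREROUTING -s 0.0.0.0/0 -d 0.0.0.0/0 -j PREROUTING_DNS_DEFAULT"

remove_dns_dnat_jump() {
    ipt="${IPTABLES:-iptables}"
    n=0
    # -C exits 0 only while the rule exists; loop so duplicate jumps (several
    # restarts between cron runs) are all removed, and stay quiet when absent.
    # shellcheck disable=SC2086  # word-splitting of the rule spec is intended
    while "$ipt" -t nat -C $DNS_JUMP_RULE 2>/dev/null; do
        "$ipt" -t nat -D $DNS_JUMP_RULE || break
        n=$((n + 1))
    done
    echo "$n"   # number of jumps deleted this run
}

# Install for root, not the pi user (the pi crontab is flushed on service restart):
#   sudo crontab -e
#   */5 * * * * /usr/local/bin/pihole-dns-fix.sh --run >> /var/log/pihole-dns-fix.log 2>&1
# (path, interval and log file are assumptions)
if [ "${1:-}" = "--run" ]; then
    echo "$(date '+%F %T') removed $(remove_dns_dnat_jump) jump(s)"
fi
```

Deleting the jump also switches off Firewalla's port-53 DNAT to its local dnsmasq for every client, so after the first run confirm with `dig @<firewalla IP> example.com` that Pi-hole is the resolver answering.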
  • Antonio Lopedote

    Hello there, I have tried to use Pi-hole on my firewalla blue but after one day it has blocked all my local network. I have disabled the dhcp server on my router and I have used the Pi-hole dhcp service. What is the problem? Could you help me? Now I have done a reset of firewalla ... where is the problem?

  • Melvin Tu

    @Antonio,

    We didn't use the dhcp service on Pi-hole. This may cause Firewalla to be unable to get an IP allocated for itself. Maybe after one day, your box's IP address expired.

    What's the reason you wanted to use the Pi-hole DHCP service?

    Melvin

  • Antonio Lopedote

    @Melvin, thank you for your reply. There is not a good reason for my decision. I have understood this operation could block all my lan.

    Thank you!

  • Adrian✌🏽🎃

    @Rastislav Švarba

    Are you using Simple or DHCP mode?

    I'm only seeing traffic from localhost, firewalla, and anything plugged into ethernet in the pihole logs. Have tried a few permutations that gave me varying results. No matter what I do (probably doing something wrong) I can't get Pi-hole and Firewalla to see traffic (and block ads) at the same time. Any tips?

  • Rastislav Švarba

    @Adrian,

    I'm using Simple mode. And currently, I have on my router set primary DNS to point to the IP of firewalla, and in firewalla Primary DNS Server set to the firewalla IP too.

    In Pi-hole I see only `localhost`, `firewalla`, and `gateway`. But I see that what's marked as firewalla are the requests from devices on my network.

  • Adrian✌🏽🎃

    Thanks @Rastislav Švarba!

    In playing around with settings I ended up with DHCP mode with the overlay network's DNS server pointed to Pi-hole (primary set as the primary address and secondary set to 192.168.218.1, Firewalla's IP in the overlay). With the exception of the primary and secondary DNS + DHCP mode, I've mirrored your settings and I'm able to see traffic from the Pi-hole and Firewalla side.

    Looks like TTL was the thing getting me; making changes but everything is cached. Got reacquainted with `dig` in the past few hours :)
