This guide is only for Firewalla Red or Blue. Firewalla Gold users should run Pi-Hole in docker containers. Here is the beta guide for running Pi-Hole on Gold: https://help.firewalla.com/hc/en-us/articles/360051625034
Firewalla runs a full Linux distribution, so many other services can be installed and run alongside it. Here is a quick tutorial on bringing one such open-source project, Pi-hole, to Firewalla in less than 5 minutes.
- This tutorial is for advanced users only.
- This tutorial only works with Firewalla version 1.965 or greater.
- Make sure you know how to reset Firewalla, in case things break.
- Only try this on the Firewalla Blue. The Red may not have enough RAM.
- Pi-hole won't work together with the following Firewalla features on the same device. Firewalla's features always take priority. These features include:
- Family Protect
- DNS over HTTPS
- In most cases you should not enable conditional forwarding in Pi-hole, or you may create a DNS loop, because Firewalla's own DNS will point back at Pi-hole.
- Pi-hole's query database may consume all remaining space on Firewalla's disk if it is not managed. Reference: https://docs.pi-hole.net/database/ftl/
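As an added example (not from this article or from the Pi-hole project), the following script caps how long pihole-FTL keeps query history, which is the knob behind the disk-space caveat above. MAXDBDAYS in /etc/pihole/pihole-FTL.conf is a real pihole-FTL setting (default 365 days, per the FTL configuration docs); the FTL_CONF override variable, the 7-day default and the --apply flag are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the Firewalla article or Pi-hole's own tooling.
# Sets MAXDBDAYS in pihole-FTL.conf so FTL prunes query rows older than N days
# instead of letting its SQLite database grow until the box's disk is full.
#
# FTL_CONF may be overridden (e.g. pointed at a temp file) to exercise the logic
# without touching the live config. The default path is Pi-hole's standard one.
FTL_CONF="${FTL_CONF:-/etc/pihole/pihole-FTL.conf}"

# Print the effective MAXDBDAYS for a config file: the last MAXDBDAYS= line if
# present, otherwise 365, which is FTL's built-in default when the key is unset.
ftl_max_db_days() {
    conf="$1"
    val=$(grep -E '^MAXDBDAYS=' "$conf" 2>/dev/null | tail -n 1 | cut -d= -f2)
    printf '%s\n' "${val:-365}"
}

# Set MAXDBDAYS=<days> in <conf>: replace an existing line in place, otherwise
# append one. Rejects anything that is not a positive integer so a typo cannot
# leave FTL with an unparseable value. Other keys in the file are left untouched.
set_ftl_max_db_days() {
    conf="$1"
    days="$2"
    case "$days" in
        ''|0|*[!0-9]*) echo "days must be a positive integer, got '$days'" >&2; return 1 ;;
    esac
    if grep -qE '^MAXDBDAYS=' "$conf" 2>/dev/null; then
        tmp="$conf.tmp.$$"
        sed -E "s/^MAXDBDAYS=.*/MAXDBDAYS=$days/" "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf 'MAXDBDAYS=%s\n' "$days" >> "$conf"
    fi
}

# Only change the live system when explicitly asked, e.g.:
#   sudo FTL_CONF=/etc/pihole/pihole-FTL.conf sh ftl-retention.sh --apply 7
# FTL reads the file at start-up, so it is restarted afterwards (the thread below
# uses the same command to recover a stuck FTL).
if [ "${1:-}" = "--apply" ]; then
    set_ftl_max_db_days "$FTL_CONF" "${2:-7}" || exit 1
    echo "MAXDBDAYS is now $(ftl_max_db_days "$FTL_CONF"); restarting pihole-FTL"
    sudo systemctl restart pihole-FTL
fi
```

Retention alone does not shrink an already-bloated database immediately; FTL removes old rows on its periodic cleanup, and `du -sh /etc/pihole/pihole-FTL.db` before and after is the simplest way to confirm it is working on a Blue with little free space.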
Warning: DNS blocking conflicts between Pi-hole and Firewalla
If you install Pi-hole on Firewalla, Pi-hole becomes Firewalla's upstream DNS server. All DNS traffic goes to Firewalla first and then to Pi-hole, so you will only see localhost and Firewalla as clients in the Pi-hole portal.
Devices -> Firewalla -> Pi-hole -> further upstream DNS servers
To get per-device stats, you would have to install Pi-hole on a separate device and set it as the DNS server in your router's DHCP settings. But then you lose all of Firewalla's per-device DNS features (Family Protect, Ad Block, Safe Search, etc.), because Firewalla only sees DNS traffic coming from Pi-hole.
Devices -> Pi-hole -> Firewalla -> further upstream DNS servers
How to run Pi-hole on Firewalla in 5 minutes
Step 1. Get the Firewalla SSH password from the Firewalla app (Settings -> Advanced -> Configurations -> SSH Console -> tap the password to reveal it).
Step 2. Log in to Firewalla via SSH; the user account is pi. Then install Pi-hole with this command:
curl -sSL https://install.pi-hole.net | bash
Note that this pipes a script fetched over HTTPS straight into a shell that will elevate to root. If you prefer to review it first, save it to a file, read it, and then run the saved copy.
Step 3. In the Firewalla app, go to Settings -> Advanced -> Network Settings. Change the DNS server of the primary network (if you are in Simple mode) or of the overlay network (if you are in DHCP mode) to Firewalla's IP address on the PRIMARY network.
Step 4. Reboot Firewalla (Settings -> Advanced -> Reboot), and it's done.
- Firewalla may take longer to reboot with Pi-hole installed, so please be patient.
- If you enabled the web interface when installing Pi-hole, you can access it at http://<firewalla_ip>. If you see the Firewalla pairing page instead, the pairing service is still running; wait 10 minutes and try again.
- Pi-hole will only show Firewalla as the client, not the individual devices on your network.
I'm not sure how to correctly set it up, what needs to be set up on firewalla.
Pi-hole + pihole-FTL are running; it shows connections, but only from localhost and Firewalla. No other devices.
I need to set on my computer to use DNS (IP of firewalla) to go through pihole. I've tried with Ad-Block and DNS boost on/off. Without any effect. But I didn't restart firewalla between config changes.
It's been working for a while, when I set on firewalla app -> network settings to use primary DNS IP of firewalla itself.
Looks working again. Now I have it set up this way in firewalla app:
"I need to set on my computer to use DNS (IP of firewalla) to go through pihole."
"It's been working for a while, when I set on firewalla app -> network settings to use primary DNS IP of firewalla itself."
This is all related to the iptables NAT table doing a DNAT from port 53 (pihole-ftl) to 8853 (local dnsmasq) for sources not 127.0.0.1. Your incoming traffic hits iptables then gets DNAT'ed to 8853 which forwards your query to 127.0.0.1:53 which does not get DNAT'ed to port 53 (pihole-ftl). The non-authoritative lookup makes all your queries to pihole-ftl appear to be originating from localhost.
So my question to the Firewalla team is... how can i have the result from the following be applied forever and always?
sudo iptables -t nat -D PREROUTING -s 0.0.0.0/0 -d 0.0.0.0/0 -j PREROUTING_DNS_DEFAULT
I needed the Beta Firewalla app to see the DNS Boost function which adds entries to an ipset (no_dns_caching_mac_set) for devices to be excluded from the rules in the PREROUTING_DNS_DEFAULT chain.
@Jeremy, thanks for the info.
The rule will automatically be added again if the Firewalla service restarts. What you can do is add a cron job to the root account to execute this delete command periodically.
Do not add it to pi's cronjob, as that cronjob will be flushed when the service restarts.
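As an added example (not from the thread and not Firewalla's own tooling), here is the root cron job the Firewalla reply suggests, written as a small idempotent script around the exact iptables rule Jeremy quoted. The install path, the 5-minute schedule, the --apply flag and the IPTABLES override variable are this example's assumptions. Keep in mind what the thread implies about the trade-off: once this jump is gone, device queries hit pihole-FTL directly with their real source address, but Firewalla's dnsmasq no longer sees them, so the per-device DNS features the article lists stop applying to those devices.

```shell
#!/bin/sh
# Added example, not Firewalla's own code. Removes the nat PREROUTING jump that
# DNATs devices' port-53 queries to Firewalla's local dnsmasq (the rule quoted in
# the thread), so queries reach pihole-FTL with their original source address.
# Firewalla re-adds the rule when its service restarts, hence the cron entry.
#
# Assumed install path and schedule (root's crontab, not pi's, per the thread):
#   sudo install -m 0755 fix-pihole-dnat.sh /usr/local/sbin/fix-pihole-dnat.sh
#   sudo crontab -e    ->    */5 * * * * /usr/local/sbin/fix-pihole-dnat.sh --apply
#
# IPTABLES may be overridden (e.g. with a stub function) to exercise the logic
# without root; the default is the real binary.
IPTABLES="${IPTABLES:-iptables}"

# The rule exactly as posted in the thread, kept in one place so the existence
# check (-C) and the delete (-D) can never drift apart.
RULE_CHAIN="PREROUTING"
RULE_SPEC="-s 0.0.0.0/0 -d 0.0.0.0/0 -j PREROUTING_DNS_DEFAULT"

# Return 0 if the rule is currently present in the nat table, non-zero otherwise.
dns_dnat_rule_present() {
    # shellcheck disable=SC2086  # RULE_SPEC is intentionally word-split
    "$IPTABLES" -t nat -C "$RULE_CHAIN" $RULE_SPEC 2>/dev/null
}

# Delete every copy of the rule (looping rather than deleting once, in case more
# than one instance exists) and print how many were removed. Returns non-zero
# if a delete fails, so cron's mail/log shows the failure.
remove_dns_dnat_rule() {
    removed=0
    while dns_dnat_rule_present; do
        # shellcheck disable=SC2086
        "$IPTABLES" -t nat -D "$RULE_CHAIN" $RULE_SPEC || return 1
        removed=$((removed + 1))
    done
    printf '%s\n' "$removed"
}

# Only touch the firewall when invoked with --apply; sourcing the file for a
# dry run or a test is side-effect free.
if [ "${1:-}" = "--apply" ]; then
    n=$(remove_dns_dnat_rule) || exit 1
    if [ "$n" -gt 0 ]; then
        logger -t fix-pihole-dnat "removed $n PREROUTING_DNS_DEFAULT jump(s) from nat PREROUTING"
    fi
fi
```

Because the script checks with `-C` before deleting, running it every five minutes is harmless when the rule is already absent, and the `logger` line leaves a trace in syslog each time Firewalla has put the rule back, which is useful when you later wonder why per-device features silently stopped.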
Hello there, I have tried to use pi hole on my firewalla blue but after one day it has blocked all my local network. I have disabled the dhcp server on my router and I have used the pi hole dhcp service. What is the problem ? could you help me? Now I have done a reset of firewalla ... where is the problem?
We didn't use the DHCP service on Pi-hole. This may mean Firewalla can't get an IP allocated for itself. Maybe after one day, your box's IP address expired.
What was the reason you wanted to use the Pi-hole DHCP service?
@Melvin, thank you for your reply. There is not a good reason for my decision. I understand now that this operation could block my whole LAN.
Are you using Simple or DHCP mode?
I'm only seeing traffic from localhost, firewalla, and anything plugged into ethernet in the pihole logs. Have tried a few permutations that gave me varying results. No matter what I do (probably doing something wrong) I can't get Pi-hole and Firewalla to see traffic (and block ads) at the same time. Any tips?
I'm using Simple mode. And currently, I have on my router set primary DNS to point to IP of firewalla and in firewalla Primary DNS Server set to firewalla IP too.
In pi-hole I see only `localhost`, `firewalla`, and `gateway`. But I see that what's marked as firewalla are the requests from devices on my network
Thanks @Rastislav Švarba!
In playing around with settings I ended up with DHCP mode with the overlay network's DNS server pointed to Pi-hole (primary set as the primary address and secondary set to 192.168.218.1, Firewalla's IP in the overlay). With the exception of the primary and secondary DNS + DHCP mode, I've mirrored your settings and I'm able to see traffic from the Pi-hole and Firewalla side.
Looks like TTL was the thing getting me; making changes but everything is cached. Got reacquainted with `dig` in the past few hours :)
I have tried logging in using SSH but keep getting a wrong password error even though I know it's correct. It didn't ask me for a username. Any suggestions as to what I can do?
The username is pi. If still getting the wrong password error, please reload the data from the main screen and try again.
So I was setting up an RPi to do this and thought, great, I can get my Firewalla to do it, one less device and socket to find. But when I SSH in it takes ages and often times out, and if I do get to enter the curl command it doesn't like the URL. So I think it must be down to the slowness of the subnet, but that confuses me: the subnet is small and short, so why does this happen?
I loaded Pi Hole and can see the dashboard. However, the DNS service is not running and the FTL service is offline. What kind of edits to either my NETGEAR Nighthawk R6700v3 or my Firewalla Blue should I make? Thanks in advance.
@Eli1, log in to the Pi-hole via SSH
run from command line: "pihole restartdns"
Sometimes my DNS will not work after a restart or power failure. It comes up so quickly that it does not see the default interface, which is still coming up.
here are some useful commands :
pihole restartdns <--- fixes DNS reboot problem
pihole status <--- pihole server check
pihole -c -e <--- terminal display on overall status
pihole -v <--- checks if updates are available
pihole -up <--- this will update pi-hole application
pihole -g <-- updates the blocklists
hope this helps
I installed Pi-hole and it seems working.
However, Pi-hole Dashboard shows no query count, no blocked count.
Is something wrong?
My firewalla blue Version 1.966 Beta
Ad Block ON
Family Protect OFF
DNS Booster ON
Can you try to configure the box primary IP address as the DNS server of Primary Network and Overlay Network?
Settings -> Advanced -> Network Settings
See if you can see the queries in pihole after the change.
Thank you @Melvin
I changed my Firewalla Blue DNS server setting to its own IP address.
The Pi-hole Dashboard now shows queries and the counter going up.
I have a Firewalla Blue and followed the directions and can see the admin panel fine, but it only shows localhost and queries from localhost only, which are mainly ubuntu. There are no other queries. I also tried to add the Firewalla's IP address as DNS for both the Primary and Overlay Network and still nothing. I do have Ad Block on and Family Protect off.
I installed the Pi-hole services and the dashboard loaded one time. As per the instructions I did a reboot and nothing is loading now. I cannot even access the dashboard, and the Firewalla app is slow on my phone. It has been an hour; how do I fix this?
Update: after an hour of time from the app it is showing the device is unreachable.
If you can still ssh to the box, try to restart the pihole service by
sudo systemctl restart pihole-FTL
And check if it's coming back.
Which monitoring mode do you employ? Thanks!
For some reason pi-hole stops for no reason every few days. Sometimes a reboot helps, sometimes not. Any idea what I can do to stop this happening?
I got this (Firewalla) $ pihole -t
[i] Press Ctrl-C to exit
01:19:14: query[A] 1.ubuntu.pool.ntp.org from 127.0.0.1
01:19:14: config error is REFUSED
01:19:14: query[AAAA] 1.ubuntu.pool.ntp.org from 127.0.0.1
01:19:14: config error is REFUSED
01:35:23: read /etc/hosts - 7 addresses
01:35:23: failed to load names from /etc/pihole/custom.list: No such file or directory
01:35:23: read /etc/pihole/local.list - 2 addresses
01:50:12: read /etc/hosts - 7 addresses
01:50:12: failed to load names from /etc/pihole/custom.list: No such file or directory
01:50:12: read /etc/pihole/local.list - 2 addresses
02:14:29: read /etc/hosts - 7 addresses
02:14:29: failed to load names from /etc/pihole/custom.list: No such file or directory
02:14:29: read /etc/pihole/local.list - 2 addresses
Any solution please?
Same issues as others above. Everything installed and appears to be running fine. I set the DNS Server for both primary and overlay networks to be the FW IP and that seemed to work for a day. Now dashboard shows nothing blocked and a handful of queries. Setting DNS Server to FW IP only on the overlay seems to have no effect at all. Any suggestions for troubleshooting?
FWIW, the solution for me appears to be going into the router settings and changing its DNS server to point to the FW. So with FW in DHCP mode, both the overlay DNS server and the router are pointed to the FW IP address. That seems to be working although the blocked queries are still very low (1% or less), which is surprising.
PH still stops blocking after about 24 hours. PH folks suggest the issue is on the FW side since PH appears to be functioning normally. At this point, PH is blocking zero DNS requests so its doing nothing but slowing down the FW box.
Turn DNS over HTTPS on FW OFF. Otherwise it will push requests around the pi-hole and you’ll see little to no activity in pihole. You can install DNS over HTTPS on the pi-hole via instructions in pi hole documentation. Works perfectly now, even using the troublesome google mesh router that won’t let you turn off native DNS.
It was not so smooth, but I made it by commenting out the Pi-hole install line that was making a check and resulting in an error on the APT-GET UPDATE. Since then, after a long reboot, it's smooth!
Anyone had any luck removing Pihole from the Firewalla without resetting it?
i get stuck here:
pi@Firewalla:~ (Firewalla) $ pihole uninstall
[?] Are you sure you would like to remove Pi-hole? [y/N] y
[✓] Root user check
[✗] Update local cache of available packages
Error: Unable to update package cache. Please try "apt-get update"