This doc does not apply to Firewalla Red, Blue and Blue Plus.
Common Problems:
If client DNS is set to pi-hole's IP address
Since the client and pi-hole are in the same network, the DNS traffic is sent directly to the pi-hole and does not pass through layer 3 (the IP layer) of Firewalla. Therefore, DNS interception on Firewalla does not take effect and DNS-based features don't work.
If client DNS is set to Firewalla's LAN IP
DNS traffic from the client is first sent to Firewalla. All DNS-based features work, and if the query is not answered from Firewalla's DNS cache, it is forwarded to the pi-hole on the local network for resolution.
Don't want to change every client's DNS settings?
Here is an alternative way to make domain block work with pi-hole in the network:
- Create another local network segment on the Firewalla
- Move the pi-hole to the newly created network
- Change the DNS server in the old network's DHCP options to the new IP address of the pi-hole
- Never change WAN DNS on Firewalla to the pi-hole, unless you know what you are doing.
This way, all DNS traffic from other devices to the pi-hole goes through Firewalla, and DNS-based features will work.
But since all requests are forwarded by Firewalla, the pi-hole sees only one client, Firewalla, so per-client rules on the pi-hole won't work. We don't have a solution for that right now.
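The three layouts above (DNS pointed at a pi-hole on the same segment, DNS pointed at Firewalla, pi-hole moved to its own segment) differ only in whether the query crosses Firewalla's IP layer. The following checker is an added example, not Firewalla's or Pi-hole's own code: it takes a client, its DNS server, Firewalla's LAN addresses and the WAN DNS setting, and reports which of this article's rules the layout violates. All addresses are constructed sample values, and the Topology fields and finding codes (same_segment, forwarded, wan_dns) are names chosen for this example.

```python
"""Check a client / Pi-hole / Firewalla layout against the rules in this article.

Added example, not Firewalla's or Pi-hole's own code. All addresses are
constructed sample values; the Topology fields and the finding codes
(same_segment, forwarded, wan_dns, unknown_client) are names chosen here.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Topology:
    firewalla_lans: list[str]   # Firewalla's address on each local segment, CIDR form
    pihole_ip: str
    client_ip: str
    client_dns: str             # DNS server the client (or its DHCP lease) points at
    wan_dns: str                # DNS configured on Firewalla's WAN side


def segment_of(ip: str, lans: list[str]) -> ipaddress.IPv4Network | None:
    """Return the Firewalla LAN segment containing ip, or None if it is on none."""
    addr = ipaddress.ip_address(ip)
    for lan in lans:
        net = ipaddress.ip_interface(lan).network
        if addr in net:
            return net
    return None


def check_topology(t: Topology) -> list[str]:
    """Return findings as 'code: explanation' strings.

    'same_segment' and 'wan_dns' are problems; 'forwarded' is informational
    (DNS features work, but Pi-hole only ever sees Firewalla as the client).
    """
    findings: list[str] = []
    firewalla_ips = {str(ipaddress.ip_interface(lan).ip) for lan in t.firewalla_lans}
    client_seg = segment_of(t.client_ip, t.firewalla_lans)
    dns_seg = segment_of(t.client_dns, t.firewalla_lans)

    if client_seg is None:
        return ["unknown_client: client is not on any Firewalla LAN segment"]

    forwarded_note = ("forwarded: Firewalla forwards queries to Pi-hole, so Pi-hole "
                      "sees one client (Firewalla) and its per-client rules do not apply")

    if t.client_dns in firewalla_ips:
        # Client DNS = Firewalla LAN IP: Firewalla intercepts, serves its cache,
        # and forwards misses to Pi-hole.
        findings.append(forwarded_note)
    elif dns_seg == client_seg:
        # DNS server on the client's own segment: the query is switched directly
        # and never reaches Firewalla's IP layer.
        findings.append("same_segment: client and DNS server share a segment; "
                        "queries bypass Firewalla and DNS-based features do not apply")
    elif t.client_dns == t.pihole_ip:
        # Pi-hole on another segment: the query is routed through Firewalla.
        findings.append(forwarded_note)

    if t.wan_dns == t.pihole_ip:
        findings.append("wan_dns: Firewalla's WAN DNS points at Pi-hole, which the "
                        "article advises against")
    return findings


if __name__ == "__main__":
    # Constructed sample: two LAN segments, Pi-hole moved to the second one.
    layout = Topology(firewalla_lans=["192.168.0.1/24", "192.168.1.1/24"],
                      pihole_ip="192.168.1.53", client_ip="192.168.0.20",
                      client_dns="192.168.1.53", wan_dns="1.1.1.1")
    for finding in check_topology(layout) or ["ok: no findings"]:
        print(finding)
```

Run it against your own addresses by editing the Topology in the `__main__` block; a `same_segment` finding is the first case described above, an empty list or only a `forwarded` note means the layout matches one of the working cases.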
For those who have a local search domain, you might also want to check: Difference between Search Domain and Local Domain
Comments
3 comments
Just wanted to share my experience applying this to Adguard Home. I have a Raspberry Pi 3b+ with the DietPi OS installed and Adguard Home with Unbound. This also works with Pi-hole with Unbound but there are a few extra steps.
- Created a new network on its own dedicated Firewalla port and plugged in the Pi
- Created standard rules for this network to Block Traffic from & to All Local Networks and Block Traffic from Internet.
- In the Firewalla phone app, under the Network Manager settings for each LAN network, set the Primary DNS Server address to the IP of the Pi. I did this for two networks and two VLANs that I wanted to route through the Pi/AdGuard/Unbound.
It appears the DNS Booster function will intercept the DNS requests, and the Firewalla box will then forward the DNS request to the Pi without having to create any rules to allow DNS traffic between local networks. I did have to create a rule to allow my management machine to access the Pi machine so that I could see the Adguard Home web interface: Allow [IP of Pi]:[port], outbound only. Similar rule to use PuTTY to connect.
I’ve run across some issues when using an external AdGuard Home with Firewalla, so I thought I’d share how to get different features to work on AdGuard Home.
If you want AdGuard Home to resolve the .lan domain on the same network, add the following in Settings -> DNS settings -> Upstream DNS servers:
For reverse DNS and resolving client IP Addresses to hostnames, add the following under Private reverse DNS servers:
Note: It seems that the Firewalla IP address in the DNS settings should be a LAN IP that is outside of the network that the server is in. If my AdGuard Home is in the 192.168.0.1/24 network, then the upstream DNS of 192.168.0.1 doesn’t work, but 192.168.1.1 works. This can be tested with the ‘Test upstreams’ button at the bottom of the Upstream DNS section.
According to https://help.firewalla.com/hc/en-us/articles/1500002445242 and looking through my query logs, non-existent .lan lookups get forwarded to AdGuard Home, which then forwards them to the upstream servers. This also seems to happen with valid HTTPS queries. To fix this we can add some Custom filtering rules under Filters -> Custom filtering rules.
If you set the Firewalla as an upstream DNS server, then add the following rule:
Otherwise, you can add the following rule to rewrite all .lan requests:
If you have ‘Use private reverse DNS resolvers’ enabled in your DNS settings, then you should set custom filtering rules for reverse DNS lookups on all the LAN IP address ranges that you have set up.
This regex rule for all Private IP Addresses should also work:
Without these rules you can experience problems and network slowdowns due to a loop where Firewalla queries AdGuard Home, and AdGuard Home forwards the query to Firewalla.
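The loop the comment above describes (Firewalla forwards an unknown .lan name to AdGuard Home, AdGuard Home sends .lan names back to Firewalla) can be reproduced on paper before touching either box. The following is an added example, not Firewalla's or AdGuard Home's code: it models each resolver as a set of local records plus ordered (suffix, upstream) forwarding rules, traces where a query name travels, and flags a loop when a resolver is visited twice. The resolver names, the rule format and the sample configuration are constructed for this example; AdGuard Home's actual custom filtering rule syntax is not modelled, a rule that answers .lan locally is simply represented as an upstream of None.

```python
"""Trace DNS forwarding between resolvers and detect a forwarding loop.

Added example, not Firewalla's or AdGuard Home's code. Resolver names, the
rule format and the sample configuration are constructed for this example.
"""
from __future__ import annotations


def _in_zone(qname: str, suffix: str) -> bool:
    """True when qname lies under suffix; the empty suffix matches every name."""
    qname, suffix = qname.rstrip(".").lower(), suffix.strip(".").lower()
    return suffix == "" or qname == suffix or qname.endswith("." + suffix)


class Resolver:
    """A forwarding resolver: local records plus ordered (suffix, upstream) rules.

    An upstream of None means 'answer this name locally' (e.g. an NXDOMAIN or
    rewrite rule). An upstream name absent from the resolver table is treated
    as an external server that always answers.
    """

    def __init__(self, name: str, records=(), rules=()):
        self.name = name
        self.records = {r.lower() for r in records}
        self.rules = list(rules)

    def next_hop(self, qname: str) -> str | None:
        """Where this resolver sends qname; None means it answers itself."""
        if qname.lower() in self.records:
            return None
        for suffix, upstream in self.rules:
            if _in_zone(qname, suffix):
                return upstream
        return None


def trace(resolvers: dict[str, Resolver], start: str, qname: str) -> tuple[list[str], bool]:
    """Follow qname from resolver `start`; return (path, looped)."""
    path: list[str] = []
    hop: str | None = start
    while hop is not None:
        if hop in path:
            return path + [hop], True      # a resolver was revisited: forwarding loop
        path.append(hop)
        if hop not in resolvers:           # external upstream: it answers, stop here
            break
        hop = resolvers[hop].next_hop(qname)
    return path, False


def sample_topology(adguard_answers_lan_locally: bool) -> dict[str, Resolver]:
    """Constructed sample: Firewalla knows 'printer.lan' and forwards everything
    else to AdGuard Home; AdGuard Home sends .lan names back to Firewalla
    unless a local rule handles them, and everything else to the internet."""
    lan_rule = ("lan", None if adguard_answers_lan_locally else "firewalla")
    return {
        "firewalla": Resolver("firewalla", records=["printer.lan"], rules=[("", "adguard")]),
        "adguard": Resolver("adguard", rules=[lan_rule, ("", "internet")]),
    }


if __name__ == "__main__":
    for fixed in (False, True):
        topo = sample_topology(fixed)
        for name in ("printer.lan", "nosuch.lan", "example.com"):
            path, looped = trace(topo, "firewalla", name)
            print(f"lan rule on AdGuard={fixed} {name}: {' -> '.join(path)}"
                  f"{'  LOOP' if looped else ''}")
```

Without the local .lan rule, `nosuch.lan` bounces firewalla -> adguard -> firewalla and is reported as a loop; with it, the trace stops at AdGuard Home. A known name (`printer.lan`) never leaves Firewalla and a public name goes out to the external upstream in both configurations, which is why the loop only shows up for names neither side can answer.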
I have a blue plus which still usually seems to work well enough, but as my network has been growing it seems to get overloaded more and more frequently (network appears to be 'down' for monitored devices & webpages fail to load), so I'm looking for ways to reduce its load. I've been removing devices from monitoring which is a little scary to me but support suggested it would reduce the load. Would running a separate local DNS device like pihole take some of the load off my firewalla blue+? (enough to be worthwhile?). I recently switched from simple mode to DHCP mode on the advice of support. My main goal is unsafe website blocking, secondary goals are ad blocking and limiting the kids from too much video games & youtube.