How to run an external pi-hole with Firewalla

Comments

2 comments

  • Fr

    Just wanted to share my experience applying this to Adguard Home. I have a Raspberry Pi 3b+ with the DietPi OS installed and Adguard Home with Unbound. This also works with Pi-hole with Unbound but there are a few extra steps.

    - Created a new network on its own dedicated Firewalla port and plugged in the Pi

    - Created standard rules for this network to Block Traffic from & to All Local Networks and Block Traffic from Internet.

    - In the Firewalla phone app, under the Network Manager settings for each LAN network, set the Primary DNS Server address to the IP of the Pi. I did this for two networks and two VLANs that I wanted to route through the Pi/AdGuard/Unbound.

    It appears the DNS Booster function will intercept the DNS requests, and the Firewalla box will then forward the DNS request to the Pi without having to create any rules to allow DNS traffic between local networks. I did have to create a rule to allow my management machine to access the Pi machine so that I could see the Adguard Home web interface: Allow [IP of Pi]:[port], outbound only. A similar rule is needed to connect with PuTTY.

  • StaN

    I’ve run across some issues when using an external AdGuard Home with Firewalla, so I thought I’d share how to get different features to work on AdGuard Home.

    If you want AdGuard Home to resolve the .lan domain on the same network, add the following in Settings -> DNS settings -> Upstream DNS servers:

    [/lan/]192.168.1.1

    For reverse DNS and resolving client IP Addresses to hostnames, add the following under Private reverse DNS servers:

    192.168.1.1

    Note: It seems that the Firewalla IP address in the DNS settings should be a LAN IP that is outside of the network that the server is in. If my AdGuard Home is in the 192.168.0.1/24 network, then the upstream DNS of 192.168.0.1 doesn’t work, but 192.168.1.1 works. This can be tested with the ‘Test upstreams’ button at the bottom of the Upstream DNS section.

    According to https://help.firewalla.com/hc/en-us/articles/1500002445242 and looking through my query logs, non-existent .lan lookups get forwarded to AdGuard Home, which then forwards them to the upstream servers. This also seems to happen with valid HTTPS queries. To fix this we can add some Custom filtering rules under Filters -> Custom filtering rules.

    If you set the Firewalla as an upstream DNS server, then add the following rule:

    ||*.lan^$client=192.168.1.1,dnsrewrite=NXDOMAIN;;

    Otherwise, you can add the following rule to rewrite all .lan requests:

    ||*.lan^$dnsrewrite=NXDOMAIN;;

    If you have ‘Use private reverse DNS resolvers’ enabled in your DNS settings, then you should set custom filtering rules for reverse DNS lookups on all the LAN IP address ranges that you have set up.

    ||*.168.192.in-addr.arpa^$client=192.168.1.1,dnsrewrite=NXDOMAIN;;

    This regex rule for all Private IP Addresses should also work:

    /.*((1[6-9]\.172)|(2[0-9]\.172)|(3[0-1]\.172)|(168\.192)|(\d*\.10))(\.in-addr\.arpa)/$client=192.168.1.1,dnsrewrite=NXDOMAIN;;

    Without these rules you can experience problems and network slowdowns due to a loop where Firewalla queries AdGuard Home, and AdGuard Home forwards the query to Firewalla.

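The regex rule in the comment above is easy to get wrong, so here is a way to check what it actually matches before trusting it to break the Firewalla/AdGuard Home query loop. This is an added example, not code from the comment or from AdGuard Home: it builds the in-addr.arpa names a resolver would query for a few constructed IPv4 addresses, runs the comment's regex (copied verbatim, without the rule's `/.../` delimiters and `$client`/`dnsrewrite` modifiers) over them with an unanchored search, applies the `$client=192.168.1.1` condition the rule carries, and compares the result against a strict RFC 1918 check. The function names and the sample addresses are mine.

```python
import ipaddress
import re

# Firewalla's LAN address as used in the rule's $client= modifier (from the comment).
FIREWALLA_CLIENT = "192.168.1.1"

# Regex body of the comment's custom filtering rule, copied verbatim.
PRIVATE_PTR_REGEX = re.compile(
    r".*((1[6-9]\.172)|(2[0-9]\.172)|(3[0-1]\.172)|(168\.192)|(\d*\.10))(\.in-addr\.arpa)"
)

# RFC 1918 ranges, used for the strict comparison check (hypothetical helper, not AdGuard code).
RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa name a resolver queries for a PTR lookup of ip."""
    return ipaddress.ip_address(ip).reverse_pointer


def regex_matches(ptr_name: str) -> bool:
    """Does the comment's regex fire on this PTR name? Unanchored search, as regex rules are."""
    return PRIVATE_PTR_REGEX.search(ptr_name) is not None


def is_rfc1918_ptr(ptr_name: str) -> bool:
    """Strict check: parse the PTR name back to an IPv4 address and test RFC 1918 membership."""
    suffix = ".in-addr.arpa"
    if not ptr_name.endswith(suffix):
        return False
    octets = ptr_name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return False
    try:
        addr = ipaddress.IPv4Address(".".join(reversed(octets)))
    except ipaddress.AddressValueError:
        return False
    return any(addr in net for net in RFC1918_NETS)


def should_rewrite(ptr_name: str, client_ip: str) -> bool:
    """Model the full rule: NXDOMAIN only when the query comes from Firewalla and the regex matches."""
    return client_ip == FIREWALLA_CLIENT and regex_matches(ptr_name)


if __name__ == "__main__":
    # Constructed sample addresses: private, public, and two edge cases around 172.16/12.
    for ip in ("192.168.1.50", "10.1.2.3", "172.16.0.1", "172.31.255.255",
               "8.8.8.8", "172.32.0.1", "172.116.4.5"):
        name = reverse_name(ip)
        print(f"{ip:>16} {name:<32} regex={regex_matches(name)!s:<5} "
              f"rfc1918={is_rfc1918_ptr(name)!s:<5} "
              f"rewrite_from_firewalla={should_rewrite(name, FIREWALLA_CLIENT)}")
```

Running it shows the rule does what the comment intends for the three private ranges and leaves public space such as 8.8.8.8 and 172.32.0.1 alone. The 172 alternatives have no boundary before the third octet, so a name like 5.4.116.172.in-addr.arpa (the PTR for 172.116.4.5, public space) also matches; whether that matters depends on whether Firewalla ever asks AdGuard Home for public PTR records, which is why comparing against a strict RFC 1918 check is worthwhile.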
