Can Pi-Hole be installed on Firewalla Gold running in router mode?

Comments

23 comments

  • Firewalla

    Pi-hole needs to be installed in a docker container when in router mode for the Gold. The out-of-the-box configuration for the pi-hole docker may not work; our engineers are working on a solution now. The problem is the Firewalla firewalls are pretty sensitive to the new docker network ... 

    Should have a fuller installation guide in a couple of weeks. 

    1
  • Charles Morris

    Awesome, looking forward to the guide.

    0
  • Alexander Kl.

    Is there any new information for installing Pi-hole?

    0
  • Firewalla

    Not yet. Manipulating the docker network needs a new release. So once 1.971 enters beta (in a week or two from this message), we should be able to build a how-to guide.

    Sorry about the wait.

    1
  • Chris Hewitt

    After extensive effort we gave up on trying to install PiHole through the default installation approach on our Gold. We broke some firewall rules in some really cool ways! Trashed the available free drive space too!

    Best part is, after all the work, even if we would have been successful, remember that the Gold resets to a default known configuration on reboot (this is great for folks like us who can’t have nice things because we constantly break them).

    Hey, Melvin, wanna try the docker solution on our Gold? We’ve got 512GB of free SATA SSD disk space (remember)? First get it working then figure out how to optimize it.

    0
  • Firewalla

    @chris, join the early access program: https://help.firewalla.com/hc/en-us/community/posts/360046872134-Early-Access-Onboarding

    When 1.971 releases, we will likely write up quick instructions for pi-hole on the Gold. 1.971 also has a hook that will allow you to trigger anything after reboot, so it will give your Gold some memory between reboots. 

    0
  • Danny Natale

    @Firewalla Does the Gold work with a Pi-hole when the Gold is in router mode? My Pi no longer blocks ads; I have it set up on a separate device. I can telnet on 53 to the Pi, but I am wondering if something is blocking or dropping requests. 

    0
  • Firewalla

    @Danny, we just added the reasons here: https://help.firewalla.com/hc/en-us/articles/360051284214-Firewalla-Gold-FAQ-and-Known-Issues

    ```

    If client DNS is set to pihole's IP address

    Since client and pihole are in the same network, the DNS traffic is directly sent to the pihole and will not go through layer 3 (IP layer) of Gold. Therefore, DNS interception on Gold will not take effect and DNS-based features will not work.

    If client DNS is set to Gold's LAN IP

    DNS traffic from the client will first be sent to Gold. All kinds of DNS-based features will work and if DNS cache is not hit on Gold, it will be further forwarded to pi-hole in the local network for resolution.

    Here is an alternative way to make domain block work with pihole in the network:

    1. Create another local network segment on Gold

    2. Move the pihole to the newly created network

    3. Change the DNS server in the old network's DHCP options to the new IP address of pihole

    This way, all DNS traffic from other devices to pihole will go through Gold and DNS-based features will work properly.

    ```

    0
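    The three placements described in the quoted FAQ (resolver in the client's own segment, resolver set to the Gold's LAN IP, resolver moved to a second segment) can be modelled as a simple lookup against the client's subnet. The following is an added example, not code from the thread or from Firewalla; the `Segment` class, the addresses in `example_segments()` and the function names are constructed for illustration, and it assumes the Gold is the gateway and DNS forwarder on every segment it serves:

```python
import ipaddress
from dataclasses import dataclass


# Hypothetical topology model: each LAN segment the Gold serves, with the
# Gold's own address on that segment (its gateway / DNS forwarder IP).
@dataclass(frozen=True)
class Segment:
    network: ipaddress.IPv4Network
    gold_ip: ipaddress.IPv4Address


def example_segments():
    """Constructed example: the original LAN plus a second segment for the Pi-hole."""
    return [
        Segment(ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_address("10.0.1.1")),
        Segment(ipaddress.ip_network("10.0.2.0/24"), ipaddress.ip_address("10.0.2.1")),
    ]


def dns_path(client_ip, dns_server_ip, segments):
    """Classify how DNS queries from client_ip reach dns_server_ip.

    Returns one of:
      "via-gold"            - client asks the Gold itself; the Gold applies its
                              DNS-based features and forwards cache misses upstream
      "same-segment-bypass" - the resolver sits in the client's own segment, so
                              the query is switched at layer 2 and the Gold's
                              IP layer never sees it
      "routed-through-gold" - the resolver is in another segment, so the query
                              must be routed by the Gold and interception works
    """
    client = ipaddress.ip_address(client_ip)
    resolver = ipaddress.ip_address(dns_server_ip)
    client_segment = next((s for s in segments if client in s.network), None)
    if client_segment is None:
        raise ValueError(f"{client_ip} is not in any known segment")
    if resolver == client_segment.gold_ip:
        return "via-gold"
    if resolver in client_segment.network:
        return "same-segment-bypass"
    return "routed-through-gold"


def gold_sees_dns(client_ip, dns_server_ip, segments):
    """True when the Gold's DNS-based features can act on this client's queries."""
    return dns_path(client_ip, dns_server_ip, segments) != "same-segment-bypass"


if __name__ == "__main__":
    segs = example_segments()
    for resolver in ("10.0.1.10", "10.0.1.1", "10.0.2.10"):
        print(resolver, "->", dns_path("10.0.1.50", resolver, segs))
```

    The decisive check is the second one: a resolver inside the client's own subnet is reached by MAC address through the switch, so no firewall sitting at the subnet's gateway can see, filter or redirect those queries. Moving the Pi-hole to its own segment forces every query to cross the gateway, which is the whole point of step 2 in the FAQ.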
  • Joel Zimmerle

    Can confirm this works as well. Put the pi on another LAN (port) or even a VLAN, then point a LAN's or VLAN's Primary DNS to the IP of the pi. Then create a rule so that certain devices or VLANs can't access the pi; if you want all DNS to be sent there, there's no need for that rule. 

    0
  • Danny Natale

    I can't get to the pi-hole from my clients, no matter what I try. I think the Firewalla is injecting DNS somehow and bypassing the pi-hole, because even when I set the LAN segments to the Pi, the DNS resolves without going through the pi. I even tried setting my clients to static IPs with a bogus DNS that does not exist, and it still resolves. 

    I know my pi-hole works because it will dig correctly from the server. 

    This is from one of my clients. The server 192.168.1.1 does not exist on my network, yet google resolves. I've rebooted and flushed any cache.

    ; <<>> DiG 9.10.6 <<>> www.google.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48151
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;www.google.com. IN A

    ;; ANSWER SECTION:
    www.google.com. 139 IN A 172.217.3.68

    ;; Query time: 33 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Sat Sep 05 10:00:53 EDT 2020
    ;; MSG SIZE rcvd: 59

    0
  • Joel Zimmerle

    What version of the app are you running?


    0
  • Danny Natale

    I am on 1.970.


    0
  • Danny Natale

    Beta program.

    0
  • Joel Zimmerle

    Are you on beta app 1.40? That's the only way I could get my VLANs' primary DNS to point to my pi. It didn't work with the production release app. 

    0
  • Danny Natale

    Here is the dig from the pi-hole; it resolves back to 0.0.0.0 as expected. I just can't get my clients to hit it.

    dig flurry.com

    ; <<>> DiG 9.16.1-Ubuntu <<>> flurry.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48132
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;flurry.com. IN A

    ;; ANSWER SECTION:
    flurry.com. 2 IN A 0.0.0.0

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.53#53(127.0.0.53)
    ;; WHEN: Sat Sep 05 10:32:34 EDT 2020
    ;; MSG SIZE rcvd: 44


    0
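    The two dig transcripts above already contain the two facts needed to diagnose this kind of problem: which server actually answered (the `;; SERVER:` line) and whether a domain the Pi-hole should block came back as `0.0.0.0`. The parser below is an added example, not code from the thread; it works on dig's standard text output, and the `SAMPLE_CLIENT` / `SAMPLE_PIHOLE` strings are constructed samples modelled on the transcripts posted here (hypothetical names and addresses), so the check runs offline:

```python
import re
import subprocess

# Constructed sample: a client whose query was answered by the gateway (10.0.1.1)
# rather than by the Pi-hole it was supposed to use.
SAMPLE_CLIENT = """\
; <<>> DiG 9.10.6 <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.example.com. IN A

;; ANSWER SECTION:
www.example.com. 139 IN A 93.184.216.34

;; Query time: 33 msec
;; SERVER: 10.0.1.1#53(10.0.1.1)
;; MSG SIZE rcvd: 59
"""

# Constructed sample: a blocked domain resolved on the Pi-hole itself.
SAMPLE_PIHOLE = """\
; <<>> DiG 9.16.1-Ubuntu <<>> ads.example.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ads.example.net. IN A

;; ANSWER SECTION:
ads.example.net. 2 IN A 0.0.0.0

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; MSG SIZE rcvd: 44
"""


def parse_dig(text):
    """Extract status, answering server and answer records from dig's text output."""
    result = {"status": None, "server": None, "port": None, "answers": []}
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            result["status"] = m.group(1) if m else None
        elif line.startswith(";; SERVER:"):
            m = re.search(r";; SERVER: ([^#\s]+)#(\d+)", line)
            if m:
                result["server"], result["port"] = m.group(1), int(m.group(2))
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            if not line.strip() or line.startswith(";"):
                in_answer = False          # blank line or next section ends the answers
                continue
            parts = line.split()           # name  ttl  class  type  data
            if len(parts) >= 5:
                result["answers"].append(
                    {"name": parts[0], "ttl": int(parts[1]), "type": parts[3], "data": parts[4]}
                )
    return result


def check_dns_path(dig_text, expected_server, blocked_sentinel="0.0.0.0"):
    """Decide whether a client's query really went to the resolver it should use,
    and whether the answer looks like a Pi-hole block (all A records == sentinel)."""
    parsed = parse_dig(dig_text)
    a_records = [a["data"] for a in parsed["answers"] if a["type"] == "A"]
    return {
        "status": parsed["status"],
        "server": parsed["server"],
        "answered_by_expected": parsed["server"] == expected_server,
        "blocked": bool(a_records) and all(ip == blocked_sentinel for ip in a_records),
        "a_records": a_records,
    }


def dig_live(name, server=None):
    """Run the real dig binary (hypothetical helper; requires dig on PATH)."""
    cmd = ["dig", name] + ([f"@{server}"] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(check_dns_path(SAMPLE_CLIENT, expected_server="10.0.1.10"))
    print(check_dns_path(SAMPLE_PIHOLE, expected_server="127.0.0.53"))
```

    Running `check_dns_path(dig_live("ads.example.net"), "<pi-hole IP>")` on a client gives a quick yes/no for both questions at once: `answered_by_expected` false means the query never reached the Pi-hole (exactly the symptom in the transcript above, where an address that is not even on the network answered), and `blocked` false while the Pi-hole itself returns `0.0.0.0` means something in the path is answering before the Pi-hole does.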
  • Danny Natale

    Interesting, and no, I will update my app version (1.37) to 1.40.

    0
  • Joel Zimmerle

    You don't have to point your clients to the pi; just download TestFlight and ask Firewalla to send you an invite for the beta app. Then set your pi to have a static IP, point your LAN or VLAN primary DNS to the IP of the pi, and it should work. 

    0
  • Danny Natale

    Okay, that is how I had it set up. I did see that even in 1.37 you can add a DNS entry to another LAN/VLAN for the Pi (which I did), but maybe it's just ignoring that or something. I'll ask for an update because my TestFlight only shows 1.39.

    0
  • Joel Zimmerle

    Yeah, I couldn't get it to work in 1.39. I think it's an app-side bug. In 1.40 the Primary DNS setting for LAN/VLAN works fine for me. 

    0
  • Danny Natale

    Thanks Joel. Do I put in a ticket with them to request 1.40?

    0
  • Joel Zimmerle

    Yeah, that should work. 

    0
  • Danny Natale

    I figured it out. I had to go in and set a port forward rule in the Firewalla app on 53 to the pi-hole. 

    0
  • Firewalla

    Here are the (beta) instructions for pi-hole on the Gold. The part regarding persisting the configuration is pending the 1.971 early access release (which should be soon). 

    https://help.firewalla.com/hc/en-us/articles/360051625034


    0