Can Pi-Hole be installed on Firewalla Gold running in router mode?

Comments

23 comments

  • Avatar
    Firewalla

    Pi-hole needs to be installed in a docker container when in router mode for the Gold.   The out of the box configuration for pi-hole docker may not work, our engineers are working on a solution now.  The problem is the firewalla firewall's are pretty sensitive to the new docker network ... 

    Should have a fuller installation guide in a couple of weeks. 

    1
    Comment actions Permalink
  • Avatar
    Firewalla

    Not yet.  To manipulate the docker network needs a new release.  So once 1.971 enters beta (in a week or two from this message), we should be able to build a how-to-guide.

    Sorry about the wait

    1
    Comment actions Permalink
  • Avatar
    Charles Morris

    Awesome, looking forward to the guide.

    0
    Comment actions Permalink
  • Avatar
    Alexander Kl.

    is there any new information for installing pi hole?

    0
    Comment actions Permalink
  • Avatar
    Chris Hewitt

    After extensive effort we gave up on trying to install PiHole through the default installation approach on our Gold. We broke some firewall rules in some really cool ways! Trashed the available free drive space too!

    Best part is, after all the work, even if we would have been successful, remember that the Gold resets to a default known configuration on reboot (this is great for folks like us who can’t have nice things because we constantly break them).

    Hey, Melvin, wanna try the docker solution on our Gold? We’ve got 512GB of free SATA SSD disk space (remember)? First get it working then figure out how to optimize it.

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    @chris join the early access program https://help.firewalla.com/hc/en-us/community/posts/360046872134-Early-Access-Onboarding

    When 1.971 release, we will likely write up quick instructions for pi-hole on the Gold.  1.971 also has a hook that will allow you to trigger anything after reboot, so it will give your gold some memory between reboots. 

    0
    Comment actions Permalink
  • Avatar
    Danny Natale

    @Firewalla Does the Gold work with a Pi-Hole when the Gold is in router mode?  My Pi no longer blocks ads, I have it set up on a separate device.  I can telnet on 53 to the Pi, but I am wondering if something is blocking or dropping requests. 

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    @Danny, we just add the reasons here https://help.firewalla.com/hc/en-us/articles/360051284214-Firewalla-Gold-FAQ-and-Known-Issues

    ```

    If client DNS is set to pihole's IP address

    Since client and pihole are in the same network, the DNS traffic is directly sent to the pihole and will not go through layer 3 (IP layer) of Gold. Therefore, DNS interception on Gold will not take effect and DNS-based features will not work.

    If client DNS is set to Gold's LAN IP

    DNS traffic from the client will first be sent to Gold. All kinds of DNS-based features will work and if DNS cache is not hit on Gold, it will be further forwarded to pi-hole in the local network for resolution.

    Here is an alternative way to make domain block work with pihole in the network:

    1. Create another local network segment on Gold

    2. Move the pihole to the newly created network

    3. Change the DNS server in the old network's DHCP options to the new IP address of pihole

    This way, all DNS traffic from other devices to pihole will go through Gold and DNS-based features will work properly.

    ```

    0
    Comment actions Permalink
  • Avatar
    Joel Zimmerle

    Can confirm this works as well. Put pi on another lan (port) or even vlan, then point a LAN or VLAN's Primary DNS to the IP of the pi. Then create a rule that certain devices or vlan's can't access the pi unless you want all DNS to be sent there then there's no need for that rule. 

    0
    Comment actions Permalink
  • Avatar
    Danny Natale

    I can't get to the pi-hole from my clients, no matter what I try.  I think the Firewalla is injecting  DNS somehow and bypassing the pi-hole, because even when I set the LAN segments to the Pi, the DNS resolves without going through the pi.  I even tried setting my clients to static IPs to a bogus DNS that does not exist, it resolves. 

    I know my pi-hole works because it will dig correctly from the server. 

    This is from one of my clients:  The server 192.168.1.1 does not exist on my network, yet google resolves.  I've rebooted and flushed any cache.

    ; <<>> DiG 9.10.6 <<>> www.google.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48151
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;www.google.com. IN A

    ;; ANSWER SECTION:
    www.google.com. 139 IN A 172.217.3.68

    ;; Query time: 33 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Sat Sep 05 10:00:53 EDT 2020
    ;; MSG SIZE rcvd: 59

    0
    Comment actions Permalink
  • Avatar
    Joel Zimmerle

    What version of the app are you running?

     

    0
    Comment actions Permalink
  • Avatar
    Danny Natale

    I am on 1.970

     

    0
    Comment actions Permalink
  • Avatar
    Danny Natale

    beta program

    0
    Comment actions Permalink
  • Avatar
    Joel Zimmerle

    Are you on beta app 1.40? That's the only way I could get my vlans primary dns to point to my pi. Didn't work with the production release app. 

    0
    Comment actions Permalink
  • Avatar
    Danny Natale

    Here is the dig from the pi-hole - resolves back to 0.0.0.0 as expected.  I just cant get my clients to hit it.

     

    dig flurry.com

    ; <<>> DiG 9.16.1-Ubuntu <<>> flurry.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48132
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;flurry.com. IN A

    ;; ANSWER SECTION:
    flurry.com. 2 IN A 0.0.0.0

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.53#53(127.0.0.53)
    ;; WHEN: Sat Sep 05 10:32:34 EDT 2020
    ;; MSG SIZE rcvd: 44

     

    0
    Comment actions Permalink
  • Avatar
    Danny Natale

    Interesting and no, I will update my app version (1.37) to 1.40.

    0
    Comment actions Permalink
  • Avatar
    Joel Zimmerle

    You don't have to point your clients to the pi, just download testflight and ask Firewalla to send you an invite for the beta app. Then set your pi to have a static IP, and point your lan or vlan primary dns to the IP of the pi and it should work. 

    0
    Comment actions Permalink
  • Avatar
    Danny Natale

    Okay, that is how I had it set up.  I did see even in 1.37 you can add a DNS entry to another LAN/VLAN of the Pi (which I did) but maybe it's just ignoring that or something.  I'll ask for an update because my testflight only shows 1.39.

    0
    Comment actions Permalink
  • Avatar
    Joel Zimmerle

    Yeah I couldn't get it to work in 1.39. I think it's an app side bug. In 1.40 Primary DNS setting for lan/vlan works for fine me. 

    0
    Comment actions Permalink
  • Avatar
    Danny Natale

    Thanks Joel.  Do I put in a ticket with them to request 1.40?

    0
    Comment actions Permalink
  • Avatar
    Joel Zimmerle

    Yeah that should work. 

    0
    Comment actions Permalink
  • Avatar
    Danny Natale

    I figured it out.  I had to go in and set a port forward rule in the Firewalla app on 53 to the pi-hole. 

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Here are the (beta) instructions for pi-hole on the gold.   The part regarding persisting the configuration is pending 1.971 early access release (which should be soon) 

    https://help.firewalla.com/hc/en-us/articles/360051625034

     

    0
    Comment actions Permalink

Please sign in to leave a comment.