Pi-Hole question
I think I've read almost every post on here on using Pi-hole, but I have a couple of questions. I have been playing around with installing on another device and I've installed it directly on the Gold (Router mode). By the way, not running at the same time, two different configs. Both worked with slightly different results in terms of client identification, as expected on the Gold config. But I also got slightly different results in terms of how much was blocked; it seemed that the extra device configuration was way, way more successful in blocking advertisements, including in-game video advertisements. Not sure if this is expected or not. So to my questions:
1. What does the community think is better, if any: Pi-hole on the router or on another device? Would you just leave the router for what it's built for?
2. Do you have to turn off DNS over HTTPS? I seemed to go round in circles with answers on that question.
3. If you do have it on a separate device, would you put it on a separate LAN or not?
Thanks
-
1. For DNS queries, placing Pi-hole inside the box will save you one round-trip delay for the first DNS query (likely 1 to 3 ms + your Pi-hole lookup speed). The second query will likely be cached by the OS, Firewalla, or something else. In general, it is hard to feel this, but ... some do.
2. DNS over HTTPS should NOT be turned on on Firewalla if you have Pi-hole as the DNS server. Anything sent to DoH will be encrypted; Pi-hole can't see any of it. Here, what you want to do is leave DoH off on Firewalla and see if DoH is supported on the Pi-hole.
3. If you have a separate device, you should put it in a different segment. See the end of this on why: https://help.firewalla.com/hc/en-us/articles/360051284214-Firewalla-Gold-FAQ-and-Known-Issues
-
I loaded Pi-Hole on my Gold but with multiple segments it really just didn't work out for me, so that entire experiment only lasted a few hours. Basically what I ran smack dab into is what is mentioned by Firewalla above in points 2 and 3.
Here's what I did instead:
- I left DoH on globally, as I am not willing to trade off DoH for Pi-Hole, especially with things like Oblivious DoH emerging (and guessing Firewalla will be all over it here soon enough).
- Firewalla Ad Block is also on globally, so I'm sure it's doing something. :-)
- As noted in the above point 3, I moved Pi-Hole over to my Synology NAS (running Docker there as well). I found this to be cleaner and overall easier than running it on my Gold. The NAS is on the same segment as all my hard-wired user devices, so they just go direct to that local DNS. The secondary client DNS, should the Pi-Hole fail for some reason, is set to the router itself. Likewise, the router is the upstream DNS server for the Pi-Hole, so that it will benefit from the caching there as well as DoH upstream to Cloudflare.
- I have another segment for WiFi clients, as they are the ones that move in and out of the house anyway. This is important to me in the context of Pi-Hole because it means I still have to protect myself when I roam. So they have to be configured to block all the trackers and ads when Pi-Hole isn't around. Basically Safari, Firefox, DuckDuckGo, and Tor browsers in use and locked down rather tightly to block all the trackers (various plug-ins and extensions in use, like DuckDuckGo Privacy Essentials, EFF's Privacy Badger, and Cookie AutoDelete).
Anyway, the point is that security and privacy are still, as always, a layered approach, and Pi-Hole, while nice to have, is only used where it fits and doesn't cause me to have to disable other security/privacy layers.
I also find being as far removed from Google and Facebook as one possibly can helps immeasurably. :-)
-
Hi,
I have not made any modifications to FWG and have PiHole running on a RockPi S. I anyway have a RockPi S, RPi and a NUC lying around the home.
Rock Pi S is connected to port 2 on a separate LAN segment 192.168.2.0/24.
The rest of my devices are spread across multiple VLANs. All of them have the RockPi as their DNS server. I have Family Protect and DoH off on the FWG and have enabled DoH on PiHole using cloudflared.
Everything works as it should.
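Both of the setups above (Pi-hole as primary client DNS with the router as fallback, and Pi-hole on its own segment with every VLAN pointed at it) share the same failure mode the Firewalla reply warns about: if a client, or the router's DoH, answers queries some other way, the Pi-hole silently stops seeing them. The script below is an added example, not code from the thread or from Pi-hole, that sends a raw DNS query to each resolver you list and reports whether that resolver sinkholes a name (Pi-hole answers blocked names with 0.0.0.0 or NXDOMAIN, depending on its blocking mode) or resolves it normally. It uses only the Python standard library; the resolver addresses and the name `ads.example` are hypothetical placeholders to replace with your own Pi-hole, router and a name from your blocklist.

```python
"""Check which resolvers answer a query and whether they sinkhole a name.

Added example (not from the thread): a minimal DNS-over-UDP client using
only the standard library. Run it from a client on each segment to confirm
the Pi-hole is the resolver actually being used and that it blocks, and
that the router fallback still resolves when the Pi-hole is down.
"""
import socket
import struct

# Addresses Pi-hole returns for blocked names in its default blocking mode.
BLOCK_SENTINELS = {"0.0.0.0", "::"}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive A query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes) -> dict:
    """Extract txid, rcode and any A-record addresses from a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:  # A record, IN class
            addresses.append(socket.inet_ntoa(rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "addresses": addresses}


def classify(result: dict) -> str:
    """Label a parsed response as blocked, resolved, or an error."""
    if result["rcode"] == 3:  # NXDOMAIN: Pi-hole's NXDOMAIN blocking mode
        return "blocked (NXDOMAIN)"
    if result["rcode"] != 0:
        return f"error (rcode {result['rcode']})"
    if result["addresses"] and all(a in BLOCK_SENTINELS for a in result["addresses"]):
        return "blocked (sinkhole)"
    if result["addresses"]:
        return "resolved"
    return "no answer"


def query_resolver(resolver: str, name: str, timeout: float = 2.0) -> str:
    """Send one UDP query to `resolver` on port 53 and classify the answer."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (resolver, 53))
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError) as exc:
            return f"unreachable ({exc})"
    result = parse_response(data)
    if result["txid"] != txid:  # reply for a different query; do not trust it
        return "mismatched txid (ignored)"
    return classify(result)


if __name__ == "__main__":
    # Hypothetical addresses standing in for the Pi-hole and the router fallback.
    RESOLVERS = {"pi-hole": "192.168.2.10", "router": "192.168.2.1"}
    # Hypothetical names: one you expect on the blocklist, one you do not.
    for label, addr in RESOLVERS.items():
        for name in ("ads.example", "example.com"):
            print(f"{label:8} {addr:15} {name:20} {query_resolver(addr, name)}")
```

If the "pi-hole" row reports `blocked` for the listed name and the "router" row reports `resolved` for the same name, the two resolvers are behaving as the posters describe: blocking happens only while the Pi-hole is reachable, and the fallback trades blocking for availability. A client whose configured resolver is the Pi-hole but which still loads ads is usually using DoH in the browser or OS, which this query never touches, as the Firewalla reply notes.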