Usg vlan pihole.

1- Network type: Should I be using Bridge, Host, br0 or Custom? And why? (Please explain what this means.)
• I want to reuse pihole for ad blocking
• I want to use DDNS somewhere to register local clients into a namespace to query machines by FQDN in scripts, etc.

I am wondering now, though, how I can limit the amount of access a specific OVPN client has when connected - currently they can ping everything on the network once a connection is established - I'd like to have different levels of access.

Can the Pihole GUI support VLANs? Yes and no.

Then PiHole is the main DNS server for all my devices (firewall rule to allow from other VLANs), and uses PfSense as its DNS server, and then PfSense has the public DNS (cloudflare) for internet lookups.

Inter-VLAN routing is enabled by default on the USG.

But you should probably change the write interval to the SSD so it doesn't get pounded so hard.

Ubiquiti USG: This guide was developed using a Ubiquiti Cloud Key v2 with UniFi Network v7.

I recently reconfigured my home network with VLANs to separate the different kinds of devices on my network.

Are you using VLANs with docker? And can you tell me what those trainer wheels are? :-)

What I don't quite understand yet: if I have several VLANs, which VLAN does my DNS server get? Currently it's my USG, but if I put the pihole IP as DNS server in the USG settings and pihole is in one of the VLANs, will this work without additional firewall

Depending on the systems you have connecting, you may benefit from appending --reject-with tcp-reset to the command above.

IoT device requiring DNS resolution lives at 10.

(Which is counter to how most routers treat VLANs, so you may want to address that.)

Do a static IP assignment for the Pi's MAC to ensure that it will get a specific IP, rather than some random one from the available pool of that subnet.

I just set up VLANs to segment IoT devices and then deployed pihole.
Did you try to set the VLAN 2-4 DNS to the pihole's IP and then allow traffic to be routed from those VLANs to the pihole's IP in the USG's firewall? I feel like enabling dnsmasq on the USG is overkill.

Currently the VLANs created have FW rules on the USG that work perfectly. As a next step, I'd like to change the DNS server for the USG to be the Pi-Hole.

IoT, which needs access to the internet, but is untrusted by the main LAN.

Not sure exactly what's going wrong for you, but how about simplifying - use the USG for DHCP.

This does work; however, on VLANs, the client…

Sure enough, if you create an empty VLAN and point the destination DNAT traffic to the UDM-Pro interface on this VLAN, the traffic is routed and will be redirected to the UDM-Pro.

In the settings for the network, just tell the USG to specify a DNS server and use the Pi Hole's IP.

Everything is working great, but the only issue is that the piHole is seeing/logging all requests as USG and not the actual client that made the DNS request.

We now use …

Since the Unifi USG handles L3 routing pretty darn efficiently and by default with network and VLAN creation, I am using the SG500 in L2 mode for simplicity.

The guides I find are missing most of these fields.

To get all the DNS traffic from multiple VLANs to Pi-Hole, the VLAN controller will need to bridge port 53 traffic between VLANs.

Everything works and is connected by pointing each VLAN DHCP Name Server to PiHole DNS within the USG.

So my devices tell the PIH their NETBIOS names, which it records for the admin panel instead of just IPs, then ask my PIH; it filters, then asks the gateway, and the gateway just uses Google DNS.

Otherwise you can't be certain what server a client will use (it isn't a failover setup, but uses servers based on response time, and can fluctuate).

Untrusted Wired and Wireless VLAN which is non-routable to the outside world.
I have mine set on the LAN DNS (DHCP name server, manual, and enter the IP of the pi hole) with the pi hole address so the DHCP clients all query that instead of the USG directly.

In Pihole, when defining the Local Network in the Conditional Forwarding section, would I use the /16 CIDR notation that encompasses the entire range of the VLAN-tagged networks I created in the Unifi Controller (even though the "LAN" is really only defined as a smaller /24 network)? (I'm not 100% sure what the implication would be if the Local

Usg (Unifi gateway) DNAT rule for pihole: Hello fellow piholers, I would appreciate your help in setting a proper DNAT rule so I can force all the devices in my network to use the pihole instead of some rogue DNS (I'm looking at you, Android devices!).

The only thing needing to be done is to create a separate PiHole DNS server for each segment to avoid leaking information between the VLANs, but for now my DMZ and Guest VLANs have their own, and the LAN/Gadgets/Kids VLANs share one.

Make sure you set up all your static reservations in PiHole and then turn off the DHCP server in the USG.

I also used separate subnets for each VLAN.

The main reason for this is not only that the kids are getting smarter to be able to adjust settings on their devices to bypass the Pi-Hole

WAN I've set to 8.

It sounds like you have the USG getting DNS from Pi-hole and the clients getting DNS from the USG.

Note Aug 2, 2025 · One solution is to set up the RPI with the Ethernet connected to the LAN and the WIFI connected to the guest WIFI. Then the correct IP address

I believe the USG also implements dnsmasq, which is also a high-performance caching DNS system - setting all clients to use the USG and the USG to forward to pihole will be faster imho.

I also have it configured with DNS-over-HTTPS using cloudflared for extra security and privacy.

I can now see the VLAN traffic count for my VLAN 10 and 20.
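The DNAT rule asked for above (forcing clients with a hard-coded resolver onto the Pi-hole) is the kind of thing a USG only keeps across provisioning if it lives in config.gateway.json. The script below is an added example, not code from the page, from Ubiquiti or from Pi-hole: it generates such a fragment for a list of VLAN interfaces. The Pi-hole address 192.168.10.5, the interfaces eth1.20/eth1.30 and the rule numbers from 5000 are hypothetical, and the EdgeOS field names it emits are an assumption to check against your own gateway before deploying.

```shell
#!/bin/sh
# Added example (not code from the page or from Ubiquiti/Pi-hole): generate a
# config.gateway.json fragment for a Ubiquiti USG that DNATs every outbound DNS
# request on the named VLAN interfaces to a Pi-hole, so clients with a
# hard-coded resolver (e.g. Android devices) still end up at the Pi-hole.
# Assumptions (hypothetical values): Pi-hole at 192.168.10.5, VLAN interfaces
# eth1.20 and eth1.30, NAT rule numbers from 5000. No masquerade (source NAT)
# rule is emitted on purpose: with destination NAT alone the Pi-hole still logs
# the real client address instead of the gateway's.

# usage: dns_dnat_json PIHOLE_IP FIRST_RULE_NO IFACE [IFACE...]
dns_dnat_json() {
  pihole="$1"; n="$2"; shift 2
  [ "$#" -ge 1 ] || { echo "need at least one interface" >&2; return 1; }
  printf '{ "service": { "nat": { "rule": {\n'
  first=1
  for ifc in "$@"; do
    [ "$first" -eq 1 ] || printf ',\n'
    first=0
    printf '  "%s": {\n' "$n"
    printf '    "description": "Redirect DNS on %s to Pi-hole",\n' "$ifc"
    printf '    "type": "destination",\n'
    printf '    "inbound-interface": "%s",\n' "$ifc"
    printf '    "protocol": "tcp_udp",\n'
    printf '    "destination": { "port": "53" },\n'
    # the Pi-hole's own upstream lookups must not be looped back to itself
    printf '    "source": { "address": "!%s" },\n' "$pihole"
    printf '    "inside-address": { "address": "%s", "port": "53" }\n' "$pihole"
    printf '  }'
    n=$((n + 1))
  done
  printf '\n} } } }\n'
}

# Stand-alone run: redirect DNS on the Kids (eth1.20) and IoT (eth1.30) VLANs.
dns_dnat_json 192.168.10.5 5000 eth1.20 eth1.30
```

Validate the output with `python3 -m json.tool` before copying it into the controller's site directory, because a malformed config.gateway.json stops the USG from provisioning. The DNAT only redirects traffic; the VLANs still need the LAN_IN firewall rule that allows them to reach the Pi-hole on port 53, which several replies on this page mention.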
It also means that on every VLAN there is a DNS available within the same subnet.

VLAN 10 is the main household LAN, VLAN 20 is the Kids LAN, VLAN 30 is IoT. Goals: 1) Run all DNS requests, and re-route all hardcoded DNS requests, for VLAN 10 and VLAN 30 through PiHole, and masquerade the responses so the devices with a hardcoded DNS server are none the wiser.

I just connected pihole to a port with switch profile "all" and configured on pihole itself interfaces with VLANs.

Raspberry PI 4: PiHole v5.

I used method 1: "Distribute Pi-hole as DNS server via DHCP."

All you need to do is install the PiHole and point your DNS in your Unifi Config to your PiHole IP address.

Why not make your IoT Network function as a guest network?

Clients can find the unifi host when I use the USG for DNS.

Apr 6, 2020 · Currently the VLANs created have FW rules on the USG that work perfectly.

I'm using br0 for Pi-Hole but I don

How I used a [UniFi Dream Machine](#the-router---unifi-dream-machine), [VLANs to segment IoT](#using-vlans-to-segment-low-trust-devices), [Pi-Hole to block ads](#pi-hole-to-block-ads-and-trackers), [cloudflared for DNS over HTTPS](#cloudflared-for-dns-over-https), and [Cloudflare Gateway to block malware/phishing](#cloudflare-teams-to-block-malicious-sites) to (over) optimize my home network.

For the Guest WiFi, I believe that in addition to the LAN_IN FW rule you'll need to update Guest Control to allow pre-authorization access to the pihole IP.

Hi, can someone with experience with a UniFi USG router and a pi hole walk me through setting it up as my DNS server? I've tried a few times and it's either resulted in the pi hole not functioning (blocking) or no internet. Any help would be awesome. Thanks for the responses, I managed to get it to work now.

However, I have added several additional Networks in the Unifi controller with VLAN tags, effectively making my home network range a /16.
Make it authoritative (if that is a thing with a USG, no idea). And then just specify the pihole IP address as DNS in DHCP settings.

Use the VLAN feature in UniFi to get your trusted SSID to tag traffic to that.

Since firmware version 3.0 on the Unifi UDM/UDM Pro, podman is no longer available, so we had to use another method to create a container.

Good thing is that you don't have to play with

ONLY the Pihole. Power down

For the USG WAN DNS, only use the Pihole.

In my LAN DHCP settings, I have supplied my Pi-hole IP address.

Currently most everything is on the default VLAN 1.

- Unifi Controller / Settings / Network / LAN --> Edit.

The USG primarily is a DNS forwarder, exposing itself by an IP (v4 and v6) address on every VLAN.

My PiHole is on the trusted network and I would like to have all of the devices on the IoT VLAN be able to use it for their DNS resolution.

I was looking for a way to force all DNS queries on my network to be pushed to my Pi-Hole no matter what hardcoded DNS servers were set up on the device.

Following the first method below will have you adding your Pi-hole as a DNS server for all devices on your LAN.

If you use pihole on raspbian/ubuntu, and in most linux distros, it is just a few commands to create tagged interfaces.

That will restrict everything on that VLAN from interacting with other things off the bat.

I have my WAN DNS set to OpenDNS but you can use google etc. since this becomes the default for non-manual networks, and I also have the pihole DNS set up (upstream DNS server custom) to query

I have a guest VLAN for a renter; the PiHole server is running as a docker container on the main (corporate) network.

USG Pro 4 (set to forward DNS requests to PiHole). PiHole is 192.

Where's the best place to put these functions? DHCP from USG?
The VM is primary and gets about 70% of requests under normal circumstances, but the one labeled as secondary in the USG still gets about 30% of the queries even if there is nothing wrong with the primary at all.

Set up DHCP service for the VLAN created in step 1.

Make sure Pihole is set to "Respond only on interface" instead of the default "Allow only local requests," or you'll find your VLANs aren't able to talk to the Internet.

Here's what I've tried: First Attempt - per network DNS

Native will always be available once a VLAN is created (step 1).

If you have devices with static IPs then you will have to change the DNS settings on those devices as well.

My AD servers obviously maintain a DNS for my domain, and forward unresolvable queries to my PiHole.

Set DHCP in the USG to give PiHole as a DNS server to clients, set the USG WAN interface to use Google DNS, and then point the PiHole back to the USG for DNS.

It would be nice to physically see all networks using pihole, but not a deal breaker obviously as it still works for everything except for the guest network for unifi.

Then pihole back out to opendns family.

Expected Behaviour: Unifi DHCP name server set to Pihole's IP address so the USG can hand out the Pihole's DNS.

I have a single firewall DENY rule for all inter-VLAN communication based on RFC1918.

I've given my Pi-Hole a static IP address.

Network: USG>8Port>Pi

I have 2 piholes, a USG and a few local VLANs and I cannot get local DNS resolving to work for local hosts that would normally need me to make a manual record on a local DNS server.

TL;DR The main actions to note are: Set up networks for devices that you require in Unifi. It is also possible to have multiple VLANs.

Then under Guest Control settings for Pre-Auth (which the note icon on hovering says is Pre and Post auth allow access) you can add the IP of the PiHole there.

Again, use the VLAN feature in Unifi for the untrusted VLAN. No special routes needed.
Either option is valid, depending on your specific requirements, but it is

How to Pihole across VLANs: I've been running a full Unifi set up (USG, USW-16-POE, AP PRO) for almost a year now and it's been great. Thanks!

sudo hostnamectl set-hostname homelab-pihole
sudo nano /etc/hosts   # set the 127.0.1.1 localhost entry to homelab-pihole
sudo reboot

Pi-hole Install: Since this Raspberry Pi is dedicated to Pi-hole, I used curl to install after setting the Raspberry Pi to have a static IP address in the UDM controller.

Doesn't using a masquerade rule make all requests in PiHole look like they are coming from your USG?

Additionally, your pihole(s) should be on its own VLAN, so that traffic on the main LAN must traverse to your pihole (else, any device on your LAN with hardcoded DNS will still not play nice and avoid pihole). See this guide which addresses and resolves both the above.

Ok, well at least I know that it isn't something that I did wrong somewhere.

Introduction: Below are the steps needed to set up PiHole with Unifi UDM Pro.

Can I get the VPN clients on their own VLAN and treat the same VLAN as a FW rule to comingle? Do I have to do something 'special' with how the PiHole is set up since all my VLANs have their own name server, which is the PiHole DNS?

If you still get slow load times of HTTPS assets, the above may help.

This will allow you to force network devices to use the native DNS services of the router rather than needing to host a dedicated Pi-Hole on its own VLAN.

Then I pointed the USG to the pihole for DNS; the pihole sits only on one subnet.

Create a separate VLAN for the kids along with a separate SSID attached to that VLAN.

Dec 12, 2023 · Introduction: This guide covers the setup of VLANs and WiFi networks using the Unifi Network Application. It also provides instructions for configuring the firewall to enable devices on any VLAN to utilize the Pi-hole.

Alternative option: On Guest / IoT VLANs, use the router for DNS, and configure WAN DNS to point to pihole.
Feb 6, 2021 · My Unifi Controller (and by extension my USG, I suppose?) handles DHCP and has the "LAN" defined as a /24 network.

pihole has its own static IP address in each VLAN (in my case *.

Hi all, while I understand that in most cases one "Conditional Forwarding" rule is sufficient, there are situations where you'd want more than one entry.

I have run a PiHole in docker on a Linux machine for years and have a USG as my router, and this is how I do it.

However, there is no internet connectivity.

The same applies for the LAN DHCP settings.

It's also an easy switch; set up the PiHole as your DHCP server (PiHole->Settings->DHCP Server).

Thoughts, anyone?

Pi-hole has been working like a charm on my network for years blocking ads.

I have followed this guide - Ubiquiti USG - Pi-hole documentation. I have a couple of questions.

Help setting up Pi-Hole w/ USG: I'm using a USG 3P and have a new Pi-Hole set up, but can't find a good way to get DNS serviced by the Pi-Hole.

Setup: Internet --> FIOS ONT --> FIOS gateway/router --> WAN IN USG PRO4 <--> USG PRO4 <--> USG LAN (Unifi Switches/APs etc.)

I have opened port 53 on the specific IP of the PiHole (via a firewall rule specifying just the VLAN as source) but I do not see any of the VLAN IPs showing up on the PiHole Network dashboard.

The software versions involved are: Unifi UDM Pro: Network v6.

Tried out PiHole for the first time last night, and pointed a couple of devices to use it as a DNS server; things seem to be working well.

This procedure will let you connect the RPI to the LAN Ethernet with a single cable and have IP addresses on the LAN and guest network (VLAN).

Nothing else.
My scenario: I have a USG that's being used as the main gateway (router) at home; I have 3-4 VLANs running on the USG for separating IoT / Camera traffic - I'm also running PiHole as my DNS server (on ESXi) but I still use Unifi for DHCP serving needs since with multiple VLANs I don't see an

Also, if you are doing a pihole on a raspberry pi, the Unifi controller also runs well on a 3B+. Thank you.

The guest network doesn't play nice with pihole or anything else sitting outside of its network.

Seems to be working great as I can get individual statistics from the PiHole, and all clients can reach other clients using names instead of IP addresses.

This will be handed out to all devices now on my LAN and they will send DNS requests to Pi-hole, which will then reach out to an upstream DNS server.

Ensure the networks have no content filtering in Unifi.

as well as a destination rule for 53 to the pi hole, which I was already seeing.

Great work, many thanks.

In the "Upstream DNS Servers" section above you can enter multiple servers; it would be nice to have multiple "Conditional Forwarding" entries as well.

The interface is MUCH better when it comes to managing leases, static IPs and hostnames.

There's my primary/private LAN with the network gear, servers, and

Lastly, if I set the name server as the pi-hole for the VLAN and connect via ethernet to this VLAN, it does state that the DNS server is the pi-hole.

LAN: I've set the DHCP Server to PiHole. PIH: I've set upstream DNS to the USG, and conditional forwarding to the USG.

Trusted Wired and Wireless LAN gets tagged to a common VLAN id.

Just go to each VLAN and set your Pihole IP as the DNS (under Manual DHCP).

Following the second method below will have DNS queries route through your USG and then to your Pi-hole.
I wanted to use PiHole for DNS but have it loop back to the USG to retain the factory preset set-inform address of unifi:8080/inform.

I have Pihole set up as a VM with a static IP.

The primary forwarding servers for my USG are my two AD servers.

IPv6 iptables: If your server is reachable via IPv6, you'll need to run the same commands but using ip6tables:

I have the USG 4 Pro and 2 pi-holes set up on my network as well (1 VM, 1 Pi 3B+) and they both definitely will get requests.

I made a couple of adjustments to my own set based on your NAT rules.

Hi everyone, I'm running circles trying to figure out a solution; thought I would post here.

The main issue with this, however, is VLAN support.

- Enable DHCP server and provide DHCP name server manual with the IPs of your PiHoles and your USG IP as secondary DNS, or tertiary if you are using 2 PiHoles.

Client > USG > Pi Hole > USG > WAN

I'm trying to avoid setting static DNS entries on each client, because I have a bunch and don't want to deal with maintaining them all.

Pi-hole has a great guide to setting up DoH.

The GUI cannot display the separate activity on individual VLANs - it will show all traffic received by Pi-Hole regardless of the source of the activity.

My USG is the DHCP server, and I would like it to stay this way, but it lists the PiHole IP address under every VLAN as the DNS server, which I can confirm is properly picked up by clients.

Thus, the USG proxies everything and points directly to Pi-hole, caching the results itself.

I have two networks set up - IoT Devices (10.

I set the VLANs to point to my USG for DNS, which is the gateway IP for each subnet.

As I run unbound on both Pi-holes, can I use this in my edge router:

ssh <ADMIN_USER>@<EDGEROUTER_IP>
$ configure
$ set service dhcp

I've got a USG that is using my raspberryPi with Pihole client as its DNS.
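Two separate remarks above concern the Pi-hole host itself rather than the gateway: that on raspbian/ubuntu it is only a few commands to create tagged interfaces so the Pi-hole has a leg in each VLAN, and that the port-53 iptables rules (with --reject-with tcp-reset where it helps) need an ip6tables twin when the host is reachable over IPv6. The script below is an added example that is not code from the page, from Pi-hole or from any poster; it covers both points. The parent interface eth0, the VLAN ids 20/30, and every address and prefix in it are hypothetical, and the functions only print commands so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Added example (not code from the page): prepare a Linux Pi-hole host to serve
# several VLANs. vlan_iface_cmds emits the iproute2 commands for one 802.1Q
# tagged sub-interface; dns_firewall_cmds emits iptables/ip6tables rules that
# accept DNS only from the given VLAN subnets and reject everything else.
# Every interface name, VLAN id, address and prefix is a hypothetical example.
# Nothing is applied: pipe the output to "sudo sh" once it looks right.

# usage: vlan_iface_cmds PARENT VLAN_ID CIDR  -> prints ip(8) commands
vlan_iface_cmds() {
  parent="$1"; vid="$2"; cidr="$3"
  # 802.1Q VLAN ids are 1..4094; refuse anything else before printing commands
  case "$vid" in
    ''|*[!0-9]*) echo "bad VLAN id: $vid" >&2; return 1 ;;
  esac
  if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
    echo "bad VLAN id: $vid" >&2; return 1
  fi
  ifc="$parent.$vid"
  printf 'ip link add link %s name %s type vlan id %s\n' "$parent" "$ifc" "$vid"
  printf 'ip addr add %s dev %s\n' "$cidr" "$ifc"
  printf 'ip link set dev %s up\n' "$ifc"
}

# usage: dns_firewall_cmds FAMILY SUBNET [SUBNET...]   (FAMILY is 4 or 6)
dns_firewall_cmds() {
  fam="$1"; shift
  case "$fam" in
    4) ipt=iptables ;;
    6) ipt=ip6tables ;;   # identical rules, IPv6 rule set
    *) echo "family must be 4 or 6" >&2; return 1 ;;
  esac
  for net in "$@"; do
    for proto in udp tcp; do
      printf '%s -A INPUT -s %s -p %s --dport 53 -j ACCEPT\n' "$ipt" "$net" "$proto"
    done
  done
  # Anything else reaching port 53 is refused. A TCP RST makes the client fail
  # fast; a silently dropped packet leaves some stub resolvers hanging until
  # they time out.
  printf '%s -A INPUT -p udp --dport 53 -j REJECT\n' "$ipt"
  printf '%s -A INPUT -p tcp --dport 53 -j REJECT --reject-with tcp-reset\n' "$ipt"
}

# Stand-alone run: one tagged interface per VLAN, then the matching rules for
# both address families (the untagged eth0 subnet 192.168.10.0/24 is included).
vlan_iface_cmds eth0 20 192.168.20.5/24
vlan_iface_cmds eth0 30 192.168.30.5/24
dns_firewall_cmds 4 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24
dns_firewall_cmds 6 fd00:10::/64 fd00:20::/64 fd00:30::/64
```

The ip commands do not survive a reboot; persist them with whatever your distribution uses (for example a dhcpcd or netplan stanza), and make the interfaces exist before pihole-FTL starts, since the interface-listening setting mentioned elsewhere on this page binds to them by name. Rules added with -A land at the end of INPUT, so an earlier blanket ACCEPT rule would still win.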
I recently got a couple of Raspberry Pi 4s set up with Pihole running as primary and secondary DNS servers on the same primary VLAN as the rest of the network gear and most of my devices.

After a little research, I came across a couple of blog posts that pointed me in the right direction.

Believe it or not, I did spend 4 hours googling this and there are no updated guides on setting this up.