pfsense+pi-hole setup

I have used pi-hole for a while and love its amazing “just works” factor, but I missed some real DHCP features and some proper packet filtering / blocking features that only a proper firewall can do, so here goes:

I want to use pfsense as my router/firewall but keep using pi-hole as DNS resolver – the adblocking of pfblockNG is just not the same finesse as pi-hole.

Assumption here: Static IP for LAN interfaces of firewall and the pi-hole

pfsense

Standard install, LAN and WAN, source NAT/PAT – so far so good. Now the firewall advertises itself as DNS via DHCP and is fed by upstream DNS. Let’s fix that.

change upstream DNS to pi-hole and disable local DNS

The next step would be to disable the DNS resolver inside the firewall, but I use it for registering reverse DNS records for DHCP leases, which the pi-hole then queries (more about that later) – so let’s leave it on and just enable this (Services > DNS Resolver):

(Caution: Apparently this breaks things when operating the firewall in python mode.)

register DHCP clients in the DNS resolver

Now that we have this set up, we just need to tell our DHCP server to announce not itself but the pi-hole as DNS resolver. This is done here (Services > DHCP Server):

The default is to advertise its own LAN interface, so let’s change that. Why two IP addresses? I found out that some (all?) Android phones add 8.8.8.8 (Google) if you only advertise a single DNS resolver. So that’s that. But more on Google later.

Pi-Hole

pi-hole is surprisingly easy to use and set up; it works out of the box. All there is to do is to set up the upstream DNS servers and the reverse DNS lookup for LAN IPs.

OpenDNS for me. You can also use the “safe” DNS servers – see here
Let the pi-hole know what your local subnet is and what your router (the pfsense) is.

That takes care of one thing: in the “query log” window, you will see not the IP addresses of the clients but their hostnames from DHCP – see the previous chapter.

pi-hole.. is pi-holing

This is where the nice things stop. Until now we have been friendly and allowed our friends at Google and Cloudflare and whatnot to gather our data. With emerging technologies like DNS over TLS, DNS over HTTPS, QUIC and what not, it is important to ask yourself a few questions:

  • what do I want to achieve here?
  • why am I doing this?
  • do I just want ads blocked, or do I want to browse securely / not give away my data to X to do Y?

Here is my take on this: block as many ads as possible while still allowing privacy to exist. DNS over HTTPS allows Firefox to bypass censorship and control by a totalitarian regime.

But Google Chrome can also use UDP to port 443 (QUIC) and tunnel DNS through it, bypassing my DNS server, and then the entire thing was for nothing. (Remember: Google is not your friend; they harvest your data (LOTS of it) for profit. Make it as hard as possible for them, they don’t pay you after all.)

Advanced DNS / Firewall stuff (here be dragons)

https://en.wikipedia.org/wiki/Here_be_dragons

Step 1: redirect all DNS traffic to the firewall.

Anyone trying to bypass the pi-hole’s addresses (manual DNS, hardcoded DNS resolvers – Android, I am talking about you!) will bypass our solution, so let’s redirect those back to the firewall. Sneaky. From the pfsense manual:

Firewall > NAT > Port Forward.

Create a rule for TCP/UDP trying to reach port 53, EXCEPT when the destination is on the LAN, AND the source is NOT the pi-hole itself. Redirect that to the firewall’s IP and disable NAT reflection. (A wonderful application of inverted matches :)

The filter rule will be created automatically.

Step 2: Firewall Rules

It is important to set the rules in the right order. Remember: top to bottom, and once there is a match, filtering stops.

Firewall > Rules > LAN

rules – use logging to verify

So what have I done here?

  • allow the pi-hole to access the internet unfiltered
  • allow all DNS traffic from LAN to the firewall (the rule created by the NAT port forward above)
  • reject all other DNS traffic
  • reject DNS over TLS (port 853)
  • reject DNS over HTTPS to Google and Cloudflare (8.8.8.8, 8.8.4.4, 1.1.1.1, etc…)
  • reject UDP traffic to port 80 or 443 (used by Chrome/QUIC)

see the pfsense manual for more information on blocking external DNS
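As an added example that is not part of the post, here is a small Python model of steps 1 and 2: the port forward rewrites off-LAN DNS to the firewall, the LAN rules are then walked top to bottom with first-match semantics, and a mis-ordered copy of the ruleset shows why the pi-hole allow has to sit above the generic DNS reject. The firewall, pi-hole and client addresses and the kept default allow rule are assumptions.

```python
# Added example (not the post's config): model of steps 1 and 2 with pf
# semantics, NAT redirect first, then first-match filtering. Addresses assumed.
FW = "192.168.1.1"        # pfSense LAN address (assumed)
PIHOLE = "192.168.1.53"   # pi-hole address (assumed)
DOH = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}  # the resolvers named in the post

def pkt(src, dst, dport, proto="udp"):
    """A LAN-originated packet reduced to the fields the rules look at."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}

def redirect_dns(p):
    """Step 1: DNS not aimed at the firewall and not sent by the pi-hole
    itself is rewritten to the firewall's own resolver."""
    if p["dport"] == 53 and p["dst"] != FW and p["src"] != PIHOLE:
        return {**p, "dst": FW}
    return p

# Step 2: (name, match, action) in the order the post lists them, followed by
# the stock "Default allow LAN to any" rule pfSense ships with (assumed kept).
RULES = [
    ("pi-hole to any", lambda p: p["src"] == PIHOLE, "pass"),
    ("LAN DNS to firewall", lambda p: p["dport"] == 53 and p["dst"] == FW, "pass"),
    ("other DNS", lambda p: p["dport"] == 53, "reject"),
    ("DNS over TLS", lambda p: p["dport"] == 853, "reject"),
    ("DoH to Google/Cloudflare", lambda p: p["dport"] == 443 and p["dst"] in DOH, "reject"),
    ("QUIC (UDP 80/443)", lambda p: p["proto"] == "udp" and p["dport"] in (80, 443), "reject"),
    ("default allow LAN to any", lambda p: True, "pass"),
]
# Same rules with the generic DNS reject hoisted above the pi-hole allow: this
# cuts the pi-hole off from its upstream resolvers, so the order is the point.
MISORDERED = [RULES[2], RULES[0], RULES[1]] + RULES[3:]

def filter_packet(p, rules=RULES):
    """Apply the redirect, then walk the rules top to bottom; the first match
    decides and nothing below it is consulted (pfSense 'quick' semantics)."""
    p = redirect_dns(p)
    for name, match, action in rules:
        if match(p):
            return action, name
    return "block", "implicit default deny"

if __name__ == "__main__":
    client = "192.168.1.20"                         # ordinary LAN client (assumed)
    for p in (pkt(PIHOLE, "208.67.222.222", 53),    # pi-hole to OpenDNS
              pkt(client, "8.8.8.8", 53),           # hardcoded Android DNS
              pkt(client, "1.1.1.1", 853, "tcp"),   # DNS over TLS
              pkt(client, "8.8.8.8", 443, "tcp"),   # DNS over HTTPS
              pkt(client, "203.0.113.10", 443)):    # QUIC to some web site
        print(p, "->", filter_packet(p))
    print("misordered:", filter_packet(pkt(PIHOLE, "208.67.222.222", 53), MISORDERED))
```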

So now I have achieved (I think) the best of both worlds: I enjoy near-perfect ad blocking while using a real firewall for my LAN. Sure, pfblockNG is amazing (and I use it for IP blocking!), but its ad blocking is just sub-par.

Step 3: pfblockNG

That one is a little tougher to set up. I used a lot of reddit posts and blogs to get it working, as there are a ton of settings. I ended up using the Tier 1 IP blocklists and the DNS blocklists of BBcan177 (thanks, whoever you are!)

Basically it can make pi-hole redundant, but I am using VMs so… why bother? :)

return to monkey island

At my age I am not often surprised or hyped, but this caught me off guard. Oh so many memories and legendary swordfights. This is definitely one of the things that strongly shaped my character and my life. Also: Grog is bad for you :P

Source: https://grumpygamer.com/rtmi_trailer

Thank you. Ron. You are a legend.
We will celebrate with grog and red herring <3