Networking

pfSense, Pi-hole, and VLANs

Do you have pfSense, Pi-hole, and VLANs? Are you having trouble getting them to work together? So did I. This article is about how I got them to play together. Read on!

pfSense, an excellent router

A brief background…

I’ve been using pfSense for a couple of years for my home router solution. I’ve found the software to be very robust and very powerful. That can be daunting, but once you get in there it is very easy to navigate around and use.

At first I used an old PC to run pfSense, but that first generation i3 was an energy hog. I decided to buy the pfSense box SG-3100 from Netgate. It was a good blend of power and affordability. I don’t have a massive home network, but I knew that it would handle any upgrades I would add in the future.

Why do I need pfSense and Pi-hole and VLANs?

After my wife started her home business, I decided to offer free wi-fi for her customers. While I was at it, I figured my boys would appreciate having a network their friends could use while they visited. At the time I had an Asus router that I converted to an access point, but it lacked the enterprise features I needed to make this work.

Here is when Ubiquiti enters into the mix. After doing a lot of research, I decided that their UniFi AC PRO line would do everything I needed. I picked up two of the AP AC PRO units and installed them for maximum coverage. As my home is already completely wired for Ethernet, I opted to use PoE to supply both power and network connectivity.

I found setting up VLANs to be a snap in both pfSense and UniFi. There are plenty of excellent guides for doing that, so I won’t bother to put in my two cents. But if anyone wants to know how I did it, just let me know and I can write it up.

Pi-hole stops ads dead in their tracks
Pi-hole, where ads reach a dead end

Pi-hole to the rescue

In the last six months I discovered Pi-hole. It’s a great piece of software that does a much needed job. It blocks ads and pretty much any other website you want from being requested by apps, IoT devices, browsers, etc. Throwing it into the network was pretty easy, but I just couldn’t get it working with VLANs unless I set up the DNS server settings under pfSense -> System -> General Settings. While that worked, there was no way to see what each host was requesting. It only showed the router making every request. And if I entered the Pi-hole as the DNS server in pfSense -> Services -> DNS Server, my main LAN worked great but then none of the VLANs could connect to the internet.

I did a fair share of internet sleuthing, and tried a few solutions, but none of them worked for me. I cobbled together a bunch of different solutions together to get my setup working. So, to help others out, here are my settings for Pi-hole and pfSense. I am not listing how I configured the VLANs in pfSense or in UniFi, or how I configured my switch for VLANs. The only thing I’ll note here is that your Pi-hole needs to be on a network switch port that has all VLANs enabled. In my case, that means enabling the port to have VLANs 1, 88, and 98. I did not do any VLAN configurations on the Pi-hole itself via SSH, like adding any packages or doing anything in ifconfig.

Time for the guide!

The guide…

Ok, on with the actual guide!

Pi-hole settings

In Pi-hole, configure the Advanced DNS settings to use conditional forwarding. Since the Pi-hole isn’t the DHCP server, all local requests should be sent to pfSense to determine the names of the devices on the network. If you don’t do this, you will just get IP addresses instead of hostnames. If that doesn’t matter to you, you can skip this step.

pfSense settings

In pfSense, go to System -> General Setup, and make sure the DNS Server Settings aren’t filled in. We will use the DNS Server to handle all queries.

Now, go to Services -> DHCP Server, and make sure you enter your Pi-hole IP address in the DNS servers block for all of your LAN and VLAN networks. If you forget to add that pointer to a VLAN, it won’t be able to route DNS requests and your network will complain that it can’t connect to the internet.

Next, switch to Firewall -> Rules and enter the following rules for each VLAN. Note: if I don’t list a section/block, just leave the default entries for those.

First rule: Pass

  • Action: Pass
  • Protocol: TCP/UDP
  • Destination: Single host or alias. Enter the IP address of Pi-hole in the next block.
  • Destination Port Range: 53 (DNS)
  • Description: Allow internal DNS

Second rule: Block

  • Action: Block
  • Protocol: TCP/UDP
  • Destination Port Range: 53 (DNS)
  • Description: Block external DNS

Arrange the rules as follows: Pass, then Block, then your VLAN traffic rule.

Finishing up

Once you’ve completed everything, fire up a client on your different networks and test to verify you have network access. Also verify that Pi-hole is blocking requests that are on your various blacklists.

Final thoughts

And that is all I did to get pfSense and Pi-hole working with my VLANs on my home network! I now have every host on my local LAN and my VLANs displayed in the query log in Pi-hole. The long term data query log definitely comes in handy to see what requests are being made on my different networks. If you have children, this may be a big help in policing where they visit.

I hope this helps. If you have any questions or comments, feel free to leave them below.

If you are interested in cameras and video, check out my DSLR camera setup!

Leave a Reply

Your email address will not be published. Required fields are marked *