@homenetworkguy Just getting started on migrating from pfSense to OPNsense. Was planning on doing Zenarmor anyway; are you saying that takes the place of Pi-hole/AdGuard?
@firefon326 You can block ads/trackers/etc. via DNS blocks with Zenarmor in addition to the other security features it ships with. You can still do blocklists via the built-in Unbound DNS if you like (there is a reports page similar to Pi-hole's, so you can still have a web interface). There may be some specific features Pi-hole or AdGuard have that Zenarmor doesn't, but overall I love having one product handle those sorts of tasks. It has lots of graphs and charts to look at the data too. I also use CrowdSec, which uses crowd-sourced blocklists. CrowdSec doesn't require extra maintenance, so it's good just to have as an extra layer of protection (it can help protect the OPNsense web interface itself as well as the SSH service running on OPNsense, so it does more than just block malicious IPs for your entire network).
Recursive resolver is the default behavior of Unbound, but what do you mean it doesn’t send DNS to the Internet? A recursive resolver reaches out to the root DNS servers if the DNS lookup is not cached locally.
I am a bit confused by this video. What upstream DNS servers are being used to actually resolve domain names? Also, which DNS overrides apply in this setup: the ones set in Pi-hole or the ones in OPNsense under Unbound overrides?
Pi-hole is using Unbound DNS on OPNsense as the upstream DNS, and Unbound DNS is using whatever you have configured for Unbound DNS (by default Unbound is a recursive resolver, but you can configure it to use alternate DNS servers like Cloudflare and also use DNS over TLS, etc.).
This video came at the perfect time. In the firewall rule for IoT, you have the default rule to allow access to DNS on 53. Does the protocol matter, whether it’s TCP/UDP, or can it just be UDP? Also, what would a rule look like if I wanted to block external DNS access?
Typically DNS just uses UDP, but I allow both TCP/UDP. I don’t think it’s a problem to do so. You could add a block rule that has the destination inverted and uses the Pi-hole IP address (or a firewall alias for Pi-hole) as the destination so it blocks any DNS server that’s not Pi-hole. You could also redirect DNS lookups to Pi-hole (if they’re unencrypted). That’s a topic I will cover at some point.
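The rule set described in that reply, as an added example that is not part of the original thread or of OPNsense: a small first-match evaluator with constructed addresses (the `PIHOLE_DNS` and `IOT_NET` aliases, the 192.168.x.x ranges and the client IPs are all hypothetical). It shows why the "allow to Pi-hole" rule must sit above a plain "block port 53" rule, how the inverted destination makes the ordering of those two rules irrelevant, and the caveat hinted at in the reply: rules keyed on port 53 do nothing for DNS over TLS (853) or DNS over HTTPS (443), so a client that speaks encrypted DNS to a public resolver still gets out unless you block those separately.

```python
"""Added example (not from the video or OPNsense): first-match evaluation of
OPNsense-style DNS egress rules on an IoT interface, using constructed data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Hypothetical firewall aliases (constructed addresses, not from the page).
ALIASES = {
    "PIHOLE_DNS": [ip_network("192.168.10.53/32"), ip_network("192.168.10.54/32")],
    "IOT_NET": [ip_network("192.168.30.0/24")],
}


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    descr: str
    protos: Tuple[str, ...] = ("tcp", "udp")
    src: Optional[str] = None            # alias name, or None for any source
    dst: Optional[str] = None            # alias name, or None for any destination
    dst_invert: bool = False             # the "invert" checkbox on the destination
    dst_ports: Tuple[int, ...] = ()      # empty means any destination port


def in_alias(addr: str, alias: Optional[str]) -> bool:
    """True if addr falls inside the alias, or if no alias is set (any)."""
    if alias is None:
        return True
    ip = ip_address(addr)
    return any(ip in net for net in ALIASES[alias])


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    if proto not in rule.protos:
        return False
    if not in_alias(src, rule.src):
        return False
    dst_hit = in_alias(dst, rule.dst)
    if rule.dst is not None and rule.dst_invert:
        dst_hit = not dst_hit            # "any destination that is NOT the alias"
    if not dst_hit:
        return False
    return not rule.dst_ports or dport in rule.dst_ports


def decide(rules, proto: str, src: str, dst: str, dport: int, default: str = "block"):
    """First matching rule wins; nothing matching falls to the implicit default deny."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action, rule.descr
    return default, "implicit default deny"


# Interface rules for the IoT VLAN, in the order the reply suggests.
IOT_RULES = [
    Rule("pass", "allow DNS to Pi-hole", src="IOT_NET", dst="PIHOLE_DNS", dst_ports=(53,)),
    Rule("block", "block DNS to anything but Pi-hole", src="IOT_NET", dst="PIHOLE_DNS",
         dst_invert=True, dst_ports=(53,)),
    Rule("pass", "allow everything else out", src="IOT_NET"),
]

# Wrong ordering: a plain block-all-DNS rule placed above the allow rule.
BAD_ORDER = [
    Rule("block", "block all DNS", src="IOT_NET", dst_ports=(53,)),
    Rule("pass", "allow DNS to Pi-hole", src="IOT_NET", dst="PIHOLE_DNS", dst_ports=(53,)),
]

if __name__ == "__main__":
    client = "192.168.30.20"  # constructed IoT client
    for proto, dst, port in [("udp", "192.168.10.53", 53),   # Pi-hole: pass
                             ("tcp", "8.8.8.8", 53),         # public DNS: block
                             ("tcp", "1.1.1.1", 853)]:       # DoT: slips past the port-53 rules
        print(proto, dst, port, "->", decide(IOT_RULES, proto, client, dst, port))
    print("bad order:", decide(BAD_ORDER, "udp", client, "192.168.10.53", 53))
```

The third sample packet is the one to keep in mind: with only port-53 rules, a device with a hard-coded DoT or DoH resolver never touches Pi-hole, so if that matters on your IoT VLAN you need a separate block for 853 (and, for DoH, an alias of known public resolver addresses on 443).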
Greetings from Germany :) I used your site a lot last year to set up my OPNsense, and it's working great. Now I would like to go to the next step and build my own home lab. Can you tell me if the OPNsense instance shown in this video is running on the Proxmox server that you installed Pi-hole on, or is it a separate machine? Thanks for your great work :)
Thanks! Appreciate it. I have OPNsense installed bare metal on my machine for my main network. However, for this demonstration everything was virtualized (the beauty of virtualization). I was using Pi-hole in a container connected to a virtualized OPNsense using a bridge interface that has no physical interface assigned (meaning the bridge is purely virtual and can be used to put VMs and CTs on the same virtual networks). I don’t currently use Pi-hole on my network, which is why I simulated an entire example network with Pi-hole deployed. You might like my upcoming video about virtualizing OPNsense on Proxmox and how you could configure the network interfaces.
@homenetworkguy Thanks. I will look into it. I plan to have OPNsense and Proxmox on different machines. The Proxmox (with Docker containers) will be connected via a switch to OPNsense on a specific VLAN. For remote access, I'm thinking of using Tailscale. For me, this is all new territory, so channels like yours are absolutely awesome!
I prefer setting up the IP per VM or per CT on Proxmox (or, for bare metal hosts, on them) rather than in OPNsense. If my OPNsense goes down there would be a mess (even for the moment of bringing in another router). All servers must have a static IP the moment they start, right?
You don't technically need static IPs if you are using hostnames, but for firewall rules, I find it best to use static IPs. You can decide if it's better to have it all managed in one place (OPNsense) or set up the IP address on every single server, container, VM, etc. I find it much more convenient to assign all the static IPs in OPNsense, but you are correct that if you swap out the router and do not have all the static IP mappings, it could be a problem. The problem may not happen right away depending on how quickly the DHCP leases are set to expire. I also want to mention that there are a few places where I do set static IPs on the devices themselves: network switch interfaces, and my server management interfaces in Proxmox, TrueNAS, etc. I've heard it recommended that you should manually assign IPs on the device if it's core network infrastructure, but for other devices, static DHCP reservations work well. I keep a backup of my OPNsense configuration, so if I move to new hardware, I have all of the static DHCP reservations and all my other settings, and it's easy to migrate to new hardware without causing a lot of problems.
I managed to get this to work only yesterday after several weeks/attempts, then this video came out (timing). What is the listen port in Unbound set to? I set mine to 5335 and in Pi-hole set the upstream address with #5335 on the end. Is this necessary?
Everything can be set to the default port of 53 because Pi-hole is running in a separate container on Proxmox, so it has its own IP address. There’s no need to change ports since they’re not running on the same bare metal system (even if you are virtualizing OPNsense on the same Proxmox server, you don’t need to change the default port).
If you’re using OPNsense as a transparent filtering bridge it likely means you are using a separate router on your network so if you want to use Pi-hole you would configure your router’s DHCP server to use the Pi-hole server. The transparent filtering bridge allows all of the traffic that you specify to pass through.
I did an "ip address" in the command line of the Pi-hole container to get its IPv6 address, however OPNsense said invalid. Do you place the IPv6 address in the ISC DHCPv6 service for your Pi-hole?
If you’re going to be using IPv6 for Pi-hole DNS, you’d definitely want a static IPv6 address (at least the second half of the IP address because you can make use of dynamic IPv6 aliases in OPNsense if you are using dynamic IPv6 addresses provided by your ISP). Don’t use “fe80” IPv6 addresses because they’re intended for link-local connections so wouldn’t work if you want to allow access across your networks. I haven’t tried using IPv6 with Pi-hole. I use IPv6 minimally in my network (mostly only allow external IPv6 connections rather than using it for any of my local servers). Keeps things a bit more simple to deal with (especially since my ISP uses dynamic IPv6 addresses).
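A check for the point made in that reply, added here as an example and not part of the original thread: before pasting the output of `ip address` into a DHCPv6 static mapping, make sure the address is not link-local and pull out the 64-bit host part, which is what stays constant when an ISP-delegated prefix changes. The candidate addresses are constructed, and the idea that the OPNsense "Dynamic IPv6 Host" alias type takes exactly that `::x:y:z:w` host suffix is an assumption on my part, not something the reply states.

```python
"""Added example (not from the video or OPNsense): validate a candidate IPv6
address for use as the Pi-hole DNS server in a DHCPv6 static mapping."""
from ipaddress import AddressValueError, IPv6Address, IPv6Network
from typing import Dict, Optional

ULA = IPv6Network("fc00::/7")            # unique local addresses (fd00::/8 in practice)
GLOBAL_UNICAST = IPv6Network("2000::/3")  # ISP-routable space
HOST_MASK = (1 << 64) - 1                 # low 64 bits = interface identifier for a /64


def _parse(text: str) -> Optional[IPv6Address]:
    # "ip address" prints forms like fe80::1/64 or fe80::1%eth0; strip both.
    bare = text.strip().split("%", 1)[0].split("/", 1)[0]
    try:
        return IPv6Address(bare)
    except AddressValueError:
        return None


def check_pihole_v6(text: str) -> Dict[str, object]:
    """Classify the address and return the host suffix to reuse in a dynamic alias."""
    addr = _parse(text)
    if addr is None:
        return {"ok": False, "kind": "invalid", "suffix": None,
                "reason": "not a parseable IPv6 address"}
    if addr.is_link_local:
        return {"ok": False, "kind": "link-local", "suffix": None,
                "reason": "fe80::/10 only works on the same segment; clients on other VLANs cannot reach it"}
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        return {"ok": False, "kind": "special", "suffix": None,
                "reason": "loopback, unspecified or multicast"}
    # Host part rendered the way a dynamic-host alias would want it, e.g. ::53
    suffix = str(IPv6Address(int(addr) & HOST_MASK))
    if addr in ULA:
        kind, reason = "ula", "stable private address; fine as a static DHCPv6 DNS server"
    elif addr in GLOBAL_UNICAST:
        kind, reason = ("gua", "routable, but if the prefix is ISP-assigned and dynamic, "
                               "key firewall aliases on the host suffix rather than the full address")
    else:
        return {"ok": False, "kind": "other", "suffix": None,
                "reason": "neither ULA nor global unicast"}
    return {"ok": True, "kind": kind, "suffix": suffix, "reason": reason}


if __name__ == "__main__":
    # Constructed candidates, as "ip address" might print them inside the container.
    for candidate in ["fe80::5054:ff:fe12:3456/64", "fd00:10::53/64",
                      "2001:db8:abcd:10::53", "2001:db8:abcd:10:1234:5678:9abc:def0"]:
        print(candidate, "->", check_pihole_v6(candidate))
```

Run it against whatever the container prints: the `fe80::` line is the one that gets rejected, and a ULA such as `fd00:10::53` is the simplest thing to hand out via DHCPv6 if you want Pi-hole reachable over IPv6 from every VLAN.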
You just set up AdGuard Home and make sure the DHCP service in OPNsense is configured to use that as the DNS server for your clients. If you want to resolve local hostnames, then have AdGuard use OPNsense as the upstream DNS server. I may do a video on it at some point, but I have lots of other things I would like to do as well.
I don't currently use any external VPN providers but I have been wanting to write up guides for a while now because I know a lot of users like to use them to protect their privacy or to get around regional restrictions for certain content.
You might find some mini-PCs with four 2.5GbE interfaces and an N100 CPU on AliExpress for around that price. You might have to get less RAM and storage capacity to meet that budget, but it might be doable.
I could do that. I use the mDNS plugin to broadcast my printer across a couple of my networks. I think I tried it with some Apple devices (and also an HDHomeRun box), and it didn’t work so well. I don’t know if that plugin in OPNsense handles all types of mDNS. I haven’t explored this area as much as others, so results may vary depending on the devices you are using. To make things easier on my network, I put all my media streaming/IoT devices on the same network so I don’t need mDNS other than for my printer.
Pi-hole doesn't have settings to allow you to whitelist a device on your network (but you can create groups and assign clients to groups which have whitelists/blacklists of domain names). So the easiest way to have a device not have anything blocked is simply ensure that it does not use Pi-hole as the DNS server. That would allow the device to bypass the Pi-hole filtering.
It shouldn’t be too jarring since this guide is specific to those who already use OPNsense on the network but want to use Pi-hole on Proxmox (I show what you need to change in a default/base installation of OPNsense). This video would be another 30 minutes longer if I showed how to set up OPNsense too. Trying to find the perfect balance is tricky because everyone has varying amounts of experience and preferences.
Hi there, great video as usual. How does this work with regular plaintext DNS using port 53, Pi-hole using port 5335 and Unbound in OPNsense using port 853 to Cloudflare? Also I have 2 Proxmox servers; should I install Pi-hole on each Proxmox server? Thx for all your help
Sure you can have 2 instances running for redundancy (plus when you reboot one of your servers, it doesn't take down the DNS on your network). For the DNS configuration, you could configure the DHCP settings for interfaces in OPNsense to use the Pi-hole DNS server(s). Then have Pi-hole use the Unbound DNS IP address as its upstream DNS server. Then Unbound DNS can be configured to use DNS over TLS to Cloudflare for external DNS requests. So it would be like this: client -> Pi-hole DNS -> Unbound DNS -> Cloudflare DNS over TLS.
@homenetworkguy Thx for the reply, I have 2 more questions: when you say "have Pi-hole use the Unbound DNS IP address as its upstream DNS server", where in OPNsense Unbound will I find that IP address? Or is it the Cloudflare DNS address? Also, when I run resolvectl my current scopes show none and yours shows DNS, and resolv.conf mode shows foreign and yours shows stub. Thx again
Unbound listens on all interfaces by default, so the IP of any of your network interfaces can be used as the upstream DNS server for Pi-hole. If Pi-hole lives on the LAN, use 192.168.1.1 as the DNS server for Pi-hole, for example. Don’t confuse internal DNS with external DNS. You’re basically creating a chain of DNS servers and inserting Pi-hole in the middle. I prefer to keep DNS simpler than that by not using Pi-hole (I use Zenarmor in OPNsense). I created this demonstration for those who like to use it. The more complex you make DNS, the more likely you will have issues if something goes wrong or fails. As for the second question, I'm not sure what you are saying unless you’re not getting the DNS server appropriately assigned by DHCP. If you’re using a static IP on the device, you would have to specify Pi-hole as the DNS server since it wouldn’t obtain it from DHCP from OPNsense.
Funny enough, I went to purge a package and it ran out of memory with 256, so I set it to 512 instead... otherwise the system normally uses like 40 MB lol
Yeah, you don’t need many resources, but it’s always good to set it slightly higher than the normal usage in case resource usage surges while doing certain tasks in the container/VM.
I see a lot of videos on running the pi-hole inside a container. This is a very bad idea. All containers share Proxmox's OS kernel which in this case is Debian. If pi-hole is compromised, you will also expose Debian's kernel for attack. Use a VM instead so pi-hole has its own OS. If the vm is compromised, only that VM is vulnerable. As soon as you discover the issue, you trash that vm and recreate it from your last backup.
I am using an unprivileged LXC which will still require an escape to get to the host OS. A VM also has the potential to be escaped so it’s not impenetrable either.
Haha yeah I didn’t think about that but I just created it for the example in the video. It’s not the instance I use since I don’t currently use Pi-hole. Good catch!
Umm... how did you find this query in my search history and then make a video on it??
Haha! I just had this feeling that Jeff Geerling needed this video! Actually I haven’t covered Pi-hole in a while so I thought I’d do a video on how I would implement it on my network should I use it again. I know Pi-hole is a beloved software among homelabbers so I definitely wanted to cover it. I’ve been building out a separate lab environment (both physical and virtualized hardware) where it’s becoming much easier for me to try out new things without screwing up my main network for my family. You know, I don’t want support tickets for that!
Hi, I’m dipping my toes into OPNsense and this video was something I was hoping to find, so thanks a lot for this. I’d love to see the same thing done with AdGuard Home, maybe an idea for a future video! 😅 Love the video content after following the different posts on your website.
Thanks! Yeah, that is a possibility! I know a lot of people like using AdGuard Home as well.
Really appreciate your lack of bs & straight forward explanations 👍🏻
Thanks! I try to be straightforward in my explanations. It can be difficult to stay on topic sometimes (I suppose I should take the time to write up a script to help make it better).
Thank you very much for your videos. I've been planning a do-over and my last question before commencing the build was DNS across multiple networks. And of course you covered it. I've learnt a lot.
I'm glad it has helped you learn more!
Have become a fan of yours. Keep up the great work. You are making a difference. Thank you.
Thanks for the encouragement! There is a lot more I want to do but I have to pace it out since I don’t do this full time and also to avoid burnout.
@homenetworkguy Go slow to go fast.
Thank you very much for these guides. Your setup is so close to my use case (just running OPNSense baremetal) that it's been extremely helpful!
Awesome that it closely matches your use case so that this guide is helpful!
Very helpful! Just configured my Proxmox/OPNsense/Pi-hole combo with your easy to follow steps and I'm good to go. Will try the multi-network config in the future.
Awesome that it worked well for you!
Thanks mate. After getting mad with Adblocker, Pi-hole seems much easier for me. And that's the way to use it with your OPNsense installation and your firewall rules!
I’m glad you found it useful! Pi-hole is a pretty simple solution.
Thanks for this video. It is much appreciated. I have switched to OPNsense because I was able to get ahold of a nice 4-core device with QAT and 10GbE SFP+ and RJ45 for under $90.
You're welcome! Nice! I am curious if a CPU with QAT will make a difference in OPNsense (perhaps for VPNs?).
This is something on my list so I was happy to see a video on it! I don’t run proxmox or containers but I do have a RPi4 that I could use.
Glad you were happy to see it! You can certainly run Pi-hole on anything but I thought it would be interesting to do it in a container on Proxmox without using Docker. I have older written guides on my website setting it up using Portainer in Docker on a Raspberry Pi but those are out of date.
Thanks so much! I followed this very closely and got it to work using pfSense.
You’re welcome! Glad you got it working!
Hey my friend, thanks again... I've been following your network advice and everything works great!
In my Proxmox setup I have 3 ethernet ports, 1 onboard and 2 on a PCIe card. The ones on the card are assigned to OPNsense VM with PCI passthrough, so I guess I can't use the LAN port for Pihole LXC. In this case, would it be better to just use Adguard inside OPNsense OR rebuild the OPNsense VM with only the WAN port as PCI passthrough and LAN as virtual bridge? Using the onboard virtual NIC (which is used by Proxmox itself, Home Assistant VM, etc) probably wouldn't be efficient/optimal, right?...
Nice! Since you’re using Proxmox, you could set up AdGuard on Proxmox separately from OPNsense if you want assuming you are ok having it on the same interface as your Proxmox management interface. Otherwise you can do it in OPNsense if you want to use the community repository. I personally would run it on Proxmox so I wouldn’t have to use the community repo (sometimes issues can be had during upgrades). Also if you’re using Pi-hole you don’t need AdGuard and vice versa. I wouldn’t use both.
Thanks for doing a Pi-hole one with Proxmox. Been following the whole Proxmox journey with you as I'm transitioning to a Vault and all that goes along with this. Can you please advise on the whole Pi-hole recursive setup using Unbound? Are there any other things you should do that are not covered in this video?
If you have all your network clients use Pi-hole and then use Unbound DNS in OPNsense as the upstream DNS server for Pi-hole, you will be using the recursive DNS features of Unbound in OPNsense.
If you are only using Pi-hole as your DNS server and not using Unbound in OPNsense, you can configure Pi-hole to do recursive lookups but it takes some configuration work: docs.pi-hole.net/guides/dns/unbound/
Not sure if you still see these comments, but I hope so. I have a spare laptop with Proxmox running bare metal. One VM with Home Assistant, and now I ran a script for Pi-hole and am trying to follow your guide. Pi-hole is running, but I'm at 9:27 and you jump to configuring Unbound.. but.. when did you set that up? I don't think I have it or know how to access it, and I didn't see that part of your setup?
This guide assumes you are running OPNsense which uses Unbound DNS. If you’re using a different router, you would need to configure it to hand out the Pi-hole DNS server IP address of Pi-hole (assuming your router is handing out DHCP leases to all of your clients on your network). It’s up to you if you want to forward the DNS requests from Pi-hole to your local router or not. When I used Pi-hole, I liked to do that because I could still have local name resolution for all of the clients on my network.
@homenetworkguy Ok thanks.. I've found another source for setting up Unbound on my Pi-hole VM to catch up here... thanks!
Thank you so much for your time and dedication!!!
You’re welcome!
A quick question on the firewall rules in a VLAN setup - is the 'allow port 56 from all networks' rule a candidate for being defined once as a floating rule?
Yes that should work as a floating rule. I didn’t think of that at the time. I use similar rules to allow SSH and iperf3 everywhere on my network so I can log into anything or run performance tests anywhere on my network. The only reason you may want to do it on each individual interface (or firewall groups, etc) is if you don’t want all of your VLANs to use the Pi-hole DNS (perhaps in a lab environment or where you want to have less filtering for a particular VLAN).
@homenetworkguy Thank you very much for sharing your knowledge!
Really appreciate everything you do; small question is presently I have Unbound DoT setup to use Clean Browsing DNS. If I go towards Pihole route / method, would I have to disable any / all settings in Unbound?
If you configure DNS such that your DHCP client devices receive the Pi-hole DNS server IP as the DNS server and then configure Pi-hole to use Unbound DNS as its upstream DNS server, you will be able to leave your Unbound DNS configuration as it is.
TLDR;: client > Pi-hole DNS > Unbound DNS > Clean Browsing DNS.
@homenetworkguy Once again, thank you for all that you do!!!
Hi; for some reason I'm not able to find your video about the OPNsense DNS confusion (i.e. the multitude of options). Wanted to ask: if I were to set up Pi-hole as DNS using Services -> DHCP -> LAN/VLAN and DNS Servers, the assumption here is that this will be the DNS that will be used. Question: if I were to add a few static IPs (using the Static Mapping option), and then add a "different" DNS server, would those static IPs then use this "different" DNS, or would they use the DNS defined under Services/DHCP/Interface?
I made that video private cause I need to redo it to make it more accurate like my website. Although someone mentioned to me I may need to correct a few things on there too. So many knobs and dials for DNS it’s hard to keep it straight. Haha.
I haven’t tried it but I’m assuming the settings in the static mappings will take precedent over the interface DNS setting.
I am a bit confused; I thought that in OPNsense you were going to set up Unbound.
What I configured is DHCP for the various networks to use the Pi-hole as the DNS server for all of the clients on the networks, but then Pi-hole itself is configured to use Unbound DNS on OPNsense as its upstream DNS provider. Unbound DNS can be configured the same way as you normally would for your network (leave at the default settings to use your ISP DNS servers on the WAN interface or you can use DNS over TLS, etc). So basically the flow of DNS lookups is the following: client device > Pi-hole DNS > Unbound DNS > External DNS server (ISP DNS, Cloudflare, Quad9, Google, or other DNS server you configured).
Thank you. Very helpful video.
Glad you found it helpful!
I have a setup where PiHole+Unbound are running inside a Proxmox LXC container and have dual virtual NICs for each of my Home and IoT VLANs. PiHole listens on all interfaces so I can respond to IoT DNS queries without a need for additional firewall rules. Working through one issue - I'd like to have Unbound respond with different resolution based on the source IP, so that if a device on the IoT network asks for my reverse proxy it gets back the reverse proxy's IoT IP.. But with unbound set to the upstream DNS provider of PiHole it just sees all requests coming in on localhost. Any thoughts on approaches I could take to resolve this?
That’s a good idea about using multiple interfaces. I didn’t think about that at the time because I was mimicking my old Raspberry Pi setup long ago which only had 1 physical interface so I had to do it that way to share it across networks. I should do an updated version of this video. Haha.
As for what you’re asking, it sounds like you could make use of split DNS using Unbound DNS overrides. It allows your local DNS requests to use the local IP address of your reverse proxy instead of using your external IP address. Some people like to use NAT loopback but I prefer Unbound DNS overrides.
Nice video. I switched to AdGuard Home a while ago, mostly because I want my DNS server to run on my OPNsense box. I basically want to be able to bring other things down and still have internet. I am using it with Unbound, but don't know why. Same with your setup, you probably can put in the upstream DNS resolver in Pi-hole and get rid of Unbound. In my case, AGH supports DoH and DoT, so really not sure why I have Unbound! :)
You probably know this and skipped it to keep the video short, but maybe create an alias for the DNS server. A rule to forward all queries on port 53 and a rule to block queries to known public DNS servers is nice (as some devices ignore the advertised DNS server).
Thanks for the video again, it was done well!
Thanks! I don’t actually use Pi-hole or AdGuard currently. Just Zenarmor and CrowdSec so I don’t have to check several places if something is blocked (at one point I had to check Zenarmor, Pi-hole, and Suricata; now I just check Zenarmor).
I was simply doing this video as a demonstration for Pi-hole so it’s not a representation of my own network. I also was trying to stick to a single topic. Haha. I thought I mentioned you can create an alias for Pi-hole but I just used the IP so you can see it clearly in the example.
I personally like to keep Unbound DNS in the mix because of local hostname resolution (yes if you make Pi-hole handle DHCP as well, you can have that). I like to manage my static IP reservations in OPNsense since it’s centralized so it’s easy to register those static IP hostnames in Unbound. Also I can configure Unbound to use DoT (which is what I do on my network).
This is one of those areas where you can do it a number of ways. I just picked one way and did it as an example. 🙂
I might've missed it. Thanks.
I never set up Zenarmor. Not sure if you have a video about it, but it's a reminder for me to take a look at it!
@homenetworkguy Just getting started on migrating from pfSense to OPNsense. Was planning on doing Zenarmor anyway; are you saying that takes the place of Pi-hole/AdGuard?
@firefon326 You can block ads/trackers/etc via DNS blocks with Zenarmor in addition to the other security features it ships with. You can still do blocklists via the built-in Unbound DNS if you like (there is a reports page similar to Pi-hole so you can still have a web interface).
There may be some specific features Pi-hole or AdGuard have that Zenarmor doesn't but overall, I love having one product handle those sorts of tasks. It has lots of graphs and charts to look at the data too.
I also use CrowdSec which uses crowd-sourced blocklists. CrowdSec doesn't require extra maintenance so it's good just to have as an extra layer of protection (since it can help protect the OPNsense web interface itself as well as the SSH service running on OPNsense so it does more than just block malicious IPs for your entire network).
@homenetworkguy Do you have any videos on this setup? I’d love to see something about this.
I'm using Unbound as a recursive DNS server, no need to send dns to the internet.
Recursive resolver is the default behavior of Unbound, but what do you mean it doesn’t send DNS to the Internet? A recursive resolver reaches out to the root DNS servers if the DNS lookup is not cached locally.
I am a bit confused by this video. What upstream DNS servers are being used to actually resolve domain names? Also, which DNS overrides apply in this setup: the ones set in Pi-hole or in OPNsense under Unbound overrides?
Pi-hole is using Unbound DNS on OPNsense as the upstream DNS, and Unbound DNS is using whatever you have configured for Unbound DNS (the default setting of Unbound is a recursive resolver, but you can configure it to use alternate DNS servers like Cloudflare and also use DNS over TLS, etc).
This video came at the perfect timing. In the firewall rule for IoT, you have the default rule to allow access to DNS on 53. Does protocol matter whether it’s TCP/UDP or can it just be UDP?
Also, what would a rule be like if I wanted to block external DNS access?
Typically DNS just uses UDP but I allow both TCP/UDP. I don’t think it’s a problem to do so.
You could add a block rule that has the destination inverted and use the Pi-hole IP address (or firewall alias for Pi-hole) as the destination so it blocks any DNS server that’s not Pi-hole.
You could always redirect DNS lookups to Pi-hole (if it’s unencrypted). That’s a topic I will cover at some point.
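As an added illustration of the firewall-rule advice in the comments above (the alias/port-53 rules and the block rule with an inverted destination), and not code from the video or its author: a small Python model of top-to-bottom, first-match rule evaluation. The Pi-hole address 192.168.1.10 and the rule sets are constructed for the example.

```python
"""Toy model of first-match firewall rule evaluation for the IoT DNS rules (constructed example)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional
import ipaddress

PIHOLE = ipaddress.ip_address("192.168.1.10")  # constructed; normally a firewall alias
BOTH = frozenset({"tcp", "udp"})               # DNS can use either, so allow both


@dataclass(frozen=True)
class Rule:
    action: str                                  # "pass" or "block"
    protocols: FrozenSet[str]
    dst: Optional[ipaddress.IPv4Address] = None  # None = any destination
    port: Optional[int] = None                   # None = any destination port
    dst_invert: bool = False                     # the rule's "invert destination" option

    def matches(self, proto: str, dst: ipaddress.IPv4Address, port: int) -> bool:
        if proto not in self.protocols:
            return False
        if self.port is not None and port != self.port:
            return False
        if self.dst is not None:
            hit = dst == self.dst
            if self.dst_invert:
                hit = not hit            # match every destination EXCEPT Pi-hole
            if not hit:
                return False
        return True


def evaluate(rules, proto: str, dst: str, port: int) -> str:
    """Return the action of the first matching rule; no match means the implicit default deny."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, addr, port):
            return rule.action
    return "block"


# Intended order: allow DNS to Pi-hole, block plain DNS to anything else, then the
# general outbound allow. Only plain port-53 DNS is caught; a device that talks
# DoH/DoT to an outside resolver is not covered by these rules.
IOT_RULES = [
    Rule("pass", BOTH, dst=PIHOLE, port=53),
    Rule("block", BOTH, dst=PIHOLE, port=53, dst_invert=True),
    Rule("pass", BOTH),
]

# Common mistake: the catch-all allow sits above the block rule, so first-match
# lets a device with a hardcoded public resolver straight through.
MISORDERED_RULES = [IOT_RULES[2], IOT_RULES[0], IOT_RULES[1]]

if __name__ == "__main__":
    for proto, dst, port in [("udp", "192.168.1.10", 53), ("udp", "8.8.8.8", 53),
                             ("tcp", "1.1.1.1", 53), ("tcp", "203.0.113.5", 443)]:
        print(proto, dst, port, "->", evaluate(IOT_RULES, proto, dst, port),
              "| misordered:", evaluate(MISORDERED_RULES, proto, dst, port))
```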
Greetings from Germany :) I used your site a lot last year to set up my OPNsense, and it's working great. Now I would like to go to the next step and build my own home lab.
Can you tell me if the OPNsense instance shown in this video is running on the Proxmox server that you installed Pi-hole on, or is it a separate machine? Thanks for your great work :)
Thanks! Appreciate it. I have OPNsense installed bare metal on my machine for my main network.
However, for this demonstration everything was virtualized (the beauty of virtualization). I was using Pi-hole in a container connected to a virtualized OPNsense using a bridge interface that has no physical interface assigned (meaning the bridge is purely virtual and can be used to put VMs and CTs on the same virtual networks).
I don’t currently use Pi-hole on my network which is why I simulated an entire example network with Pi-hole deployed.
You might like my upcoming video about virtualizing OPNsense on Proxmox and how you could configure the network interfaces.
@homenetworkguy Thanks. I will look into it. I plan to have OPNsense and Proxmox on different machines. The Proxmox (with Docker containers) will be connected via a switch to OPNsense on a specific VLAN. For remote access, I am thinking of using Tailscale. For me, this is all new territory, so channels like yours are absolutely awesome!
I prefer setting up the IP per VM or per CT on Proxmox (or on bare metal hosts) rather than in OPNsense: if my OPNsense goes down there would be a mess (even for the moment of bringing in another router). All servers must have a static IP the moment they start, right?
You don't technically need static IPs if you are using hostnames, but for firewall rules, I find it best to use static IPs. You can decide if it's better to have it all managed in one place (OPNsense) or set up the IP address on every single server, container, VM, etc. I find it much more convenient to assign all the static IPs in OPNsense, but you are correct that if you swap out the router and do not have all the static IP mappings, it could be a problem. The problem may not happen right away depending on how quickly the DHCP leases are set to expire.
I also want to mention that there are a few places where I do set static IPs on the devices themselves: network switch interfaces, and my server management interfaces in Proxmox, TrueNAS, etc. I've heard it recommended that you should manually assign IPs on the device if it's core network infrastructure but for other devices, static DHCP reservations work well.
I keep a backup of my OPNsense configuration so if I move to new hardware, I have all of the static DHCP reservations and all my other settings so it's easy to migrate to new hardware without causing a lot of problems.
@homenetworkguy Perfect. Of course for bare metal servers I set a static IP on them, i.e. TrueNAS, Proxmox, even a spare Pi-hole on a Raspberry Pi.
I assume mostly the same steps are applicable to AdGuard Home also, right?
Essentially you can follow similar steps if you’re wanting to use any other local DNS server besides Unbound DNS in OPNsense.
I managed to get this to work only yesterday after several weeks/attempts, then this video came out (timing). What is the listen port in Unbound set to? I set mine to 5335 and in Pi-hole set the upstream address with #5335 on the end. Is this necessary?
Everything can be set to the default port of 53 because Pi-hole is running in a separate container on Proxmox so it has its own IP address. There’s no need to change ports since they’re not running on the same bare metal system (even if you are virtualizing OPNsense on the same Proxmox server, you don’t need to change the default port).
Can I also use Pi-hole in the same way as in this video on an OPNsense bridged setup?
If you’re using OPNsense as a transparent filtering bridge it likely means you are using a separate router on your network so if you want to use Pi-hole you would configure your router’s DHCP server to use the Pi-hole server. The transparent filtering bridge allows all of the traffic that you specify to pass through.
@homenetworkguy In the modem I got from the cable company there is also a DHCP server which I can disable, and then use Pi-hole for it. Thanks!
I ran "ip address" in the command line of the Pi-hole container to get its IPv6 address; however, OPNsense said it was invalid. Do you place the IPv6 address in ISC DHCPv6 services for your Pi-hole?
If you’re going to be using IPv6 for Pi-hole DNS, you’d definitely want a static IPv6 address (at least the second half of the IP address, because you can make use of dynamic IPv6 aliases in OPNsense if you are using dynamic IPv6 addresses provided by your ISP). Don’t use “fe80” IPv6 addresses because they’re intended for link-local connections, so they wouldn’t work if you want to allow access across your networks.
I haven’t tried using IPv6 with Pi-hole. I use IPv6 minimally in my network (mostly only allow external IPv6 connections rather than using it for any of my local servers). Keeps things a bit more simple to deal with (especially since my ISP uses dynamic IPv6 addresses).
@homenetworkguy Consistently prompt and concise reply. Much appreciated.
Hey, how can I get this set up to work with AdGuard Home? Thanks
You just set up AdGuard Home and make sure the DHCP service in OPNsense is configured to use that as the DNS server for your clients. If you want to resolve local hostnames, then have AdGuard use OPNsense as the upstream DNS server. I may do a video on it at some point, but I have lots of other things I would like to do as well.
@homenetworkguy Thanks for replying, I wouldn't mind a video regardless. I got it to work for about 5 mins and it wouldn't work again.
Have you already configured an OpenVPN client like CyberGhost or NordVPN? Could you explain that? Thanks in advance.
I don't currently use any external VPN providers but I have been wanting to write up guides for a while now because I know a lot of users like to use them to protect their privacy or to get around regional restrictions for certain content.
Home security with 200 euros. What router/firewall do you recommend?
You might find some mini-PCs with 4 2.5GbE interfaces and an N100 CPU off of AliExpress for around that price. You might have to get less RAM and storage capacity to meet that budget, but it might be doable.
By the way, could you please make a video about mDNS between devices running in different subnets? Thanks
I could do that. I use the mDNS plugin to broadcast my printer across a couple of my networks. I think I tried it with some Apple devices (and also an HDHomeRun box), and it didn’t work so well. I don’t know if that plugin in OPNsense handles all types of mDNS. I haven’t explored this area as much as others so results may vary depending on the devices you are using. To make things easier on my network, I put all my media streaming/IoT devices on the same network so I don’t need mDNS other than for my printer.
Remember that the MDNS plugin for OPNsense has a maximum of 4 devices requirement/limitation.
How do I keep one laptop separate on Pi-hole so it won't get anything blocked?
Pi-hole doesn't have settings to allow you to whitelist a device on your network (but you can create groups and assign clients to groups which have whitelists/blacklists of domain names). So the easiest way to have a device not have anything blocked is simply ensure that it does not use Pi-hole as the DNS server. That would allow the device to bypass the Pi-hole filtering.
5:18 okay... well I guess I have to go setup up opnsense in another video. Kind of a jarring transition
It shouldn’t be too jarring since this guide is specific to those who already use OPNsense on the network but want to use Pi-hole on Proxmox (I show what you need to change in a default/base installation of OPNsense). This video would be another 30 minutes longer if I showed how to set up OPNsense too. Trying to find the perfect balance is tricky because everyone has varying amounts of experience and preferences.
Hi there,
great video as usual.
How does this work with regular plaintext DNS using port 53, Pi-hole using port 5335 and Unbound in OPNsense using port 853 to Cloudflare????
Also, I have 2 Proxmox servers; should I install Pi-hole on each Proxmox server?
Thanks for all your help.
Sure you can have 2 instances running for redundancy (plus when you reboot one of your servers, it doesn't take down the DNS on your network).
For the DNS configuration, you could configure the DHCP settings for interfaces in OPNsense to use the Pi-hole DNS server(s). Then have Pi-hole use the Unbound DNS IP address as its upstream DNS server. Then Unbound DNS can be configured to use DNS over TLS to Cloudflare for external DNS requests. So it would be like this: client -> Pi-hole DNS -> Unbound DNS -> Cloudflare DNS over TLS.
@homenetworkguy Thanks for the reply. I have 2 more questions: when you say "have Pi-hole use the Unbound DNS IP address as its upstream DNS server", where in OPNsense Unbound will I find that IP address? Or is it the Cloudflare DNS address?
Also, when I run resolvectl my current scopes show none and yours shows DNS; resolv.conf mode shows foreign and yours shows stub.
Thanks again.
Unbound listens on all interfaces by default, so the IP you can use as the upstream DNS server for Pi-hole is any of your network interface addresses. If Pi-hole lives on the LAN, use 192.168.1.1 as the DNS server for Pi-hole, for example. Don’t confuse internal DNS with external DNS. You’re basically creating a chain of DNS servers and inserting Pi-hole in the middle.
I prefer to keep DNS more simple than that by not using Pi-hole (I use Zenarmor in OPNsense). I created this demonstration for those who like to use it. The more complex you make DNS, the more likely you will have issues if something goes wrong or fails.
As for the second question, I'm not sure what you are saying, unless you’re not getting the DNS server appropriately assigned by DHCP. If you’re using a static IP on the device, you would have to specify Pi-hole as the DNS server since it wouldn’t obtain it from DHCP from OPNsense.
@homenetworkguy It's starting to make more sense now. Thanks again.
Very handy, thank you!
You’re welcome!
What a legend.
Haha thanks!
Very clear. Thanks
You’re welcome!
Thanks... that was helpful.
Glad it was helpful!
Hi, can you make a video tutorial on how to block the Facebook app on a phone using OPNsense?
I could but the best way to block a particular app/domain is to block it via DNS rather than firewall rules.
Funnily enough, I went to purge a package and it ran out of memory with 256 so I set it to 512 instead... otherwise the system normally uses like 40 MB lol
Yeah, you don’t need many resources, but it’s always good to set it slightly higher than the normal usage in case resource usage surges while doing certain tasks in the container/VM.
I see a lot of videos on running the pi-hole inside a container. This is a very bad idea. All containers share Proxmox's OS kernel which in this case is Debian. If pi-hole is compromised, you will also expose Debian's kernel for attack. Use a VM instead so pi-hole has its own OS. If the vm is compromised, only that VM is vulnerable. As soon as you discover the issue, you trash that vm and recreate it from your last backup.
I am using an unprivileged LXC which will still require an escape to get to the host OS. A VM also has the potential to be escaped so it’s not impenetrable either.
Container ID 312? YOU MONSTER. It should've been 3.14! You're getting a yellow card on your geek license. One more infraction and it's gone.
Haha yeah I didn’t think about that but I just created it for the example in the video. It’s not the instance I use since I don’t currently use Pi-hole. Good catch!