
So I've moved my Pi-hole on to a new dedicated VLAN and have temporarily set up an allow-all rule on the interface. I've created more rules that only allow specific movement of traffic based on what made sense to me. I'll actually be surprised if the proposed rules I've set are correct! Sorry, still learning all this! ;)

[attached screenshot: pihole-vlan.png]

Also, what should the NAT Redirect rule look like now? Previously there was an invert match on LAN only. Should I leave it like that? I basically want Pi-hole to handle DNS for my primary LAN only. Other networks are using Cloudflare.

By the way, my original problem has now gone away completely. Turns out I was having that issue because I changed something somewhere. No idea what though! A fresh setup of pfSense, and all is well again! :)

Where are those rules?

 

You have an any-any rule at the top? Any other rules below that mean nothing. And rules are placed on the interface where traffic would enter pfSense. If you want to allow LAN to your Pi-hole VLAN, then the rule would be on your LAN interface, not your Pi-hole interface.

 

Yes, your port forward would be on your LAN interface, and sure, !LAN address still works.

 

Rules are evaluated on the interface where traffic enters pfSense from the network the interface is attached to. First rule to trigger wins; no other rules are evaluated.

I created these rules on the new Pi-hole interface. Yes, I did make the any-to-any rule, but that was meant to be temporary. Unless that is the only rule required? I created the other rules thinking it could be locked down for specific movement of traffic. Wanted you to vet them before I enabled them! I already have a LAN to any rule (the default one). And yes, I do know that rules are evaluated from the top. :)

 

Cool, so will change the NAT Redirect rule accordingly!

 

Thanks, BudMan, for all your help! :happy: :beer:

Well, if that is on your Pi-hole interface then the dest Pi-hole net is never ever going to be used, since the interface would never see such traffic.

Oh, OK. So I'll delete them and only keep one Allow to Any rule on the interface then. And of course the NAT Redirect rule.

Well, you can for sure lock it down if you don't want the Pi-hole VLAN to create traffic to your LAN, but since it's really just a VLAN to allow for the redirection of the DNS, I wouldn't think there are any security concerns.
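To make the two points BudMan keeps returning to concrete (rules live on the interface where traffic enters pfSense, and the first match wins), here is a small added example, not code from the thread or from pfSense, that models pf's ingress-interface, first-match evaluation in Python. The addresses, the Pi-hole host and the whole rule set are constructed for illustration; `dead_rules` flags the rules he says will never be used: ones on the Pi-hole interface whose source is LAN net (that traffic enters on LAN) or whose destination is the Pi-hole VLAN's own subnet (that traffic is switched and never reaches the firewall).

```python
"""Toy model of pf rule evaluation as used by pfSense: a rule only applies on the
interface where a packet ENTERS the firewall, the first match wins, and hosts in
the same VLAN talk through the switch, so that traffic never reaches pfSense."""
import ipaddress
from collections import namedtuple

# Constructed lab addressing (not from the thread): interface -> subnet / own address.
NETS = {"LAN": ipaddress.ip_network("192.168.1.0/24"),
        "PIHOLE": ipaddress.ip_network("192.168.50.0/24")}
IF_ADDR = {"LAN": ipaddress.ip_address("192.168.1.1"),
           "PIHOLE": ipaddress.ip_address("192.168.50.1")}
PIHOLE_HOST = "192.168.50.10"  # constructed address of the Pi-hole box

# iface: interface the rule sits on; action: "pass", "block" or "rdr" (port forward);
# src/dst: "any", "<IF> net", "<IF> address" or an IP, a leading "!" inverts the match;
# dport: None = any port; redirect: new destination for an "rdr" rule.
Rule = namedtuple("Rule", "iface action src dst dport redirect", defaults=(None, None))
Packet = namedtuple("Packet", "src dst dport")

def pkt(src, dst, dport):
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)

def in_scope(scope, addr):
    """Does addr match a pfSense-style source/destination field?"""
    negate = scope.startswith("!")
    scope = scope.lstrip("!").strip()
    if scope == "any":
        hit = True
    elif scope.endswith(" net"):
        hit = addr in NETS[scope[:-4]]
    elif scope.endswith(" address"):
        hit = addr == IF_ADDR[scope[:-8]]
    else:
        hit = addr == ipaddress.ip_address(scope)
    return hit != negate

def ingress_interface(p):
    """Interface the packet arrives on, or None when the firewall never sees it
    (same-subnet traffic between hosts is switched, not routed)."""
    for name, net in NETS.items():
        if p.src in net:
            same_vlan = p.dst in net and p.dst not in IF_ADDR.values()
            return None if same_vlan else name
    return None

def rule_matches(r, p, iface):
    return (r.iface == iface and in_scope(r.src, p.src) and in_scope(r.dst, p.dst)
            and (r.dport is None or r.dport == p.dport))

def evaluate(nat_rules, filter_rules, p):
    """Return (verdict, final destination). pf applies port forwards (rdr)
    before filter rules, and within each list the first match wins."""
    iface = ingress_interface(p)
    if iface is None:
        return ("not seen by firewall", str(p.dst))
    dst = p.dst
    for r in nat_rules:
        if rule_matches(r, p, iface):
            dst = ipaddress.ip_address(r.redirect)
            break
    translated = Packet(p.src, dst, p.dport)
    for r in filter_rules:
        if rule_matches(r, translated, iface):
            return (r.action, str(dst))
    return ("block (default deny)", str(dst))

def dead_rules(filter_rules):
    """Rules that can never fire on the interface they sit on: the source is another
    interface's subnet (that traffic enters pfSense elsewhere), or the destination is
    the rule's own subnet (intra-VLAN traffic never reaches pfSense)."""
    dead = []
    for r in filter_rules:
        own = f"{r.iface} net"
        src_other_vlan = r.src.endswith(" net") and not r.src.startswith("!") and r.src != own
        if src_other_vlan or r.dst == own:
            dead.append(r)
    return dead

# Constructed rule set mirroring the thread's advice: the default LAN-to-any rule,
# a DNS redirect on LAN for anything not aimed at the LAN gateway itself, the
# Pi-hole VLAN's allow-any rule, plus two rules of the kind that are never used.
NAT = [Rule("LAN", "rdr", "LAN net", "! LAN address", dport=53, redirect=PIHOLE_HOST)]
FILTER = [
    Rule("LAN", "pass", "LAN net", "any"),
    Rule("PIHOLE", "pass", "LAN net", "PIHOLE net"),     # never fires: LAN traffic enters on LAN
    Rule("PIHOLE", "pass", "PIHOLE net", "PIHOLE net"),  # never fires: intra-VLAN traffic is switched
    Rule("PIHOLE", "pass", "PIHOLE net", "any"),
]

if __name__ == "__main__":
    print(evaluate(NAT, FILTER, pkt("192.168.1.20", "1.1.1.1", 53)))         # DNS redirected to Pi-hole
    print(evaluate(NAT, FILTER, pkt("192.168.1.20", "192.168.1.1", 53)))     # gateway itself: not redirected
    print(evaluate(NAT, FILTER, pkt("192.168.50.10", "192.168.1.20", 445)))  # Pi-hole VLAN -> LAN, allow-any
    for r in dead_rules(FILTER):
        print("never used:", r)
```

The model keeps only the placement and ordering logic the thread is about. Real pfSense also creates an associated filter rule for each port forward and keeps connection state, so replies are matched against the state table rather than re-evaluated against these rules; neither changes which interface a rule has to sit on.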
