Asus RT-AC68U Merlin DNSFilter + 2 PiHole's?

[josh3003]

No. Never run two DHCP servers on the same subnet.

Sorry I meant to say did I need to run it off the router instead of the pihole as when it drops off, so does dhcp server.

 

[ColinTaylor]

Sorry I meant to say did I need to run it off the router instead of the pihole as when it drops off, so does dhcp server.

I don't know what you're doing with DHCP servers as you've never said. I was assuming the router was still acting as the one and only DHCP server on your LAN. If that's not the case then you can probably ignore everything suggested in this tread.

 

[josh3003]

Yeah it's no big deal where I activate dhcp server. Just trying to figure out why it stops working when I disconnect ethernet cable from PiHole and why it isn't falling back.

Do iptable rules reset when router is rebooted? I did try change some settings probably 6-12 months ago but decided to go down DNSFilter route as it's easier.

 

[josh3003]

What’s in /etc/resolv.conf? Found this discussion of strict-order:

I gave up last night and just went with 1.1.1.1 & 9.9.9.9

nameserver 1.1.1.1
nameserver 9.9.9.9

However, I did last night actually confirm it was the same for the pihole being:

nameserver 192.168.1.146 (my pihole ip)
nameserver 9.9.9.9 (Also tried my cloud pihole ip to no avail)

 

[josh3003]

Keen to work this one out if anyone is available to assist.

 

[ColinTaylor]

Keen to work this one out if anyone is available to assist.

You'll have to describe your current configuration (router and pihole(s)) in detail. All we know at the moment is that you started based on some thread on reddit and then made some other changes based on information here. We also don't know anything about how your Piholes are setup.

 

[josh3003]

You'll have to describe your current configuration (router and pihole(s)) in detail. All we know at the moment is that you started based on some thread on reddit and then made some other changes based on information here. We also don't know anything about how your Piholes are setup.

Ok, currently running AC68u I used this guide to force traffic to go to primary pihole (192.168.1.146)

I do have a 2nd local pihole server, otherwise I'd prefer to leverage and run one in GCP that I can access locally through the guide on reddit here. It'd be nice just to see the logs of the requests going through and that I trust its all being forced through my primary pihole with the visual aid.

As mentioned, I think a while back I used this post to look at adding iptable rules to my router to force the traffic through my primary pi. At the time not sure if they are still there or not, perhaps that is why internet goes offline when I disconnect it? That was about my query earlier regarding iptables rules.

Essentially the guide in the first link I posted should give you a fair idea on the setup. Albeit I did obviously change the DNSFilter from 'Router' to Custom #1 as mentioned in the instructions from the old thread. As a test I'd simply disconnect the ethernet cable to simulate the pi going offline and then moments later I'd be unable to resolve anything. I'd get the DNS Bad probe config error. Plugging it back in would suddenly bring it back up online. Not sure if there are any finnicky options in the WAN settings when making the router (192.168.1.1) the secondary LAN dns server or whatnot. I have a static IP address from my ISP. Any other details you need please let me know.

 

[josh3003]

You'll have to describe your current configuration (router and pihole(s)) in detail. All we know at the moment is that you started based on some thread on reddit and then made some other changes based on information here. We also don't know anything about how your Piholes are setup.

FYI

iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ACCESS_RESTRICTION
-N DNSFILTER_DOT
-N FUPNP
-N INPUT_ICMP
-N INPUT_PING
-N NSFW
-N OVPN
-N PControls
-N PTCSRVLAN
-N PTCSRVWAN
-N SECURITY
-N default_block
-N logaccept
-N logdrop
-N other2wan
-A INPUT -p icmp -m icmp --icmp-type 8 -j INPUT_PING
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j OVPN
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT-A FORWARD ! -i br0 -o ppp0 -j other2wan
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j NSFW
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -i br0 -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
-A FORWARD -j DROP
-A DNSFILTER_DOT -m mac --mac-source B8:27:EB:51:0E:3E -j RETURN
-A DNSFILTER_DOT ! -d 192.168.1.146/32 -j REJECT --reject-with icmp-port-unreachable
-A FUPNP -d 192.168.1.147/32 -p tcp -m tcp --dport 32400 -j ACCEPT
-A FUPNP -d 192.168.1.131/32 -p tcp -m tcp --dport 55555 -j ACCEPT
-A FUPNP -d 192.168.1.131/32 -p udp -m udp --dport 55555 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A INPUT_PING -i ppp0 -p icmp -j DROP
-A INPUT_PING -i eth0 -p icmp -j DROP
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
-A other2wan -i tun+ -j RETURN
-A other2wan -j DROP

 

[ColinTaylor]

Make sure you have it setup exactly as shown in the other post here, not like the reddit post. You should have 2 LAN DNS severs defined. Advertise router's IP in addition to user-specified DNS should be set to No.

You also need to add strict-order as discussed.

Those iptables commands are redundant as that's what DNSFilter is doing. If you just typed them into a terminal session they would have been lost the next time the router was rebooted.

 

[josh3003]

Make sure you have it setup exactly as shown in the other post here, not like the reddit post. You should have 2 LAN DNS severs defined. Advertise router's IP in addition to user-specified DNS should be set to No.

You also need to add strict-order as discussed.

This is exactly what I have setup as of yesterday when I said I disconnect primary pi, it goes offline. I followed the instructions. It isn't working.

 

[ColinTaylor]

Can you post a screen shot of your LAN - DHCP Server page. Those instructions were for John's fork which is what I use, Merlin's firmware may be different.

EDIT: Might as well post screen shots of the DNSFilter and WAN DNS settings.

 

[josh3003]

Can you post a screen shot of your LAN - DHCP Server page. Those instructions were for John's fork which is what I use, Merlin's firmware may be different.

EDIT: Might as well post screen shots of the DNSFilter and WAN DNS settings.

 

[dave14305]

Those instructions were for John's fork which is what I use, Merlin's firmware may be different.

The possibly relevant difference between the fork and Merlin is that Merlin uses no-resolv and servers-file in dnsmasq.conf. The fork uses resolv-file, if memory serves. Behavior might be different.

 

[ColinTaylor]

You don't have the router's DHCP server enabled.

 

[dave14305]

View attachment 27576

Assuming you enable the DHCP server, are you intentionally using a 192 second lease time for testing, or did you assume it was a different unit of time besides seconds (86400 is the default)? Or did you start typing an IP address in there by accident?

 

[josh3003]

DHCP server enabled.

Correct, was using PiHole as DHCP. That's why I asked did it matter if it was on the router or not.

Assuming you enable the DHCP server, are you intentionally using a 192 second lease time for testing, or did you assume it was a different unit of time besides seconds?

OMG, maybe that was causing me to drop out yesterday when I had that enabled. I was using 192 on pihole as it was in hours. Forgot about the router being in seconds..
It was at a much higher number yesterday I did change that though thinking it was in hours it was 87,000 i think or something like that.
EDIT: There you go it would've been 86400. ahaha no I didn't start typing an IP address it was supposed to be 8 days being 192 hours complete coincidence!!

 

[ColinTaylor]

Correct, was using PiHole as DHCP. That's why I asked did it matter if it was on the router or not.

and I said it did matter because you have to use the router's DHCP server. EDIT: Maybe I wasn't explicit enough in saying these instructions won't work if you're using the Pi as a DHCP server.

 

[josh3003]

and I said it did matter because you have to use the router's DHCP server.

Alright, I'll make the changes later today. Though I did try switching them last night and rebooting both devices to ensure DHCP kicked over, didn't make a difference. But I'll make sure I got the static entries in correctly to match my DHCP on PiHole and enable it on the router as I guess it's probs best to have it on the router anyways.

Does everything else look fine? Only other thing I can see is default gateway and domain name but I think they've been blank since day dot.

 

[ColinTaylor]

Does everything else look fine? Only other thing I can see is default gateway and domain name but I think they've been blank since day dot.

Looks OK. But as Dave said there are differences in Merlin's firmware that might be an issue.

After you've made the changes reboot one of your clients and check what DNS servers it has picked up from DHCP. It should have both 192.168.1.146 and 192.168.1.1, in that order.

@dave14305 Do you know where the server-file is and what it usually contains?

 

[dave14305]

Do you know where the server-file is and what it usually contains?

It will contain WAN DNS 1 and 2:

# grep servers-file /etc/dnsmasq.conf
servers-file=/tmp/resolv.dnsmasq
# cat /tmp/resolv.dnsmasq
server=9.9.9.11
server=149.112.112.11