Asus RT-AC68U Merlin DNSFilter + 2 PiHole's?

[ColinTaylor]

Now it is a matter of finding how to get OVPN traffic to also send add-mac and add-subnet and respect the dnsmasq flags.

It's not a matter of "respecting" the dnsmasqs flag. As I said above, when you're using conditional routing for the VPN clients and a dedicated VPN DNS server it doesn't use dnsmasq at all. The only scenario where this worked in the past (with policy routing) was a special case where ALL LAN clients were being directed through the tunnel. For this to work with selective VPN clients you would need to run a separate instance of dnsmasq just for the VPN tunnel.

 

[gspannu]

It's not a matter of "respecting" the dnsmasqs flag. As I said above, when you're using conditional routing for the VPN clients and a dedicated VPN DNS server it doesn't use dnsmasq at all. The only scenario where this worked in the past (with policy routing) was a special case where ALL LAN clients were being directed through the tunnel. For this to work with selective VPN clients you would need to run a separate instance of dnsmasq just for the VPN tunnel.

Understood.

Is there any guide or some links or reading material (or if you can assist) in getting a separate instance of dnsmasq on an Asus RT-AX88U router for VPN Client 1?

Thanks...

 

[ColinTaylor]

Understood.

Is there any guide or some links or reading material (or if you can assist) in getting a separate instance of dnsmasq on an Asus RT-AX88U router for VPN Client 1?

Thanks...

Sorry, no idea if that's feasible. All I can suggest is you use the search function to see if any other forums members have done this. Good luck.

 

[SomeWhereOverTheRainBow]

Update:
2 reasons cannot do that.

1) The DNS server (is a private address) and is only accessible once the OVPN is connected.
2) Even if I made PiHole accessible as a public resolver [which I do not want to do] and put up the address as the WAN server; this means that other devices that are not supposed to go through the VPN tunnel will also be using this DNS address and will also then use PiHole blocking. <These are the very clients that I do not want to be blocked, hence they are not routed through the VPN>

I can confirm though that by setting the WAN DNS to public PiHole server address; I am able to see the clients IP addresses & MAC addresses. So it does prove that my setup (at the router and PiHole end) is working.​

Now it is a matter of finding how to get OVPN traffic to also send add-mac and add-subnet and respect the dnsmasq flags.

You can use it in the wan, using the strict-order option. When the VPN is down wan will use a secondary dns server that you specify such as 1.1.1.1 or whatever. When all traffic is routed to vpn, the pihole will be the used server.

 

[gspannu]

You can use it in the wan, using the strict-order option. When the VPN is down wan will use a secondary dns server that you specify such as 1.1.1.1 or whatever. When all traffic is routed to vpn, the pihole will be the used server.

Thanks…
But how do I prevent certain clients (the ones I want to exclude from the VPN) from using this WAN DNS (i.e. the PiHole server)?
Is there any way to exclude certain clients from using this WAN DNS and have them use the standard ISP provided WAN DNS instead?

 

[SomeWhereOverTheRainBow]

Thanks…
But how do I prevent certain clients (the ones I want to exclude from the VPN) from using this WAN DNS (i.e. the PiHole server)?
Is there any way to exclude certain clients from using this WAN DNS and have them use the standard ISP provided WAN DNS instead?

With strict order, the clients that are not using the VPN should use the wan dns that is not pihole, because the client will switch to using the other dns once it realizes it cannot use the VPN dns. You may have to play with it and test it out to figure out which spot i.e. wan dns 1 or wan dns 2, to use as the pihole dns and which one to put the regular dns server. It behaves differently on merlin firmware versus johns fork. You also need to make sure strict order is use within dnsmasq.conf.

 

[josh3003]

Sorry for resurrecting this thread but am running a cloud instance pihole thinking is it possible to get the Mac address from it to add to the dnsfilter on my router to allow it through? It'd be good to have my local Pi's and then one in the cloud as a backup incase it goes down but not sure how it'd be implemented with the current method of using dnsfilter. I enjoy that it forces all requests through the pihole and pesky google devices can't reroute traffic. Or has the config or best practice changed since this thread was made and is there now a better way to implement this? Cheers again and bit of a long time no see!

 

[SomeWhereOverTheRainBow]

Sorry for resurrecting this thread but am running a cloud instance pihole thinking is it possible to get the Mac address from it to add to the dnsfilter on my router to allow it through? It'd be good to have my local Pi's and then one in the cloud as a backup incase it goes down but not sure how it'd be implemented with the current method of using dnsfilter. I enjoy that it forces all requests through the pihole and pesky google devices can't reroute traffic. Or has the config or best practice changed since this thread was made and is there now a better way to implement this? Cheers again and bit of a long time no see!

Highly unlikely unless your cloud services reside within one hop of your router.

 

[josh3003]

Is it possible to still force the traffic through the pihole on local network/cloud without using dnsfilter and using iptables?

 

[josh3003]

I would like to use my high availability IP for my local piholes and my cloud pihole for redundancy if required. Is there a way to use both and force redirect the traffic without dnsfilter? E.g. for pesky devices with hard coded DNS like a Chromecast etc. It's been a while lol.

 

[josh3003]

So just to clarify, not really anyway to force redirect network requests to a cloud hosted rpi service with a public IP address? Is there any workaround if I used 1 local pihole and 1 public pihole and disabled dnsfilter to retain force redirection perhaps through iptables or anything like that? If its too much I'll just keep my current setup.