Guest Network Pro Pi Hole

[gp-se]

Hey everyone, I have an issue with DNS resolution that I'm looking for help with. I have a RT-AX88U Pro using Guest Network Pro and a raspberry pi4 running Pi-Hole. The devices on my LAN can connect to the Pi-Hole without issue, however devices on my guest network (VLAN) cannot. In the guest network pro settings I put the ip address of the Pi-Hole in the DNS settings (just like with LAN settings), but the devices cannot connect to it.

When I connect my laptop on the guest network I cannot ping the Pi-Hole, so I assume there is a firewall setting on the router I need to change to allow DNS traffic to the Pi-Hole through the VLAN?

 

[bennor]

Are you using stock Asus firmware or Asus-Merlin 3006 beta?
If you have the Guest Network Pro Profile option Use same subnet as main network set to disabled, you generally won't be able to have Guest Network Pro Profile clients access a Pi-Hole on the main LAN. Depending on which Guest Network Pro Profile you are using you might be able to enable the Access Intranet option and see if that fixes the issue. Or you can reconfigure (or delete and create a new) the Guest Network Pro Profile option Use same subnet as main network to enabled.

If using the Asus-Merlin 3006 Beta firmware you can set the Guest Network Pro Profile to use the Pi-Hole (for example set in the User Defined DNS 1 field) under the Asus-Merlin DNS Director setting while having Use same subnet as main network set to disabled.

 

[bbunge]

There is a way to do what you want with the Asus firmware.
When you set up the RPI, use a wired, Ethernet, connection for your main LAN and set the WIFI to use your guest WIFI. In the RPI do an ifconfig to get the IP address assigned by the guest WIFI. Don't worry that the WIFI is not a static IP address as once assigned the IP address almost never changes. In future releases of firmware it is expected that you will be able to manually assign addresses in Guest Network Pro. You can and should assign a static IP address to the RPI Ethernet connection.
In the Pi-Hole, Settings/DNS Settings check Permit all origins in the Interface Settings. In Settings/All settings/dns.interface add eth0 wlan0
In the Asus router settings - Guest Network Pro/Network/DNS Server click assign, Manual Setting and enter the IP address of the RPI WIFI address.

 

[gp-se]

I am using the latest stock firmware. I rather not use WiFi even for the guest network because of latency. If I use "Use same subnet as main network" would that mean devices on my guest network can communicate with devices on the main network, defeating the purpose of guest network?

 

[bennor]

I am using the latest stock firmware. I rather not use WiFi even for the guest network because of latency.

The topic of latency when using WiFi has been done to death in the Pi-Hole discussion forums elsewhere (both on Reddit's Pi-Hole subreddit, and Pi-Hole's Discourse server). Everyone has their views on it. Some have no issue due, others claim it's an issue. Where using WiFi can be an issue is if your WiFi network/environment is already saturated. Personally I have Pi-Hole running on a Pi Zero W connected to the router via WiFi, it works (YMMV and all that).

If you really don't want to use WiFi on the Raspberry Pi then consider getting a USB to Ethernet adapter (can be had for $10 USD on Amazon or similar) and run a second Ethernet adapter on the Pi. When the second adapter is connected to the router you could configure the LAN > VLAN section to combine the second adapter with the Guest Network Pro VLAN. Using the Pi-Hole's DNS Permit All Origins setting that bbunge mentioned above it should work to allow the Pi-Hole to serve the main LAN at the same time it serves the VLAN clients. Just a thought on another possible way to handle it, if you want Use same subnet as main network disabled in the Guest Network Pro Profile.

 

[bbunge]

The object of a guest network is to isolate clients from the main network. Using the same subnet as the main defeats the isolation. Who cares about latency in an IoT or kids network. Security is or should be the main concern!

Another way to use the Ethernet connection for the main and guest would be to add a virtual interface to eth0 and VLAN tag the virtual port. This will work but can get complicated.

Simple is best! Try the Ethernet and WIFI suggestion I made. It does work but make sure to restart the RPI after making changes.