Unifi Network - Setup VLANs including IoT and access to Pi-hole (2024)


Here I describe which networks/VLANs and WiFi networks I created, how I configured the firewall, and the rule that lets devices in other VLANs (such as the CLIENT-VLAN and IOT-VLAN) use the Pi-hole that lives in the SERVER-VLAN.

I replaced my old Unifi Security Gateway (USG) with a Unifi Dream Machine Pro (UDM-Pro) and chose to build everything from scratch rather than migrate the settings. So everything starts at its default value and I make the necessary adjustments from there. The setup below is based on the newest user interface (v7).

I have created the following networks:

  • LAN (the default network, renamed to LAN) - very trusted - contains all network equipment
  • SERVER-VLAN - very trusted - contains servers and a NAS
  • CLIENT-VLAN - trusted - contains clients like desktops, laptops, tablets and phones
  • IOT-VLAN - not trusted - contains smart (home) devices and media players
  • GUEST-VLAN - not trusted - contains untrusted clients, including devices from work

Make sure the device you use to configure your Unifi Network stays in LAN until you have finished configuring the firewall (see the bottom of this note).

Setup Network

First I decided which VLAN ID each VLAN gets. For the IOT-VLAN I use VLAN ID 20, and I reuse that number as the third octet of the subnet, so the Gateway IP/Subnet becomes 192.168.20.1/24. That way you can tell from an IP address which VLAN a device is in.

[Screenshot 1]

Perform the following steps to create the IOT-VLAN:

  1. Go to Settings and Networks
  2. Click Create New Network:
    • Network Name: IOT-VLAN
    • Uncheck Auto-Scale Network and change the Host Address to 192.168.20.1
      Advanced Configuration
    • Click Manual - everything is set by default except what I described below
    • VLAN ID: 20
    • Multicast DNS: please read Unifi Network - Setup Chromecast between VLANs for more information
      DHCP
    • DHCP Range Start: 192.168.20.150
    • DHCP Range Stop: 192.168.20.254

    I chose a DHCP range of .150 to .254, which leaves .2 to .149 free for fixed (static) addresses.

    • Expand the options after DHCP Service Management (the Show/Hide options toggle)
      • I enabled DHCP DNS Server and entered the IP address of my Pi-hole. Enter only the Pi-hole address(es) here: a client uses whichever resolver it is handed, so listing the gateway or a public resolver as a fallback lets queries bypass the Pi-hole
    • Domain Name: home.arpa

      home.arpa is the special-use domain that RFC 8375 reserves for residential networks. Names under it are meant to be resolved locally; queries that leak to the public DNS are answered by IANA's blackhole servers, so they never resolve to a real host.

  3. Click Add Network

Repeat the above steps for every other VLAN.

I configured the GUEST-VLAN the same way, so Network Type Standard rather than Guest Network. I wanted to keep it as simple as possible for now, but you can also use the guest portal and hotspot system.

Port Management

Now that the networks/VLANs exist, we can set the switch port profiles to the correct network. This puts wired devices in the correct VLAN so that they, for example, receive the correct IP address.

Do not change the port profile of ports connected to the gateway, other switches or access points; leave those set to All so that all tagged VLANs pass through to those devices.

Wireless devices get the corresponding WiFi networks in the next part.

  1. Go to Unifi Devices and click the switch (or any other device with ports such as the UDM)
  2. Go to tab Ports and click Port Management
  3. Now you can select the ports of which you want to change the port profile:

[Screenshot 2]

In the screenshot I selected port 8 and changed the following:
- Name: P1Reader - this is the name of the IoT device
- Port Profile: IOT-VLAN
- PoE: Personally, I turn off PoE if the device does not need power

[Screenshot 3]

Now click Apply Changes

Repeat this for every port whose port profile needs to change.
You can check the result per device as follows:

  1. Go to Client Devices
  2. In my case I see the P1Reader within the IOT-VLAN network and with the correct IP address:

[Screenshot 4]

Optionally you can click on the device and go to Settings and give it a fixed IP address (which I did in this example).

Setup WiFi

To ensure that wireless devices connect to the correct network, I have created three WiFi networks:

  • WiFi-Client
  • WiFi-IoT
  • WiFi-Guest
  1. Go to Settings and WiFi
  2. Click Create New WiFi Network:
    • Name: for example WiFi-IoT
    • Network: for example IOT-VLAN - or link WiFi-Client to CLIENT-VLAN and WiFi-Guest to GUEST-VLAN
      Advanced Configuration
      • Click Manual - everything is set by default except what I described below
      • Bandwidth Profile: Default - for the WiFi-Guest network I have created a guest profile that limits the bandwidth slightly
      • Multicast Management: please read Unifi Network - Setup Chromecast between VLANs for more information
      • Client Device Isolation: I have enabled this only for the WiFi-Guest network
        Security
      • Security Protocol: I use WPA2 only where backwards compatibility requires it: WPA2 for WiFi-IoT (many IoT devices cannot do WPA3) and WPA2/WPA3 for WiFi-Guest and WiFi-Client. At some point I will switch completely to WPA3
      • Group Rekey Interval: enabled, 3600 seconds, so the group key is rotated every hour
        Device Filtering
      • MAC Address Filter: I enabled the filter for WiFi-Client and WiFi-IoT

        Personally, I think it is good to consciously grant access to specific devices, so I keep a list of the MAC addresses I allow. Note that this is an allow-list of known devices, not authentication: MAC addresses are sent in the clear and are easy to spoof, so the WPA passphrase remains the real access control. About hiding the WiFi name: a hidden SSID is still sent in probe requests and responses, so it does not add security; whether to hide it remains a personal choice

  3. Finally click Add WiFi Network

Repeat the above steps for any other WiFi network.

Setup Firewall

There are a number of devices, mainly IoT devices, that I want to block from reaching the Internet; that is described further in this note.

To make the VLANs work properly, the first rule I created allows established/related sessions, so replies to connections that were permitted pass. The next rule drops all remaining traffic between the private (RFC1918) networks, which disables inter-VLAN routing. Ubiquiti also describes disabling inter-VLAN routing here.

You can also choose to use Traffic Management to configure the firewall. Personally, I have made the choice to create firewall rules myself.

First create the IP Group needed for disabling inter-VLAN routing:

  1. Go to Settings and Profiles
  2. Scroll down to Port and IP Groups and click Create New Group:
    • Profile Name: RFC1918
    • Type: IPv4 Address/Subnet
    • Address: add 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (the three private ranges defined in RFC 1918)
  3. Click Apply Changes

[Screenshot 5]

You can now use this group when creating the firewall rule.

Go to Settings and Firewall & Security and scroll down to Firewall Rules:

Rule allow established/related sessions

  1. Click Create New Rule:
    • Type: LAN In
    • Description: allow established/related sessions
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: All
      Advanced
      • Click Manual
      • States: check Match State Established and Match State Related
  2. Click Apply Changes

Rule drop traffic between vlans

  1. Click Create New Rule:
    • Type: LAN In
    • Description: drop traffic between vlans
    • Rule Applied: Before Predefined Rules
    • Action: Drop
    • IPv4 Protocol: All
      Source
      • Source Type: Port/IP Group
      • Ipv4 Address Group: RFC1918
        Destination
      • Destination Type: Port/IP Group
      • Ipv4 Address Group: RFC1918
  2. Click Apply Changes

Now all VLANs/networks are separated from each other.

The rules below make the following possible:

  • All VLANs have access to the Pi-hole DNS
  • LAN has access to all other networks
  • CLIENT-VLAN has access to LAN (or only allow individual devices from the CLIENT-VLAN to manage LAN)
  • CLIENT-VLAN has access to SERVER-VLAN
  • CLIENT-VLAN has access to IOT-VLAN
  • Some IOT-VLAN devices have access to SERVER-VLAN

This seems to me a good basis to start with. The next step could be to refine access between the VLANs in more detail, for example limiting the subnet-to-subnet rules to specific hosts and ports instead of all protocols.

Rule allow dns from vlans

  1. Click Create New Rule:
    • Type: LAN In
    • Description: allow dns from vlans
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: TCP and UDP (DNS uses both; the port match below only applies to TCP/UDP traffic)
      Source
      • Source Type: Port/IP Group
      • Ipv4 Address Group: RFC1918
        Destination
      • Destination Type: Port/IP Group
      • Ipv4 Address Group: create a new IP Group and add the IP address of your Pi-hole(s)
      • Port Group: create a new Port Group and add port 53
  2. Click Apply Changes

Rule allow lan to all vlans

  1. Click Create New Rule:
    • Type: LAN In
    • Description: allow lan to all vlans
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: All
      Source
      • Source Type: Network
      • Network: LAN
      • Network Type: Ipv4 Subnet
        Destination
      • Destination Type: Port/IP Group
      • Ipv4 Address Group: RFC1918
  2. Click Apply Changes

Rule allow clients to lan

  1. Click Create New Rule:
    • Type: LAN In
    • Description: allow clients to lan
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: All
      Source
      • Source Type: Network
      • Network: CLIENT-VLAN
      • Network Type: Ipv4 Subnet
        Destination
      • Destination Type: Network
      • Network: LAN
      • Network Type: Ipv4 Subnet
  2. Click Apply Changes

Rule allow clients to servers

  1. Click Create New Rule:
    • Type: LAN In
    • Description: allow clients to servers
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: All
      Source
      • Source Type: Network
      • Network: CLIENT-VLAN
      • Network Type: Ipv4 Subnet
        Destination
      • Destination Type: Network
      • Network: SERVER-VLAN
      • Network Type: Ipv4 Subnet
  2. Click Apply Changes

Rule allow clients to iot

  1. Click Create New Rule:
    • Type: LAN In
    • Description: allow clients to iot
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: All
      Source
      • Source Type: Network
      • Network: CLIENT-VLAN
      • Network Type: Ipv4 Subnet
        Destination
      • Destination Type: Network
      • Network: IOT-VLAN
      • Network Type: Ipv4 Subnet
  2. Click Apply Changes

Rule allow some iot to servers

  1. Click Create New Rule:
    • Type: LAN In
    • Description: allow some iot to servers
    • Rule Applied: Before Predefined Rules
    • Action: Accept
    • IPv4 Protocol: All
      Source
      • Source Type: Port/IP Group
      • Ipv4 Address Group: create a new IP Group and add the IP address of some IoT device(s)
        Destination
      • Destination Type: Port/IP Group
      • Ipv4 Address Group: create a new IP Group and add the IP address of some server(s)
  2. Click Apply Changes

The firewall rules then look like this. Rules are evaluated top to bottom and the first match wins, and a newly created rule is appended below the existing ones, so make sure the accept rules sit above drop traffic between vlans (drag them into place in the list). A number of things are accepted first and everything else between the private networks is dropped:

[Screenshot 6]
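To see why the order of the rules above matters, here is an added example (my own code, not UniFi's) that models the LAN In chain as a first-match list and runs a few constructed flows through it in both orders. Only the IOT-VLAN subnet 192.168.20.0/24 and the RFC1918 group come from the note; the other subnets, the Pi-hole address 192.168.10.53, the P1Reader and server addresses and the sample flows are assumptions made up for the demo.

```python
"""Simulate the UniFi 'LAN In' rule chain from this note, first match wins.

Added example, not UniFi code: packets and rules are simplified, and every
address except the IOT-VLAN subnet and the RFC1918 group is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
LAN = ip_network("192.168.1.0/24")      # assumed: UniFi's default network
SERVER = ip_network("192.168.10.0/24")  # assumed
IOT = ip_network("192.168.20.0/24")     # from the note (VLAN ID 20)
CLIENT = ip_network("192.168.30.0/24")  # assumed; GUEST is assumed to be 192.168.40.0/24
PIHOLE = "192.168.10.53"                # assumed Pi-hole address in SERVER-VLAN
P1READER = "192.168.20.10"              # assumed fixed IP of the IoT device allowed to a server
HOME_SERVER = "192.168.10.20"           # assumed server that device may reach


def host(ip):
    """A single address as a /32, like a one-entry IP group."""
    return ip_network(f"{ip}/32")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"   # "tcp", "udp" or "icmp"
    dport: int = 0
    state: str = "new"   # "new", "established" or "related"


@dataclass
class Rule:
    name: str
    action: str          # "accept" or "drop"
    src: tuple = ()      # networks; empty means any source
    dst: tuple = ()      # networks; empty means any destination
    protos: tuple = ()   # empty means protocol "All"
    dports: tuple = ()   # empty means any destination port
    states: tuple = ("new", "established", "related")

    def matches(self, p: Packet) -> bool:
        s, d = ip_address(p.src), ip_address(p.dst)
        return ((not self.src or any(s in n for n in self.src))
                and (not self.dst or any(d in n for n in self.dst))
                and (not self.protos or p.proto in self.protos)
                and (not self.dports or p.dport in self.dports)
                and p.state in self.states)


def evaluate(rules, packet):
    """First matching rule decides. If nothing matches, the predefined LAN In
    rules apply, which accept inter-VLAN traffic by default."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return "accept", "predefined rules"


def rule_sets():
    """The note's rules in two orders: as created (each new rule is appended,
    so the drop ends up above the later accepts) and with the accept rules
    dragged above the drop rule."""
    established = Rule("allow established/related sessions", "accept",
                       states=("established", "related"))
    drop = Rule("drop traffic between vlans", "drop", src=RFC1918, dst=RFC1918)
    accepts = [
        Rule("allow dns from vlans", "accept", src=RFC1918, dst=(host(PIHOLE),),
             protos=("tcp", "udp"), dports=(53,)),
        Rule("allow lan to all vlans", "accept", src=(LAN,), dst=RFC1918),
        Rule("allow clients to lan", "accept", src=(CLIENT,), dst=(LAN,)),
        Rule("allow clients to servers", "accept", src=(CLIENT,), dst=(SERVER,)),
        Rule("allow clients to iot", "accept", src=(CLIENT,), dst=(IOT,)),
        Rule("allow some iot to servers", "accept", src=(host(P1READER),), dst=(host(HOME_SERVER),)),
    ]
    return {"as created": [established, drop] + accepts,
            "accepts above drop": [established] + accepts + [drop]}


# Constructed sample flows; the Internet address is from the TEST-NET-3 range.
SAMPLE = {
    "iot -> pi-hole dns": Packet("192.168.20.150", PIHOLE, "udp", 53),
    "iot -> server ssh": Packet("192.168.20.150", HOME_SERVER, "tcp", 22),
    "p1reader -> server": Packet(P1READER, HOME_SERVER, "tcp", 8080),
    "client -> iot http": Packet("192.168.30.50", "192.168.20.150", "tcp", 80),
    "iot -> client reply": Packet("192.168.20.150", "192.168.30.50", "tcp", 51000, "established"),
    "guest -> lan switch": Packet("192.168.40.7", "192.168.1.10", "tcp", 22),
    "iot -> internet https": Packet("192.168.20.150", "203.0.113.10", "tcp", 443),
}


def decisions(rules):
    """Map each sample flow to the action the rule chain takes on it."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for order, rules in rule_sets().items():
        print(f"\n{order}:")
        for name, pkt in SAMPLE.items():
            action, by = evaluate(rules, pkt)
            print(f"  {name:24} {action:6} ({by})")
```

In the "as created" order the drop rule sits above allow dns from vlans, so even the Pi-hole query from the IoT device is dropped and name resolution in that VLAN breaks; once the accepts are dragged above the drop, only the flows the note intends to allow get through, while the guest and IoT attempts at other private networks still hit the drop rule. Internet-bound traffic never matches the RFC1918 destination and falls through to the predefined accept in both orders.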

Testing

Test whether it works, for example by temporarily connecting your mobile phone to the IoT WiFi network. Check that it receives an address in 192.168.20.0/24, that names still resolve and the queries appear in the Pi-hole query log with the phone's IP address, and that a server in the SERVER-VLAN is not reachable. Keep in mind that an IoT device with a hard-coded public DNS server still bypasses the Pi-hole: the rules above only drop traffic between the private networks, not DNS to the Internet.
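As an added example (my own script, not part of the note), the check above can be automated from a laptop or phone on the IoT WiFi: it probes a handful of targets and compares the result with what the rules are supposed to allow. Apart from the 192.168.20.0/24 IoT subnet, every address is an assumption (Pi-hole 192.168.10.53, a server 192.168.10.20, a client 192.168.30.50, a switch 192.168.1.10, and 1.1.1.1:443 as an Internet reachability check).

```python
"""Verify the VLAN segmentation from a device that sits in the IOT-VLAN.

Added example, not part of the note. Expectations follow the note's rules;
all addresses are assumptions except the 192.168.20.0/24 subnet.
"""
import socket

# (name, (host, tcp port), should a device in IOT-VLAN be able to reach it?)
EXPECTED = (
    ("pi-hole dns", ("192.168.10.53", 53), True),    # allow dns from vlans
    ("server ssh", ("192.168.10.20", 22), False),    # drop traffic between vlans
    ("client smb", ("192.168.30.50", 445), False),   # drop traffic between vlans
    ("lan switch", ("192.168.1.10", 22), False),     # drop traffic between vlans
    ("internet", ("1.1.1.1", 443), True),            # not RFC1918, predefined accept
)


def tcp_reachable(target, timeout=2.0):
    """Live probe: True if a TCP handshake completes before the timeout.
    A dropped packet shows up as a timeout and a reachable-but-closed port
    as a reset; both return False, so a False result only proves a drop
    when you know the target is listening (confirm that from a VLAN that
    is allowed to reach it, e.g. the CLIENT-VLAN)."""
    try:
        with socket.create_connection(target, timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(expected=EXPECTED, probe=tcp_reachable):
    """Compare observed reachability with the policy. The probe is a
    parameter so the comparison can be exercised without a network."""
    results = {}
    for name, target, should_reach in expected:
        observed = probe(target)
        results[name] = {"expected": should_reach, "observed": observed,
                         "ok": observed == should_reach}
    return results


def violations(results):
    """Names of checks where the firewall did not behave as the policy says."""
    return [name for name, r in results.items() if not r["ok"]]


if __name__ == "__main__":
    res = run_checks()
    for name, r in res.items():
        print(f"{name:12} expected={r['expected']!s:5} observed={r['observed']!s:5} "
              f"{'OK' if r['ok'] else 'MISMATCH'}")
    raise SystemExit(1 if violations(res) else 0)
```

A mismatch on pi-hole dns alone is the signature of the ordering mistake (the drop rule above the DNS accept); mismatches on the server, client and switch rows mean inter-VLAN traffic is still being routed, for example because the drop rule was not created or the phone actually joined the wrong SSID.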
