What’s about if I have unbound on pihole, so I want to make my pihole be the DNS server in the whole network?
So the clients connect to ipfire and have ipfire as DNS (blue, green) → ipfire has pihole (red) as DNS. Does it makes sense?
Firewall rule: ipfire-red to pihole (red) for 53 (tcp / udp)
The thing is, I have no free ports for DMZ, so I think, the only good solution is to have pihole in the red network (just connected to the provider router).
If I understand what you are asking:
clients – (green) → IPFire – (red) → PiHole → Internet
PiHole is not the most secure device. The IPFire is much more secure since it is a hardened firewall.
So I would not configure things this way. And I would strongly recommend not to have PiHole connected to red (the Internet).
This is what I have:
Client (DNS) → PiHole (DNS) → IPFire (DNS) → to external DNS Server
See this post:
EDIT:
And this is what I did to connect GREEN and BLUE to PiHole.
Hey and thanks!
It’s about, what @trash-trash wrote:
“The right use of Pi-hole, were at eth red side, to resolve IPFire outgoing DNS requests, same idea as if you are using an external DNS service …
So you will be then able to use the benefits of both, of IPFire and of Pi-hole .
Make sure that clients be forced to use IPFire as the DNS and there the Proxy in none transparent too .”
So my network is like this:
Clients (DNS IPFire, with blocking rules for DNS requests to red) → IPFire (DNS PiHole) → PiHole (DNS unbound + hyperlocal / forgot to mention it!) and Router in red network → Internet
So PiHole does not guide the whole traffic through, but the DNS-Requests of the IPFire and has unbound and hyperlocal running.
Bad, bad, bad… Just be careful! If I understand what you are setting up, your PiHole device is NOT protected from the internet by a firewall.
it’s not secured by ipfire, just by the standard router firewall (surely not so good). So it’s not just in the open wide internet.
Maby I can get the old nanobox working. How could I set up the network with the second ipfire for the pihole? Does it make sense?