Pi-Hole with multiple Subnets (solved)

It needs to be stated at the outset that subnetting your network does not provide much in the way of additional security: any device can simply change its netmask and talk directly to any other device on the same network segment.

However, having said that, it is convenient for applying different firewall rules and shaping bandwidth for different collections of devices.

What is a subnet and why would I want more than one?

A LAN segment is essentially a piece of wire with all computers connected to it. They can all "talk" to each other (a single subnet - which is most likely your home setup).

When the network is "subnetted", computers are grouped so that they can only "talk" to other computers in the same group or subnet, even though they are all connected physically in the same way.

It is possible to go crazy....

Getting PiHole and the underlying DNSMASQ to play nicely

Initial attempts to get PiHole's dnsmasq to play nicely were met with "No network range available" messages. After considerable searching it turned out nobody really knew the answer to this, so here are the electricbrain findings which solved the problem.

The first thing that became apparent was that the default logging settings are not helpful in this scenario. The solution there came from this post on the PiHole message board: the key is to disable the default setting and enable DHCP logging (see the additional settings listing below).

The second thing, which really is the crux of the matter, is that dnsmasq won't consider a subnet range available for allocation unless it reckons PiHole is connected to the ethernet adaptor in question. To get PiHole's dnsmasq to consider itself connected to a new subnet, the "shared-network" clause must be invoked. Only after reading the dnsmasq "man page" in detail did this become clear.

While dnsmasq itself is a wonderful piece of software, it is somewhat let down by the documentation. Pretty much the only doc is that man page, and it does explain all - provided you're a network engineer.

The essential concepts needed to subnet your network using PiHole are the notion of dnsmasq's "tags" and how it threads configuration lines together into groups based on the said tags. Once you've mastered that the only real piece left is the above mentioned shared-network configuration setting.

###############################################################################
#  DHCP SERVER CONFIG FILE additional settings go here. PiHole doesn't manage #
#            these settings.                                                  #
###############################################################################
log-dhcp
shared-network=192.168.0.254,192.168.1.0
tag-if=set:work,tag:known
tag-if=set:home,tag:!known
dhcp-range=tag:work,192.168.0.1,static,255.255.255.0,192.168.0.255,1h
dhcp-range=tag:home,192.168.1.129,192.168.1.253,255.255.255.0,192.168.1.255,1h
dhcp-option=tag:work,option:dns-server,192.168.0.254
dhcp-option=tag:home,option:dns-server,192.168.1.254
dhcp-option=tag:work,option:router,192.168.0.254
dhcp-option=tag:home,option:router,192.168.1.254
dhcp-option=tag:work,option:ntp-server,192.168.0.254
dhcp-option=tag:home,option:ntp-server,192.168.1.254

This being the first attempt at segregating groups of machines, the division is essentially between work machines and home machines and their associated devices. The objective is to get stuff like sound bars and Apple TV and such like into their own subnet. Work machines all have their MAC addresses assigned to static leases; dnsmasq magically tags these with "known". [update: Over time two additional subnets have grown up. These are the visitor's subnet and the MQTT gadgets subnet (lights, switches, power measurement and so on)].

For the time being all the "unknown" MACs are declared to be home devices. Dnsmasq provides some simple tagging functionality that allows some basic boolean logic.
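To make the tag threading and the shared-network point concrete, here is a small added example (my own code, not part of the original post or of dnsmasq) that reads a constructed copy of the listing above, works out which tags a client ends up with, which dhcp-range and dhcp-option lines those tags select, and which ranges dnsmasq would refuse because neither the interface address nor a shared-network address falls inside them. The interface address 192.168.0.254/24 is assumed from the listing; the router and ntp option lines are omitted from the copy as they follow the same tag rule.

```python
import ipaddress
# Constructed copy of the additional-settings file shown above (router/ntp lines omitted); not read from disk.
CONFIG = """
log-dhcp
shared-network=192.168.0.254,192.168.1.0
tag-if=set:work,tag:known
tag-if=set:home,tag:!known
dhcp-range=tag:work,192.168.0.1,static,255.255.255.0,192.168.0.255,1h
dhcp-range=tag:home,192.168.1.129,192.168.1.253,255.255.255.0,192.168.1.255,1h
dhcp-option=tag:work,option:dns-server,192.168.0.254
dhcp-option=tag:home,option:dns-server,192.168.1.254
"""

def parse(config):
    """Group key=value lines by key, skipping blanks and # comments."""
    opts = {}
    for line in config.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            opts.setdefault(key, []).append(value)
    return opts

def resolve_tags(opts, base_tags):
    """Apply tag-if rules in file order: set:X fires when every tag:Y / tag:!Y condition holds."""
    tags = set(base_tags)
    for rule in opts.get("tag-if", []):
        parts = rule.split(",")
        conds = [p[4:] for p in parts if p.startswith("tag:")]
        if all((c[1:] not in tags) if c.startswith("!") else (c in tags) for c in conds):
            tags |= {p[4:] for p in parts if p.startswith("set:")}
    return tags

def lines_for(opts, key, tags):
    """dhcp-range / dhcp-option lines whose leading tag: filters the client's tag set satisfies."""
    return [v for v in opts.get(key, [])
            if all(p[4:] in tags for p in v.split(",") if p.startswith("tag:"))]

def range_network(spec):
    """Network a dhcp-range serves, from its start address and netmask (covers both forms above)."""
    fields = [p for p in spec.split(",") if not p.startswith("tag:")]
    return ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False)

def unreachable_ranges(opts, iface):
    """Ranges dnsmasq rejects ('No network range available'): no interface or shared-network address inside."""
    iface = ipaddress.ip_interface(iface)
    attached = [iface.ip] + [ipaddress.ip_address(e.partition(",")[2]) for e in opts.get("shared-network", [])
                             if e.partition(",")[0] == str(iface.ip)]
    return [r for r in opts.get("dhcp-range", []) if not any(a in range_network(r) for a in attached)]
```

Deleting the shared-network line from CONFIG and calling unreachable_ranges again reproduces the situation described above: the 192.168.1.0/24 "home" range is the one dnsmasq will not hand out.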

From the GUI, the IP allocation range was set to be a single IP on the 192.168.1.0 subnet, since that range goes more or less unused. Since dnsmasq allows as many subnets as desired, the actual subnet ranges are set in the 11-additional-dnchp.conf file.

Clearly there's lots of stuff not mentioned here, like how to alias the network adaptor to listen on two subnets, how to set up firewalld zones and attach the address ranges to those zones, etc. etc., but if you're reading this then you're most likely pretty adept at that sort of stuff anyway.

The advice from the above mentioned post about testing and watching the logs definitely needs to be followed.