How to Use Pi-hole DNS with VLANs

Configure the OPNsense firewall settings for multiple VLANs using the Pi-hole service

Setting up the Pi-hole DNS service is relatively straightforward on your home network. When you have VLANs configured, the setup is slightly more complicated. The issue is that you need to ensure that all of your VLANs have access to the Pi-hole server which is located on a different network (ideally, it should probably be located in your management VLAN to protect it from being accessed by your other network devices).

To fully control your DNS settings for your devices, you will need to only allow access to your local DNS server and block any external DNS servers. This prevents users or devices from setting and using other external DNS servers therefore bypassing your Pi-hole DNS blocking.

Some devices (such as Chromecast perhaps) have DNS servers hardcoded into them and will bypass your local DNS server if you do not block external DNS. You will probably have to forward those DNS requests to your local DNS since you cannot change the hardcoded DNS servers.

Go to Firewall > Rules > [Name of VLAN] where “Name of VLAN” is the VLAN in which needs access to the Pi-hole server (any VLAN that is not the same network where your Pi-hole server is located). Click the “Add” button to add a new rule. Use the following settings:

Option Value
Action Pass
Protocol TCP/UDP
Source any
Source Port any
Destination Pi-hole server IP address
Destination Port 53 (DNS)
Description Allow internal DNS

Note in my example in the image below, I make use of an alias for my Pi-hole server address so that I do not have to enter the IP address for every VLAN firewall rule. It also allows me to change it once and have it apply everywhere the alias is used.

Add another rule below the above rule with these settings:

Option Value
Action Block
Protocol TCP/UDP
Source any
Source Port any
Destination any
Destination Port 53 (DNS)
Description Block external DNS

Your rules should look like the following:


Remember that rules are executed top to bottom so the first rule that is triggered by the particular condition specified by the rule is what is applied. The rest of the rules are ignored after that point. So any DNS traffic that is allowed (the DNS traffic to the Pi-hole server) will trigger the first rule but not the second rule or any of the other rules. Any condition that is not met gets checked by the next rule until it reaches the bottom of the list of rules. Once it reaches to the bottom, it defaults to block the traffic.

If you do not specify any rules in your interface (physical or VLAN), all traffic is blocked by default. Therefore it may be useful to think of all the conditions you wish to allow and not just the data that you want to block. You most likely will create a combination of allow rules followed by block rules because you will allow the specific condition to pass but block all other conditions. Start with the most specific conditions and work your way to the least specific conditions at the bottom of the list.

If you find it a little difficult to wrap your mind around creating firewall rules, you are in good company. It took me a while to learn the basics of writing firewall rules. Even though I knew pretty much what I wanted to allow or deny, I had to learn how to actually express it in the firewall software. I am still learning too!