Does Pi-Hole support vlan for my guest SSID (dedicated hardware)


#1

Can I install pihole on a vlan?

I always get a little fuzzy when I’m dealing with vlan’s, but I have a guest network on my Ubiquiti WAP. To create isolation the guest SSID is on it’s own vlan and my pfSense router is blocking access from that network to the internal network. I want to put all of the dangerous devices (yeah, like there are any NOT dangerous devices these days), kids phones, tablets, guests etc on the guest WAP.

So effectively I can’t use the pihole that I have on my network unless I start opening things which I don’t want to do. I’d like to just set up another pihole (I have a pile of RPi’s) and put it on that vlan. Does Raspbian or Diet Pi support vlan’s?

Thanks,

Roveer


#2

See if this will help:

https://www.raspberrypi.org/forums/viewtopic.php?t=136719

The Pi-hole would have to be set to listen on all interfaces in order to catch/filter the traffic originating from the VLAN IPs.

If not, the easiest way (to troubleshoot and maintain) would be to dedicate a raspberry for that VLAN IP range and used solely for that VLAN traffic.


#3

I very much want to dedicate a pi-hole to that vlan (in my case vlan11). So is it just a function of setting up the RPi to communicate on vlan11 and pi-hole will follow along? I’ve seen some other information (including the one in your post) about getting RPi on vlan. I guess that’s the way to go? Certainly something I can test before putting devices on the guest SSID.


#4

The switch/router should handle the vLAN frame tagging, everything coming out of the switchport should have it’s label removed and the Pi-hole will act like any other computer, it doesn’t know about the vLAN, you just assign it an IP within the range of the segment and let the switch/router handle inter-vLAN traffic.


#5

I have basically this exact setup. My router tags the frames with the vLAN label for the proper segment, the switch I have is 802.1q aware and will egress the packet out the correct switchport after removing the label. Ingress traffic to the switch gets a label applied to it and sends it up the trunk to the router. For inter-vLAN traffic I have set rules to apply/remove the proper tag and then route it out.

Or are you sending labeled frames out and having the client devices smart enough that they can handle the frames themselves?


#6

Depends if you like TAGGED or UNTAGGED traffic and which of the two the switch is using ?

In any case Linux can do both so it’s not really a Pi-Hole issue :wink: