
Only traffic meant for the Internet would be blocked. Your PiHole is in your local network so it’s not subject to the block, since its traffic wouldn’t be routed by the router.

I would have expected once you removed the PiHole from LAN DHCP DNS 1 that the PiHole queries would have stopped and everything would be sent to the router dnsmasq. Did the smart light DHCP renew to “forget” the PiHole IP it was given before?
 
My issue is that my Philips smart light device still sends DNS queries to the Pihole, despite me having set that device to "Block Internet Access" in Merlin.

On the Pihole I can see it sending requests every few seconds so it's basically filling my Pihole logs.
Would the following work, i.e. stop filling the Pi-hole logs?
Code:
ebtables -t broute -I BROUTING -p ipv4 --ip-src $SMART_LIGHT --ip-dst $PIHOLE -j DROP
 
With the above settings my smart lights don't seem to show up on the Pihole any longer. Also, even if I completely remove the smart light device from the DNSFilter page / remove the Custom 3 setting, the smart light queries are still not hitting Pihole at all. Great, but I don't understand why.

The side effect is that Pihole now shows all traffic is originating from the router, not the individual devices.
Since all DNS traffic now appears to be coming from the router IP, are you certain that the smart light traffic is not included? Are you checking which domain names the lights usually send?
Isn't the above change basically the same settings as in my initial post, just done in a different way? Basically same purpose: all devices set to use Pihole DNS, except one of them (smart lights). Just using the DNSFilter to create it, instead of having that IP in DNS LAN Server.
Pihole on the LAN makes DNSFilter harder to use since the router shouldn't normally see the Pihole traffic. Your original config handed out the Pihole IP as the DNS server for DHCP clients. They would go directly to the Pihole, bypassing the router. Your current config hands out the router IP as the DNS server by default and DNSFilter is rewriting those requests to re-route to the Pihole IP (an extra hop).

I don't know what you should do in the short-term, but I believe the next Merlin 384.14 release will allow you to specify a DNS server per DHCP client (a new feature of the ASUS firmware). That might allow you to achieve what you want without DNSFilter rules.
 
Could you briefly explain what it does?

Q1. Drop the traffic originating from the IP of the smart lights headed towards the Pihole's IP?

Q2. And it shouldn't interfere with its LAN functionality otherwise?

A1. Yes, but technically, 'ebtables -t broute' doesn't DROP the traffic it simply passes it up to the iptables rules for further explicit processing.

A2. Shouldn't do.

I have successfully used this technique for years using this

Code:
# Allow blocking of standard WiFi devices (non-Guest) from accessing LAN/WAN resources.
#
#     BlockWiFiClient   [help | -h] | [status [full] | {'from_ip' | 'cidr'[,...]} [['to_ip' | 'cidr'[,...] | lan | wan]] [accept] [del]
#                                     [ {'config_file'} [del] ]
#     BlockWiFiClient   10.88.8.155 10.88.8.197
#                       WiFi Client 10.88.8.155 will be BLOCKED from accessing 10.88.8.197
#     BlockWiFiClient   10.88.8.155 del
#                       All blocking rules for WiFi Client 10.88.8.155 will be deleted
#     BlockWiFiClient   10.88.8.155 lan
#                       WiFi Client 10.88.8.155 will be BLOCKED from accessing LAN (10.88.8.0/24)
#     BlockWiFiClient   10.88.8.155 wan
#                       WiFi Client 10.88.8.155 will be BLOCKED from accessing the (Internet) WAN
#     BlockWiFiClient   10.88.8.128/25 wan
#                       CIDR range 10.88.8.128-10.88.8.255 will be BLOCKED from accessing the (Internet) WAN
#     BlockWiFiClient   Nexus-7 DS-416
#                       WiFi Nexus-7 Client (10.88.8.155) will be BLOCKED from accessing DS-416 (NAS 10.88.8.197) - LAN or WiFi
#     BlockWiFiClient   Nexus-7 DS-416 accept
#                       WiFi Nexus-7 Client (10.88.8.155) ALL LAN access will be BLOCKED except for access to DS-416 (NAS 10.88.8.197)
#                            i.e. ALL previous BLOCK rules for this WiFi Client are deleted
#     BlockWiFiClient   Nexus-7 DS-416 accept del
#                       WiFi Nexus-7 Client (10.88.8.155) will be allowed access to DS-416 (NAS 10.88.8.197) unless the LAN BLOCK rule still exists.
#     BlockWiFiClient   Nexus-7 lan
#                       WiFi Nexus-7 Client (10.88.8.155) will be BLOCKED from accessing anything on the LAN
#     BlockWiFiClient   Nexus-7 del
#                       WiFi Nexus-7 Client (10.88.8.155) will be allowed access to LAN/WAN (all rules deleted for this WiFi Client)
#     BlockWiFiClient
#                       will show status of the 'logical' rules
#     BlockWiFiClient   status
#                       will show status of the relevant ebtables rules (use 'status full' for full ebtables -t broute BROUTING chain)
#     BlockWiFiClient   /jffs/config/Nexus-7
#                       All Peer to Peer DROP/ACCEPT rules are to be read from the file and applied to WiFi Client Nexus-7
#     BlockWiFiClient   /jffs/config/Nexus-7 del
#                       All blocking rules for WiFi Nexus-7 Client (10.88.8.155) will be deleted.
#
#                       NOTE: The name of the file is assumed to be the HOSTNAME of the WiFi Client.
#
#                             Format of config directives: (DROP/ACCEPT cannot be used concurrently - comment either out with #)
#
#                             e.g.  # Peer rules
#                                   DROP         DS-416
#                                   DROP         10.88.8.120-10.88.8.125,RaspberryPiB
#
#                                   or
#
#                                   ACCEPT       CAMERAS
#
#                             For the ACCEPT rule, a LAN subnet BLOCKING (DROP) rule is automatically added and the exception ACCEPT rules are then inserted,
#                                 and ALL BLOCK rules below the LAN Blocking rule are deleted!
#                             Custom IP Groups may be defined/referenced in '/jffs/configs/IPGroups'
#                                    e.g. 'CAMERAS' entry (Uppercase text!)
#                                         CAMERAS  10.88.8.10, 10.88.8.15-10.88.8.20, 10.88.8.50:10.88.8.55   #Comment

Using this script, I can BLOCK the 'KIDS' group from accessing the WAN for a random number of secs up to 300 i.e. 5 minutes; then remove the BLOCK, for a random period of up to 30 secs, then repeat! ;-)
 
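The config format described in the help text above (DROP/ACCEPT directives plus an IPGroups file), turned into ebtables broute rules by a small POSIX shell script. This is an added example written for this page, not the BlockWiFiClient script itself, which is not posted in the thread. It assumes the client IP is passed explicitly (no hostname lookup), that groups live in the file named by IPGROUPS (default /jffs/configs/IPGroups), that LAN_SUBNET is 10.88.8.0/24 as in the help text, and it deliberately rejects the a-b and a:b range forms because a plain --ip-dst match takes only an address or CIDR. Commands are echoed unless EBTABLES=ebtables is set, so it can be dry-run off the router.

```shell
#!/bin/sh
# Added example: expand a /jffs/config/<HOSTNAME> style file of DROP/ACCEPT
# directives into 'ebtables -t broute BROUTING' rules for one WiFi client.
# Dry-run by default: set EBTABLES=ebtables on the router to apply the rules.
# Assumptions (not from the thread): client IP given explicitly, groups defined
# in $IPGROUPS, only IP/CIDR/group tokens supported (ranges are rejected).

EBTABLES="${EBTABLES:-echo ebtables}"
LAN_SUBNET="${LAN_SUBNET:-10.88.8.0/24}"
IPGROUPS="${IPGROUPS:-/jffs/configs/IPGroups}"

# Resolve one token to IP/CIDR lines: a literal address, or an uppercase group
# name looked up in $IPGROUPS (trailing '#' comments are stripped).
resolve_target() {
    tok=$1
    case "$tok" in
        *[0-9].[0-9]*)
            printf '%s\n' "$tok" ;;
        *)
            [ -r "$IPGROUPS" ] || { echo "resolve_target: unknown target $tok" >&2; return 1; }
            line=$(sed -e 's/#.*//' "$IPGROUPS" | awk -v g="$tok" '$1==g { $1=""; print }')
            [ -n "$line" ] || { echo "resolve_target: group $tok not in $IPGROUPS" >&2; return 1; }
            printf '%s\n' "$line" | tr ',' '\n' | tr -d ' \t' | sed '/^$/d' ;;
    esac
}

# gen_rules CLIENT_IP CONFIG_FILE
# DROP mode: one broute DROP (i.e. "route, do not bridge") rule per target.
# ACCEPT mode: a LAN-wide DROP is appended first, then each exception is
# inserted ahead of it so the ACCEPT (bridge normally) rules match first.
gen_rules() {
    client=$1; cfg=$2
    mode=""; targets=""
    while read -r verb rest; do
        case "$verb" in ""|\#*) continue ;; esac
        rest=${rest%%#*}
        case "$verb" in
            DROP|ACCEPT) ;;
            *) echo "gen_rules: bad directive '$verb'" >&2; return 1 ;;
        esac
        if [ -n "$mode" ] && [ "$mode" != "$verb" ]; then
            echo "gen_rules: DROP and ACCEPT cannot be used concurrently" >&2; return 1
        fi
        mode=$verb
        for tok in $(printf '%s' "$rest" | tr ',' ' '); do
            t=$(resolve_target "$tok") || return 1
            targets="$targets $t"
        done
    done < "$cfg"
    [ -n "$mode" ] || { echo "gen_rules: no directives in $cfg" >&2; return 1; }
    for t in $targets; do
        case "$t" in *-*|*:*) echo "gen_rules: ranges not supported: $t" >&2; return 1 ;; esac
    done
    if [ "$mode" = DROP ]; then
        for t in $targets; do
            $EBTABLES -t broute -I BROUTING -p IPv4 --ip-src "$client" --ip-dst "$t" -j DROP
        done
    else
        $EBTABLES -t broute -A BROUTING -p IPv4 --ip-src "$client" --ip-dst "$LAN_SUBNET" -j DROP
        for t in $targets; do
            $EBTABLES -t broute -I BROUTING -p IPv4 --ip-src "$client" --ip-dst "$t" -j ACCEPT
        done
    fi
}

# Usage on the router:  EBTABLES=ebtables gen_rules 10.88.8.155 /jffs/config/Nexus-7
```

Remember the point made in A1 above: in the broute table, DROP means "hand the frame to the layer-3 stack instead of bridging it", so what ultimately happens to a blocked frame is decided by the router's iptables rules, not by this table alone.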
The first part is networking on how to best configure traffic flows for what results you want. There are always multiple ways to do things.
 
Oh I can definitely recognize the addresses. The smart lights start spamming the time1.google.com address, and ecidinterface.philips.com more seldom. And it doesn't ever stop, it keeps trying that address every 5 seconds. If I block that address on Pihole, it goes on to try time2, time3, time4... and IIRC it eventually changes to Microsoft's time server. It's probably to check the connection status or something when it can't connect as it should.
If it's trying to sync NTP time with Google NTP servers, you could just allow it to resolve the name normally. Then enable the Merlin NTPD Server (on Administration / System tab) and also set it to Intercept requests underneath that option. Perhaps if it syncs time properly (all without leaving the LAN) it will stop making the DNS queries. If it continues every 5 seconds, that's a poor NTP client design.

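Checking the two things asked about earlier in the thread (which domains the lights hit, and whether the Pi-hole can still tell clients apart once DNSFilter sends everything via the router) from the dnsmasq query log. This is an added example, not anything posted by the participants; it assumes the default /var/log/pihole.log line layout ("Mon DD HH:MM:SS dnsmasq[pid]: query[TYPE] name from client") and the sample log lines are constructed, using the two domains named above.

```shell
#!/bin/sh
# Added example: summarise a dnsmasq/Pi-hole query log per (client, name) and
# count distinct clients. Assumed line format (default /var/log/pihole.log):
#   Dec  2 13:17:14 dnsmasq[1234]: query[A] time1.google.com from 10.88.8.155
# so with default awk splitting $6 is the name and $8 the client address.

# query_summary LOG -> "count client name", most frequent first
query_summary() {
    awk '/ query\[/ { n[$8 " " $6]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# chatty_clients LOG THRESHOLD -> "client name" pairs seen more than THRESHOLD times
chatty_clients() {
    query_summary "$1" | awk -v t="$2" '$1 > t { print $2, $3 }'
}

# distinct_clients LOG -> number of different client addresses in the log.
# 1 means the resolver can no longer attribute queries to devices, which is
# what happens when a DNSFilter redirect makes every query arrive from the router.
distinct_clients() {
    awk '/ query\[/ { c[$8] = 1 } END { n = 0; for (k in c) n++; print n }' "$1"
}

# as_seen_via_router IN OUT: rewrite every client address to the router IP
# to reproduce the "all traffic originates from the router" view.
as_seen_via_router() {
    sed 's/from [0-9.]*$/from 10.88.8.1/' "$1" > "$2"
}

# Constructed sample log: a light polling time1.google.com every 5 s plus two
# other clients and one non-query line that must be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
Dec  2 13:17:14 dnsmasq[1234]: query[A] time1.google.com from 10.88.8.155
Dec  2 13:17:19 dnsmasq[1234]: query[A] time1.google.com from 10.88.8.155
Dec  2 13:17:24 dnsmasq[1234]: query[A] time1.google.com from 10.88.8.155
Dec  2 13:17:25 dnsmasq[1234]: query[A] www.snbforums.com from 10.88.8.120
Dec  2 13:17:26 dnsmasq[1234]: forwarded www.snbforums.com to 1.1.1.1
Dec  2 13:17:29 dnsmasq[1234]: query[A] time1.google.com from 10.88.8.155
Dec  2 13:17:30 dnsmasq[1234]: query[AAAA] ecidinterface.philips.com from 10.88.8.155
Dec  2 13:17:31 dnsmasq[1234]: query[A] ntp.ubuntu.com from 10.88.8.197
EOF
}

# Usage on the Pi-hole:  chatty_clients /var/log/pihole.log 50
```

Run chatty_clients against the real log with a threshold that fits the log window: a single client/name pair far above everything else, every few seconds, is the NTP-retry pattern described above. If distinct_clients reports 1 and that one address is the router, the per-device view has been lost to the DNSFilter hop and the domain column is the only thing left to identify the device by.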