How to setup Pi-hole to work with Merlin?


No worries... I should have provided more backdrop on why I was implementing it.

And I should also say that I'm using a RPi 4B/8, a RPi 4 because of the 1G ethernet port. Even though the 3B has a '1Gb' ethernet port, it's limited by the USB2 chipset it pipes through to ~300Mb actual throughput. The 960Mb throughput I'm seeing on the router speedtest is through the RPi 4 1Gb port. I'm still amazed it can achieve this throughput on a single port... I'd guessed it would hit ~450Mb because the single port handles both inbound and outbound traffic - internet in from WAN --> through Pi-Hole --> screened internet back out to the LAN. I even went so far as to purchase a 1Gb USB3 ethernet adapter (if you do this, read up: certain chipsets will give full 1Gb, some don't) that I was planning to add as either the in or out pipe, but it looks like I don't need to. Pretty amazing little thing and application.
Is it just DNS traffic going to the pi though? Even a lowly Pi Zero has plenty of juice/capacity to handle a good amount of clients if it's only running Pi-hole.
 
If one is only running Pi-Hole (and if using Unbound), it is way overkill to use a Pi 4 or even a Pi 3. Nothing wrong with doing so, but it's overkill and there are significantly cheaper Raspberry Pi device options. Pi-Hole (and Unbound) will run perfectly fine on a Pi Zero W or similar low-end/older Pis. The amount of network traffic generated by DNS requests tends to be very small, so network speed isn't really an issue. One can run a headless Raspberry Pi Zero W powered by the Asus router's USB port and either use the Zero W's integrated WiFi (minor latency issues) or use a 10/100 USB-to-Ethernet adapter for the Pi Zero W. There is even a way to run a Pi Zero W in Ethernet Gadget mode to run power and Ethernet over a single USB cable to an Asus-Merlin router. Some basic older directions were posted here on setting up Ethernet Gadget mode on a Pi Zero W and Asus-Merlin.

A couple of comments about setting up and using Pi-Hole with Asus-Merlin, if they haven't been mentioned already. Do not use the Pi-Hole device IP address in the router's WAN DNS fields like some online directions may indicate. Doing so may cause a feedback loop with DNS requests that will flood the local network with DNS requests, causing network issues. (Been there, done that.) A number of popular block lists (updated frequently) are maintained on https://firebog.net/. There are ways to automate the updating/syncing of the FireBog.net lists on the Pi-Hole using this script: https://github.com/jacklul/pihole-updatelists. Make sure to uncheck "Advertise router's IP in addition to user-specified DNS" in the Merlin DHCP section so the router's IP address isn't included as a DNS server, which would allow bypassing the Pi-Hole. And one can further enable the DNSFilter option in Merlin, set "Global Filter Mode" to "router", add the Pi-Hole(s) to the Client MAC Address section and set the client "Filter Mode" to "No Filtering", to force DNS requests to the Pi-Hole.
 
Agree with all the above. If I could add anything, run two PiHoles. A backup PiHole recently became useful when a cheap micro SD card died on my primary RPi.
 
Yep. I run Dual Pi-holes at home and hand them out as DNS1 and DNS2 with the DHCP handout.

Actually, I run three Pi-holes. The third is an old Raspberry Pi and I use that for testing software updates and new block lists before rolling out to the home network. It also runs PiVPN for my mobile phone to connect to while I'm out and about. Ad-blocking on the go!
 
How well does the 2 pi-hole approach work when the first one fails and is non-responsive?

Was wondering on a similar setup, but if failure of the primary pi-hole means all lookups have to time out before trying the second, it could be just as painful. Not sure if there is a way to configure a virtual IP with health probes to back-end targets on the router, but that would help nicely.
 
Yes, running two Pi-Holes is a good way to go so one has a roll over ad block server when one goes down. More than once I've had the main Pi-Hole go down and the backup took up the slack.
 
I had an SD card on my very first Pi die and as a result, no one at home could access the internet. Family was not happy with Mr. Tech Dad. That's when I moved to a dual Pi-hole setup. I have not had an issue like that since (knock on virtual wood) but at least I'm in a better position and can roll out updates "seamlessly" when needed. I do observe a rough 80/20 split between the two with DNS1 taking the lion's share of queries from my network. Some OS's will randomly choose DNS2 it seems even if DNS1 is up and responding quickly.
 
Fair point not to underestimate the logic of the clients. Must admit though, if I set an order for DNS that's the order I want, so not sure on the DNS2 behaviour you've seen.

I did see some write-ups for pi-hole on a multi-node Kubernetes cluster and, as appealing as it sounds from a "because we can" perspective, it does start to feel a tad overkill!
 
I do not believe there is any strict enforcement of the order in which DNS1 and DNS2 are processed as far as any spec goes (please correct me, those with deeper knowledge). They're referred to as Primary and Secondary, but it seems different OS's treat that differently. In general it does seem DNS1 gets used most of the time by default.

There are options to setup a Pi cluster with a VIP in front of two Raspberry Pi's to achieve a true HA setup. I've not gone there yet but would be a neat project for sure and an opportunity to get hands-on with Docker, Kubernetes etc...
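As an added example (not code from this thread, from Pi-hole, or from Asuswrt-Merlin), here is a small Python DNS-over-UDP client that makes two points from the posts above concrete: how a client that tries DNS1 then DNS2 behaves when DNS1 is dead (one full timeout is paid before DNS2 is asked, which is exactly the delay questioned earlier), and how to check the "force DNS to the Pi-Hole" setup from the earlier post by resolving a name you know is on a blocklist. The Pi-hole addresses 192.168.1.2/.3 and the blocked name doubleclick.net are placeholders; the 0.0.0.0 check assumes Pi-hole's default NULL blocking mode. The sample reply in build_response is constructed for an offline self-check.

```python
"""Minimal DNS-over-UDP client: build an A query, parse the reply, and try
resolvers in order with a per-server timeout (added example, not thread code)."""
import random
import socket
import struct
import time

RCODE_NXDOMAIN = 3


def build_query(name: str, qtype: int = 1) -> tuple[int, bytes]:
    """Return (transaction id, wire-format query); qtype 1 = A record."""
    txid = random.randrange(0, 0x10000)
    # flags 0x0100 = standard query with recursion desired; one question
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return offset + 2
        offset += 1 + length


def parse_answer(msg: bytes, expected_txid: int) -> list[str]:
    """Return the A-record addresses in a reply; refuse replies with a wrong id."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    rcode = flags & 0x0F
    if rcode == RCODE_NXDOMAIN:
        return []
    if rcode != 0:
        raise ValueError(f"server returned rcode {rcode}")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def build_response(txid: int, name: str, ip: str, rcode: int = 0) -> bytes:
    """Constructed reply (what a resolver would send) for the offline self-check."""
    question = build_query(name)[1][12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0 if rcode else 1, 0, 0)
    answer = b"" if rcode else (
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 2, 4) + socket.inet_aton(ip))
    return header + question + answer


def resolve(name: str, servers: list[str], timeout: float = 2.0):
    """Ask each server in order; a server that times out is skipped.

    Returns (addresses, server_that_answered, seconds_spent). With DNS1 down
    the caller waits a full `timeout` before DNS2 is even tried."""
    start = time.monotonic()
    for server in servers:
        txid, query = build_query(name)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(query, (server, 53))
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
        return parse_answer(data, txid), server, time.monotonic() - start
    raise TimeoutError(f"no answer from {servers} after {time.monotonic() - start:.1f}s")


def is_pihole_blocked(addrs: list[str]) -> bool:
    """Pi-hole's default (NULL) blocking mode answers 0.0.0.0 for blocked names."""
    return addrs == ["0.0.0.0"]


if __name__ == "__main__":
    PIHOLES = ["192.168.1.2", "192.168.1.3"]  # assumed addresses, replace with yours
    addrs, used, secs = resolve("doubleclick.net", PIHOLES)  # assumed to be on a blocklist
    print(f"{used} answered {addrs} in {secs:.2f}s; blocked={is_pihole_blocked(addrs)}")
```

Run it once with both Pi-holes up and once with DNS1 unplugged: the second run reports DNS2 as the answering server with roughly `timeout` seconds spent, which is the per-lookup penalty a client pays until it decides to prefer DNS2. To check the DNSFilter redirect from a LAN client, point `resolve` at a public resolver (for example `["8.8.8.8"]`) instead of the Pi-holes; if the router is forcing DNS to the Pi-hole, the blocked name still comes back as 0.0.0.0.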
 

Thank you all for the info that the Pi4 is overkill, and the suggestion for using a Dual-Pi solution.

I just happen to have 2 Pi3's that are itching for something to do. I'll be 'playing' with them on a dual Pi3 setup over the weekend, like early Sat/Sun morning when everyone else is still in bed. Cheers!
 
How well does the 2 pi-hole approach work when the first one fails and is non-responsive?
It's seamless.

I have no issue rebooting either of them during the day, and both my wife and I work from home currently. With WFH I wouldn't have a single point of failure when it's so easy to have a 2nd (I run a 4B and also have pihole running in an Ubuntu VM).
 
Fair point not to under estimate the logic of the clients. Must admit though if I set an order for dns that's the order I want so not sure on the DNS2 behaviour you've seen.
"The order you want" isn't up to you. It's up to the client, depending on how the client is implemented. :)
 

I also had an SD card fail on my Pi4 so I set it up to use an SSD instead of an SD card. Works great.

It's critical to use an enclosure that the Pi will recognize properly in order to get the best storage speed and to be able to enable TRIM. I use the UGREEN enclosure for the SSD (see below).

Here's Jeff Geerling's post that explains the TRIM setup.

 
Sorry ... one more thing. Depending on the SSD you use, you may have to use a separate powered USB hub instead of relying on the Pi for power. It all depends on the SSD you're using and how much power it requires. I had an old Crucial M4 that works fine directly connected to the Pi.
 
Yes, SD cards will fail, so it's a good idea to back it up from time to time (various ways to do so) and to have a spare on hand just in case. For new Pi users, there are certain things one can do to try and reduce the amount of writes to the SD card. Log2RAM (https://github.com/azlux/log2ram/) is one script that is typically recommended when using an SD card on the Pi.

For the new-to-Pi folks, certain recent Pi models (the Pi 3B+ and Pi 4, for example) support booting from USB flash drives or external USB hard drives. Because of the power draw of mechanical hard drives and some SSD drives, one may need to use a powered USB hub or powered external drive enclosures. Generally, booting from a USB flash drive or hard drive should be faster (even on the older USB 2.0 Pis) than using an SD card. Various folks have run tests/benchmarks showing the improvement when using flash drives or hard drives.
 
Haven't tried it but the idea of SSD boot, more specifically the capacity of SSDs vs SD cards, got me thinking about how to support multiple Pis from a single storage device i.e. network boot.

Turns out you can do that with a Pi too - https://williamlam.com/2020/07/two-methods-to-network-boot-raspberry-pi-4.html.

Could be interesting for those with NAS devices and excess storage. Though (trying to stay vaguely OT!) there is always the fact that simple is best when it comes to something as critical as DNS so maybe a couple of Pis with SD cards is the better option...
 
If I don't put my Pi's IP address in the WAN DNS field, I get an "exclamation mark" on the Network Map page next to my DDNS address and my router cannot perform an NTP sync. Those issues go away when I reference my Pi in the WAN DNS field.

RT-AC68U on 386.3_2 but I had the same behavior on prior releases so it's not specific to the current release.

 
Those issues are likely due to your configuration setup. Do you have the DDNS Client enabled? (WAN > DDNS)
I don't have DDNS enabled and have CloudFlare's DNS servers in my WAN DNS fields. YMMV
 
