Interesting ac-68 guest network devices behavior with pi-hole


new_berlin

Occasional Visitor
I am running stock fw on ac-68 and connected a pi-hole into the router. The whole setup overall works as intended and does what I want.

However, in addition to the LAN and main wifi ssid, I have a guest wifi ssid that runs the tv and an iphone, neither of these devices show up in the pi-hole logs -- I was not surprised by this because that's what googling led me to expect. After all, the guest network devices are supposedly kept away from the main network. But then how to explain the following:

(1) The iphone browser cannot access ads when it runs on the ac-68 guest ssid but successfully sees the same ads when I switch to my wireless phone provider's lte service. i.e., the pi-hole is indeed killing ads (googleads in fact). In addition, many (but not all) ads on smart tv programming also are not showing (basically blank screen for duration of ad and then the programming starts up again.) These are behaviors not seen prior to pi-hole.

(2) The IP addresses on the ac-68 guest ssid also begin with 192.168.1.* (same as all the devices connected to the main wifi ssid). Are the guest wifi devices not supposed to have ip addresses that are on a different subnet?

In summary, how/why is pi-hole suppressing ads on my guest network devices? And if my guest network is somehow mis-setup to mingle with the main network why don't the IP addresses show in pi-hole?

Also NOTE: The pi-hole is NOT connected wirelessly to the 5Ghz guest wifi ssid. The 3b raspberry pi in any case lacks the radio to connect to 5 ghz.
 

ColinTaylor

Part of the Furniture
(1) This is not unexpected, but it depends on how you have setup your network with regards to the router's WAN DNS settings, LAN DHCP DNS settings and PiHole DHCP/DNS settings. Too many unknown variables to say any more.

(2) This is normal behaviour. From what I've read the next firmware version (which is currently in beta) will likely change this and put guest networks on their own subnets.
 

new_berlin

Occasional Visitor
(1) This is not unexpected, but it depends on how you have setup your network with regards to the router's WAN DNS settings, LAN DHCP DNS settings and PiHole DHCP/DNS settings. Too many unknown variables to say any more.

(2) This is normal behaviour. From what I've read the next firmware version (which is currently in beta) will likely change this and put guest networks on their own subnets.

Thank you.

In case (1) is not abnormal behavior, is there any way for me to view/understand what (urls, when/what) from the TV is being suppressed? I'm glad to have the tv under the pi-hole umbrella but some visibility would be nice particularly when the IP addresses are in the same subnet. Fwiw, i have both lan and wan dns pointing to the pi-hole (with a static IP) while dhcp remains with the ac-68.

Also if next firmware version will put guest networks on a different subnet, will the guest devices drop out of pi-hole?
 

ColinTaylor

Part of the Furniture
To understand what is happening with the TV you'd probably have to do some packet capture. All I can say is that in my experience IoT devices (particularly those based on Android) have hard-coded DNS IP addresses which are used in some circumstances, ignoring those set in DHCP.

Also if next firmware version will put guest networks on a different subnet, will the guest devices drop out of pi-hole?
I think it's too early to know what changes will make it into the release version.
 

new_berlin

Occasional Visitor
To understand what is happening with the TV you'd probably have to do some packet capture. All I can say is that in my experience IoT devices (particularly those based on Android) have hard-coded DNS IP addresses which are used in some circumstances, ignoring those set in DHCP.
Would I gain any more insight than possible currently if I used a pi-hole that could also connect to the 5ghz guest ssid? (because I've seen many posts stating that to get pi-hole benefits for guest ssid devices, a separate pi-hole must monitor the guest-ssid). That said clearly that traffic is in any case going through the pi-hole, so will any more granularity emerge?
 

ColinTaylor

Part of the Furniture
Hard to say. Too many unknown variables.

IIRC (in the past at least) the guest network isolation worked by blocking TCP packets to the LAN. As DNS primarily uses UDP this blocking would be ineffective for it.

P.S. I'm assuming your guest network has Access Intranet disabled.
 

KsWoodsMan

Regular Contributor
I am running stock fw on ac-68 and connected a pi-hole into the router. The whole setup overall works as intended and does what I want.

However, in addition to the LAN and main wifi ssid, I have a guest wifi ssid that runs the tv and an iphone, neither of these devices show up in the pi-hole logs -- I was not surprised by this because that's what googling led me to expect. After all, the guest network devices are supposedly kept away from the main network. But then how to explain the following:
...

If your router DNS is set to the Pi-hole (instead of an external DNS server) to resolve DNS and the TV and Iphone go to the router for DNS the Pi-hole logs should show this as connections from the router instead of from those clients.
 

new_berlin

Occasional Visitor
If your router DNS is set to the Pi-hole (instead of an external DNS server) to resolve DNS and the TV and Iphone go to the router for DNS the Pi-hole logs should show this as connections from the router instead of from those clients.
Yes thanks, I did end up finding those entries with status "ok forwarded" under 192.168.1.1 -- i suppose i can surmise which device the traffic is from based on the contacted domains but it doesn't appear possible to search/list traffic exclusively from tv (intent is to selectively blacklist). I would like to know if people are successful in generating IP based entries from guest networks IF they connect pi-hole (mine doesn't have the radio currently to test) wirelessly to the guest network in parallel.
 

KsWoodsMan

Regular Contributor
Among a lot of other info and available options, issuing dnsmasq --help at the CLI of your ASUS router should return

--add-mac[=base64|text] Add requestor's MAC address to forwarded DNS queries.
--add-subnet=<v4 pref>[,<v6 pref>] Add specified IP subnet to forwarded DNS queries.
--add-cpe-id=<text> Add client identification to forwarded DNS queries.

You should be able to edit your dnsmasq.conf file in the ASUS router to include add-mac to forward your clients M.A.C. addr's to the Pi-hole with forwarded requests. If the router is sending DNS requests outside your LAN this wouldn't exactly be ideal.

Then issue killall -9 dnsmasq && dnsmasq --log-async

You are going to need something to add that option to the dnsmasq.conf file when you reboot and also to restart dnsmasq so it restarts with your options configured.
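
What an upstream resolver receives when a forwarder attaches the requestor's MAC, as an added example that is not part of the thread or anyone's post: a minimal parser that pulls the MAC out of a forwarded query's EDNS0 options. The option code 65001 for dnsmasq's binary add-mac form is an assumption here, and the query, domain and MAC are constructed samples. Because the MAC sits unencrypted in the query, any server the router forwards to can read it, which is the concern behind the "outside your LAN" remark.

```python
import struct

EDNS0_OPTION_MAC = 65001  # assumption: code dnsmasq uses for add-mac (binary form)
TYPE_OPT = 41             # EDNS0 OPT pseudo-record type

def skip_name(msg, off):
    """Advance past a DNS name (plain labels or a compression pointer)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def edns_options(msg):
    """Return {option_code: bytes} from the OPT record of a DNS message."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    opts = {}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        end = off + rdlen
        if rtype == TYPE_OPT:
            while off + 4 <= end:                # walk code/length/value triples
                code, olen = struct.unpack("!HH", msg[off:off + 4])
                opts[code] = msg[off + 4:off + 4 + olen]
                off += 4 + olen
        off = end
    return opts

def requestor_mac(msg):
    """MAC attached by the forwarder as aa:bb:..., or None if absent."""
    raw = edns_options(msg).get(EDNS0_OPTION_MAC)
    return ":".join(f"{b:02x}" for b in raw) if raw and len(raw) == 6 else None

def build_query(qname, mac=None):
    """Constructed sample: an A query as a forwarder might send it upstream."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if mac else 0)
    msg += q + struct.pack("!HH", 1, 1)
    if mac:
        opt = struct.pack("!HH", EDNS0_OPTION_MAC, len(mac)) + mac
        msg += b"\0" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(opt)) + opt
    return msg

SAMPLE_MAC = bytes.fromhex("021122334455")       # constructed, locally administered
if __name__ == "__main__":
    print(requestor_mac(build_query("ads.example.com", SAMPLE_MAC)))
    print(requestor_mac(build_query("ads.example.com")))
```

The same parser run over a packet capture of the router-to-Pi-hole traffic is one way to confirm whether the option is actually being added after dnsmasq restarts.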
 

new_berlin

Occasional Visitor
Among a lot of other info and available options, issuing dnsmasq --help at the CLI of your ASUS router should return

--add-mac[=base64|text] Add requestor's MAC address to forwarded DNS queries.
--add-subnet=<v4 pref>[,<v6 pref>] Add specified IP subnet to forwarded DNS queries.
--add-cpe-id=<text> Add client identification to forwarded DNS queries.

You should be able to edit your dnsmasq.conf file in the ASUS router to include add-mac to forward your clients M.A.C. addr's to the Pi-hole with forwarded requests. If the router is sending DNS requests outside your LAN this wouldn't exactly be ideal.

Then issue killall -9 dnsmasq && dnsmasq --log-async

You are going to need something to add that option to the dnsmasq.conf file when you reboot and also to restart dnsmasq so it restarts with your options configured.
Thank you for the suggestions, appreciate your taking the time. Will try them out this weekend.
 
