Entware Pi-hole directly on the router? Yes!

...
Why would you swap Pi-hole database on own schedule?
Resourceful kids will learn how to get around DNS "parental control".
Right! Hence I am chasing the other venue to this end to monitor random devices that may pop up:
 
Right! Hence I am chasing the other venue to this end to monitor random devices that may pop up:
Pi-hole does ARP scan automatically, that's how they populate the Network statistics table.
You could simply run queries on the pihole-FTL.db periodically with your logic added.
 
Pi-hole does ARP scan automatically, that's how they populate the Network statistics table.
You could simply run queries on the pihole-FTL.db periodically with your logic added.
Is that superior to just regular "arp -a" ? Is there more useful stuff I can pull out of that?
 
Is that superior to just regular "arp -a" ? Is there more useful stuff I can pull out of that?
I don't think so, the only extra that Pi-hole adds is recognizing MAC vendors so you can determine what kind of device connected.
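The periodic pihole-FTL.db query suggested above, as an added example that is not part of the thread or of Pi-hole's own code: it lists devices in the network table that are not on an allowlist and flags locally administered (randomized) MACs, which get no vendor match. The table and column names, the allowlist and every sample row are assumptions constructed for illustration.

```python
import re
import sqlite3

# Constructed stand-in for pihole-FTL.db holding only the columns read below.
# Table and column names are assumed from Pi-hole's network tables; confirm
# them with ".schema network" against the database on the router.
SCHEMA = """
CREATE TABLE network (id INTEGER PRIMARY KEY, hwaddr TEXT UNIQUE NOT NULL,
                      firstSeen INTEGER, numQueries INTEGER, macVendor TEXT);
CREATE TABLE network_addresses (network_id INTEGER, ip TEXT, lastSeen INTEGER);
"""
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)

def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO network VALUES (?,?,?,?,?)", [
        (1, "00:00:5e:00:53:01", 1754900000, 5200, "Constructed Vendor A"),
        (2, "00:00:5e:00:53:02", 1754950000, 310, "Constructed Vendor B"),
        (3, "06:11:22:33:44:55", 1755002000, 42, None),   # no vendor match
        (4, "ip-192.168.1.77", 1755003000, 3, None),      # entry without a MAC
    ])
    db.executemany("INSERT INTO network_addresses VALUES (?,?,?)", [
        (1, "192.168.1.10", 1755003600), (2, "192.168.1.11", 1755003600),
        (3, "192.168.1.143", 1755003500), (4, "192.168.1.77", 1755003000),
    ])
    return db

def is_randomized(hwaddr):
    """True when the locally administered bit is set (typical of private MACs)."""
    if not MAC_RE.match(hwaddr):
        return False  # placeholder entries cannot be classified
    return bool(int(hwaddr[:2], 16) & 0x02)

def unknown_devices(db, known_macs, since=0):
    """Devices first seen at or after `since` whose MAC is not on the allowlist."""
    known = {m.lower() for m in known_macs}
    rows = db.execute(
        "SELECT n.hwaddr, n.macVendor, n.firstSeen, n.numQueries,"
        " (SELECT group_concat(a.ip) FROM network_addresses a"
        "   WHERE a.network_id = n.id)"
        " FROM network n WHERE n.firstSeen >= ? ORDER BY n.firstSeen", (since,))
    return [{"mac": mac, "vendor": vendor or "unknown", "ips": ips,
             "first_seen": first, "queries": queries,
             "randomized": is_randomized(mac)}
            for mac, vendor, first, queries, ips in rows
            if mac.lower() not in known]

if __name__ == "__main__":
    for dev in unknown_devices(build_sample_db(), {"00:00:5E:00:53:01"}, 1754940000):
        print(dev)
```

Against the real database, open it read-only, for example `sqlite3.connect("file:<path to pihole-FTL.db>?mode=ro", uri=True)`, so the check cannot interfere with FTL's own writes.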
 
I don't think so, the only extra that Pi-hole adds is recognizing MAC vendors so you can determine what kind of device connected.
So while on the subject, do you still run TrendMicro services? It's a real memory hog.
If I could implement semi-lame hours control using PiHole, I'd ditch TrendMicro stuff in a heartbeat.
 
So while on the subject, do you still run TrendMicro services? It's a real memory hog.
If I could implement semi-lame hours control using PiHole, I'd ditch TrendMicro stuff in a heartbeat.
Never did, I don't like sharing my internet traffic with 3rd party service.
I have anti-malware and anti-phishing lists added to Pi-hole, I think it's sufficient for me.
 
@jacklul

OK, I managed to install this and launch. Can see the web interface too!

Now, a few points of confusion. This github link talks about 3 ways to create another IP on br0. The page could use more structuring since I think the first script in there is the same as the later suggestions? Could spell out the syntax a bit more as in "ip addr add 192.168.1.20/24 dev br0"

The main page (link) says "The service might initially not start due to ports being in use - make adjustments in /opt/etc/pihole/pihole.toml when necessary."

So of course for anybody trying this for the 1st time port 53 will be taken by the other DNS already running. So I set it to port 54. But now I am confused where I should specify the PiHole DNS. 192.168.1.1:54 I presume ? How would this go into the DNS director? The web interface is here:
http://192.168.1.20:5080/admin/. Or is this 192.168.1.20 also a bona fide DNS resolver?

P.S. I also had unbound running for a while. So I wonder if it is even used for the regular DNS resolver which is Diversion in my present situation.

P.P.S. So Diversion creates additional IPs for other DNS instances, I guess all of those new IPs listen on port 53. So seems like it'd be ideal to change PiHole listening IP for DNS to the same as its web server (192.168.1.20 in my case), and keep the standard port 53. Is this doable?
 
This github link talks about 3 ways to create another IP on br0. The page could use more structuring since I think the first script in there is the same as the later suggestions? Could spell out the syntax a bit more as in "ip addr add 192.168.1.20/24 dev br0"
The first one is a generic solution that should work on most Entware supported devices, assuming the user knows how to adjust the command to their device.
The other two are preferred solutions for Asus routers.

The main page says "The service might initially not start due to ports being in use - make adjustments in /opt/etc/pihole/pihole.toml when necessary."
So of course for anybody trying this for the 1st time port 53 will be taken by the other DNS already running. So I set it to port 54. But now I am confused where I should specify the PiHole DNS. 192.168.1.1:54 I presume ?
You can either free the DNS port by changing the firmware configuration or change it to something else and then somehow forward the queries to it.
The two approaches are in the wiki - stock one is a forwarding setup and the Merlin one is replacing firmware's DNS port (skipping router's DNS completely).
To support Guest networks you might need DNS director rules.

How would this go into the DNS director?
I have no idea if DNS director supports specifying the port, it might be '192.168.1.1#54' format.

The web interface is here:
http://192.168.1.20:5080/admin/. Or is this 192.168.1.20 also a bona fide DNS resolver?
I see a small mistake I have on the page - it should've been "192.168.1.254:80,192.168.1.254:443s", mistake corrected!
If '192.168.1.20' is your extra IP and assuming you followed the *updated* wiki page then it should be listening on '192.168.1.20:80'.
For the DNS port you must specify an interface to listen on, it will use the interface's main IP.

P.S. I also had unbound running for a while. So I wonder if it is even used for the regular DNS resolver which is Diversion in my present situation.
You can make Pi-hole use unbound.

P.P.S. So Diversion creates additional IPs for other DNS instances, I guess all of those new IPs listen on port 53. So seems like it'd be ideal to change PiHole listening IP for DNS to the same as its web server (192.168.1.20 in my case), and keep the standard port 53. Is this doable?
Should be.
 
P.P.S. So Diversion creates additional IPs for other DNS instances, I guess all of those new IPs listen on port 53. So seems like it'd be ideal to change PiHole listening IP for DNS to the same as its web server (192.168.1.20 in my case), and keep the standard port 53. Is this doable?

Should be.
OK!

I tried to provide a port in DNS Director - seems no go. I think that's why Diversion keeps creating new IPs for different cases, in order to always listen on port 53.

Could you provide a configuration guide on how to make PiHole use the newly added IP and port 53 on br0? It seems the easier it is to run PiHole alongside the regular Asus Merlin, the more people would give it a shot.
 
Could you provide a configuration guide on how to make PiHole use the newly added IP and port 53 on br0? It seems the easier it is to run PiHole alongside the regular Asus Merlin, the more people would give it a shot.
As far as I know Pi-hole's DNS server can only bind to interface and use its main IP, I don't think you will be able to make it work with the br0 interface specifically.
I don't run Merlin firmware so I cannot blindly provide working steps to achieve this.

Try this:
Code:
ip -4 addr add 192.168.1.20/24 brd + dev br0 label br0:pihole
Then in pihole.toml set:
Code:
[dns]
port = 53
interface = "br0:pihole"
listeningMode = "BIND"
 
As far as I know Pi-hole's DNS server can only bind to interface and use its main IP, I don't think you will be able to make it work with the br0 interface specifically.
I don't run Merlin firmware so I cannot blindly provide working steps to achieve this.

Try this:
Code:
ip -4 addr add 192.168.1.20/24 brd + dev br0 label br0:pihole
Then in pihole.toml set:
Code:
[dns]
port = 53
interface = "br0:pihole"
listeningMode = "BIND"
OK, tried this. Another IP is created successfully:
Code:
# if addr
19: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 24:4b:fe:bf:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br0
       valid_lft forever preferred_lft forever
    inet 192.168.1.17/24 brd 192.168.1.255 scope global secondary br0:alternate_b
       valid_lft forever preferred_lft forever
    inet 192.168.1.16/24 brd 192.168.1.255 scope global secondary br0:ad_blocking
       valid_lft forever preferred_lft forever
    inet 192.168.1.20/24 brd 192.168.1.255 scope global secondary br0:pihole
       valid_lft forever preferred_lft forever

After config changes and starting PiHole got this message:
Code:
Aug 12 16:41:15 RT-AC86U-9988 admin: Started pihole-FTL from .
Aug 12 21:41:16 RT-AC86U-9988 dnsmasq[2508926]: failed to create listening socket for 127.0.0.1: Address in use
Aug 12 21:41:16 RT-AC86U-9988 dnsmasq[2508926]: FAILED to start up

The web interface on 192.168.1.20 works.

And config updates compared to the original:
Code:
# diff pihole.toml pihole.toml_o
4c4
< # Last updated on 2025-08-12 16:33:38 CDT
---
> # Last updated on 2025-08-11 16:21:40 CDT
148c148
<   interface = "br0:pihole" ### CHANGED, default = "eth0"
---
>   interface = "eth0"
190c190
<   listeningMode = "BIND" ### CHANGED, default = "LOCAL"
---
>   listeningMode = "LOCAL"
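Review bot: listeningMode = "BIND" at line 190, combined with the named interface at line 148, still leaves loopback in the bind list, because dnsmasq adds the loopback interface automatically whenever an interface is named, so FTL also tries to take 127.0.0.1 on the DNS port. The port is not in this diff, so it is at its default, and another resolver on the router already holds that loopback socket; this matches the "failed to create listening socket for 127.0.0.1: Address in use" line in the log above. Exclude loopback explicitly (an 'except-interface=lo' entry in misc.dnsmasq_lines, as the reply below proposes), then confirm with a socket listing that only 192.168.1.20 is bound on port 53.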
327c327
<       force4 = true ### CHANGED, default = false
---
>       force4 = false
333c333
<       IPv4 = "192.168.1.20" ### CHANGED, default = ""
---
>       IPv4 = ""
663c663
<   port = "127.0.0.1:5080,192.168.1.20:80,192.168.1.20:5443s" ### CHANGED, default = "80o,443os,[::]:80o,[::]:443os"
---
>   port = "80o,443os,[::]:80o,[::]:443os"
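Review bot: the new port value at line 663 publishes the admin UI on 192.168.1.20:80 in clear text and drops the 'o' (optional) suffix that every entry in the default carried. With a pwhash set at line 812, logins over :80 cross the LAN unencrypted; keep only the 's' listener ('192.168.1.20:5443s') for LAN access, or mark the plain port as a redirect with the 'r' suffix, and leave '127.0.0.1:5080' for local use. Without 'o', a listener that cannot bind is no longer skipped, so a clash on port 80 shows up as the web server failing to start rather than as one missing port.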
812c812
<     pwhash = "$BALLOON-SHA256$v=1$s=1024,t=32$...==$...=" ### CHANGED, default = ""
---
>     pwhash = "$BALLOON-SHA256$v=1$s=1024,t=32$...==$...=" ### CHANGED, default = ""
1196,1197c1196,1197
< # 155 total entries out of which 149 entries are default
< # --> 6 entries are modified
---
> # 155 total entries out of which 154 entries are default
> # --> 1 entry is modified

Any thoughts?

Thanks!

P.S. Current DNS postconfig:
Code:
# cat /jffs/scripts/dnsmasq.postconf
#!/bin/sh
sh /jffs/addons/unbound/unbound.postconf "$1"           # unbound_manager
/jffs/scripts/uiDivStats dnsmasq & # uiDivStats

. /opt/share/diversion/file/post-conf.div # Added by Diversion
 
After config changes and starting PiHole got this message:
Code:
Aug 12 16:41:15 RT-AC86U-9988 admin: Started pihole-FTL from .
Aug 12 21:41:16 RT-AC86U-9988 dnsmasq[2508926]: failed to create listening socket for 127.0.0.1: Address in use
Aug 12 21:41:16 RT-AC86U-9988 dnsmasq[2508926]: FAILED to start up
Try adding except-interface=lo to misc.dnsmasq_lines in pihole.toml. If possible, try to make this change through the web interface, as that config variable is an array and messing it up can reset the whole config.

However, this can make pihole command unable to run some API related functionality since it's hardcoded to query 127.0.0.1:<DNS port>.
A potential fix would be to configure firmware dnsmasq to forward queries to local.api.ftl to Pi-hole using dnsmasq.conf.add:
Code:
server=/local.api.ftl/192.168.1.20
 
...
However, this can make pihole command unable to run some API related functionality since it's hardcoded to query 127.0.0.1:<DNS port>.
A potential fix would be to configure firmware dnsmasq to forward queries to local.api.ftl to Pi-hole using dnsmasq.conf.add:
Code:
server=/local.api.ftl/192.168.1.20
OK, I'll try later, but this is getting messy :(

Another thought, could I run PiHole on 127.0.0.1 port 54 in a more typical way, and then remap 192.168.1.20:53 to it? So I could use 192.168.1.20:53 as an alias to it?
 
Another thought, could I run PiHole on 127.0.0.1 port 54 in a more typical way, and then remap 192.168.1.20:53 to it? So I could use 192.168.1.20:53 as an alias to it?
I suppose you could redirect the port using iptables but it will become messy too.
 
