Thelizardbloke wrote

Under normal circumstances the VLANs should not have access to each other and I've created ACLs that deny TCP and UDP between the VLANs, so I'm just giving them port access for this purpose.

  @Thelizardbloke 

By default in Omada, all VLANs can "talk" to each other already. You have to edit your ACLs to not deny Pi-hole to reach your clients on another VLAN.

  @YuukiA Thank you so much for your prompt reply. Could you clarify to what extent the VLANs actually 'talk' to one another?

in my situation, I created a VLAN for my IoT devices and in the interests of security I wanted to isolate them to prevent a compromised device from accessing my main LAN (except to use the Pi Hole for DNS) so I created switch-based ACLs that block TCP and UDP communications between VLANs. This would, I assume, prevent them from getting access to the Pi Hole in VLAN 1?

I realise I could just use an external ad blocking public DNS but the Pi Hole does a much better job at removing ads from certain devices, such as Amazon Alexa Show. It just seemed logical to create an Allow rule for port 53 for all VLANs to VLAN 1 and place it before the rules that deny TCP and UDP.

best regards

  @Thelizardbloke 

Can you be more specific? Like draw a network diagram so I can tailor the answer to those config.

like where is the Omada Controller, the IoT, and the pi-hole in the network diagram? Are they all on their seperate VLAN?

Indicate which device is their respective network like (192.168.10.1/24), stuffs like that.

and can you screenshot your switch ACL list and their configs?

  @YuukiA 

  @YuukiA  My apologies for the incredibly bad diagram.

What I'm trying to show here is that the Raspberry Pi I want to use for DNS lives in my primary network (VLAN 1). This is the same network that contains the 7206 router and the OC 300 controller. These connect to my IPS Cable modem and go out to the internet.

From there we have a bunch of switches that are on different floors (connected via ethernet drops to the main switch downstairs). I have configured the ports on each switch, depending on what device is connected and what VLAN that device should be in. I have a VLAN for IoT devices, a VLAN for Audio/Video equipment etc., so I'd like ALL VLANs to use the Pi Hole in VLAN 1 for their DNS.

I have created switch-based ACLs that deny TCP and UDP traffic between each VLAN, so if a device in the IoT VLAN is compromised it can only see other devices in that specific VLAN and cannot get to my main network.

What I'm looking to do is to allow devices ineach VLAN to use the Pi Hole in VLAN1 as their primary DNS server, so ONLY ALLOW TCP Port 53 traffic between them. I just don't know how to create an ALLOW ACL for specific port traffic.

Hope this helps.

Thanks

spotlizard wrote

so I'd like ALL VLANs to use the Pi Hole in VLAN 1 for their DNS.

 

I have created switch-based ACLs that deny TCP and UDP traffic between each VLAN, so if a device in the IoT VLAN is compromised it can only see other devices in that specific VLAN and cannot get to my main network.

 

What I'm looking to do is to allow devices in each VLAN to use the Pi Hole in VLAN1 as their primary DNS server, so ONLY ALLOW TCP Port 53 traffic between them. I just don't know how to create an ALLOW ACL for specific port traffic.

 

Hope this helps.

 

Thanks

  @spotlizard 

Screenshots of the switch ACLs within the Omada Controller is needed here. Without it, I don't know if you configure the rule correctly. Topology of the network also shows me exactly where the devices are.

Show me the ping from the client devices to the Pi Hole as well. Is it request timed out?

And ping from the Pi Hole (assumed you installed on the Raspberry Pi) to the client device (IoT).

  @Yuuki A Thank you again for bearing with me. I will post screenshots of the ACL rule once I am back home with the devices.

As regards the PING tests, I can verify that I am able to successfully ping devices across VLANs because my DENY rules are applied to TCP and UDP only, so ICMP can pass through these.

Topology. Probably easier to explain in text as opposed to diagramatically, but it's essentially a TREE structure.

I have a 3 floor townhome, with Cat 6 running between floors, terminating on the bottom floor.

Bottom Floor - ER7206 Gateway Router connected to my ISP Cable Modem (XFinity XB8 running in Bridge mode). OC300 controller connected to the ER7206. The OC300 is connected to a Jetstream 24 port switch. Ethernet drops from other floors connect to ports 21,22,23 and 24 on the Jetstream.

First Floor - 2 Jetstream 8 port switches (1 PoE and one non-PoE) they are in different parts of the room, so a cable from Port 1 on the PoE switch connects to Port 8 on the non PoE. Port 1 on the non PoE switch connects to the Ethernet wall plate for the cable drop to the Bottom Floor and termination at the 24 port switch

Upper Floor - a 16 Port Jetstream switch that I use for my music studio. Port 1 of this switch goes to the Ethernet wall plate and from there down to the 24 port switch on the bottom floor.

Ports on all switches are configured based on the VLAN membership of the device connecting to it.

I have VLAN 1 (my main network), VLAN 10 (AV devices such as receivers, media servers, smart TVs etc.), VLAN 40 (IoT) devices such as fridge, stove, laundry, A/C etc) and VLAN 50 (security devices, such as alarm, cameras etc).

The subnets would be 192.168.1.x for the main LAN, 192.168.10.x for A/V, 192.168.40.x for IoT and 192.168.50.x for security. The Raspberry Pi (Pi Hole) I want to use is 192.168.1.253 in the primary LAN. I can successfully ping devices in a VLAN from any other VLAN as ICMP is passing without restriction.

If I enter 192.168.1.253 as the Primary DNS server for any VLAN other than VLAN 1 then it is not reached because my ACLs DENY TCP and UDP traffic between VLANs.

I have seen a proposed solution which was to:

1. Create a Port Group for DNS (Port 53)

2. Create a Switch-Base ACL that allows the Port Group access to VLAN 1

Since I'm not familiar with Port Groups (or how to set them up) I am not sure if this solution is reasonable or not?

Hopefully this is somewhat helpful and I will follow up with a screenshot of the ACLs when I get home.

Best regards

  @spotlizard Were you able to figure out the best solution for this? currently trying to implement something similar to yours. I have a pihole setup on vlan 1 and want to have other vlans use this as a dns server.

I am trying to do the same thing. I have a "Guest Network" vlan with a gateway ACL to deny it on all others but i want their dns to use pi hole thats on the primary vlan. This guest network is for the kids or any of their friends that decide to connect to wifi. I even tried creating an IP Group that contains pi hole and then a EAP ACL permitting traffic to that IP Group but i still cant reach it. Is there a way to use this blocking ACL but allow exceptions for specific IP's? I am using a ER707M2 router and the guest are connecting over Wifi through the EAP670 WAP.