Background
My WiFi is bound to my Internet router and is separated from my home office by a routing stateful firewall. Some WiFi devices (for example my printer) need access to this home office IP range.
Pi-Hole DHCP Service
As far as routing goes, the DHCP service of my Pi-hole server offers just DHCP option 3, the router (default gateway) option.
Disable DHCP-Option 3 (Default Gateway)
The Pi-hole web GUI doesn't allow specifying additional DHCP options, so the first attempt was to simply disable offering the default gateway option, which is not allowed (my opinion: a bug, since this is not a feature).
Stop here and use another DHCP service?
Use the "Router Option" as fallback for "old" clients
Fortunately RFC 3442 ("The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4", https://datatracker.ietf.org/doc/html/rfc3442) states:
If the DHCP server returns both a Classless Static Routes option and a Router option, the DHCP client MUST ignore the Router option.
So the router option can stay enabled: a client that implements RFC 3442 ignores it, and an old DHCP client that does not implement the classless static route option ignores that option instead and keeps using the default gateway from option 3. Keep in mind that, like everything in DHCP, these routes are unauthenticated: any host on the WiFi that answers DHCP requests can push its own option 121 routes, so the firewall at 172.16.1.2 remains the only real enforcement point between WiFi and home office.
Implementation
- leave the web GUI as it is
- go to the SSH bash shell
- add the additional DHCP options there
Leave the auto-generated config files as they are
adminname@pi-hole-server:/etc/dnsmasq.d $ ls -l
total 16
-rw-r--r-- 1 root root 1524 May 22 13:16 01-pihole.conf
-rw-r--r-- 1 root root 490 May 22 13:16 02-pihole-dhcp.conf
-rw-r--r-- 1 root root 143 Dec 8 14:04 04-pihole-static-dhcp.conf
adminname@pi-hole-server:/etc/dnsmasq.d $ cat 01-pihole.conf
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Dnsmasq config for Pi-hole's FTLDNS
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.
###############################################################################
# FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE. #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
# #
# IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN: #
# /etc/pihole/setupVars.conf #
# #
# ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE #
# WITHIN /etc/dnsmasq.d/yourname.conf #
###############################################################################
addn-hosts=/etc/pihole/local.list
...
Add your config in a separate config file
So let's add our own "/etc/dnsmasq.d/yourname.conf", here named 99-user-settings.conf.
I'd like to create
- a default route (0.0.0.0/0) via the WiFi router 172.16.1.1
- static routes for all private (RFC 1918) address ranges via the firewall 172.16.1.2
sudo tee /etc/dnsmasq.d/99-user-settings.conf > /dev/null <<'EOF'
# RFC 3442 classless static routes (option 121): default via the WiFi router, RFC 1918 ranges via the firewall
dhcp-option=option:classless-static-route,0.0.0.0/0,172.16.1.1,10.0.0.0/8,172.16.1.2,172.16.0.0/12,172.16.1.2,192.168.0.0/16,172.16.1.2
EOF
(A plain sudo echo "..." > 99-user-settings.conf fails with "Permission denied" in /etc/dnsmasq.d: sudo only applies to echo, the redirection is done by your unprivileged shell, hence tee.)
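To make clear what dnsmasq actually hands to the client for this line (and what the RFC 3442 quote above refers to), here is an added example that is not part of the original post: it renders the same route list as the dhcp-option line, encodes it as the option 121 payload (per route: one prefix-length byte, only the significant destination octets, then the four-byte router address), decodes such a payload the way a client must, rejecting truncated or malformed input, and resolves next hops by longest-prefix match. The route list mirrors the config above; the client subnet 172.16.1.0/24 and the test addresses are assumptions for illustration.

```python
# Added example (not from the original post): RFC 3442 / DHCP option 121
# encoder, decoder and next-hop lookup for the route list used above.
import ipaddress

# Mirrors the dhcp-option line above; WIFI_SUBNET is an assumption (the
# client's own on-link subnet, as seen in the Windows route table).
ROUTES = [
    ("0.0.0.0/0",      "172.16.1.1"),   # default route via the WiFi router
    ("10.0.0.0/8",     "172.16.1.2"),   # RFC 1918 ranges via the firewall
    ("172.16.0.0/12",  "172.16.1.2"),
    ("192.168.0.0/16", "172.16.1.2"),
]
WIFI_SUBNET = "172.16.1.0/24"


def dnsmasq_line(routes):
    """Render the route list as the dnsmasq dhcp-option= line."""
    pairs = ",".join(f"{cidr},{router}" for cidr, router in routes)
    return "dhcp-option=option:classless-static-route," + pairs


def encode_option121(routes):
    """RFC 3442 payload: per route a 1-byte prefix length, the significant
    destination octets (ceil(prefixlen/8) of them), then the 4-byte router."""
    out = bytearray()
    for cidr, router in routes:
        net = ipaddress.IPv4Network(cidr)          # strict: host bits must be zero
        nsig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:nsig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def option121_tlv(payload):
    """Wrap the payload as a DHCP option: code 121, length, value.
    A payload over 255 bytes would need RFC 3396 splitting, which is not done here."""
    if len(payload) > 255:
        raise ValueError("option 121 payload too long for a single option")
    return bytes([121, len(payload)]) + payload


def decode_option121(payload):
    """Parse an option 121 payload into [(cidr, router), ...], with bounds
    checks so truncated or malformed data raises instead of being guessed."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i - 1}")
        nsig = (plen + 7) // 8
        dest, router = payload[i:i + nsig], payload[i + nsig:i + nsig + 4]
        if len(dest) != nsig or len(router) != 4:
            raise ValueError(f"truncated route entry at offset {i - 1}")
        i += nsig + 4
        dest_bytes = dest + b"\x00" * (4 - nsig)           # pad to a full address
        net = ipaddress.IPv4Network((dest_bytes, plen))     # strict: rejects stray host bits
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


def next_hop(dst, routes=ROUTES, on_link=WIFI_SUBNET):
    """Longest-prefix match over the DHCP routes plus the connected subnet;
    this is what the client's routing table resolves a destination to."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [(ipaddress.IPv4Network(c), r) for c, r in routes]
    candidates.append((ipaddress.IPv4Network(on_link), "on-link"))
    best = max((nr for nr in candidates if addr in nr[0]), key=lambda nr: nr[0].prefixlen)
    return best[1]


if __name__ == "__main__":
    print(dnsmasq_line(ROUTES))
    payload = encode_option121(ROUTES)
    print("option 121 TLV:", option121_tlv(payload).hex())
    for cidr, router in decode_option121(payload):
        print(f"  {cidr:16} via {router}")
    for dst in ("8.8.8.8", "10.1.2.3", "172.16.5.5", "172.16.1.1"):  # assumed test addresses
        print(f"{dst:12} -> {next_hop(dst)}")
```

Two practical notes: the encoded payload for these four routes is only 25 bytes, so it fits one option without RFC 3396 splitting, and 172.16.0.0/12 contains the WiFi subnet itself, which is harmless because the connected /24 wins the longest-prefix match. Also, dnsmasq sends a plain dhcp-option only to clients that list option 121 in their parameter request list (dhcp-option-force would send it unconditionally); Windows 10 requests it, which is why the route table below looks right.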
Reload the DHCP service
sudo service pihole-FTL reload
Refresh the DHCP client
Ugly: Windows 10 still reports a "default gateway" to be set :( (both the router option and the 0.0.0.0/0 classless route point to 172.16.1.1, so ipconfig alone cannot tell which one it used; the routing table can.)
C:\Users\user>ipconfig /renew "WLAN"
Windows IP Configuration
Wireless LAN adapter WLAN:
Connection-specific DNS Suffix . : prod.local
IPv4 Address. . . . . . . . . . . : 172.16.1.14
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.1.1
Check results
But the IP routing table is fine: even Windows 10 implements RFC 3442. The three RFC 1918 ranges go via the firewall 172.16.1.2, the default route via 172.16.1.1, and the local 172.16.1.0/24 stays on-link because its longer prefix beats the 172.16.0.0/12 route:
C:\Users\user>route print
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0       172.16.1.1      172.16.1.14      35
         10.0.0.0        255.0.0.0       172.16.1.2      172.16.1.14      36
        127.0.0.0        255.0.0.0          On-link        127.0.0.1     331
        127.0.0.1  255.255.255.255          On-link        127.0.0.1     331
       172.16.0.0      255.240.0.0       172.16.1.2      172.16.1.14      36
      192.168.0.0      255.255.0.0       172.16.1.2      172.16.1.14      36
       172.16.1.0    255.255.255.0          On-link      172.16.1.14     291
  255.255.255.255  255.255.255.255          On-link      172.16.1.14     291
===========================================================================
Android?
Forget it: Google seems not to prioritize fixing basic low-level IP stack issues, which is embarrassing: https://issuetracker.google.com/issues/36920068