deathtoduarte
Posts: 7
Joined: Sun Mar 28, 2021 11:02 pm

Pi-hole VLAN and DHCP

Sun Mar 28, 2021 11:44 pm

Hi everyone,

I'm currently doing a home networking project and really confused about VLANs and DHCP IP provisioning in Pi-hole (which is doing the DHCP).

My setup right now looks like this: Virgin router > Raspberry Pi & L2 switch > 3 subnets:
  • home
  • work
  • things (tv, ps4, etc.)
The Raspberry Pi and L2 switch are plugged in the Virgin router. The rest are in the VLANs on the L2 switch.

Everything works fine, I'm not seeing issues but when I look at the Pi-hole Dashboard > DHCP, all the assigned IP addresses appear to be in the same subnet. I mean they're all in the same IP range -- 192.168.0.201 - 251.

Is this something that's supposed to be configured in /etc/dhcpcd.conf?
How would the Raspberry Pi (or Pi-hole) even know the subnets? Do I define them by subnet names and IP ranges (and MAC addresses)?

I'm completely lost on this; could I please ask for help?

Thank you.

epoch1970
Posts: 6324
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Pi-hole VLAN and DHCP

Mon Mar 29, 2021 12:30 pm

dhcpcd is a client DHCP program. It has nothing to do with DHCP servers delivering IP addresses.

Your Pi should have tagged network interfaces that match the VLANs you're managing on the switch, e.g. "eth0.1234", "eth0.567" (or use extra USB adapters and plug them into switch ports with the appropriate PVID set on them).
On each interface, have a DHCP server listen and deliver addresses according to its configuration. Or use a fancy DHCP server like dnsmasq (which PiHole uses, IIRC) and configure it so that it sends the appropriate configuration according to which interface the request comes from.

If you strip the tag before the query arrives in the Pi, the server would have no way of knowing which network it comes from.
Last edited by epoch1970 on Tue Mar 30, 2021 12:26 pm, edited 1 time in total.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

deathtoduarte
Posts: 7
Joined: Sun Mar 28, 2021 11:02 pm

Re: Pi-hole VLAN and DHCP

Mon Mar 29, 2021 9:32 pm

epoch1970 wrote:
Mon Mar 29, 2021 12:30 pm
dhcpcd is a client DHCP program. It has nothing to do with DHCP servers delivering IP addresses.

Your Pi should have tagged network interfaces that match the VLANs you're managing on the switch, e.g. "eth0.1234", "eth0.5678" (or use extra USB adapters and plug them to switch ports with the appropriate PVID set on them)
On each interface, have a DHCP server listen and deliver addresses according to its configuration. Or use a fancy DHCP server like dnsmasq (which PiHole uses, IIRC) and configure it so that it sends the appropriate configuration according to which interface the request comes from.

If you strip the tag before the query arrives in the Pi, the server would have no way of knowing which network it comes from.
Okay, it looks like I need to look at my VLAN setup again... I may not have done the right thing with the PVID (facepalm).
What you've said about the Pi tagging the network interfaces went over my head... but I'm picking things up as I go... so I'll report back once I've looked into it.

Thanks for the reply.

epoch1970
Posts: 6324
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Pi-hole VLAN and DHCP

Tue Mar 30, 2021 9:40 am

Let me try to clarify.

To create vlan interfaces in Linux, use the “ip” command, e.g. https://baturin.org/docs/iproute2/#ip-link-add-vlan
Or do it using systemd-networkd under raspios (no experience with that, sorry)

That gives you an interface like eth0.1234 (assuming VLAN ID 1234) that will:
  • add VLAN ID 1234 to Ethernet frames that go out of the interface, e.g. towards the switch to another peer.
  • strip the ID from frames that come into the interface
  • reject incoming traffic that is not tagged with ID 1234
So now this interface is only connected to the virtual Ethernet network with ID 1234.

In your case and if I got that right you want 3 networks managed by the Pi, possibly 2 VLANs and the "native" (aka untagged, aka default VLAN, aka VID 1) network.
- You'd want to see eth0, eth0.1234 and eth0.567 in the Pi, each with their (static, if hosting a DHCP server) IP configuration.
- You'd need to configure the switch port the Pi is connected to, to belong to VIDs 1, 1234, 567 (this is known as a "trunked port" setup).

EDIT: VID 5678 isn't possible, corrected to 576... Possible VLAN IDs range from 1 to 4096.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

deathtoduarte
Posts: 7
Joined: Sun Mar 28, 2021 11:02 pm

Re: Pi-hole VLAN and DHCP

Tue Apr 06, 2021 10:10 pm

epoch1970 wrote:
Tue Mar 30, 2021 9:40 am
Let me try to clarify.

To create vlan interfaces in Linux, use the “ip” command, e.g. https://baturin.org/docs/iproute2/#ip-link-add-vlan
Or do it using systemd-networkd under raspios (no experience with that, sorry)

That gives you an interface like eth0.1234 (assuming VLAN ID 1234) that will:
  • add VLAN ID 1234 to Ethernet frames that go out of the interface, e.g. towards the switch to another peer.
  • strip the ID from frames that come into the interface
  • reject incoming traffic that is not tagged with ID 1234
So now this interface is only connected to the virtual Ethernet network with ID 1234

In your case and if I got that right you want 3 networks managed by the Pi, possibly 2 VLANs and the "native" (aka untagged, aka default VLAN, aka VID 1) network.
- You'd want to see eth0, eth0.1234 and eth0.567 in the Pi, each with their (static, if hosting a DHCP server) IP configuration.
- You'd need to configure the switch port the Pi is connected to, to belong to VIDs 1, 1234, 567 (this is known as a "trunked port" setup).

EDIT: VID 5678 isn't possible, corrected to 576... Possible VLAN IDs range from 1 to 4096.
Thanks again for your detailed response.

This is probably a noob question but currently, the Raspberry Pi is plugged into the router, not the switch. I thought it would need to be above (or on top of) the VLANs to be able to see them and provision IP addresses. Is that not the case?

Does it need to be plugged into the switch (where the VLANs are) and be configured as VLAN 1 (i.e. the VLAN all other VLANs see)?

Thank you.

epoch1970
Posts: 6324
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Pi-hole VLAN and DHCP

Wed Apr 07, 2021 7:49 am

There is no VLAN that all other VLANs see. VLAN traffic is self-contained, like in its own physical Ethernet network.

There is one VLAN that receives all untagged traffic, VLAN 1. VLAN 1 is a sort of “lost and found”, all the traffic (baggage) that doesn’t have an ID tag ends up there.

People who sell Ethernet switches want their product to work out of the box, so the default setup on a VLAN-aware switch is for all ports to belong to VID 1 and untag all outgoing traffic. Anything you connect to the switch is on the network, and there is a single network. Like with a dumb switch.
To start segregating traffic you not only need to add VLAN IDs and assign them to ports but also to remove ID 1 which is by default associated with every port.

If you have a single DHCP server listening on VLAN 1, all it does is deliver leases valid on that network.

Instead I think you’d want to have 3 DHCP servers, each listening on its own VLAN and serving its own network. You’d need 3 machines, or one machine with 3 interfaces, one for each VLAN.
Normally you’d also want 3 routers, each with their own security policy, or 3 interfaces in the router.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

deathtoduarte
Posts: 7
Joined: Sun Mar 28, 2021 11:02 pm

Re: Pi-hole VLAN and DHCP

Wed Apr 07, 2021 8:47 am

epoch1970 wrote:
Wed Apr 07, 2021 7:49 am
To start segregating traffic you not only need to add VLAN IDs and assign them to ports but also to remove ID 1 which is by default associated with every port.
Ah okay, so that would explain why the devices in different VLANs are still able to see/ping each other.
Currently, I have assigned the ports on the switch to different VLAN IDs but all VLAN IDs are also still associated with VLAN1. So, I would need to take them off of VLAN1 to fully segregate them. Gotcha.
epoch1970 wrote:
Instead I think you’d want to have 3 DHCP servers, each listening on its own VLAN and serving its own network. You’d need 3 machines, or one machine with 3 interfaces, one for each VLAN.
Normally you’d also want 3 routers, each with their own security policy, or 3 interfaces in the router.
I see.
Okay, that would be a bit too complicated for just a home network (i.e. having 3 separate DHCP servers). What I have in mind is just to segregate the subnets so the devices can't see each other across the different VLANs and still have the IPs leased.
epoch1970 wrote:
If you have a single DHCP server listening on VLAN 1, all it does is deliver leases valid on that network.
I do and that's Pi-hole, which is directly plugged into the router (i.e. side by side with the switch).
But so far, it's still provisioning/leasing IPs to all devices on the switch. Does that mean it's currently in the correct position on my network topology?

epoch1970
Posts: 6324
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Pi-hole VLAN and DHCP

Wed Apr 07, 2021 3:40 pm

deathtoduarte wrote:
Wed Apr 07, 2021 8:47 am
Instead I think you’d want to have 3 DHCP servers, each listening on its own VLAN and serving its own network.
Okay, that would be a bit too complicated for just a home network (i.e having 3 separate DHCP servers). What I have in mind is just to segregate the subnets so the devices can't see each other across the different VLANs and still have the IPs leased.
First off it's not that complicated, just running 3 instances of the same program, each bound exclusively to a specific network interface.
But with dnsmasq this is made really easy:
  • Let it listen to every interface
  • Write your configuration commands in a way that references the interface. dnsmasq has a concept of "tags", nothing to do with VLAN IDs, but useful nonetheless here.
    Buried in the NOTES section of https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html wrote:
    The tag system works as follows: For each DHCP request, dnsmasq collects a set of valid tags from active configuration lines which include set:<tag>, including one from the --dhcp-range used to allocate the address, one from any matching --dhcp-host (and "known" or "known-othernet" if a --dhcp-host matches). The tag "bootp" is set for BOOTP requests, and a tag whose name is the name of the interface on which the request arrived is also set.
    This is an example config for a dnsmasq DHCP server taking care of 2 VLANs (host has 2 interfaces):


    # Listen on VID 1 and VID 100
    interface=eth0
    interface=eth0.100
    # IP pool spec for the untagged network  
    dhcp-range=tag:eth0,192.168.1.100,192.168.1.200,255.255.255.0,1d
    # IP pool spec for the VID 100 network  
    dhcp-range=tag:eth0.100,192.168.100.100,192.168.100.200,255.255.255.0,2h
    # DHCP options to be set by clients (cf. "dnsmasq --help dhcp")
    # Router: DHCP option 3
    dhcp-option=tag:eth0,option:router,192.168.1.1
    dhcp-option=tag:eth0.100,option:router,192.168.100.254
    # DNS server: DHCP option 6
    dhcp-option=tag:eth0,option:dns-server,192.168.1.2
    dhcp-option=tag:eth0.100,option:dns-server,8.8.8.8
    ...
    
    I have no idea how to configure that with pi-hole, sorry.
  • To be complete, the interfaces would be configured in /etc/dhcpcd.conf, something like this:


    interface eth0
    static ip_address=192.168.1.2/24
    static routers=192.168.1.1
    static domain_name_servers=8.8.8.8
    
    interface eth0.100
    static ip_address=192.168.100.254/24
    static routers=192.168.100.254
    #static domain_name_servers=8.8.8.8
    
    The best way of creating that eth0.100 interface is unclear to me. My preference goes to adding a script to dhcpcd but that's "complicated"; systemd-networkd can create vlan interfaces but I don't understand why it insists on configuring the IP layer in addition to creating the link; ifupdown and/or vconfig are antiquated.
deathtoduarte wrote:
Wed Apr 07, 2021 8:47 am
If you have a single DHCP server listening on VLAN 1, all it does is deliver leases valid on that network.
I do and that's Pi-hole, which is directly plugged into the router (i.e. side by side with the switch).
But so far, it's still provisioning/leasing IPs to all devices on the switch. Does that mean it's currently in the correct position on my network topology?
It currently sort of works because your VLANs are improperly configured and hosts see each other, cf. switch config issue. Some hosts receive an IP config they wouldn't really care about because it is for the wrong network, cf. your first post.
As soon as you fix the switch configuration and some ports stop trunking their VLAN with VLAN ID 1, these hosts won't receive a lease at all, this time because no DHCP server is listening on their network.
You'll need to fix the network configuration of the Pi and that of dnsmasq so that it can serve DHCP leases. In the expected network, this time.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

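As an added example (not code from the thread, dnsmasq or Pi-hole), a small Python check that parses the two snippets epoch1970 posted above and verifies they agree: every interface dnsmasq listens on has a static address in dhcpcd.conf, a dhcp-range tagged with that interface name (dnsmasq sets the arrival interface as a tag, so that range is the one used for requests from that VLAN), and a pool and router inside that interface's subnet. The configs are embedded inline, trimmed to the lines the check reads; the parser and `check` names are my own.

```python
import ipaddress
# Constructed inline from the two configs posted in the thread (trimmed).
DNSMASQ_CONF = """\
interface=eth0
interface=eth0.100
dhcp-range=tag:eth0,192.168.1.100,192.168.1.200,255.255.255.0,1d
dhcp-range=tag:eth0.100,192.168.100.100,192.168.100.200,255.255.255.0,2h
dhcp-option=tag:eth0,option:router,192.168.1.1
dhcp-option=tag:eth0.100,option:router,192.168.100.254
"""
DHCPCD_CONF = """\
interface eth0
static ip_address=192.168.1.2/24
interface eth0.100
static ip_address=192.168.100.254/24
"""

def parse_dhcpcd(text):
    """Map interface name -> its static IPv4Interface from dhcpcd.conf."""
    addrs, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
        elif line.startswith("static ip_address=") and cur:
            addrs[cur] = ipaddress.ip_interface(line.split("=", 1)[1])
    return addrs

def parse_dnsmasq(text):
    """Listen interfaces, tag -> (low, high) pool, tag -> router option."""
    ifaces, pools, routers = set(), {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface="):
            ifaces.add(line.split("=", 1)[1])
        elif line.startswith("dhcp-range=tag:"):
            tag, lo, hi = line[len("dhcp-range=tag:"):].split(",")[:3]
            pools[tag] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif line.startswith("dhcp-option=tag:") and ",option:router," in line:
            tag, _opt, rtr = line[len("dhcp-option=tag:"):].split(",")
            routers[tag] = ipaddress.ip_address(rtr)
    return ifaces, pools, routers

def check(dnsmasq_text=DNSMASQ_CONF, dhcpcd_text=DHCPCD_CONF):
    """Return a list of problems; an empty list means the two files agree."""
    ifaces, pools, routers = parse_dnsmasq(dnsmasq_text)
    addrs, problems = parse_dhcpcd(dhcpcd_text), []
    for iface in sorted(ifaces):
        if iface not in addrs:
            problems.append(f"{iface}: no static ip_address in dhcpcd.conf")
        elif iface not in pools:  # the thread's failure mode: nobody answers
            problems.append(f"{iface}: no dhcp-range tagged {iface}, no leases")
        elif any(a not in addrs[iface].network for a in pools[iface]):
            problems.append(f"{iface}: pool outside {addrs[iface].network}")
        elif iface in routers and routers[iface] not in addrs[iface].network:
            problems.append(f"{iface}: router {routers[iface]} not in subnet")
    return problems
```

Running `check()` on the posted configs returns an empty list; adding a listen interface without a matching tagged dhcp-range reproduces the "no lease at all" situation described above.
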
deathtoduarte
Posts: 7
Joined: Sun Mar 28, 2021 11:02 pm

Re: Pi-hole VLAN and DHCP

Mon Apr 19, 2021 11:47 am

Thanks for your detailed explanation and config examples.

However, I'm gonna have to take a few steps away and ask another stupid question; does the Raspberry Pi (which is doing the DHCP) need to be plugged into each VLAN for which it's responsible for provisioning the IPs?

Currently, it is plugged into the Router and because the managed switch is also plugged into the router, I thought the Rpi would be able to see the VLANs. Is this not the case?

Would I need to get multiple NICs on the Pi and plug them into each VLAN individually?

epoch1970
Posts: 6324
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Pi-hole VLAN and DHCP

Mon Apr 19, 2021 2:57 pm

A VLAN is the same as a physical network.
Picture in your mind what you need to deliver addresses via DHCP on a physical network. It is the exact same for a VLAN.

Let's consider 3 VLANs. That's 3 networks, so 3 DHCP servers, and up to 3 hosts to run the server on each network. Assuming a single host runs all DHCP servers, it has to have 3 interfaces.

Normally your router would also have 3 interfaces on the LAN side.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

deathtoduarte
Posts: 7
Joined: Sun Mar 28, 2021 11:02 pm

Re: Pi-hole VLAN and DHCP

Tue Apr 20, 2021 10:28 am

epoch1970 wrote:
Mon Apr 19, 2021 2:57 pm
A VLAN is the same as a physical network.
Picture in your mind what you need to deliver addresses via DHCP on a physical network. It is the exact same for a VLAN.

Let's consider 3 VLANs. That's 3 networks, so 3 DHCP servers, and up to 3 hosts to run the server on each network. Assuming a single host runs all DHCP servers, it has to have 3 interfaces.

Normally your router would also have 3 interfaces on the LAN side.
Ah okay, makes complete sense.

My current router is just a generic ISP-provided one and doesn't have 3 interfaces.

Sorry to digress... but is this why I would need to add an "edgerouter" then? So, it'll be like...

Modem (ISP router in a modem mode) -> edgerouter (doing DHCP) -> L2 switch -> end-user devices ?

epoch1970
Posts: 6324
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Pi-hole VLAN and DHCP

Tue Apr 20, 2021 11:59 am

If your ISP router doesn't support VLANs, you can put the Pi behind it and use the normal (raw, tagless) ethernet link to access the internet. Then create VLANs in the Pi and route/masquerade between the VLANs and the upstream network to access the internet.
Connect both to your switch. The ISP router must be connected to a port that only accepts untagged traffic, the Pi connected to a port that accepts all traffic (trunk port), and the other machines connected to ports that only accept traffic tagged with their VLAN ID.

If your ISP router features bridge ("modem") mode, then the IP address of the tagless interface in the Pi will be a public address. If the ISP router does not, the Pi will get a private address. In this case the Pi will masquerade traffic that needs to go to the internet, and the ISP box will masquerade it again. That's a "double NAT" situation, not ideal but it works in general.
If the Pi receives a public IP address it must be very secure and stable, so run a minimal amount of services. Using a dedicated router OS distribution, like OpenWRT would be a wise choice. OpenWRT handles VLANs no problem.

If you like fancy names, I think your ISP router would be called a "border router", sitting between the internet and your LAN, and the Pi behind it would be an "inner router".
An "edge router" belongs to an ISP or other large organization operating part of the internet, that's something else: https://en.wikipedia.org/wiki/Router_(c ... t_networks
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

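To make the two switch-port points in this thread concrete (VID 1 left on every port means every host still sees every other; after the fix only the Pi's trunk port sees several VLANs, and the ISP router sits on the untagged network), here is an added Python model of a VLAN-aware switch's ingress and egress rules. It is not code from the thread or from any switch vendor; the port names, VIDs 10 and 20, and the `Port`, `delivered` and `hosts_that_see` helpers are my assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """One VLAN-aware switch port (constructed model, not a real switch API):
    untagged frames land in pvid, tagged frames are accepted only for VIDs in
    `tagged`, and VIDs in `untagged` leave the port with their tag stripped."""
    name: str
    pvid: int = 1
    untagged: set = field(default_factory=lambda: {1})
    tagged: set = field(default_factory=set)

    def ingress_vid(self, tag=None):
        """VID a frame arriving on this port joins; None if the switch drops it."""
        return self.pvid if tag is None else (tag if tag in self.tagged else None)

    def egress(self, vid):
        """How a frame in `vid` leaves this port: 'untagged', 'tagged' or None."""
        if vid in self.untagged:
            return "untagged"
        return "tagged" if vid in self.tagged else None

def delivered(src, dst, tag=None):
    """(vid, how) for a frame entering src and leaving dst, or (None, None)
    when the two ports share no VLAN and the hosts cannot see each other."""
    vid = src.ingress_vid(tag)
    how = dst.egress(vid) if vid is not None and src is not dst else None
    return (vid, how) if how else (None, None)

def misconfigured():
    """The thread's starting point: VIDs added to the ports, but PVID 1 and
    untagged membership of VID 1 left in place on every port."""
    return {"pi": Port("pi", pvid=1, untagged={1}, tagged={10, 20}),
            "home": Port("home", pvid=1, untagged={1, 10}),
            "work": Port("work", pvid=1, untagged={1, 20})}

def segregated():
    """The fix: VID 1 removed from the access ports (PVID set to their own VID),
    the ISP router untagged on VID 1, the Pi on a trunk carrying 10 and 20."""
    return {"router": Port("router"),
            "pi": Port("pi", pvid=1, untagged={1}, tagged={10, 20}),
            "home": Port("home", pvid=10, untagged={10}),
            "work": Port("work", pvid=20, untagged={20}),
            "tv": Port("tv", pvid=20, untagged={20})}

def hosts_that_see(ports, name):
    """Ports an untagged host plugged into `name` can reach, mapped to the VID
    its frames travel in; a DHCP broadcast from that host goes exactly there."""
    reach = {other: delivered(ports[name], p)[0] for other, p in ports.items()}
    return {k: v for k, v in reach.items() if v is not None}
```

In the segregated layout a DHCP request from the "home" port reaches only the Pi, tagged with VID 10, which is why the Pi needs an eth0.10 interface and a dhcp-range for it rather than a single untagged listener.
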
deathtoduarte
Posts: 7
Joined: Sun Mar 28, 2021 11:02 pm

Re: Pi-hole VLAN and DHCP

Tue Apr 27, 2021 10:34 am

Okay, so I took a step back for a couple of days to really look at my home set-up. I considered what I'd need to do to get it up and running the way I wanted it to...and decided to tear down the whole thing and replaced it with a Unifi Dream Machine.

Now, it's doing DHCP on separate VLAN subnets and I'm running everything wirelessly with a few segregated SSIDs (from those VLANs). Had to learn a little about writing firewall rules but turned out there were quite a few articles about it on the Internet.

I reset the pi-hole, set a new static IP and ensured it's doing only the DNS. Then, I added its address as the DHCP Name Server on each VLAN from Unifi interface. Things are working as they should be now. Even saved some space as I've done away with the switches :D

Thanks again for your help. The steps you had run through helped me understand the process involved in VLAN networking and DHCP. I realised how much I didn't know and started looking into home networking, and discovered the UDM :)
