services are being migrated from an existing standalone LXD/LXC server into the new cluster. Various media libraries, web hosts, blog sites, and photo sharing, also a NextCloud instance I use instead of Google Drive. I don't know why I do this to myself.
- Ubuntu 16.04
- Machine or VM with ports 443/80 reachable (will not work in a container without extra steps)
- Local terminal or SSH access
- Upstream DNS/DHCP server (not using PiHole for this)
On the DHCP server, set a reservation for the Pi-hole host so its IP doesn't change. For pfSense this is done using a DHCP reservation.
Note: Piping scripts to bash is a terrible idea; you should examine the script before executing this command.
curl -sSL https://install.pi-hole.net | bash
Check admin interface
Visit the URL provided in the console after install (usually https://yourIP/admin/)
You will need the admin password.
Configure on Pihole
The DNS forward/lookup server is your normal router/gateway box (for example:
My setup is a bit different from the recommended setup, as I use the upstream gateway for resolution and not one of the built-in DNS options (Google, Quad9, et al.).
If you'd like the clients to be identified by their DNS names, uncheck the following options:
- Never forward non-FQDNs
- Never forward reverse lookups for private IP ranges
For additional domain validation (if supported upstream) check:
I exclude my local network domain from appearing in the web UI [under what option]. This prevents local network chatter from making the top domains lists useless.
Set up UFW to allow PiHole and deny everything else
Change the IP ranges below to match your internal network.
# configure firewall for PiHole: default-deny inbound, then open only what Pi-hole needs from the LAN
sudo ufw default deny incoming
# allow SSH admin from LAN
sudo ufw allow from 192.168.1.0/24 to any app OpenSSH
sudo ufw allow from 192.168.2.0/24 to any app OpenSSH
# reject HTTPS so blocked ad requests fail fast instead of hanging
sudo ufw reject https
# allow Pihole web admin from LAN
sudo ufw allow proto tcp from 192.168.1.0/24 to any port 80
sudo ufw allow proto tcp from 192.168.2.0/24 to any port 80
# allow DNS traffic (UDP and TCP) from LAN
sudo ufw allow from 192.168.1.0/24 to any port 53 proto any
sudo ufw allow from 192.168.2.0/24 to any port 53 proto any
# allow FTL pihole engine from LAN
sudo ufw allow from 192.168.1.0/24 to any port 4711 proto tcp
sudo ufw allow from 192.168.2.0/24 to any port 4711 proto tcp
# enable firewall (prompts for confirmation)
sudo ufw enable
Reload firewall if needed
sudo ufw reload
DNS traffic uses port 53 (UDP and TCP), the web interface uses port 80, and FTL uses port 4711. The FTL rule may change or may not be needed except for localhost; this still needs testing.
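As an added check (not part of the original post), this Python script parses a `ufw status verbose` dump and flags rules that break the posture set above: a LAN-only service (53, 80, 4711, SSH) reachable from Anywhere (a port 53 rule open to the world turns the box into an open resolver), an allow from a non-LAN source, a LAN subnet with no DNS allow, or a missing HTTPS reject. The sample status text is constructed to mirror the rules above, and the column layout is assumed from ufw's verbose output.

```python
import ipaddress
import re
# Constructed sample in the layout of `sudo ufw status verbose`; not captured from a real host.
SAMPLE_STATUS = """\
Default: deny (incoming), allow (outgoing), disabled (routed)
To                         Action      From
OpenSSH                    ALLOW IN    192.168.1.0/24
443/tcp                    REJECT IN   Anywhere
80/tcp                     ALLOW IN    192.168.1.0/24
80/tcp                     ALLOW IN    192.168.2.0/24
53                         ALLOW IN    192.168.1.0/24
53                         ALLOW IN    192.168.2.0/24
4711/tcp                   ALLOW IN    192.168.1.0/24
443/tcp (v6)               REJECT IN   Anywhere (v6)
"""
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.2.0/24")]
LAN_ONLY = {"53", "80", "4711", "OpenSSH"}  # services that must never be reachable from Anywhere
RULE_RE = re.compile(
    r"^(?P<to>\S+(?: \(v6\))?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)(?: IN| OUT)?\s+(?P<src>.+?)\s*$")

def parse_status(text):
    # Returns (default_incoming_is_deny, [(to, action, src), ...]); header lines do not match RULE_RE.
    default_deny, rules = False, []
    for line in text.splitlines():
        if line.startswith("Default:"):
            default_deny = "deny (incoming)" in line or "reject (incoming)" in line
        m = RULE_RE.match(line)
        if m:
            rules.append((m["to"], m["action"], m["src"]))
    return default_deny, rules

def audit(text, lan_nets=LAN_NETS):
    # Returns a list of findings; an empty list means the ruleset matches the intended posture.
    default_deny, rules = parse_status(text)
    findings = [] if default_deny else ["default incoming policy is not deny"]
    for to, action, src in rules:
        service = to.split("/")[0].replace(" (v6)", "")
        if action != "ALLOW" or service not in LAN_ONLY:
            continue
        if src.startswith("Anywhere"):  # port 53 open to the world would make this an open resolver
            findings.append(f"{to} allowed from Anywhere")
            continue
        net = ipaddress.ip_network(src.split()[0], strict=False)
        if not any(net.version == lan.version and net.subnet_of(lan) for lan in lan_nets):
            findings.append(f"{to} allowed from non-LAN source {src}")
    for lan in lan_nets:  # every LAN subnet must still be able to reach the resolver
        if ("53", "ALLOW", str(lan)) not in rules:
            findings.append(f"DNS (53) not allowed from {lan}")
    if not any(to.startswith("443/") and action == "REJECT" for to, action, _ in rules):
        findings.append("443/tcp not rejected; blocked HTTPS ads will hang instead of failing fast")
    return findings
```

Run it against the real output with `audit(subprocess.check_output(["sudo", "ufw", "status", "verbose"], text=True))`; an empty list means the firewall still matches the intent after later rule changes.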