Pi-Hole and PowerDNS

For a while now I’ve been using Pi-hole at home to filter all kinds of domain names. In combination with a PowerDNS resolver this gives me more privacy: at least my queries are not monitored by the ‘free’ DNS resolvers out there…

PowerDNS is running on my Synology NAS in a docker container. Pi-hole is still running on a Raspberry Pi 3 Model B+, since I wanted to test it first and did not want to touch my working PowerDNS setup. It has been running fine for a while now, so I still need to move it from the Pi to a docker container as well. I will update this post with the detailed docker information once I have moved everything.

Pi-hole v5 has just been released, so I want to wait a short while until the first fixes are out before doing the move to docker.

A cool thing about Pi-hole is that you can use your own blocklists. Some of mine I took from fireblog.net.


UniFi Access Point stuck in Adopting state

I’m running the UniFi Controller on my Synology NAS in a docker container. After a firewall upgrade (the gateway for the AP LAN), I noticed that all my Access Points were in the Adopting state. The wireless was still working fine, but no UniFi AP was in the Connected state. Forcing provisioning of the APs did not work. So I restarted all my APs the hard way by power-cycling the PoE adapters, just to get it working again, I hoped…

This fixed the issue for the AP-AC-Pro access points. However, the AP-Pro stayed in the Adopting state even after a reboot.

I logged in to the node and checked the configuration;

$ ssh <user>@192.168.1.131 
<user>@192.168.1.131's password: 


BusyBox v1.25.1 () built-in shell (ash)


  ___ ___      .__________.__
 |   |   |____ |__\_  ____/__|
 |   |   /    \|  ||  __) |  |   (c) 2010-2019
 |   |  |   |  \  ||  \   |  |   Ubiquiti Networks, Inc.
 |______|___|  /__||__/   |__|
            |_/                  https://www.ui.com/

      Welcome to UniFi UAP-Pro!

AP1-BZ.v4.0.69# grep url cfg/mgmt 
mgmt.servers.1.url=http://172.17.0.2:8080/inform
stun_url=stun://192.168.1.139/
mgmt_url=https://192.168.1.139:8443/manage/site/default

As you can see, mgmt.servers.1.url is set to IP 172.17.0.2, which is incorrect! No idea how it ended up in there, but I changed it and immediately the AP was in the Connected state with the controller again!

AP1-BZ.v4.0.69# set-inform http://192.168.1.139:8080/inform

Adoption request sent to 'http://192.168.1.139:8080/inform'.  Use the controller to complete the adopt process.

After this setting change I upgraded the AP to version 4.0.80.10875, checked the cfg/mgmt file again, and now the mgmt.servers.1.url value is correct.


Update: Now I have an idea what happened :) 172.17.0.2 is the IP address the docker container itself is using (Docker’s default bridge network), which is not reachable from the LAN. Somehow this ended up at the AP as the inform address. I changed the following settings and now it’s fixed;

Settings > Controller Settings > Advanced Configuration

Controller Hostname/IP: 192.168.1.139 (my controller IP)
Override Inform Host With Controller Hostname/IP: enabled
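A small check for the situation above, added here as an example (not part of the original post or of Ubiquiti’s tooling): it pulls the host out of mgmt.servers.1.url in a copy of the AP’s cfg/mgmt file, compares it with the controller IP you expect, and calls out the Docker default-bridge range 172.17.0.0/16 explicitly, since that is the value that showed up on the AP. The sample file content is constructed from the output captured above; the controller IP 192.168.1.139 is the one from the post.

```shell
#!/bin/sh
# Added example, not from the original post: verify which inform URL an
# AP has stored and flag a Docker bridge address before it strands the AP.

# Print the host part of mgmt.servers.1.url from a cfg/mgmt file ($1).
inform_host() {
    grep '^mgmt.servers.1.url=' "$1" \
        | head -n 1 \
        | sed -E 's#^[^=]*=[a-z]+://([^:/]+).*$#\1#'
}

# $1 = path to cfg/mgmt, $2 = expected controller IP.
# Returns 0 when the inform host matches, 1 when it is a Docker default
# bridge address (172.17.0.0/16), 2 for any other mismatch.
check_inform() {
    host=$(inform_host "$1")
    if [ "$host" = "$2" ]; then
        echo "ok: inform host is $host"
        return 0
    fi
    case "$host" in
        172.17.*)
            echo "WARNING: inform host $host is the controller's Docker bridge address; the AP cannot reach it from the LAN"
            return 1 ;;
        *)
            echo "mismatch: inform host is '$host', expected $2"
            return 2 ;;
    esac
}

# Constructed sample, modelled on the cfg/mgmt lines captured above.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
mgmt.servers.1.url=http://172.17.0.2:8080/inform
stun_url=stun://192.168.1.139/
mgmt_url=https://192.168.1.139:8443/manage/site/default
EOF

check_inform "$SAMPLE_CFG" 192.168.1.139 \
    || echo "fix on the AP with: set-inform http://192.168.1.139:8080/inform"
rm -f "$SAMPLE_CFG"
```

Run it against a copy of cfg/mgmt fetched from the AP (for example via scp) rather than on the AP itself; the point is to catch the bridge address in the stored inform URL, which is exactly what the controller's "Override Inform Host" setting prevents from being handed out in the first place.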

6in4 tunnel on FortiWifi-30D

Before you can start your manual IPv6 tunnel configuration, the only thing you need is a so-called Tunnel Broker. I use the Hurricane Electric Free IPv6 Tunnel Broker.
See my post “IPv6 tunnel on Time Capsule” if you need more details about the Tunnel Broker.

The FortiGate/FortiWifi 30D does not support the 6in4 configuration via the GUI, only via the CLI. The CLI configuration should look like this:

In the config parts below I use the following placeholders; this is what they mean:
<IPv4_A> = Server IPv4 Address (www.whatismyip.com)
<IPv6_A> = Server IPv6 Address (HE IPv6, mostly x::1/64)
<IPv4_B> = Client IPv4 Address (HE IPv4 address)
<IPv6_B> = Client IPv6 Address (Your IPv6, mostly x::1/64)
<IPv6_C> = Routed IPv6 Prefix gateway
<IPv6_D> = Routed IPv6 Prefix

Create the sit-tunnel interface

config system sit-tunnel
    edit "HE_6in4_TUNNEL"
        set source <IPv4_A>
        set destination <IPv4_B>
        set ip6 <IPv6_B>
        set interface "wan"
    next
end

Now you should already be able to ping the HE IPv6 address: execute ping6 <IPv6_A>

Add the default IPv6 route

config router static6
    edit 1
        set device "HE_6in4_TUNNEL"
    next
end

You can check that the default route is added via get router info6 routing-table; you should see something like this:

S*      ::/0 [10/0] via ::, HE_6in4_TUNNEL, 00:01:08

Add the Routed IPv6 address to your LAN and enable router advertisements

config system interface
    edit "internal"
        config ipv6
            set ip6-allowaccess ping https ssh fgfm capwap
            set ip6-address <IPv6_C>
            set ip6-send-adv enable
            config ip6-prefix-list
                edit <IPv6_D>
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end

Add the policy to allow clients to reach the Internet

config firewall address6
    edit "HE_ROUTED_/64"
        set ip6 <IPv6_D>
    next
end
config firewall policy6
    edit 1
        set srcintf "internal"
        set dstintf "HE_6in4_TUNNEL"
        set srcaddr "HE_ROUTED_/64"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Most of the time with IPv4 you will enable NAT; with IPv6 this is not needed, since the IPv6 prefix you got from HE (in this case) is routed specifically to you. That also means every client in the routed /64 has a globally reachable address: the FortiGate’s implicit deny still drops unsolicited inbound traffic from the tunnel, because the only policy6 above allows traffic from internal to the tunnel, not the reverse.

You can also add IPv6 servers in DNS, for example the DNS servers from OpenDNS:

config system dns
    set ip6-primary 2620:0:ccd::2
    set ip6-secondary 2620:0:ccc::2
end
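The steps above are easy to get subtly wrong (an RFC 1918 WAN address as the tunnel source, a routed prefix that is not a /64, or the tunnel /64 pasted where the routed /64 belongs). The following Python script, added here as an example and not code from the original post or from Fortinet, checks those parameters with the standard ipaddress module and then renders the complete CLI from the post. The placeholder names follow the post: <IPv4_A> tunnel source, <IPv4_B> tunnel destination, <IPv6_A> the HE side of the tunnel /64, <IPv6_B> our side, <IPv6_D> the routed /64. <IPv6_C> is derived here as the first address of <IPv6_D>; that is an assumption (a common choice, but the post leaves it to the reader). The addresses used in the assertions are constructed documentation addresses (RFC 5737 / RFC 3849), not a real tunnel.

```python
# Added example (not the post's or Fortinet's code): validate the 6in4
# parameters, then render the FortiOS CLI shown in the post from them.
import ipaddress

TUNNEL = "HE_6in4_TUNNEL"
ADDR6 = "HE_ROUTED_/64"
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

TEMPLATE = """\
config system sit-tunnel
    edit "{tunnel}"
        set source {ipv4_a}
        set destination {ipv4_b}
        set ip6 {ipv6_b}
        set interface "wan"
    next
end
config router static6
    edit 1
        set device "{tunnel}"
    next
end
config system interface
    edit "internal"
        config ipv6
            set ip6-allowaccess ping https ssh fgfm capwap
            set ip6-address {ipv6_c}
            set ip6-send-adv enable
            config ip6-prefix-list
                edit {ipv6_d}
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end
config firewall address6
    edit "{addr6}"
        set ip6 {ipv6_d}
    next
end
config firewall policy6
    edit 1
        set srcintf "internal"
        set dstintf "{tunnel}"
        set srcaddr "{addr6}"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config system dns
    set ip6-primary {dns1}
    set ip6-secondary {dns2}
end
"""


def check_params(ipv4_a, ipv4_b, ipv6_a, ipv6_b, ipv6_d):
    """Return the list of problems found; an empty list means consistent."""
    try:
        src, dst = ipaddress.IPv4Address(ipv4_a), ipaddress.IPv4Address(ipv4_b)
        he, me = ipaddress.IPv6Interface(ipv6_a), ipaddress.IPv6Interface(ipv6_b)
        routed = ipaddress.IPv6Network(ipv6_d, strict=True)
    except ValueError as exc:
        return [f"unparseable parameter: {exc}"]
    problems = []
    # Protocol 41 needs a public IPv4 endpoint on both sides; an RFC 1918
    # source means the WAN sits behind NAT and the tunnel will not come up.
    for label, addr in (("<IPv4_A>", src), ("<IPv4_B>", dst)):
        if any(addr in net for net in RFC1918):
            problems.append(f"{label} {addr} is an RFC 1918 address")
    if he.network != me.network:
        problems.append("<IPv6_A> and <IPv6_B> are not in the same tunnel /64")
    if he.ip == me.ip:
        problems.append("<IPv6_A> and <IPv6_B> must differ")
    if routed.prefixlen != 64:
        problems.append("<IPv6_D> must be a /64 for SLAAC router advertisements")
    if routed.overlaps(me.network):
        problems.append("<IPv6_D> must not overlap the tunnel /64")
    return problems


def render_config(ipv4_a, ipv4_b, ipv6_a, ipv6_b, ipv6_d,
                  dns6=("2620:0:ccd::2", "2620:0:ccc::2")):
    """Render the CLI, or raise ValueError listing every inconsistency."""
    problems = check_params(ipv4_a, ipv4_b, ipv6_a, ipv6_b, ipv6_d)
    if problems:
        raise ValueError("; ".join(problems))
    routed = ipaddress.IPv6Network(ipv6_d)
    # <IPv6_C>: first address of the routed prefix as LAN gateway (assumption).
    ipv6_c = f"{routed[1]}/{routed.prefixlen}"
    return TEMPLATE.format(tunnel=TUNNEL, addr6=ADDR6, ipv4_a=ipv4_a, ipv4_b=ipv4_b,
                           ipv6_b=ipv6_b, ipv6_c=ipv6_c, ipv6_d=routed,
                           dns1=dns6[0], dns2=dns6[1])
```

Call render_config() with your own values, for example render_config("198.51.100.10", "203.0.113.1", "2001:db8:1::1/64", "2001:db8:1::2/64", "2001:db8:2::/64") with the constructed addresses, and paste the result into the CLI. The overlap check matters because the HE tunnel /64 and the routed /64 look alike on the broker's page; advertising the tunnel prefix on the LAN would give clients addresses that HE never routes to you.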