Sunday, 5 January 2020

Mikrotik + Pi Zero + Pi-hole = advertising sinkhole with fail-safe

Components

  • Mikrotik router with USB port - I tested on RB2011UiAS-2HnD-IN and hAP ac models
  • RouterOS in modern version - I tested with long term (6.44.6)
  • Raspberry Pi Zero - I use old one without "W", with 4GB microSD card running latest Raspbian 10 Buster (minimal, without GUI!)
  • Short micro-USB data cable - because many cheap cables don't do data

Pi Zero actually has more than enough power to run Pi-hole serving even quite large home/family network and running it completely self-contained off Mikrotik seems to work great!


Initial setup

  1. Download and burn the latest Raspbian onto the SD card - I used for this Etcher and 2019-09-26-raspbian-buster-lite.img
  2. Connect SD card to a PC and in partition called boot edit two files to enable Ethernet gadget:
    1. config.txt - at the very end of the file add a line saying dtoverlay=dwc2
    2. cmdline.txt - add modules-load=dwc2,g_ether directly after 'rootwait' and before any other parameters that may (or not) be there
  3. Boot up RPi powering from PC using the port marked as USB on the board - not the PWR IN; it's the one in the centre - only that one does power + gadget
  4. After all boots up, you should be able to run ssh pi@raspberrypi.local (thanks mDNS!) with password raspberry
  5. On the RPi create file called /etc/modprobe.d/g_ether.conf with the following content (single line of text)
    options g_ether idVendor=0x05ac idProduct=0x1402 iProduct=Pi0 iManufacturer=Raspberry
    NOTE - This is required for RPi to show up as LTE interface on Mikrotik!
  6. Configure network access on the PC to allow RPi to reach the Internet - NAT or something
  7. Install Pi-hole - instructions are here, follow the steps and you will end up with Pi with static IP address configured on it
  8. If you want to change the static assigned IP address AFTER installing Pi-hole, you can edit usb0 interface settings in /etc/dhcpcd.conf
  9. Once Pi-hole is ready, shut down both RPi and Mikrotik, connect RPi to USB port on Mikrotik, let it boot up... and then you should see lte1 under both /interfaces and /interfaces lte


  10. Add IP address to lte1 from the same subnet as set on the RPi and enjoy - you should be able to reach RPi via SSH and/or web - if not, check firewall
    NOTE - you can't add lte1 to the bridge, so just treat it as routed destination instead of bridged (sorry, no mDNS broadcasts for you!)
  11. Now you can edit DNS settings in your DHCP server - this sits under Networks - enjoy!
Note - Mikrotik is not PnP - you have to reboot it after connecting RPi. If after 1st reboot you don't see lte1 interface, reboot the Mikrotik again. You may also try updating Mikrotik firmware.

Automated fail-safe - when RPi goes down...

Now, with this being your primary DNS server, if Pi-hole or RPi goes down, you lost your DNS so ideally there's some sort of uptime testing for RPi and automatic fall-back to a default DNS server when RPi is non-responsive.

Luckily Mikrotik allows us to use Tools -> Netwatch to do it. It uses ICMP ping to check if host is up, so nothing too fancy but a good start!
  1. Enable DNS server on Mikrotik (of course blocking access from WAN on the firewall)
  2. Change DHCP Server configuration to use Mikrotik as DNS server and configure Mikrotik to use RPi as upstream DNS - you may want to disable 'Use peer DNS' in DHCP Client on Mikrotik
  3. Implement failover to known working DNS when RPi goes down - for example to 1.1.1.1 (CloudFlare) or 8.8.8.8 (Google)... or whatever you want to use :-)

UPDATE:

In fact it would be also possible to write UP script that would trigger in the background once host comes up (ping ok) and script would check if DNS resolver also works, before pointing Mikrotik to RPi resolver. I may look into this at some later time.

13 comments:

  1. Hey, everything works, except that Pi can't access the internet - lte1 is set to .53.1, RPi .53.53 with gateway .53.1, masquerade on MikroTik. Any hints?

    ReplyDelete
    Replies
    1. To recap:
      - Pi and LTE1 interface are in the same network subnet
      - On the Pi (.53.53), the default gateway is set to .53.1
      - The subnet used by Pi is different than your usual LAN
      - You use NAT or MASQUERADE based on egress interface, not specific IP subnets - if you have by source subnet, then you need additional rule

      I have it set up like this and it works great. Have a try, especially make sure your Pi has LTE1 IP as default gateway and that NAT/MASQUERADE is set up correctly.

      Delete
    2. Right, just figured out that I made a mistake in Pi's IP address in firewall. Works great, thx!

      Delete
  2. Hi, I am stuck at this point:
    6. Configure network access on the PC to allow RPi to reach the Internet - NAT or something

    And in step 4. After all boots up, you should be able to run ssh pi@raspberrypi.local (thanks mDNS!) with password raspberry

    I had to make SSH file on SD card (boot) to enable SSH, just a hint. (name ssh without extensions)

    Can I do that step when insert RPI to mikrotik, and how to change LTE adress in mikrotik? Thanks

    ReplyDelete
    Replies
    1. I did the pihole install. My mikrotik range is 192.168.88.0, and I put my Pihole address to 192.168.88.150, getaway 192.168.88.1 (like mikrotik)
      And now, how can I add address to my LTE1 interface ?

      Delete
    2. To add IP address to an interface, go to IP/Addresses and hit "+".

      Delete
    3. I put adress 192.168.88.150/24 for LTE1 device. Then loose internet.

      What should I do after that. After that I cant seem to get it all right.

      Thank you

      Delete
    4. Ah. Maybe try setting another subnet, different from LAN. I have set 192.168.53.1/24 for LTE1 (Pi has 192.168.53.53) and home/guest/mgmt are on 192.168.5.0/20.0/0.0 subnets.
      I think that's the issue.

      Delete
    5. You need effectively 3 subnets - one for WAN link, different one for LAN and yet another (different from the other two) for LTE1 and raspberry pi.

      If your WAN and LTE1 networks are identical, system won't know which interface to use to reach internet. At best it will work intermittently, at worst (and most likely) not at all.

      Delete
    6. Thx. Got it working. I can access now my LTE(Pihole) over network and get to pihole. My pihole address is 192.168.8.2, when I set that as my DNS in mikrotik I get no internet.

      In mikrotik NAT I "masquarade LTE1 device". What else shuld I do so my DNS gets me out ot internet

      Delete
    7. I did it. My gateway on RPI has to be the same as the LTE device in mikrotik (range out of the mikrotik address). So my RPI (pihole) is 8.2, gateway is 8.1, and LTE mikrotik device is 8.1. LAN range is 88.0, DNS now is 8.2.

      Delete
  3. This is brilliant thank you.

    Just using it for the second time after my first PiHole SDCard was corrupted by an unexpected power outage.

    One thing to add, when editing files in step 2 - I needed to add a blank file called "SSH" (no file extension) to the boot partition to get SSH to be automatically enabled.

    ReplyDelete
    Replies
    1. True, very true... I guess I didn't mention that because I assumed we already have that in place...

      Delete