Phaselockedloopable- PLL's continued exploration of networking, self-hosting and decoupling from big tech

Pretty dope.


Write coming soon ™

Allah give me the energy to go through my terminal less history oooooffffffff :sob:


Okay, now that I've got most of it up I might be ready to start sorting what I (as well as novasty) did.

More descriptive names


Cleaned up the wire mess and power cable routing. Ethernet out the front (in case I need to do stuff)… power out the back. Way more convenient.


Will get this hooked up soon

Courtesy of sarge


Alright, so a few wanted to know or wanted a reference on how to get a pi-hole properly set up with DoH behind a firewall and have the proper redirects so that the pi-hole filters all the traffic and doesn't get redirected to itself.

First things first, start out with the pi-hole. Make sure it is working properly. A good way to test this is to go ahead and make sure it is set up with Quad9 DNS and your firewall is vanilla without DNS rules.

My system setup: (relevant devices)
OPNsense firewall (Protectli, coreboot) (see table of contents)
RPI 4 - 8GB

(no, it's not hosted in Canada, that's a proxy load balancer)

Also don’t try logging in to my URL. It's behind a Vouch proxy and 2FA… there will be 0 luck lol. Only @Novasty has the extra perms as it stands.

Make sure you have the correct IP addresses set. These are static.

In my OPNsense I assign them to the DUID of the device for IPv6 and the MAC for IPv4. This is just in case the pi-hole loses its settings. It will never have another IP address set.
IPv4: (DHCPv4 - NAT)

IPv6: (DHCPv6 Native - Track Interface of ISP) (true full public IPv6)

Make sure those IPs are set as the DNS for the pihole to get some initial filtering going.

This won't catch all of it, so we need to set rules so that there is a forced port 53 reroute for devices such as Apple devices, Google Android devices and Samsung TVs.

First go to your LAN rules. I won't get specific since interfaces change, but this should give you a general idea. If someone wants OPNsense specifics… ask, but that's only going to come if asked for.

Now you want two rules for the IPv6 and IPv4 addresses of your pi-hole ONLY to be let out on 53 so you can obviously grab the DNS queries. (Later you can set up DNS over HTTPS like I did and it's less necessary.)

The second rule is to block all traffic… IPv4 and IPv6 port 53 from traversing LAN to WAN. Done. Simple: it's all going to your pi-hole now. Not too bad, huh?
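A small model of that rule set, as an added example (not the post's OPNsense configuration and not from the post's author): the port-53 redirect to the pi-hole with the pi-hole itself excluded so it is not redirected back to itself, the two "pi-hole only" pass rules, the LAN-to-WAN port-53 block, and first-match evaluation in that order. The addresses are constructed lab values and the rule names are my own. It goes slightly beyond the post in two ways: a misordered copy of the rules shows why the pass rules must sit above the block, and a port-853 packet shows that these rules only see plain port-53 DNS, so a client doing DoT or DoH on its own never matches them.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed lab addressing (assumption, not the post's real network).
LAN_V4 = ip_network("192.168.1.0/24")
LAN_V6 = ip_network("2001:db8:1::/64")
PIHOLE_V4 = ip_address("192.168.1.53")
PIHOLE_V6 = ip_address("2001:db8:1::53")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"


def is_dns(p):
    return p.dport == 53 and p.proto in ("udp", "tcp")


def is_lan(addr):
    ip = ip_address(addr)
    return ip in LAN_V4 or ip in LAN_V6


def redirect_to_pihole(p):
    """NAT stage: a LAN client's plain port-53 query is rewritten to the pi-hole
    of the matching address family. The pi-hole's own upstream queries are
    excluded, otherwise the resolver would be redirected back to itself."""
    src = ip_address(p.src)
    if not is_dns(p) or src in (PIHOLE_V4, PIHOLE_V6):
        return p
    if src in LAN_V4:
        return replace(p, dst=str(PIHOLE_V4))
    if src in LAN_V6:
        return replace(p, dst=str(PIHOLE_V6))
    return p


# Filter rules, first match wins (the order OPNsense evaluates LAN rules in).
RULES = [
    ("pass", "pi-hole v4 out on 53", lambda p: ip_address(p.src) == PIHOLE_V4 and is_dns(p)),
    ("pass", "pi-hole v6 out on 53", lambda p: ip_address(p.src) == PIHOLE_V6 and is_dns(p)),
    ("block", "all other 53 LAN->WAN", lambda p: is_dns(p) and not is_lan(p.dst)),
    ("pass", "default LAN out", lambda p: True),
]

# The same rules with the block placed first: the pi-hole itself can no
# longer reach any upstream resolver, so all name resolution dies.
MISORDERED = [RULES[2], RULES[0], RULES[1], RULES[3]]


def filter_packet(p, rules=RULES):
    for action, name, match in rules:
        if match(p):
            return action, name
    return "block", "implicit deny"


def evaluate(p, rules=RULES):
    """Run a packet through the NAT redirect and then the filter, as the firewall would."""
    after_nat = redirect_to_pihole(p)
    action, name = filter_packet(after_nat, rules)
    return {"dst": after_nat.dst, "action": action, "rule": name}
```

`filter_packet` alone (no redirect stage) is the belt-and-braces case the post's second rule covers: a device with a hard-coded resolver that somehow is not redirected still gets its port-53 traffic dropped at the LAN-to-WAN boundary.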

@Buffy you specifically asked about my DNS-over-HTTPS configuration at one point. Here you go. So IF anybody wants to do this with pi-hole you need to first grab the cloudflared Argo tunnel program. We are going to modify it slightly as I don't like Cloudflare being a single point of failure and I much prefer to use OpenNIC. (You may configure it for whichever DoH server you like.)

Firstly, on the pi-hole go ahead and execute the commands as follows.

Proceed to make the directory and configuration file:

sudo mkdir /etc/cloudflared/
sudo nano /etc/cloudflared/config.yml

This is my configuration. I chose a trusted and reliable server I know doesn't take logs with OpenNIC and supports DNS over HTTPS.

proxy-dns: true
proxy-dns-port: 5053
proxy-dns-upstream:
  # IPv6 Native Stack DoH - OpenNIC - LOCATION - MONTREAL QC, CA
  - https://[2607:5300:60:be0::1]/dns-query

You can replace this configuration how you need. I have native IPv6 so I enabled native 6. If you don't, don't bother. You also don't necessarily need to, as AAAA served over A doesn't affect your native stack since it's up to the client to route from itself to the AAAA address. Your various favorite DNS servers should have documentation on what you need to enter here. Or you may use mine. I like uncensored, unlogged, untamperable DNS logs tbch.

Now install the service via cloudflared's service command:

sudo cloudflared service install --legacy

Start the systemd service and check its status:

sudo systemctl start cloudflared
sudo systemctl status cloudflared

Verify 4 is working

[email protected]:~# dig @ -p 5053 -t A

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> @ -p 5053 -t A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46625
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;                    IN      A

;; ANSWER SECTION:             177     IN      A

;; Query time: 152 msec
;; WHEN: Fri Jan 15 01:36:06 MST 2021
;; MSG SIZE  rcvd: 65

Verify 6 is working

[email protected]:~# dig @ -p 5053 -t AAAA

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> @ -p 5053 -t AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48397
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;                    IN      AAAA

;; ANSWER SECTION:             201     IN      AAAA    2607:f8b0:4009:805::200e

;; Query time: 153 msec
;; WHEN: Fri Jan 15 01:36:10 MST 2021
;; MSG SIZE  rcvd: 77

[email protected]:~# 

There I know both are working before I configure the pi-hole to accept this.

The configuration is easy. Point it to "there's no place like ::1" lol and the port, and save.

What I do after this you don't have to. I hit these buttons in this order:

Then I wait until it's up. I log in via SSH and make sure systemctl status cloudflared gives me an OK, and I check if I am getting queries from both on my machine by digging my pi-hole's address for A and AAAA records on Google.

If that goes off perfectly it's working; set and forget.

Now Cloudflare's tunnel needs an update here and there. It won't update via package management. Add the following commands to your cron week or a cron task: (I leave this up to you)

sudo cloudflared update
sudo systemctl restart cloudflared

Make sure those are run as root :slight_smile: probably about once a week and you are golden!

Any questions ask below.

Word to the wise. Keep the tunnel fresh by putting the last three commands in the root crontab -e.

This updates the tunnel software.
It keeps it fresh by restarting it and then restarts the pi-hole's dnsmasq resolver so it sees it properly.
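The check the post does by hand after a restart (dig the local proxy on port 5053 for A and AAAA, expect NOERROR with an answer) and the three maintenance steps (update cloudflared, restart it, restart the pi-hole resolver) as one script. This is an added example, not the post's own tooling: the dig outputs embedded below are constructed in the shape the post shows, with made-up names and documentation-range addresses, and `example.com`, the `REFRESH_STEPS` list and the `run`/`fetch` hooks are my choices. `cloudflared update`, `systemctl restart cloudflared` and `pihole restartdns` are real commands; the script must run as root for the refresh part, exactly as the post says.

```python
import re
import subprocess
from ipaddress import ip_address

# Constructed dig output in the shape the post shows (values made up;
# 192.0.2.0/24 and 2001:db8::/32 are documentation ranges).
SAMPLE_A = """\
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> @127.0.0.1 -p 5053 -t A example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46625
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t177\tIN\tA\t192.0.2.10

;; Query time: 152 msec
"""

SAMPLE_AAAA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48397
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t201\tIN\tAAAA\t2001:db8::10
"""

# What a dead upstream looks like: the proxy answers, but with no records.
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51200
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status: ([A-Z]+), id: \d+")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)$", re.M)


def parse_dig(output):
    """Pull the response code and any A/AAAA answer records out of dig's text output."""
    m = STATUS_RE.search(output)
    return {
        "status": m.group(1) if m else None,
        "records": [(rtype, rdata) for _, _, rtype, rdata in RR_RE.findall(output)],
    }


def answer_ok(output, rtype):
    """NOERROR plus at least one well-formed record of the requested type."""
    info = parse_dig(output)
    if info["status"] != "NOERROR":
        return False
    want = 4 if rtype == "A" else 6
    return any(t == rtype and ip_address(r).version == want for t, r in info["records"])


def run_dig(name, rtype, server="127.0.0.1", port=5053):
    """Ask the local cloudflared proxy directly, on the port from the post's config."""
    cmd = ["dig", f"@{server}", "-p", str(port), "-t", rtype, name, "+time=3", "+tries=1"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def resolver_healthy(name="example.com", fetch=run_dig):
    """The post's by-hand check: both A and AAAA must resolve through the proxy."""
    return all(answer_ok(fetch(name, t), t) for t in ("A", "AAAA"))


REFRESH_STEPS = [
    ["cloudflared", "update"],                # new binary comes from here, not from apt
    ["systemctl", "restart", "cloudflared"],
    ["pihole", "restartdns"],                 # pi-hole's resolver re-reads its upstream
]


def refresh_tunnel(run=subprocess.run):
    """The three maintenance steps from the post, in order; run as root."""
    for step in REFRESH_STEPS:
        # Only the two restarts are must-succeed: a failed update check should
        # not stop the resolver from being brought back up.
        run(step, check=(step[0] != "cloudflared"))
    return REFRESH_STEPS


if __name__ == "__main__":
    refresh_tunnel()
    print("healthy" if resolver_healthy() else "NOT healthy")
```

Dropping this in the weekly cron in place of the bare commands gives you a pass/fail line in the mail cron sends, so a tunnel that silently came back up with a dead upstream (SERVFAIL, empty answer) is noticed rather than discovered when every client's name resolution stops.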


Nice! :slight_smile:

So your own DNS for your PCs is being run on OPNsense? DHCP (static) too? Or just not using DHCP at all?

Our internal network is just a .local and on a private IP range, so our local DNS and DHCP are run on one of our Synology servers, even though all of our DHCP leases are static except for a few left for ad-hoc adding of things to test etc.

Have you tried out Ansible for configuring and maintaining all the different services? I’m learning about that now; it looks pretty handy. Plus the playbooks etc. are easy to put into GitLab. :slight_smile:

I’m kind of wondering if threads like this and even @wendell’s Home Automation series would be good ones to have in more of a wiki format to be easier to follow? IDK if there is interest in a Level1Tech wiki and who could help maintain it? (I’d help :slight_smile: )


No, my DNS is run on an RPi 4 8 GB model (OC'd to 2.1 GHz lol).

My OPNsense is the DHCP authority. It hands out DHCP pools and it assigns subnets and it assigns static leases…


@wendell hate to bug, I know you are busy. Do you want threads like this split into wikis? Or maybe like a linked wiki… where it's drafted in this post and linked to it… individually? What do you see as best for your forum?


I’d highly recommend making multiple wikis for each topic. Something is coming :wink:

Soon ™


How are you accomplishing the traffic forwards from your homelab services through the RPi and on to the Linode? I have a similar setup but I run OpenWrt in a VM and have all my services terminate to that, which goes through WireGuard out my VPS. Similar but a different approach. This way I only use one tunnel interface instead of each container/VM having their own certs and connections.

Gotta hand it to you on VouchProxy. I just ran across it today when I was working on another project and now I want to look into getting it setup myself.


Wait, what…? And I will… it's just a lot to sort through in here. This is kind of an unsorted continuous build blog.


@Buffy @SgtAwesomesauce

IEEE 802.15.4 + Open Z-Wave smart AI home assistant Mycroft build soon ™

Highly recommend both these sticks. They are both open. They have open drivers. They are much easier to work with.


Hell yes, permanent floating root zsh when I swipe right… Man, I think I got all the tools I need now on Android.

LineageOS
Encrypted + password on boot
Full BusyBox
Cloudflared aarch64 Argo tunnel tied to rmnet so I can DoH on Android
AFWall+ iptables firewall
AHN V3 Labs antimalware

I literally have the toolset I need on the go


At our house, I’m the home assistant… :smiley:


@wendell gonna need your brain here a bit if you don’t mind.

So AX. We both know an OpenWrt standard base for it is a bit off.

However, when I do upgrade to it, I’m likely to upgrade all wired to 10GbE.

Also will likely upgrade fiber or cable modem to do so.

Now I’ve seen Linus Tech Tips' affordable home 10GbE. He talks about a MikroTik switch. If someone wanted to build an affordable-to-spec or to-the-standard 10GbE, what devices are around? (I’m fine with expensive cables)… I’m also fine considering fiber instead of Ethernet.


Cat6. Don’t bother with SFP+, just do Cat6 wires and jacks. You can do affordable 2.5/5Gb switches for now then switch to 10Gb later. The 12-24 port 10Gb switches are under 1k now though, which I think is reasonable.


Full disclosure… an Adobe datacenter closed near me and I got ridiculously high quality cables used for short runs between SANs… they can do about 20 Gbps… so I think I'm pretty covered here.

Sweet. I guess in time it will all come down. I generally wait until OpenWrt is available for a router. While it's not really scientific, I've found it's a good measure of development of the wireless generational chipsets. Right now for me AC is king and despite actually understanding the physical engineering layer improvements of AX… it wasn't worth my investment yet. Too much development. I mean WiFi 6E (aka 802.11ax wave 2)… is right here… and tbch there's going to be a lot of development as us military folk move off of the sub I NATO bands :wink: … and it opens spectrum to commercial…

So yeah, I'm starting to think about the upgrade down the road. This one you see took about a year or so of planning and it's still a mess lol. I have yet to plop my 24-port 1GbE switch in that I got from sarge. I've got this giant amount of packaging and parts I gotta sort because of a joint project (between sarge and I) coming to the forum soon.

I was aware of 2.5GbE but not 5GbE… that's a thing? My main motivation is when I move to AX the wires will become a limitation and nobody likes that. Especially as 10 gigabit fiber in my area is coming for a price that's ridiculously low… (state has some open infrastructure project going)


Pretty later

Function now

Max lazy mode chuck switch under router mode engaged

Thanks @SgtAwesomesauce switch worked flawlessly


@Buffy @SgtAwesomesauce I attempted to DDoS my pi. Lol

It was unsuccessful. The Pi 4 OC'd with my yuge heatsink, running pi-hole with as many servers as I have in the resolver and as big a cache as I have, was too robust.

Results across multiple clients all doing this at once (10,000 queries a second each):


  Queries sent:         180957451
  Queries completed:    177977352 (98.35%)
  Queries lost:         2880123 (1.59%)
  Queries interrupted:  10034 (0.06%)

  Response codes:       NOERROR 13724982 (77.12%), SERVFAIL 188871 (1.06%), NXDOMAIN 3883865 (21.82%), REFUSED 2 (0.00%)
  Average packet size:  request 38, response 77
  Run time (s):         1492.196066
  Queries per second:   121285.154825

  Average Latency (s):  0.194975 (min 0.000163, max 4.966739)
  Latency StdDev (s):   0.348371

Like maybe I could spin up my own DoH server for when I'm out and about… No ads everywhere.

DoT as well for android private DNS?

Like as long as I don’t get cache evictions the server is performing correctly

Anyone know the dangers in doing what I’m saying above?