{"id":1504,"date":"2021-12-05T16:04:19","date_gmt":"2021-12-05T21:04:19","guid":{"rendered":"https:\/\/blog.lufamily.ca\/kang\/?p=1504"},"modified":"2022-05-04T19:22:41","modified_gmt":"2022-05-04T23:22:41","slug":"pi-hole-installed-prerequisite-for-udm-pro","status":"publish","type":"post","link":"https:\/\/blog.lufamily.ca\/kang\/2021\/12\/05\/pi-hole-installed-prerequisite-for-udm-pro\/","title":{"rendered":"Pi-hole Installed &#8211; Prerequisite for UDM Pro"},"content":{"rendered":"\n<p>We are all in with Ubiquiti&#8217;s Unifi line of networking products. To date, with the exception of a few unmanaged switches, all of our home networking switches and Wi-Fi access points are Unifi products.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-05-at-1.25.17-PM.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"461\" src=\"https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-05-at-1.25.17-PM-1024x461.png\" alt=\"\" class=\"wp-image-1506\" srcset=\"https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-05-at-1.25.17-PM-1024x461.png 1024w, https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-05-at-1.25.17-PM-300x135.png 300w, https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-05-at-1.25.17-PM-768x345.png 768w, https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-05-at-1.25.17-PM.png 1454w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/a><figcaption>Current Network Layout (click above to enlarge)<\/figcaption><\/figure>\n\n\n\n
<p>At the heart of our network is our USG Firewall (<a rel=\"noreferrer noopener\" href=\"https:\/\/dl.ubnt.com\/datasheets\/unifi\/UniFi_Security_Gateway_DS.pdf\" target=\"_blank\">USG 3P<\/a>). We&#8217;ve been using the security gateway since December of 2017. During the holiday break, I plan to replace it with the new Unifi Dream Machine Pro (<a rel=\"noreferrer noopener\" href=\"https:\/\/dl.ubnt.com\/ds\/udm-pro\" target=\"_blank\">UDM Pro<\/a>). The main reasons are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The current USG 3P is limited to 85 Mbps when threat detection is turned on;<\/li><li>Run Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) with the UDM Pro at full IPS speed, which for me is 1 Gbps download and 30 Mbps upload;<\/li><li>Upgrade my current Unifi Video solution to <a rel=\"noreferrer noopener\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/360058454253-UniFi-Protect-Getting-started\" target=\"_blank\">Unifi Protect<\/a>, since Unifi Video is no longer supported and I have five <a rel=\"noreferrer noopener\" href=\"https:\/\/dl.ubnt.com\/datasheets\/unifi\/UniFi_Video_G3_DS.pdf\" target=\"_blank\">Unifi G3 Flex<\/a> cameras;<\/li><li>Will most likely replace my current Kuna solution with Unifi Protect external cameras, so it is totally private, and my security video solution is <em>unified<\/em>;<\/li><li>The ability to connect Unifi Protect with my other devices using <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/hjdhjd\/homebridge-unifi-protect\" target=\"_blank\">Homebridge<\/a>;<\/li><li>The device has a capacity of up to 3.5 Gbps, so we are future-proofed for faster ISP speeds;<\/li><li>Move the UniFi Network Controller software that is currently running on my NAS server to a dedicated piece of hardware, the UDM Pro;<\/li><\/ul>\n\n\n\n
<p>During my research on the UDM Pro, I found a slight regression in functionality that I currently rely on at home. I use a feature called static host mapping that lets me give my NAS server several different host names, so that each host name routes to a different in-home service hosted by the Apache2 server on my NAS. For example, the host name <code>media.home<\/code> routes to my home Plex server, and <code>books.home<\/code> routes to my Calibre server. Long story short, I need to run my own Domain Name Service to get this functionality back.<\/p>\n\n\n\n<p>I have deployed and configured a <a rel=\"noreferrer noopener\" href=\"https:\/\/thekelleys.org.uk\/dnsmasq\/doc.html\" target=\"_blank\">DNSmasq<\/a> installation before, but when I was exploring ways to reconfigure (hack) the UDM Pro&#8217;s DNSmasq implementation, I came to the realization that it is probably best to offload the DNS functionality from the UDM Pro and run a dedicated instance on my NAS server. This way the UDM Pro&#8217;s future upgrade path from Ubiquiti stays nice and clean, and I can fully configure my own DNS the way I need it.<\/p>\n\n\n\n<p>With further research, I came across an alternative to DNSmasq, and that is <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.pi-hole.net\" target=\"_blank\">Pi-hole<\/a> with <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.pi-hole.net\/guides\/dns\/unbound\/\" target=\"_blank\">unbound<\/a>, a full recursive DNS resolver. With this combination, I can essentially maintain my own local DNS records, satisfying my static host mappings, and also have a more private Internet experience for my entire home network, since domain names are resolved by querying the authoritative name servers directly.<\/p>\n\n\n\n
<p>I chose the <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.pi-hole.net\/main\/basic-install\/\" target=\"_blank\">Alternative 1<\/a> installation methodology on my NAS, but with a twist. Since I already have Apache2 installed, after the installation I purged <a rel=\"noreferrer noopener\" href=\"https:\/\/www.lighttpd.net\" target=\"_blank\">lighttpd<\/a>, which the Pi-hole installation process brings in. I also added the following to my Apache 2 configuration:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;VirtualHost *:80>\n    ServerName pi.hole\n    DocumentRoot \/var\/www\/html\n&lt;\/VirtualHost><\/code><\/pre>\n\n\n\n<p>For extra security, I also added a .htaccess file containing:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>% cat \/var\/www\/html\/.htaccess\n&lt;RequireAny>\n    Require ip 192.168.167.0\/24\n    Require ip 172.17.168.1\/24\n&lt;\/RequireAny><\/code><\/pre>\n\n\n\n<p>The above ensures that only local computers or VPN clients on my network can gain access to the Pi-hole web interface. I also had to enable the above .htaccess file by adding the following to the main Apache 2 configuration file (<code>\/etc\/apache2\/apache2.conf<\/code>):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;Directory \/var\/www\/html\/>\n\tAllowOverride All\n&lt;\/Directory><\/code><\/pre>\n\n\n\n
<p>After a quick restart, Pi-hole is installed and operational. After an afternoon of testing, I noticed that some Google-based shopping links were being blocked. We cannot have that during the holiday season, so I had to whitelist the following sites for them to work:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-05-at-3.49.18-PM.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1007\" height=\"368\" src=\"https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-05-at-3.49.18-PM.png\" alt=\"\" class=\"wp-image-1513\" srcset=\"https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-05-at-3.49.18-PM.png 1007w, https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-05-at-3.49.18-PM-300x110.png 300w, https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-05-at-3.49.18-PM-768x281.png 768w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/a><figcaption>Click above to enlarge<\/figcaption><\/figure>\n\n\n\n<p>Configuring unbound was really easy; I just had to follow the instructions <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.pi-hole.net\/guides\/dns\/unbound\/\" target=\"_blank\">here<\/a>.<\/p>\n\n\n\n<p>Now that I have my own DNS server running, I am no longer using Cloudflare&#8217;s or Google&#8217;s DNS services. This translates to a little more privacy. I can also track which domains are being blocked and which domains are being accessed when I visit sites. Since this solution is site-wide within my house, no additional work is required on iPhones, iPads, and client computers.<\/p>\n\n\n\n<p>With this prerequisite step completed, I am now all set to migrate to the UDM Pro.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We are all in with Ubiquiti&#8217;s Unifi line of networking products. To date, with the exception of a few unmanaged switches, all of our home networking switches and Wi-Fi access points are Unifi products. At the heart of our network is our USG Firewall (USG 3P). We&#8217;ve been using the security gateway since December of &hellip; <a href=\"https:\/\/blog.lufamily.ca\/kang\/2021\/12\/05\/pi-hole-installed-prerequisite-for-udm-pro\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Pi-hole Installed &#8211; Prerequisite for UDM Pro&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[111],"tags":[67,28],"class_list":["post-1504","post","type-post","status-publish","format-standard","hentry","category-tech","tag-networking","tag-technology"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p7V6i8-og","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/posts\/1504","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/comments?post=1504"}],"version-history":[{"count":9,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/posts\/1504\/revisions"}],"predecessor-version":[{"id":1515,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/posts\/1504\/revisions\/1515"}],"wp:attachment":[{"href":
"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/media?parent=1504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/categories?post=1504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/tags?post=1504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}