Home Router / UniFi Gateway
- Network redesigned into six independent VLANs (Trusted, IoT, Management, PiDNS, Guest, Default LAN), each with its own firewall zone and default-deny inter-zone policy.
- IoT zone gateway access changed from blacklist to whitelist model; only DNS, DHCP, and mDNS permitted; explicit DROP rule confirmed accumulating hits immediately.
- Previously wide-open wildcard ACCEPT (31,179 packets) replaced with two targeted rules allowing only required gateway services, with a terminal DROP for everything else.
- Prevents devices from bypassing network DNS by using DNS-over-TLS directly to upstream resolvers.
- Firewall rule added (VPN → PiDNS zone, port 53); GliNet WireGuard config DNS updated to Pi-hole LAN IP; Pi-hole logs confirmed receiving queries from GliNet's WireGuard IP with gravity blocks active.
- Debug Terminal confirmed working as the sole CLI access method; SSH removed as an attack surface.
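The whitelist-then-terminal-DROP pattern for the IoT zone and the DNS-over-TLS bypass block are easiest to reason about as an ordered, first-match rule list. The following is an added example (not UniFi's code or configuration) that models both: the "before" wildcard ACCEPT beside the "after" targeted rules, with per-rule hit counters like the ones checked on the gateway. Zone names, the port list (DNS 53, DHCP 67, mDNS 5353, DoT 853) and the sample packets are constructed for the example; it also shows the ordering caveat that the PiDNS zone must be allowed out on 853 before the general DoT block, or Unbound's own upstream path breaks.

```python
"""First-match evaluator for a zone-based firewall policy (added example).

Models the IoT -> Gateway whitelist (DNS, DHCP, mDNS, then terminal DROP)
and the outbound DNS-over-TLS block, with hit counters per rule.
Zone names, ports and sample traffic are constructed, not taken from a device.
"""
from collections import Counter
from dataclasses import dataclass

ANY = "*"  # wildcard: matches any value for that field


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str
    dport: object  # int or ANY
    action: str    # "ACCEPT" or "DROP"

    def matches(self, p: Packet) -> bool:
        return all(
            want == ANY or want == have
            for want, have in (
                (self.src_zone, p.src_zone),
                (self.dst_zone, p.dst_zone),
                (self.proto, p.proto),
                (self.dport, p.dport),
            )
        )


class Policy:
    """Ordered rules, first match wins; unmatched inter-zone traffic is denied."""

    def __init__(self, rules, default="DROP"):
        self.rules = list(rules)
        self.default = default
        self.hits = Counter()

    def evaluate(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                self.hits[r.name] += 1
                return r.action
        self.hits["<default>"] += 1
        return self.default


# Constructed zone names for the example.
GW, IOT, PIDNS, TRUSTED, INTERNET = "Gateway", "IoT", "PiDNS", "Trusted", "Internet"

# "Before": the wide-open wildcard ACCEPT from IoT to the gateway, and no
# restriction on where clients may send DNS-over-TLS.
BEFORE = [
    Rule("iot-any-gw", IOT, GW, ANY, ANY, "ACCEPT"),
    Rule("lan-to-internet", ANY, INTERNET, ANY, ANY, "ACCEPT"),
]

# "After": whitelist only the required gateway services, then a terminal DROP.
# The PiDNS exception for port 853 must precede the general block, otherwise
# Unbound's own DoT path to the upstream resolver would be dropped too.
AFTER = [
    Rule("iot-dns", IOT, GW, "udp", 53, "ACCEPT"),
    Rule("iot-dhcp", IOT, GW, "udp", 67, "ACCEPT"),
    Rule("iot-mdns", IOT, GW, "udp", 5353, "ACCEPT"),
    Rule("iot-gw-drop", IOT, GW, ANY, ANY, "DROP"),
    Rule("pidns-dot-out", PIDNS, INTERNET, "tcp", 853, "ACCEPT"),
    Rule("block-dot-bypass", ANY, INTERNET, "tcp", 853, "DROP"),
    Rule("lan-to-internet", ANY, INTERNET, ANY, ANY, "ACCEPT"),
]


def run(rules, packets):
    """Evaluate packets against rules; return (verdict list, hit counts)."""
    policy = Policy(rules)
    verdicts = [policy.evaluate(p) for p in packets]
    return verdicts, dict(policy.hits)


# Constructed sample traffic.
SAMPLE = [
    Packet(IOT, GW, "udp", 53),             # DNS to gateway: allowed
    Packet(IOT, GW, "udp", 67),             # DHCP: allowed
    Packet(IOT, GW, "tcp", 22),             # SSH to gateway: dropped after
    Packet(IOT, GW, "tcp", 443),            # gateway UI: dropped after
    Packet(TRUSTED, INTERNET, "tcp", 853),  # client doing DoT directly: dropped after
    Packet(PIDNS, INTERNET, "tcp", 853),    # Unbound -> upstream DoT: still allowed
]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        verdicts, hits = run(rules, SAMPLE)
        print(label, verdicts, hits)
```

Running it shows every sample packet accepted under the old policy, and under the new one the two non-whitelisted gateway connections landing on `iot-gw-drop` and the Trusted client's direct DoT attempt landing on `block-dot-bypass`, while the PiDNS zone's 853 traffic is still accepted because its exception sits earlier in the list.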
Raspberry Pi
- Fresh OS install, single-homed onto dedicated PiDNS VLAN; clean slate after earlier setup attempts left inconsistent state.
- DNS filtering and ad blocking active; all Trusted VLAN clients pointed to Pi-hole via DHCP. Configured block lists and set gravity update.
- Recursive resolver running, forwarding to Quad9 over DNS-over-TLS (port 853, encrypted); full DNS chain verified end-to-end on command line.
- Pi enrolled as a Tailscale exit node; remote devices can route all traffic through home network via Pi → Pi-hole → Unbound → Quad9. Remote ad-blocking enabled on all Tailscale devices – including travel router.
- Ad blocking active for all Tailscale-connected devices in DNS-only mode, without requiring an exit node.
- Caused break in Apple TV exit node → turned off DNS override on other exit nodes, stable/always on nodes and devices in home LAN that can route directly to pi-hole. Left on for mobile devices.
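For the Pi-hole → Unbound → Quad9 DoT leg, this is an added example of a minimal Unbound configuration (not the page's own file) that forwards every query to Quad9 over DNS-over-TLS on port 853 with certificate verification enabled. The listening port 5335 and the CA bundle path are assumptions typical of a Debian-based Pi; the Quad9 addresses and the TLS name `dns.quad9.net` are Quad9's published values.

```conf
# Added example Unbound configuration: forward all queries to Quad9 over DoT.
# Port and CA bundle path are assumptions for a Debian-based Pi.
server:
    interface: 127.0.0.1
    port: 5335                      # assumed: Pi-hole upstream is 127.0.0.1#5335
    do-ip6: no
    # Required so Unbound verifies the upstream's certificate against the
    # name given after '#' below; without it the TLS session is not authenticated.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    prefetch: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

To check the chain from the command line, query Unbound directly (`dig @127.0.0.1 -p 5335 example.com`) and then through Pi-hole on its LAN address; a blocked domain should answer from Pi-hole without ever reaching Unbound, and on the gateway only the PiDNS VLAN should show outbound connections to port 853.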
Travel Router / GliNet GL-MT3000
- WAN interface audited; confirmed no management ports exposed to the internet.
- Tunnel connects directly to home UniFi gateway; DNS routes through Pi-hole automatically; verified via DNS leak test.
- gl-tailscale-fixplugin installed to resolve documented GL.iNet bug that prevented LAN client traffic from being forwarded through the Tailscale exit node.
- GliNet enrolled in tailnet; LAN client forwarding verified; both VPN paths now functional and tested. Tailscale requires the router's automatic DNS to establish the tunnel; the client can then be switched manually to Pi-hole DNS (via the Tailscale IP) if network-wide ad blocking/DNS is desired.
- WireGuard and Tailscale paths both confirmed routing DNS through Pi-hole → Unbound → Quad9 DoT.
Tailscale ACL
- Grant-based default-deny ACL deployed; Personal (Tier 1) gets full access; Family (Tier 2) gets exit node + Pi-hole DNS only; Apple TV (Tier 3) can serve as exit node but cannot initiate tailnet connections.
- Missing grant for tag:full-access devices to reach Pi-hole on port 53 identified and added; resolved FaceTime and Apple services breaking when Tailscale was active without an exit node.
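As an added illustration of the three-tier, grant-based policy above (not the page's actual ACL), the following Tailscale policy file uses only `grants`, so anything not granted is denied. Group membership, `tag:pidns` (the Pi running Pi-hole) and `tag:appletv` are assumptions; `tag:full-access` is the tag named on the page. The last grant is the one whose absence broke FaceTime: tagged devices need a path to Pi-hole on port 53 even when no exit node is in use.

```json
{
  // Added example policy, not the page's own ACL. Groups, tag:pidns and
  // tag:appletv are assumptions; tag:full-access is the tag named on the page.
  "groups": {
    "group:personal": ["owner@example.com"],
    "group:family":   ["family-member@example.com"]
  },
  "tagOwners": {
    "tag:pidns":       ["autogroup:admin"],
    "tag:appletv":     ["autogroup:admin"],
    "tag:full-access": ["autogroup:admin"]
  },
  // No "acls" section: with only grants present, anything not listed is denied.
  "grants": [
    // Tier 1 (Personal): everything, including internet via any exit node.
    {"src": ["group:personal"], "dst": ["*"], "ip": ["*"]},

    // Tier 2 (Family): Pi-hole DNS plus exit-node use, nothing else.
    {"src": ["group:family"], "dst": ["tag:pidns"], "ip": ["udp:53", "tcp:53"]},
    {"src": ["group:family"], "dst": ["autogroup:internet"], "ip": ["*"]},

    // Tier 3 (Apple TV): tag:appletv never appears as a src, so it cannot
    // initiate connections; it can still be selected as an exit node by
    // Tiers 1 and 2 through their autogroup:internet / "*" grants.

    // The grant that was missing: tagged devices reaching Pi-hole on port 53
    // so DNS keeps working when Tailscale is up without an exit node.
    {"src": ["tag:full-access"], "dst": ["tag:pidns"], "ip": ["udp:53", "tcp:53"]}
  ]
}
```

Because grants are additive and default-deny, the way to check a tier is to list what it can reach and confirm nothing else answers: a Family device should resolve names through `tag:pidns` and browse via an exit node, but any attempt to reach another tailnet node should simply time out.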
Apple / Device Integration
- Private Relay disabled per-interface on home network (Pi-hole handles DNS); re-enables automatically on all other networks.
- Hide IP Address feature causing mail fetch failures when mask.icloud.com is blocked; identified and fixed per-device.
- Root cause: stale cached IP from before NAS static IP assignment; cleared and verified.
- Root cause: tvOS silently rejects self-signed certificates on HTTPS; resolved by switching to HTTP port 5000 for local LAN access.
- Tailscale global DNS nameserver override caused stale DNS state when active without an exit node, breaking FaceTime and other Apple services; resolved by adding ACL grant 1e and reinstalling iCloud on iPhone to clear stale state.