I currently have a PiHole running on a small Debian virtual machine in Proxmox. I had it running on an RPi until an issue cropped up with Raspbian and PiHole, and honestly it runs faster. The VM runs PiHole and is my Unifi controller. The only other thing it *might* see on it is UNMS. I don't have iptables really running at the moment but am working on it (used to pf), and would be willing to install something like Fail2Ban if necessary (but I was under the impression this is mostly for SSH).
I have a couple of separate VLANs on the network, one for internal systems and one guest network that has my tablet, cell phones, guests, work laptop, etc. I would like the guest network to also have access to a PiHole, and see three options:
1. Spool up another Debian instance with PiHole, or create a container with it that is standalone on the guest VLAN
2. Allow access from the Guest VLAN to the internal network PiHole
3. Separate the Unifi/PiHole and put the PiHole on its own VLAN that both networks can access (blech)
#1 is probably the more secure option, but #2 is attractive as it's less stuff to deal with, less configuration and any stats can all be seen in one place. #3 is a pain in the rear, I think. If I'm only allowing DNS through the firewall to the internal Debian machine (no SSH or anything like that), it doesn't seem like there is a substantial security risk with option #2. Am I missing something? What else should I consider?
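For option #2, the host-side half of "only DNS from the guest VLAN" can be an nftables ruleset on the Debian VM itself (added example, not from the post; the subnets are assumed placeholders, and the Unifi ports are the controller's defaults). The router's inter-VLAN ACL still has to permit 53/udp and 53/tcp from guest to the VM; this ruleset is the second layer on the host, and it logs anything else the guest VLAN tries so probing shows up in the journal.

```nftables
#!/usr/sbin/nft -f
# Host firewall for the PiHole/Unifi VM on Debian.
# Assumed subnets (placeholders, change to match your VLANs):
#   internal VLAN 10.0.10.0/24, guest VLAN 10.0.20.0/24
flush ruleset

define internal = 10.0.10.0/24
define guest    = 10.0.20.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept

        # DNS is the only service the guest VLAN gets. Allow TCP as well as UDP:
        # large or truncated answers are retried over TCP 53.
        ip saddr { $internal, $guest } udp dport 53 accept
        ip saddr { $internal, $guest } tcp dport 53 accept

        # PiHole admin UI and SSH: internal VLAN only.
        ip saddr $internal tcp dport { 22, 80, 443 } accept

        # Unifi controller defaults (8080 device inform, 8443 web UI,
        # 3478/udp STUN): internal VLAN only.
        ip saddr $internal tcp dport { 8080, 8443 } accept
        ip saddr $internal udp dport 3478 accept

        # Anything else from the guest VLAN: rate-limited log, then the
        # chain's drop policy discards it.
        ip saddr $guest limit rate 5/minute log prefix "guest-vlan-drop: "
    }
    chain forward {
        # The VM is not a router; never pass traffic between VLANs.
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Save it as /etc/nftables.conf, check it with `nft -c -f /etc/nftables.conf`, then `systemctl enable --now nftables` so it is loaded at boot; `journalctl -k -g guest-vlan-drop` shows what the guest VLAN attempted beyond DNS.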