hungover_pilot

joined 1 year ago
[–] [email protected] 2 points 1 week ago* (last edited 1 week ago) (1 children)

Both opnsense and pfsense allow custom DNS entries so you still have that as an option. Probably the other options do too but you'll just have to verify.

But if you want to keep it simple I would just keep the pihole as a separate device. A lot of the built-in options aren't quite as easy to set up and don't have the best UI compared to pihole IMO.

[–] [email protected] 6 points 1 week ago* (last edited 1 week ago) (3 children)

Most of the more advanced gateways have some sort of DNS filtering built in. Opnsense has an adguard plugin, pfsense has pfblocker-ng, openwrt has a few different options, Unifi and mikrotik both have solutions too I think. Usually you can just load the same block list that pihole uses into the filtering software and you are good to go.

If you want the most flexibility and want to use the same hardware for both gateway/DNS and want to try out different DNS/router solutions a hypervisor would give you the most options. But it would also be the most complicated.

[–] [email protected] 1 points 3 weeks ago

Another solution is to use NAT on the router. NAT all traffic from the client network 11.0/24 to the router's IP on the server network 10.0/24.

That way when the server sees the ICMP echoes on its 10.102 network it will look like it came from the router and send the reply back to the router instead of out its other interface.

[–] [email protected] 23 points 4 weeks ago

Are you sure you are typing the address in correctly on Android/iOS? 198.162.x.x isn't part of private IP space.

[–] [email protected] 11 points 1 month ago* (last edited 1 month ago) (2 children)

If you're looking for a more mature networking setup, I would definitely recommend splitting up your router, switch and AP duties into separate devices. It gives you the most flexibility for when you want to tinker or change things.

For a main router setup, I would recommend OpnSense. It has a cloud backup feature which allows you to automatically back up the configuration to a Google Drive XML file whenever it is changed.

The XML config file stores all your leases so you don't have to worry about reassigning DHCP reservations. If you load the config onto a new system, like for an upgrade or if the router hardware fails, usually you just have to change the interface mappings and you're good to go.

As far as APs/switches, I would recommend Unifi or Mikrotik. Unifi has a fancy dashboard you can use to adopt new equipment and restore/change configs from, but I find Mikrotik easier and simpler to back up and I like that I don't have to host a controller to make config changes.

[–] [email protected] 5 points 2 months ago (1 children)

I do something similar with opnsense and policy based routing. opnsense is acting as both a VPN client and server. The client interface connects out to a commercial VPN, and the server interface listens for incoming connections. Based on what I want to accomplish I set up firewall rules that use policy based routing to route incoming VPN traffic where it needs to go.

Regarding split tunnel on the client, the Android WireGuard app has the option to specify what traffic uses the tunnel based on the application.

[–] [email protected] 5 points 2 months ago

I really enjoy reading in my hammock. Usually I set it up in my backyard but it's also easy to take to a park or on a hike. I just use one of those camping ones that packs away to the size of a nalgene water bottle.

Sidenote, I also use one of these security straps on my e-reader. It allows me to read laying down in the hammock or in bed without having to completely hold onto my reader. Definitely recommend.

[–] [email protected] 2 points 3 months ago (3 children)

Is the NIC built into the motherboard or an add on pcie card?

You could check the journal to see if the logs tell you anything.

[–] [email protected] 1 points 3 months ago

You could try taking some packet captures from opnsense and your server while accessing your externally available web server. Reviewing the pcaps might give you some hints on how to fix it based on what behaviour you see in the captures.

[–] [email protected] 3 points 3 months ago

This is how I would do it also, assuming you aren't passing the NICs through to VMs.

[–] [email protected] 15 points 4 months ago

Once you change your DNS server in your router, make sure to renew your client's DHCP lease. It may still be using the stale DNS server. On Windows verify it's using the new DNS server with: ipconfig /all

[–] [email protected] 3 points 4 months ago (1 children)

Can you ping the server from your phone successfully? You can use an app like this to check: https://play.google.com/store/apps/details?id=net.he.networktools

Making sure you have layer 3 connectivity first would be a good first step. If you don't, I would start by troubleshooting at layer 2. Run a packet capture on both your phone and server while trying to connect to determine where the disconnect is. Make sure ARP is resolving properly.

If layer 3 IS working, move up to layer 4 and make sure you are using the correct port, http vs https, etc.