I have a particular difficult setup, at least in my mind, at a small college in the jungles of Papua New Guinea. We have a small campus with our own DHCP server, Fileserver, etc. Students access the system via Ubiquiti access points located around campus. The DHCP server distributes IP addresses in the range of 192.168.0.100-192.168.0.200.

Now we want to add internet service to the campus. The only ISP in our area that we can use, uses a long haul radio modem to the campus. They have a portal page where the students can buy data, chunks at a time to access the internet. Once a student logs in, their terminal is assigned an IP address, DNS Server, Gateway, etc., from the ISP's DHCP server.

I created a separate SSID on the Ubiquiti access points using VLAN 20 that separates the networks, thereby separating the DHCP servers. On a Raspi I installed a USB to ethernet adapter and connected it to the ISP's radio link. I created VLAN20 on the Rapsi and bridged the WAN and VLAN20. All of that is working great. If the student logs into the campus Wifi, he gets a campus IP address and is able to access the network. If the student logs into the Internet Wisi, he gets an ISP provided IP address and is able to access the internet.

Now I want to implement Pi-Hole on the same Raspi. Almost everything is working as it should. For testing, I installed a cellular modem (192.168.0.251) and assigned it as the Gateway for the campus Wifi. It is working correctly when I assign the Pi-Hole as the DNS server for the campus. Now I want the Pi-Hole to be the DNS server for the Internet Wifi. I have spent about 2 weeks getting to this point. My background is in programming and coming into this project I knew very little about networking.

I have read dozen of sites and watched dozens of Youtube videos trying to figure out how to route the client's internet to the Pi-Hole without success. If I do a nslookup on an internet client, it correctly shows the ISP's DNS server address. If I make an entry into the iptables such as the following, the DNS query times out.

iptables -t nat -A PREROUTING -i br0 -p udp ! --source 192.168.0.99 ! --destination 192.168.0.99 --dport 53 -j DNAT --to 192.168.0.99
iptables -t nat -A PREROUTING -i br0 -p tcp ! --source 192.168.0.99 ! --destination 192.168.0.99 --dport 53 -j DNAT --to 192.168.0.99
iptables -I FORWARD -d 192.168.0.99 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -d 192.168.0.99 -p tcp --dport 53 -j ACCEPT

I do have ip_forwarding enabled.
I have tried dozens of other variations. I've tried pfsense, dd-wrt, ebtables, even dnschef and ettercap. I've tried routing via iptables, just not making any progress.
Can someone please offer some advice? I am at my wits end. I am sure it is just a matter of a couple of commands. I just do not have the networking knowledge. I have also posted this on the Pi-Hole forum without response. But it is more of a networking problem.

Here is my network layout.
http://philandjansmithpng.com/wp-con...4/Untitled.png

My understanding is you want to DNS forward to the pi-hole DNS requests via a bridged interface. iptables can't do it, it works at the ip layer and bridging is below that. If it were routing, iptables could do it. Or if you were the NAT (but then you are routing in reality, so iptables is in play).

I think you want to use nftables. There was a older tables that works with bridges network, etables.