2x Pi-hole in docker, an accesspoint and homeassistant on a single Pi5

The issue I am facing:
So I am trying to setup my Pi5 as a home server running among other things:

  • HomeAssistant
  • Pi-Hole over LAN with DHCP and DNS
  • Pi-Hole over WLAN with DHCP and DNS for SmartHome devices, as they only use wifi anyways

Details about my system:
I have gotten the ports and stuff sorted out, but my only remaining problem is, that the Pi-Hole container for the IoT stuff doesn't seem to give out IPv6 addresses, or the clients aren't self assigning them one.
As my SmartHome devices are run using Matter over Wifi, IPv6 is essential, as the matter protocol is IPv6 only.

What I have changed since installing Pi-hole:
My current setup is as follows:

  1. Docker Container (LAN):
services:
  pihole-lan:
    container_name: pihole-lan
    image: pihole/pihole:latest
    network_mode: host
    environment:
      TZ: 'Europe/Berlin'
      FTLCONF_webserver_api_password: 'jellyBeansAreGreat'
      FTLCONF_dns_interface: 'eth0'
      FTLCONF_dns_listeningMode: 'bind'
      FTLCONF_dns_upstreams: '1.1.1.1;1.0.0.1'
      # Configure DHCP
      FTLCONF_dhcp_active: 'true'
      FTLCONF_dhcp_start: '192.168.1.100'
      FTLCONF_dhcp_end: '192.168.1.200'
      FTLCONF_dhcp_router: '192.168.1.1'
      FTLCONF_dhcp_ipv6: 'false'
    # Volumes store your data between container upgrades
    volumes:
      # For persisting Pi-hole's databases and common configuration file
      - './etc-pihole:/etc/pihole'
    cap_add:
      - NET_ADMIN
      - SYS_NICE
    restart: unless-stopped

No manual edits to the pihole.toml.
With the container's dnsmasq.conf looking like this (not manually edited; comments removed for the post):

hostsdir=/etc/pihole/hosts

no-resolv

# DNS port to be used
port=53

# List of upstream DNS server
server=1.1.1.1
server=1.0.0.1

cache-size=10000

localise-queries

# Enable query logging
log-queries
log-async

log-facility=/var/log/pihole/pihole.log

bogus-priv

use-stale-cache=3600

# Bind to one interface
interface=eth0
bind-interfaces

domain=lan
local=/lan/

local=/pi.hole/
host-record=pi.hole,0.0.0.0
# DHCP server setting
dhcp-authoritative
dhcp-leasefile=/etc/pihole/dhcp.leases
dhcp-range=192.168.1.100,192.168.1.200,255.255.255.0
dhcp-option=option:router,192.168.1.1
dhcp-rapid-commit
# Advertise the DNS server multiple times to work around
# issues with some clients adding their own servers if only
# one DNS server is advertised by the DHCP server.
dhcp-option=option:dns-server,0.0.0.0,0.0.0.0,0.0.0.0

# Add NTP server to DHCP
dhcp-option=option:ntp-server,0.0.0.0

server=/test/
server=/localhost/
server=/invalid/

server=/bind/
server=/onion/

cache-rr=ANY
filter-rr=ANY

  2. Docker Container (IoT):
services:
  pihole-iot:
    container_name: pihole-iot
    image: pihole/pihole:latest
    network_mode: host
    environment:
      TZ: 'Europe/Berlin'
      FTLCONF_webserver_api_password: 'jellyBeansAreGreater'
      # Configure DHCP
      FTLCONF_dhcp_active: 'true'
      FTLCONF_dhcp_start: '192.168.2.100'
      FTLCONF_dhcp_end: '192.168.2.150'
      FTLCONF_dhcp_router: '192.168.2.240'
      FTLCONF_dhcp_ipv6: 'true'
    # Volumes store your data between container upgrades
    volumes:
      # For persisting Pi-hole's databases and common configuration file
      - './etc-pihole:/etc/pihole'
    cap_add:
      - NET_ADMIN
      - SYS_NICE
    restart: unless-stopped

Notable edits to the pihole.toml include:

  dnsmasq_lines = [
    "listen-address=192.168.2.1",
    "listen-address=fe80::387c:89ff:fe74:3358",
    "bind-interfaces"
  ] ### CHANGED, default = []

as the UI doesn't allow for binding to an IP, which seems to be the only way for dnsmasq to not listen on lo0, which would cause problems with 2 containers in host mode.
Both the IPv4 and the IPv6 address have been manually set via sudo ip addr add IP dev wlan0.
Interface binding has not been set via the env, as that seems to default bind eth0, if no interface is specified.

The full dnsmasq.conf for the container looks like this:

hostsdir=/etc/pihole/hosts

no-resolv

port=53

server=8.8.8.8
server=8.8.4.4

cache-size=10000

localise-queries

log-queries
log-async

log-facility=/var/log/pihole/pihole.log

bogus-priv

use-stale-cache=3600

local-service

domain=lan
local=/lan/

local=/pi.hole/
host-record=pi.hole,0.0.0.0
# DHCP server setting
dhcp-authoritative
dhcp-leasefile=/etc/pihole/dhcp.leases
dhcp-range=192.168.2.100,192.168.2.150,255.255.255.0
dhcp-option=option:router,192.168.2.240
dhcp-rapid-commit
dhcp-option=option6:dns-server,[::]
# Enable IPv6 DHCP variant
dhcp-range=::,constructor:eth0,ra-names,ra-stateless,64

# Add NTP server to DHCP
dhcp-option=option:ntp-server,0.0.0.0

server=/test/
server=/localhost/
server=/invalid/

server=/bind/
server=/onion/

cache-rr=ANY

filter-rr=ANY

#### Additional user configuration - START ####
listen-address=192.168.2.1
listen-address=fe80::387c:89ff:fe74:3358
bind-interfaces
#### Additional user configuration - END ####

It would be great if someone could help me with that issue, as I don't really want to get a second device or something to serve as the router for the IoT network, as that would also make HomeAssistant interfacing with 2 networks more difficult.

The wlan network is hosted by the Pi using hostapd.

interface=wlan0
driver=nl80211
ssid=Pi5-SmartHome
hw_mode=g
channel=1
macaddr_acl=0
ignore_broadcast_ssid=0
auth_algs=1
wpa=2
wpa_passphrase=KeePGuessinG
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP

I have tested whether IPv6 is functioning via my iPhone. It does not display any IPv6 addresses in the network settings when connected to the IoT wifi network, as opposed to any wifi network.

Your question seems related to (Docker) networking rather than Pi-hole.

You should note that Docker is IPv4 only by default. IPv6 is only supported by Docker on Linux hosts, and you'd have to explicitly enable IPv6 support for any container that you want to use IPv6 as well as for the Docker daemon itself.

You are trying to configure a separate IPv6 network for your IoT devices.
You'd likely need your existing router to delegate an IPv6 prefix to the router on your RPi 5. Note that Pi-hole is not a router.
It may be easier to have your router handle your IoT VLAN/subnet and just point that to Pi-hole for DNS.

In addition, two containers in host mode are going to cause port conflicts, likely preventing the second one from starting successfully.

What's the intention for using two Pi-hole containers instead of just one?

I guess my question is about dnsmasq, and why I am not getting an IPv6 address from it.

Well, the thing is, that I don't have a modem/router at this moment :sweat_smile:.

From my understanding: The two containers don't have any port conflicts, as both are binding their interfaces: one using eth0 and the other using wlan0. The logs also don't indicate any port conflicts or startup errors.

Using one container I wouldn't know how to configure it so that it hosts 2 networks on 2 different interfaces, as I want to separate my IoT devices from my other stuff. But if that was an option somehow, I also wouldn't mind that, as that might make networking a bit easier.

EDIT:
...maybe it isn't working as I haven't set ipaddr_type_availability in hostapd yet.. I think the default says ipv6 unknown.. will get back to it later

EDIT 2:
On a random side note:
running an equivalent dnsmasq config on the host directly leads to connection times of maybe a second, while running it in the pi-hole container leads to wifi connection times of up to a minute, which seems odd to me.. does anyone have an idea why that might be?

That's perhaps by chance then, as only one of your docker compose scripts actually passes an interface into the container (unless your shares above would be incomplete).

Without a router to acquire and advertise any IPv6 prefixes, your network will be limited to link-local IPv6 connectivity, and LLAs are always auto-generated by clients via SLAAC.

In addition, Pi-hole's IPv6 support is not intended to facilitate IPv6 address assignment. All it does is advertise its IPv6 address as a local DNS server via RDNSS Router Advertisements, and likewise distribute its own IPv6 to clients requesting it via Stateless DHCPv6.
This would only be useful if your router would not allow changing its advertised DNS server IPv6 addresses, but only switching off RDNSS RAs and DHCPv6 altogether.

So to repeat:

That's intentional, as dnsmasq always binds lo0 when binding an interface.
So I have one container bind on an interface and one bind on an IP, so dnsmasq then selects the interface based on the IP without also binding lo0 to avoid port conflict there. So it's working as intended.

But alright I guess.. looks like I'll have to wait until I get a proper router in the coming weeks... is there router software which one could use on the Pi, without installing a different OS?

I'm sure there would be, but there are forums better suited to bring up that question. :wink:

And you haven't answered my question for your intention running two containers instead of just one.

That was supposed to be the answer to that.

In that case, you may want to consider adding dnsmasq custom configuration lines to serve different DHCP ranges specific to the interface that pihole-FTL/dnsmasq has received a DHCP request on, e.g.

no-dhcpv6-interface=eth0
dhcp-range=tag:wlan0,192.168.2.100,192.168.2.150,24h
dhcp-option=tag:wlan0,option:router,192.168.2.240
dhcp-option=tag:wlan0,option6:dns-server,[::]
dhcp-range=::,constructor:wlan0,ra-names,ra-stateless,64

That's obviously just a sketch glanced from your config files, assuming you'd want your Pi-hole hosts IPv6 DNS server address to be offered to your wifi clients exclusively.
dnsmasq's documentation will be helpful in figuring better options to suit your requirements.

You may add those lines to a file at /etc/dnsmasq.d/, so adding a mount for that to your container may be useful.
You'd then need to tell Pi-hole to read configuration files from that path, e.g. by adding FTLCONF_misc_etc_dnsmasq_d: true to your compose script, or by enabling that option via Settings | All settings » Miscellaneous.
All settings is available in Expert mode only.
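As an added example (not code from this thread or from Pi-hole/dnsmasq), here is a small Python check that parses dnsmasq option lines and flags the mismatch discussed above: an IPv6 dhcp-range whose constructor: interface differs from the interface DHCP is actually served on, or no IPv6 range at all. The two sample configs are constructed from the IoT config as posted and from the sketch above; the tag:<if> handling assumes dnsmasq's automatic per-interface tag.

```python
import re
from collections import defaultdict

# Constructed samples, modelled on the thread's configs (not copied verbatim).
IOT_CONF = """
listen-address=192.168.2.1
dhcp-range=192.168.2.100,192.168.2.150,255.255.255.0
dhcp-range=::,constructor:eth0,ra-names,ra-stateless,64
"""
FIXED_CONF = """
no-dhcpv6-interface=eth0
dhcp-range=tag:wlan0,192.168.2.100,192.168.2.150,24h
dhcp-range=::,constructor:wlan0,ra-names,ra-stateless,64
"""

def parse_dnsmasq(text):
    """Collect option=value lines into {option: [values]}, ignoring comments."""
    cfg = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, val = line.partition("=")
        if sep:
            cfg[key].append(val)
    return cfg

def range_interface(rng):
    """Interface a dhcp-range is tied to via tag:<if> or constructor:<if>, else None."""
    m = re.search(r"(?:^|,)(?:tag|constructor):([\w.-]+)", rng)
    return m.group(1) if m else None

def audit(text, served_if):
    """Findings for a config that is meant to hand out addresses on served_if."""
    cfg = parse_dnsmasq(text)
    findings = []
    v6 = [r for r in cfg["dhcp-range"] if r.startswith("::") or "constructor:" in r]
    if not v6:
        findings.append("no DHCPv6/RA range: clients get link-local IPv6 only (SLAAC)")
    for r in v6:
        ifc = range_interface(r)
        if ifc and ifc != served_if:
            findings.append(f"IPv6 range '{r}' is built from {ifc}, but DHCP is served on {served_if}")
    if served_if in cfg["no-dhcpv6-interface"]:
        findings.append(f"DHCPv6 disabled on {served_if}")
    return findings

if __name__ == "__main__":
    for name, conf in (("IoT as posted", IOT_CONF), ("sketch", FIXED_CONF)):
        print(name, "->", audit(conf, "wlan0") or "ok")
```

Even with a matching constructor: interface, clients only get a routable IPv6 address if that interface itself carries a global prefix, which is the router point made above.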

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.