Ok, I will make a simple guide of this.
The Synology Docker part will just use the GUI (as that is the “Synology way” of handling docker).
For the router configuration I will probably just put my router's GUI and ask for some kind soul to translate that into iptables commands (I have a good grasp on what should be in those lines, but not sure on the exact syntax).
On the router part that you asked: as mentioned I use an Edgerouter-X. It is Vyatta (Debian Linux) based. But as you said, it probably won't be possible on a consumer router with stock firmware. DD-WRT is obviously a good choice in that case (although I am hard pressed to recommend DD-WRT on an internet facing router due to the lack of updates on older hardware).
Just gave alpine_dev a swing. Works like a charm. That makes running it on Synology so much easier. Somehow I overlooked VIRTUAL_HOST previously; together with the new WEB_PORT it enables configuration via only the Synology Docker GUI (and no need to change any *.conf that is part of the image anymore).
Cheers, will update the guide above accordingly.
Edit: Done!
I could really use some help from somebody with a DD-WRT router on how to accomplish the NAT reflection. Probably the 3 required iptables commands and where to put them would suffice. Or a screenshot if it can be done via the GUI.
I gave it a shot on my slightly older DD-WRT router but wasn't able to get the DNAT PREROUTING rule working even after moving it to the very top of the rule list so the stock NAT catchall rules didn't affect it.
$ iptables -t nat -L -v --line-numbers
Chain PREROUTING (policy ACCEPT 4774 packets, 327K bytes)
num pkts bytes target prot opt in out source destination
...
2 17 980 DNAT tcp -- any any 192.168.41.0/24 192.168.9.6 tcp dpt:www to:192.168.41.55:32773
I can see the rule getting hit (note the pkt/byte count) when I try to curl 192.168.9.6 but I'm not getting results, just timeouts, for some reason - initial connection must be made to router to iterate the iptables counter but return or further traffic is failing?
Curling the container on 192.168.41.55:32773 returns the pi-hole block page fine. I'm not exactly sure what iptables magic is needed here, open to suggestions. It may be this long standing NAT hairpin/reflection issue mentioned there; I do not have 'Filter WAN NAT Redirection' enabled so I think this should work.
These are the iptables commands I used on my router (running asus-merlin) that seem to implement the behavior described in this post. Hopefully it can help someone else out who cannot do it via their router GUI.
I am the least sure about that last line, as it didn't have a direct equivalent in the linked example.
The biggest problem I have now is that https requests do not get routed (since they are for port 443), and end up hanging the request, leading to some very slow web page loads (try https://slickdeals.net with these settings enabled).
I tried to come up with an iptables rule to add to the router to REJECT requests to port 443 on the "fake" address (192.168.0.2), but nothing I came up with would stop the hanging. But I barely understand iptables, so hopefully someone can provide the necessary command.
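Added example, not posted by anyone in this thread: a script that prints the four iptables rules that make the hairpin in the two posts above work (the DNAT rule is hit but the client times out; HTTPS to the fake address hangs). The LAN 192.168.1.0/24 on interface br0 is an assumption, and the addresses and port default to the values used in this thread (fake 192.168.0.2, Synology 192.168.178.50, WEB_PORT 37337); change the variables to match your network.

```shell
#!/bin/sh
# Added example for this thread, not any poster's own rules.
# Assumed values; override via environment, e.g. LAN_NET=192.168.41.0/24 ./hairpin.sh
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # subnet your clients sit in
LAN_IF="${LAN_IF:-br0}"                  # router's LAN bridge/interface
FAKE_IP="${FAKE_IP:-192.168.0.2}"        # address Pi-hole DNS hands out for blocked names
NAS_IP="${NAS_IP:-192.168.178.50}"       # Synology running the Pi-hole container
WEB_PORT="${WEB_PORT:-37337}"            # Pi-hole's WEB_PORT on the Synology

# Prints the rules instead of applying them, so they can be reviewed (or tested)
# without root and without iptables on the machine running this script.
# -I inserts at the top of each chain so stock NAT/forward catch-all rules do not
# swallow the traffic first.
hairpin_rules() {
  cat <<EOF
# 1. Rewrite LAN clients' requests for FAKE_IP:80 to the real Pi-hole web port.
iptables -t nat -I PREROUTING -i $LAN_IF -s $LAN_NET -d $FAKE_IP -p tcp --dport 80 -j DNAT --to-destination $NAS_IP:$WEB_PORT
# 2. Masquerade the DNAT'd flow so the NAS answers the router, not the client directly.
#    Without this the NAS replies from its own address, the client sees a reply from
#    a peer it never talked to and drops it: DNAT counters rise, but the connection
#    times out (the symptom in the DD-WRT post above).
iptables -t nat -I POSTROUTING -o $LAN_IF -d $NAS_IP -p tcp --dport $WEB_PORT -m conntrack --ctstate DNAT -j MASQUERADE
# 3. Let the hairpinned flow through FORWARD (it enters and leaves on the LAN side).
iptables -I FORWARD -i $LAN_IF -o $LAN_IF -d $NAS_IP -p tcp --dport $WEB_PORT -j ACCEPT
# 4. Fail fast for HTTPS to the fake address: a TCP reset makes the browser give up
#    immediately instead of hanging until its connect timeout.
iptables -I FORWARD -i $LAN_IF -d $FAKE_IP -p tcp --dport 443 -j REJECT --reject-with tcp-reset
EOF
}

hairpin_rules
```

To apply, run the printed lines as root on the router (for example `hairpin_rules | sh`), or paste them into the router's firewall startup script so they survive a reboot.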
It appears VIRTUAL_SERVER doesn't exist anymore. When trying to launch the container:
2018-08-01 13:03:26: (network.c.464) can't bind to port: 192.168.0.2 37337 Cannot assign requested address (it seems to use the ServerIP instead of VIRTUAL_SERVER env variable).
Any idea?
I got 4.0 working with the following docker run and corresponding proxy (Synology's "Application Portal") settings. I had the SNAT and DNAT working with Pi-hole 3.3 but assume they're not needed any more given that we can't bind to a fake IP via VIRTUAL_SERVER.
Hey @musicsnob - so how does this work? If PiHole only answers DNS queries, how would the host (loading the ads) use the 'pihole.your.domain' header to make use of the Reverse Proxy feature?
Hi @Mathius, no worries! There are two parts: the DNS server, and the web server. The reverse proxy allows multiple web sites / servers to flow through the same IP. The proxy maps each request to the correct server based on the host name.
Pi-hole's web server provides the "block page" (pihole.your.domain), the Pi-hole graphic and text indicating something was blocked. Pi-hole's web server also provides the admin interface (pihole.your.domain/admin/).
Given that Synology's web UI already grabs port 80, Pi-hole must use a different port: 50314 in my example. So the Synology web UI "synology.your.domain" continues to go to 192.168.1.9:80, and now "pihole.your.domain" to 192.168.1.9:50314.
When your browser asks Pi-hole's DNS for "some.adserver.com", Pi-hole responds with 192.168.1.9. Now, here's where it gets a little messy because of the ports. You won't see the Pi-hole block page when ads are blocked, because the browser is requesting 192.168.1.9:80 or :443, which is the Synology UI. Ideally, Synology would let us remap :80 and :443 to Pi-hole, but that's not an option in DSM as far as I know.
I'm not an expert but hopefully this is somewhat helpful...?
Hi - thanks for the explanation, it is exactly as I understand it. I thought you had a solution to correctly reroute traffic to the pihole server.
I think we can add a new subnet and IP to Synology - I have done this for running the proxy software Squid. If pihole can bind to that, then ad (and Admin) traffic can reach pihole, staying on port 80/443 all the time.
Reviving this thread with the following addition, because this thread is referenced directly from the WEB_PORT paragraph in the environment variables table on Github.
Had some trouble with this tutorial, as apparently there have been some changes to the pihole environment variables definition. The Howto reflected above does not fit with current reality. For configuring the docker container, one must perform the following:
Set "VIRTUAL_HOST" (instead of "ServerIP") to "192.168.0.2" (or whatever fake address you chose)
Set "ServerIP" (instead of "VIRTUAL_SERVER") to "192.168.178.50" (or whatever IP address the Synology has)
Set "WEB_PORT" to "37337" (or whatever port you want to assign to pi-hole's http server)
@diginc, including you in this reply as it concerns a Docker related issue.