Binding of services to a specific IP with pihole-v6

Even after lots of tests and research in documentation and forums I'm stuck. Any advice welcome.

These are the facts:

  • I want to run pi-hole via a container (docker-compose.yml defined) on my NAS. Version is the latest v6.
  • Besides DNS I also need DHCP, and I don't have and don't want a proxy like Caddy, which according to the pi-hole documentation means that I have to use network-mode: host.
  • If I use network-mode host, I cannot use the docker port-mapping feature.
  • I already have some other services on the NAS running in containers. I don't want those to interfere (especially port conflicts), so I decided to add a new alias IP on the main internal network interface of the server. This IP is dedicated to pi-hole only.
  • According to my research in docs and forums, I configured this specific IP in the following ways:
    --> docker-compose env variables:
        FTLCONF_LOCAL_IPV4: '192.168.0.25'
        FTLCONF_misc_etc_dnsmasq_d: 'true'
        './etc-dnsmasq.d:/etc/dnsmasq.d' (volume, for persisting custom dnsmasq configs)
    --> in a custom dnsmasq.conf file dnsmasq.d/fractal.conf:
        bind-interfaces
        listen-address=192.168.0.25
    --> in a custom lighttp config file lighttp/external.conf:
        server.bind = "192.168.0.25"

When I start the container, DNS and DHCP work fine. However, if I test DNS resolution against the different IPs of the server, it works with all of them! So binding to a specific IP didn't succeed. I could live with that.

The GUI however is not accessible. When I connect to the shell of the container, I see that binding to the given IP (with all those config steps above) didn't succeed.
netstat gives many lines like:
tcp 0 0 pi.hole:http 0.0.0.0:* LISTEN
tcp 0 0 pi.hole:http 0.0.0.0:* LISTEN

..which tells me binding didn't work at all.

BTW, in an earlier setup that differed in one point (before going the alias way) I tried to use the docker environment variable WEB_PORT, which according to some discussions should have worked to pick a dedicated port for the Web GUI (as 80/443 are in use on my server for the other IPs). But that didn't work either. :(

Could it be that v6 brought some changes concerning the IP binding process?

Pi-hole v6 dropped lighttpd as webserver and is now embedding a webserver engine itself, see Introducing Pi-hole v6.

That's a v5 environment variable, to be replaced by FTLCONF_webserver_port in Pi-hole v6.

See the disclaimer for the Pi-hole v6 Docker image, in particular about environment variables:

!!! THE LATEST VERSION CONTAINS BREAKING CHANGES

Pi-hole v6 has been entirely redesigned from the ground up and contains many breaking changes.

Environment variable names have changed, script locations may have changed.

If you are using volumes to persist your configuration, be careful.
Replacing any v5 image (2024.07.0 and earlier) with a v6 image will result in updated configuration files. These changes are irreversible.

If your docker compose is still using v5 environment variables, please have a read of Upgrading from v5.x - Pi-hole documentation and adjust as required.

Adjusting FTLCONF_webserver_port to avoid port conflicts should allow you to start your Pi-hole container in host mode, unless ports 53 and 67 would also be occupied by other DNS or DHCP services already running on the same machine.

Thanks for the heads-up. I guess I'm one step further; however, yesterday I spent an evening for nothing, as after a night of debugging and troubleshooting I found that I had made a stupid mistake which rendered all my tests useless (I accidentally had two piholes running on the same host, which interfered). Called it a night, continuing today.

But today, with a fresh start, I'm still struggling with enabling pi-hole on a specific IP only.

Let's list the relevant facts:

  • I have three alias IPs on the main adapter:
    --> 192.168.0.2 (main IP for other stuff)
    --> 192.168.0.34 (dedicated IP for some other container)
    --> 192.168.0.25 (dedicated IP for pi-hole)
  • I use docker with the current pi-hole image, preferably using docker-compose environment variables for the basic pi-hole setup.

This is my current docker-compose file, with the goal of enabling all pi-hole services (dns, web-gui) on the .25-IP:

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    network_mode: host
    environment:
      TZ: 'Europe/Vienna'
      FILCONF_webserver_domain: '<name which resolves to 192.168.0.25>'
      FTLCONF_webserver_api_password: 'redacted'
      FTLCONF_webserver_port: '20720'
      # If using Docker's default `bridge` network setting the dns listening mode should be set to 'all'
      FTLCONF_dns_listeningMode: 'all'
      FTLCONF_dns_domain: 'redacted'
      FTLCONF_dns_bogusPriv: 'true'
      FILCONF_dns_reply_host: '192.168.0.25'
      FTLCONF_LOCAL_IPV4: '192.168.0.25'
      FTLCONF_misc_dnsmasq_lines: 'bind-interfaces;listen-address=192.168.0.25'
    volumes:
      - '/mnt/DATA/shares/persistent/docker/pihole/etc:/etc/pihole'
    cap_add:
      # See https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
      # Required if you are using Pi-hole as your DHCP server, else not needed
      - NET_ADMIN
      # Required if you are using Pi-hole as your NTP client to be able to set the host's system time
      - SYS_TIME
      # Optional, if Pi-hole should get some more processing time
      - SYS_NICE
    restart: unless-stopped

What works: DHCP, DNS (and on correct IP)

What doesn't work: webgui on correct IP.

If I connect to the container and have a look, I see that the webserver is running on the two other IPs, just not on the one I would like it to run on:

/ # netstat -l | grep http
tcp        0      0 192.168.0.34:http-alt   0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.2:https       0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.2:http        0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.34:http       0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.34:https      0.0.0.0:*               LISTEN
tcp        0      0 :::https                :::*                    LISTEN
tcp        0      0 :::http                 :::*                    LISTEN
udp        0      0 192.168.0.34:https      0.0.0.0:*
/ # netstat -l | grep 192.168.0.25
tcp        0      0 192.168.0.25:domain     0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.25:5357       0.0.0.0:*               LISTEN
udp        0      0 192.168.0.25:domain     0.0.0.0:*
udp        0      0 192.168.0.25:3702       0.0.0.0:*

If I check the /etc/pihole/pihole.toml file, I see some values not correctly populated from the environment variables in the docker-compose-file:

    [dns.reply.host]
      IPv4 = ""

This stays empty although I set it via FILCONF_dns_reply_host above. As DNS is already served via .25 it's not a problem. But I cannot get the webserver to run on the correct IP. If I change that value manually in the .toml file and restart the container, the behaviour doesn't change.

Any advice appreciated. I'm puzzled why the webserver refuses to run on the correct IP. If unconfigured, it would run on all three.

This variable doesn't exist in v6.

You have 2 errors here:

  • it should be FTLCONF, but you have a typo "FILCONF";
  • the correct option ends with IPV4: FTLCONF_dns_reply_host_IPv4.

FTLCONF_LOCAL_IPV4 is v5 and should be removed.
FILCONF_dns_reply_host is just wrong.
FTLCONF_dns_reply_host_IPv4 is likely what you want.

If you want to limit Pi-hole's webserver to a specific IP, just do so in webserver.port, e.g.:

FTLCONF_webserver_port: '192.168.0.25:20720'

webserver.port allows for very flexible configuration of Pi-hole's embedded webserver listening behaviour. Settings | All settings » Webserver and API has a quite comprehensive description.
All settings is available in Expert mode only.
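An added example, not part of the thread and not code from the Pi-hole project: a POSIX shell script with two checks for the problems discussed above, the web server not ending up on the dedicated IP (visible as the wildcard `:::http` listeners in the netstat output earlier in the thread) and v5 or misspelled variable names in the compose `environment:` block. The netstat listing and the environment block embedded in the script are constructed samples modelled on the thread; to use it for real, capture `netstat -l` inside the container and paste your own environment block in their place. The v5 names it knows about are only the two named in the thread, `FTLCONF_LOCAL_IPV4` and `WEB_PORT`; the list is not exhaustive.

```shell
#!/bin/sh
# Added example (not from the thread or the Pi-hole project). Two checks for
# the failure modes discussed above, run against constructed sample data so
# the script works offline.

# Constructed `netstat -l` sample, modelled on the listing in the thread.
SAMPLE_NETSTAT='tcp        0      0 192.168.0.34:http-alt   0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.2:https       0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.2:http        0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.34:http       0.0.0.0:*               LISTEN
tcp        0      0 :::http                 :::*                    LISTEN
tcp        0      0 192.168.0.25:domain     0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.25:20720      0.0.0.0:*               LISTEN
udp        0      0 192.168.0.25:domain     0.0.0.0:*'

# Constructed compose `environment:` block containing the two mistakes from the thread.
SAMPLE_COMPOSE_ENV='TZ: Europe/Vienna
FILCONF_webserver_domain: pihole.example.invalid
FTLCONF_webserver_port: 192.168.0.25:20720
FTLCONF_LOCAL_IPV4: 192.168.0.25
FTLCONF_dns_reply_host_IPv4: 192.168.0.25'

# bound_on EXPECTED_IP PORT NETSTAT_OUTPUT
# Succeeds when a TCP LISTEN socket exists on exactly EXPECTED_IP:PORT.
# PORT is whatever netstat printed (a number, or a service name like "http").
bound_on() {
  printf '%s\n' "$3" | awk -v want="$1:$2" '
    $1 ~ /^tcp/ && $NF == "LISTEN" && $4 == want { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# stray_listeners EXPECTED_IP PORT NETSTAT_OUTPUT
# Prints every TCP LISTEN socket on PORT whose local address is not EXPECTED_IP.
# Wildcard binds (0.0.0.0 and ::) count as stray: they are what the ":::http"
# lines in the thread show when binding to the alias IP has not taken effect.
# Exit status 0 when nothing is stray, 1 otherwise.
stray_listeners() {
  printf '%s\n' "$3" | awk -v want="$1" -v port="$2" '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
      n = split($4, f, ":")                  # last colon-separated field is the port
      p = f[n]
      ip = substr($4, 1, length($4) - length(p) - 1)
      if (p == port && ip != want) { print; bad = 1 }
    }
    END { if (bad) exit 1; exit 0 }'
}

# suspicious_env_keys COMPOSE_ENV_LINES
# Prints keys that are Pi-hole v5 names (FTLCONF_LOCAL_IPV4 and WEB_PORT, the
# two named in the thread) or that lack the FTLCONF_ prefix entirely, which
# catches the FILCONF typo. TZ is the one non-FTLCONF key allowed through.
suspicious_env_keys() {
  printf '%s\n' "$1" | awk -F: '
    { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
    key == "" || key == "TZ" { next }
    key == "FTLCONF_LOCAL_IPV4" || key == "WEB_PORT" {
      print key " (Pi-hole v5 variable, not used by v6)"; bad = 1; next
    }
    key !~ /^FTLCONF_/ {
      print key " (no FTLCONF_ prefix: check spelling)"; bad = 1
    }
    END { if (bad) exit 1; exit 0 }'
}

# Stand-alone run against the constructed samples.
if bound_on 192.168.0.25 20720 "$SAMPLE_NETSTAT"; then
  echo "web UI is listening on 192.168.0.25:20720"
fi
echo "listeners on port http outside 192.168.0.25:"
stray_listeners 192.168.0.25 http "$SAMPLE_NETSTAT" || true
echo "environment keys to fix:"
suspicious_env_keys "$SAMPLE_COMPOSE_ENV" || true
```

Pass the port in the form netstat prints it: without `-n`, well-known ports appear as service names (`http`, `domain`) and others as numbers (`20720`), so either run `netstat -ln` and use numbers throughout, or pass the name. The wildcard-as-stray rule is the important one for this thread: a `0.0.0.0` or `::` listener on the web port means the IP restriction in `webserver.port` has not been applied, whatever the per-IP lines show.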

Thank you @Bucking_Horn & @rdwebdesign. It puzzles me that after a night of fiddling around you both come along and notice immediately a typo which I managed to miss all along.

The stuff works now. I made a donation for the pi-hole project. Thanks.