Can't acquire DHCP lease through Docker Pi-hole

I have tried in vain to get this to work both using the method described here and the method using a macvlan without any luck. I am stuck now and don't know where to look next to try and figure this out.

The host machine I run docker on is a dual home linux (gentoo) box that I run as my router (firewall/gateway). eth0 = lan, ip 192.168.0.1; eth1 = wan, dhcp assigned

I use arno-iptables-firewall for my firewall and currently using dnsmasq on host to provide both dhcp and dns to lan clients. On host machine I run web services and thus cannot run pihole docker container in host network mode. I have no problem creating a pihole container to provide only dns services using bridge networking mode with mapped ports. However, I would like to get rid of dnsmasq on host if I can and just use dhcp services provided by already running pihole container (just cleaner and more portable).

That eventually brought me here.... Here is my docker-compose file for reference

version: "3"
services:
  pihole:
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "980:80"
      - "9443:443"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    dns:
      - 127.0.0.1
      - 9.9.9.9
    environment:
      ServerIP: 192.168.0.1
      DNS1: 9.9.9.9
      DNS2: 149.112.112.112
      VIRTUAL_HOST: pi.hole
      DNSMASQ_LISTENING: all
      WEBPASSWORD: password
      ADMIN_EMAIL: admin@gmail.com
    volumes:
      - '/etc/timezone:/etc/timezone:ro'
      - '/etc/pihole/pihole/:/etc/pihole/'
      - '/etc/pihole/pihole/dnsmasq.d/:/etc/dnsmasq.d/'
    depends_on:
      - dhcphelper
    networks:
      pihole_network:
        ipv4_address: '172.31.0.100'

  dhcphelper:
    build: ./dhcp-helper
    restart: unless-stopped
    network_mode: "host"

    command: -s 172.31.0.100
    cap_add:
      - NET_ADMIN

networks:
  pihole_network:
    ipam:
      config:
        - subnet: 172.31.0.0/16

I have added the 07-dhcp-options file as instructed.
Here is my 02-pihole-dhcp.conf contents for reference

###############################################################################
#  DHCP SERVER CONFIG FILE AUTOMATICALLY POPULATED BY PI-HOLE WEB INTERFACE.  #
#            ANY CHANGES MADE TO THIS FILE WILL BE LOST ON CHANGE             #
###############################################################################
dhcp-authoritative
dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-option=option:router,192.168.0.1
dhcp-leasefile=/etc/pihole/dhcp.leases
#quiet-dhcp

domain=lan

What else can I do or look at to try and fix or figure out what is going on? dhcp clients do not get assigned any ip address with this set up. If I manually assign an ip address to a client that client can access internet and dns works. Just no luck with getting dhcp to work. FYI...yes dnsmasq on host is completely shut down so there are no other services attempting to provide dhcp services on network. Any help would be appreciated.

edit: a strange anomaly is that my daughter's lonely iphone seemed to connect and showed up in the dhcp clients....that is the only client that was able to connect for some odd reason. No other clients, wifi or wired were able to connect via dhcp.

(Please don't hijack older dormant posts. Opening a new topic will keep answers focussed on your issue and also allow users with the same problem to easier find an answer.)

You don't allow access to DHCP ports, see Pi-hole's prerequisite ports, and also have a look at the sample configuration for Docker Pi-hole.

For an overview of the different possibilities for setting up DHCP with Docker Pi-hole, refer to Docker DHCP and Network Modes.

Apologies on the hijacking....was thinking it was directly related to the setup being recommended in the first post and would be best here. Note for next time....

Are you sure I need to have port 67 open on pihole container for this setup? original instructions do not either and my understanding is it would not allow it as the dhcphelper container has this port open and is acting as the dhcp relay to relay requests from host to pihole container.

pi@noads:~ $ sudo netstat -nltup | grep 'Proto\|:67 '
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1639/pihole-FTL

pi@noads:~ $ cat /etc/services
[..]
bootps          67/tcp                          # BOOTP server
bootps          67/udp

What instructions are you referring to?

Quoting from the links I've provided above:

A relay points to your containers forwarded port 67 and spreads the broadcast signal from an isolated docker bridge onto your LAN network.

sorry, the original instructions detailed in the first post of the thread I hijacked....

Yes, I realize the job of the dhcp relay is to 'relay' the dhcp request it receives on port 67 to some backend dhcp server...presumably on port 67 too or maybe another port <--this part I cannot seem to figure out.

You will see in those original instructions the pihole container is indeed run in bridge mode and port 67 is not mapped. The separate container (dhcphelper) is running the relay and is listening to port 67 on host using 'host' networking and is forwarding these requests to the pihole container on the docker bridge. There is something that I am missing that is causing I think the dhcp requests to be received on the pihole container and/or clients do not receive the reply.

Sorry from me as well, but that post has a few links to different instructions and it's also full of working and non-working configuration files, so it wasn't quite clear which or whose instructions you were following. :wink:

It is sort of now, but just to be clear: You are referring to the very first post in that topic, right?

In that case, you would be right to assume you don't need to publish DHCP ports, as the relay will forward them over the Docker internal bridge network. (EDIT: For the casual reader: DHCP relay is set up in its own container, exposing and handling DHCP ports.)

Did you check your firewall doesn't intercept those DHCP ports?

Seems you are running your Pi-hole Docker on a host machine that is also acting as DHCP server.

Did you deactivate your DHCP server on your host?

If not, it may well be that your clients would prefer your existing DHCP server.

In fact, clients would do so for sure if they just renewed their DHCP leases, as requests for lease renewals are always sent to the last known DHCP server. They only would broadcast for a DHCP server if renewal fails, or if they join the network after connecting to it.

If more than one DHCP server is answering the broadcast, a client may pick a server at its own discretion, e.g. they may pick the first or the fastest one to answer.

yes, I was referring to the very first post in that topic.

I am currently checking to see if my firewall is somehow intercepting those dhcp ports/packets in any way.

When running DHCP in pihole I am disabling DHCP services on host (dnsmasq) completely so I am not running multiple DHCP servers on the network. When running DHCP services on host they are listened for on the internal nic (eth0 / 192.168.0.1), when attempting to provide them via pihole they again are also listened for on the internal nic (eth0 / 192.168.0.1) by the dhcp relay container which is configured to use host networking mode. So I think if they are using the last known DHCP server....it would still be correct.

Yes, I guess substituting the DHCP server behind the very same IP address should work, as long as the two won't fight over a common leases file (they can't here, because Pi-hole is isolated into its own container).
Of course, when a client requests renewal from Pi-hole for a lease that has been handed out by your router before, Pi-hole wouldn't know that lease and thus could only deny that request, which should result in your client broadcasting for a new lease at some stage. May take a bit longer, but still should work.

Any progress on this?

The following may help you with troubleshooting:
Create a custom configuration file for dnsmasq at /etc/dnsmasq.d/42-log-dhcp.conf (given your volumes, that would be /etc/pihole/pihole/dnsmasq.d/42-log-dhcp.conf on your host) containing the following line:

log-dhcp

To activate that option, run the following command from inside your container

pihole restartdns

This would allow you to see more verbose DHCP related messages, e.g. by running (also from a shell inside your container):

tail -n 10 -F /var/log/pihole.log | grep dhcp

You could use the following command to trigger some DHCP activity (from your host system this time).

sudo nmap -e eth0 --script broadcast-dhcp-discover

You may have to install nmap on your host system first if that's not already present.

Note that nmap may also pick up an answer from any other active DHCP server in your network.
Have a look at Reliably detect all DHCP servers on a network? - #8 by DL6ER if you suspect that a stray DHCP server would interfere somehow.
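
Added example, not part of the original posts: a small Python script that reads the dnsmasq-dhcp lines produced by log-dhcp and reports, per client MAC, how far the DHCP exchange got (lease granted, renewal denied as described above, or offers that are never taken up). The log lines are constructed samples with made-up MACs, addresses and transaction ids, and the verdict labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the style dnsmasq writes to /var/log/pihole.log with
# log-dhcp enabled; MACs, addresses and transaction ids are made up.
SAMPLE_LOG = """\
Mar  3 20:14:01 dnsmasq-dhcp[512]: 3286312 DHCPDISCOVER(eth0) aa:bb:cc:00:00:01
Mar  3 20:14:01 dnsmasq-dhcp[512]: 3286312 DHCPOFFER(eth0) 192.168.0.51 aa:bb:cc:00:00:01
Mar  3 20:14:01 dnsmasq-dhcp[512]: 3286312 DHCPREQUEST(eth0) 192.168.0.51 aa:bb:cc:00:00:01
Mar  3 20:14:01 dnsmasq-dhcp[512]: 3286312 DHCPACK(eth0) 192.168.0.51 aa:bb:cc:00:00:01 iphone
Mar  3 20:15:10 dnsmasq-dhcp[512]: 911002 DHCPREQUEST(eth0) 192.168.0.77 aa:bb:cc:00:00:02
Mar  3 20:15:10 dnsmasq-dhcp[512]: 911002 DHCPNAK(eth0) 192.168.0.77 aa:bb:cc:00:00:02 lease not found
Mar  3 20:16:30 dnsmasq-dhcp[512]: 77120 DHCPDISCOVER(eth0) aa:bb:cc:00:00:03
Mar  3 20:16:30 dnsmasq-dhcp[512]: 77120 DHCPOFFER(eth0) 192.168.0.52 aa:bb:cc:00:00:03
Mar  3 20:16:34 dnsmasq-dhcp[512]: 77121 DHCPDISCOVER(eth0) aa:bb:cc:00:00:03
Mar  3 20:16:34 dnsmasq-dhcp[512]: 77121 DHCPOFFER(eth0) 192.168.0.52 aa:bb:cc:00:00:03
Mar  3 20:17:00 dnsmasq[512]: query[A] example.com from 192.168.0.51
"""

# Optional transaction id, message type, interface, optional IP, client MAC.
LINE = re.compile(
    r"dnsmasq-dhcp\[\d+\]: (?:\d+ )?(DHCP[A-Z]+)\((\S+?)\) "
    r"(?:(\d+\.\d+\.\d+\.\d+) )?((?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (.*))?$"
)

def dhcp_status(log_text):
    """Return {mac: verdict} based on the last DHCP message logged per client."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:  # DNS query lines and other non-DHCP output are skipped
            seen[m.group(4)].append(m.group(1))
    verdict = {}
    for mac, msgs in seen.items():
        last = msgs[-1]
        if last == "DHCPACK":
            verdict[mac] = "leased"
        elif last == "DHCPNAK":
            verdict[mac] = "renewal-denied"    # unknown lease; client should rebroadcast
        elif last == "DHCPOFFER":
            verdict[mac] = "offer-unanswered"  # server replied; check relay/firewall return path
        else:
            verdict[mac] = "no-answer-logged"  # request arrived, nothing was sent back
    return verdict

if __name__ == "__main__":
    for mac, v in dhcp_status(SAMPLE_LOG).items():
        print(mac, v)
```

A client that never appears in the log at all points the other way: its broadcasts are not reaching the server in the first place.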

thanks bucking_horn, I did manage to have success last night by switching out dhcphelper container with isc-dhcp instead and it worked with issues. I did not make any changes to my firewall to get this to work.

here is the link that details the docker file for the isc-dhcp container and docker-compose file.

I would still like to get it to work with dhcphelper if I can as isc-dhcp is overkill for this setup. There are two things I noted that are different in this new docker-compose file...which I want to run some tests to see if any are directly responsible for this now working. For the dhcp container the network line does not have 'host' in quotes and there are some additional options added in the network section (which I do not know what they do...)

also, I found this command useful to trigger dhcp activity on the network without causing the interface to get or try to get a new ip through dhcp (useful when things are not working properly). It is basically a dhcp request in test mode.

Just wondering:
Is it imperative for you to have your Docker Pi-hole using a bridged network?

Unfortunately yes as ports 80/443 are used on host as it serves as web server. Host mode would have made this easier for sure.

If it's just for avoiding port conflicts, you could still use host mode.

Pi-hole itself uses port 80 to serve its web UI, it doesn't require port 443.

Pi-hole's Docker would only require port 443 if you were deviating from Pi-hole's default NULL blocking mode, and only to fail faster when trying to access Pi-hole's block page via HTTPS (which always fails for technical reasons).

As for port 80, that can be adjusted by setting the WEB_PORT environment variable.

Lol that's funny as I did not notice this env variable however I did previously in my googling searching for answers visit the linked thread noted for that variable on how to set this up on synology nas...might have discounted that thread from the amount of steps involved and thought it was complicated. I'll have to give it a try as that is the only reason I'm doing all this and if I can eliminate an intermediate container for that relay the simpler and better. Thanks for pointing that out

hmmmm.....so I have it up and running without messing with a second container for a dhcp relay. Can't believe I wasted about a week trying different things.....lol

Here is my command for reference in case it helps anyone else.

docker run --name pihole --hostname pihole --detach \
--net=host --cap-add=NET_ADMIN \
-e ServerIP=192.168.0.1 -e WEB_PORT=980 -e INTERFACE=eth0 \
-e WEBPASSWORD=password -e ADMIN_EMAIL=myemail@gmail.com \
-e DNS1=9.9.9.9 -e DNS2=149.112.112.112 \
--dns=127.0.0.1 --dns=9.9.9.9 \
--restart=unless-stopped \
-v /etc/timezone:/etc/timezone:ro \
-v /etc/pihole/pihole:/etc/pihole \
-v /etc/pihole/pihole/dnsmasq.d:/etc/dnsmasq.d pihole/pihole:latest

Thanks again bucking_horn for your assistance with this. I am now a happy pihole user.....

You'd normally favour a bridge if you want several containers to communicate on the same isolated network (e.g. I think the topic where you posted originally aims to integrate nginx containers as well).

If I'd paid closer attention to your configuration, I'd have asked about your network mode earlier: Your docker-compose suggests you are only defining Pi-hole and the DHCP relay to join your custom pihole_network. That would still be a valid setup, but since you want to run just Pi-hole, you have other options available.

Glad it's working for you now. :wink:
