The issue I am facing:
Got a rate limit message in the Pi-hole diagnosis logs. I don't think I have a DNS loop.
I'm in uncharted territory: I set up Pi-hole on a Mac in Docker for the first time after having run it on a Pi for years. I'm trying to slim down the amount of hardware I have, so I decided to run it on my always-on Mac Mini instead of a Pi.
I never had the issue when I just ran it on a Pi.
Details about my system:
Topology is: Xfinity Cable Modem > Firewalla Gold (DNS set to the Mac Mini's IP, 192.168.2.10) > then splits off to my Wi-Fi APs and some wired clients (this Mac Mini being one of them).
What I have changed since installing Pi-hole:
I just added 4 blocklists and a few whitelist items using Teleporter from the setup that was previously on my Pi.
In bridge network mode, Docker isolates containers in a separate network.
In your case, that also means that Docker is NATting the traffic it passes into the bridge network, making that gateway your Pi-hole's only client.
If you were running Docker on Linux, you could consider switching to another network mode, but unfortunately Docker Desktop for macOS does not support the host or macvlan network modes (and neither does Docker Desktop for Windows).
You could consider lifting Pi-hole's rate limit by passing FTLCONF_RATE_LIMIT into your Pi-hole container. If n were the number of clients, I'd probably set it to (n ÷ 2 × 1000), so e.g. FTLCONF_RATE_LIMIT=4000/60 for 8 clients.
However, as Docker would still NAT requests, you still won't be able to attribute DNS requests to individual clients in your Docker-on-macOS configuration, and thus cannot take advantage of Pi-hole's client-specific filtering.
If you need that, you should consider sticking with your RPi.
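The reply above describes a symptom (every query arrives from the Docker bridge gateway, so Pi-hole sees one client) and a heuristic for the rate limit. The script below is an added example, not code from the Pi-hole project or from anyone in this thread. It checks a dnsmasq-style query log for the single-client symptom and turns a client count into a FTLCONF_RATE_LIMIT value using the n ÷ 2 × 1000 per 60 s heuristic from the reply. The log lines are constructed to match the format Pi-hole's dnsmasq writes (`query[A] <name> from <ip>`); the 172.17.0.1 address is the Docker gateway mentioned later in the thread.

```shell
#!/bin/sh
# Added example (not Pi-hole project code, not from any poster in this thread).
#
# distinct_clients     - count distinct client IPs in dnsmasq-style query lines on stdin
# sole_client          - print the client IP if there is exactly one (the NAT-gateway symptom)
# rate_limit_for_clients - compute FTLCONF_RATE_LIMIT from a client count (n / 2 * 1000 per 60 s)
#
# Real input would be something like:
#   docker exec pihole cat /var/log/pihole/pihole.log | distinct_clients
# (the log path is an assumption; check your container's configured log file).

# Constructed sample log in dnsmasq/Pi-hole format. Every query comes from 172.17.0.1,
# which is what a Docker bridge network looks like to Pi-hole: the gateway, not the LAN hosts.
SAMPLE_LOG='Jul 14 10:00:01 dnsmasq[123]: query[A] example.com from 172.17.0.1
Jul 14 10:00:01 dnsmasq[123]: forwarded example.com to 1.1.1.1
Jul 14 10:00:02 dnsmasq[123]: query[AAAA] example.com from 172.17.0.1
Jul 14 10:00:03 dnsmasq[123]: query[A] ads.example.net from 172.17.0.1
Jul 14 10:00:03 dnsmasq[123]: gravity blocked ads.example.net is 0.0.0.0'

# Extract the "from <ip>" field of each query line on stdin, one IP per line.
query_clients() {
    sed -n 's/.*query\[[A-Z]*\] [^ ]* from \([^ ]*\)$/\1/p'
}

# Number of distinct client IPs seen in the query lines on stdin (0 if none).
distinct_clients() {
    query_clients | sort -u | wc -l | tr -d ' '
}

# Print the one client IP if the log shows exactly one client, otherwise print nothing.
# A single address equal to the Docker gateway is the NAT symptom described above.
sole_client() {
    clients=$(query_clients | sort -u)
    if [ -n "$clients" ] && [ "$(printf '%s\n' "$clients" | wc -l | tr -d ' ')" -eq 1 ]; then
        printf '%s\n' "$clients"
    fi
}

# FTLCONF_RATE_LIMIT value for n clients, per the heuristic in the reply: n / 2 * 1000 queries
# per 60 seconds (written as n * 500 to avoid losing the odd client to integer division).
# Pass the number of real LAN devices behind the NAT, not the count from the log,
# since behind Docker's bridge the log only ever shows one client.
rate_limit_for_clients() {
    n=$1
    case "$n" in
        ''|*[!0-9]*|0) echo "usage: rate_limit_for_clients <positive client count>" >&2; return 1 ;;
    esac
    echo "$(( n * 500 ))/60"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | distinct_clients            # 1
printf '%s\n' "$SAMPLE_LOG" | sole_client                 # 172.17.0.1
rate_limit_for_clients 8                                  # 4000/60
```

If `sole_client` prints the bridge gateway address, the container is only seeing NATted traffic and per-client features will not work regardless of the rate limit; the value from `rate_limit_for_clients` goes into the container's `FTLCONF_RATE_LIMIT` environment variable (e.g. `FTLCONF_RATE_LIMIT=4000/60` in the compose file's `environment:` section).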
Thanks for the info. I thought about maybe having a double NAT after posting this, since I am not so familiar with Docker. It sucks very much that it goes this way running Docker on Mac/Windows, since I'd like to slim down the number of devices I run.
I'm already unable to take advantage of client-specific filtering because I am behind a Firewalla Gold. 172.17.0.1 has to be the Firewalla.
Is it?
Your debug log seems to suggest that 172.17.0.1 is your Docker's internal gateway, while your home network operates on 192.168.2.0/24 (?) - at least, 192.168.2.10 is the address used for your Pi-hole container.
@readthebook I use Colima on macOS. Colima supports the host network mode.
But when I try to run Pi-hole in host mode I get this:
➜ docker compose up
[+] Running 3/0
✔ Volume "pi-hole_dnsmasq_data" Created 0.0s
✔ Volume "pi-hole_pihole_data" Created 0.0s
✔ Container pihole Created 0.0s
Attaching to pihole
pihole | s6-rc: info: service s6rc-oneshot-runner: starting
pihole | s6-rc: info: service s6rc-oneshot-runner successfully started
pihole | s6-rc: info: service fix-attrs: starting
pihole | s6-rc: info: service fix-attrs successfully started
pihole | s6-rc: info: service legacy-cont-init: starting
pihole | s6-rc: info: service legacy-cont-init successfully started
pihole | s6-rc: info: service cron: starting
pihole | s6-rc: info: service cron successfully started
pihole | s6-rc: info: service _uid-gid-changer: starting
pihole | s6-rc: info: service _uid-gid-changer successfully started
pihole | s6-rc: info: service _startup: starting
pihole | [i] Starting docker specific checks & setup for docker pihole/pihole
pihole | [i] Setting capabilities on pihole-FTL where possible
pihole | [i] Applying the following caps to pihole-FTL:
pihole | * CAP_CHOWN
pihole | * CAP_NET_BIND_SERVICE
pihole | * CAP_NET_RAW
pihole | * CAP_NET_ADMIN
pihole | [i] Ensuring basic configuration by re-running select functions from basic-install.sh
pihole |
pihole | [i] Installing configs from /etc/.pihole...
pihole | [i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
[✓] Installed /etc/dnsmasq.d/01-pihole.conf
[✓] Installed /etc/dnsmasq.d/06-rfc6761.conf
pihole |
pihole | [i] Installing latest logrotate script...
pihole | [i] Existing logrotate file found. No changes made.
pihole | [i] Assigning password defined by Environment Variable
pihole | [✓] New password set
pihole | [i] Added ENV to php:
pihole | "TZ" => "Europe/Berlin",
pihole | "PIHOLE_DOCKER_TAG" => "",
pihole | "PHP_ERROR_LOG" => "/var/log/lighttpd/error-pihole.log",
pihole | "CORS_HOSTS" => "",
pihole | "VIRTUAL_HOST" => "colima",
pihole | [i] Using IPv4 and IPv6
pihole |
[✓] Installing latest Cron script
pihole | [i] setup_blocklists now setting default blocklists up:
pihole | [i] TIP: Use a docker volume for /etc/pihole/adlists.list if you want to customize for first boot
pihole | [i] Blocklists (/etc/pihole/adlists.list) now set to:
pihole | https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
pihole | [i] Existing DNS servers detected in setupVars.conf. Leaving them alone
pihole | [i] Applying pihole-FTL.conf setting LOCAL_IPV4=0.0.0.0
pihole | [i] FTL binding to default interface: eth0
pihole | [i] Enabling Query Logging
pihole | [i] Testing lighttpd config: Syntax OK
pihole | [i] All config checks passed, cleared for startup ...
pihole | [i] Docker start setup complete
pihole |
pihole | [i] pihole-FTL (no-daemon) will be started as pihole
pihole |
pihole | s6-rc: info: service _startup successfully started
pihole | s6-rc: info: service pihole-FTL: starting
pihole | s6-rc: info: service pihole-FTL successfully started
pihole | s6-rc: info: service lighttpd: starting
pihole | s6-rc: info: service lighttpd successfully started
pihole | s6-rc: info: service _postFTL: starting
pihole | Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
pihole | s6-rc: info: service _postFTL successfully started
pihole | s6-rc: info: service legacy-services: starting
pihole | s6-rc: info: service legacy-services successfully started
pihole | [i] Neutrino emissions detected...
[✓] Pulling blocklist source list into range
pihole |
[✓] Preparing new gravity database
[✓] Creating new gravity databases
pihole | [i] Using libz compression
pihole |
pihole | [i] Target: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
pihole | [i] Status: Pending...Stopping pihole-FTL
pihole | pihole-FTL: no process found
[✓] Status: Retrieval successful
[✓] Parsed 121629 exact domains and 0 ABP-style domains (ignored 1 non-domain entries)
pihole | Sample of non-domain entries:
pihole | - "0.0.0.0"
pihole |
pihole | [i] List has been updated
pihole |
[✓] Building tree
[✓] Swapping databases
pihole | [✓] The old database remains available
pihole | [i] Number of gravity domains: 121629 (121629 unique domains)
pihole | [i] Number of exact blacklisted domains: 0
pihole | [i] Number of regex blacklist filters: 0
pihole | [i] Number of exact whitelisted domains: 0
pihole | [i] Number of regex whitelist filters: 0
[✓] Cleaning up stray matter
pihole |
pihole | [✗] DNS service is NOT running
pihole |
pihole | Stopping pihole-FTL
pihole | pihole-FTL: no process found
pihole | Stopping pihole-FTL
pihole | pihole-FTL: no process found
pihole | Stopping pihole-FTL
pihole | pihole-FTL: no process found
pihole | Pi-hole version is v5.18.3 (Latest: v5.18.3)
pihole | web version is v5.21 (Latest: v5.21)
pihole | FTL version is v5.25.2 (Latest: v5.25.2)
pihole | Container tag is: 2024.07.0
pihole |
pihole | Stopping pihole-FTL
pihole | pihole-FTL: no process found
pihole | Stopping pihole-FTL
pihole | pihole-FTL: no process found
pihole | Stopping pihole-FTL
pihole | pihole-FTL: no process found
pihole | Stopping pihole-FTL
pihole | pihole-FTL: no process found
pihole | Stopping pihole-FTL
pihole | pihole-FTL: no process found
Gracefully stopping... (press Ctrl+C again to force)
Not sure what I'm missing.
EDIT: Port 53 is already in use on my system. But I can access the web interface via my Mac's IP. So, you could use Colima on your Mac.