Pi-hole is blocking Bitwarden

I am running both Bitwarden and Pi-hole in separate Docker containers on my Synology NAS. Pi-hole runs fine, but when it is running, I cannot access Bitwarden when connected to my local network. If Pi-hole is running, I can only access Bitwarden when not connected to my local network (i.e. cellular network). When I stop the Pi-hole container, I am able to connect to Bitwarden again on my local network. This leads me to believe it is some setting in Pi-hole I have configured wrong or one I need to configure to access Bitwarden. Any help would be great. Am I missing something easy?

*After some further troubleshooting, I figured out that it is not just Pi-hole running that causes the issue. I configured a macvlan network for Pi-hole to use; that is where the issue begins. If I stop the container and delete the ph_network, then I am able to connect to Bitwarden again. The command I used to make the macvlan network is listed below.

sudo docker network create -d macvlan -o parent=eth1 --subnet=10.0.0.0/24 --gateway=10.0.0.1 --ip-range=10.0.0.198/32 ph_network

Debug token url: https://tricorder.pi-hole.net/OeRt4bkd/

Below is my compose.yaml file setup.

version: "3"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp" # Only required if you are using Pi-hole as your DHCP server
      - "80:80/tcp"
    networks:
     - ph_network
     - ph_bridge
    environment:
      TZ: 'America/Dallas'
      WEBPASSWORD: '-Password-'
      DNSMASQ_LISTENING: local

en container upgrades
    volumes:
      - '/volume1/docker/pihole/pihole:/etc/pihole'
      - '/volume1/docker/pihole/dnsmasq.d:/etc/dnsmasq.d'
    cap_add:
      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
    restart: unless-stopped
networks:
    ph_bridge:
      driver: bridge
      ipam:
        config:
          - subnet: 192.168.10.0/24
            gateway: 192.168.10.1
            ip_range: 192.168.10.2/32
    ph_network:
      name: ph_network
      external: true

That compose contains a seemingly unintended > Blockquote?
Please edit your post to correctly reflect your current compose file.

Also, please share your Bitwarden compose file, specifically the ports and networks sections - you may want to be careful to redact sensitive information.

And please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

I believe I made the debug log correctly and listed the token URL that was created. I also added some extra notes I figured out through some additional troubleshooting.

Your compose file still looks dodgy, at around the same place where that Blockquote was.

I notice that you are tying your container to two networks, ph_bridge and ph_network.
Is that by intention?

Also, each of those networks defines a specific IP address range.
What is your home network address range?

Also, it seems you have overlooked my request to...

I followed some generic instructions to set up Pi-hole on my NAS. This was a copy and paste compose file. I followed the instructions to create a macvlan network for Pi-hole, ph_network; I don’t know how else to set it up. Do I have to use a macvlan network for Pi-hole? I thought this is how my home router sends traffic to Pi-hole.

As for your request to include the compose file for Bitwarden, I don’t have one. I didn’t use a compose file to make my Bitwarden container from a project. I made it just by using Synology’s Container Manager. The only network-specific setting I set for Bitwarden was specifying the internal port of my NAS to connect to port 80 of the container. I then set a reverse proxy to direct traffic from a specific incoming port to the port I directed to Bitwarden.

My home network IP and gateway are specified in the command line I used to make the macvlan.

Where does the ph_bridge network come from then?

If you do not require that, you should probably remove it, or start with a fresh docker-compose.

No, the choice is yours - but your choice may be affected by your requirements as well as by your host configuration.

In bridge network modes, Docker would allow you to remap ports, so you could avoid port conflicts.

This isn't an option for the DNS port (53), as any client would use that port by default, so Pi-hole must bind that port in order to receive your clients' requests.

Now, if anything on the host is already claiming port 53, then that would force you to avoid host and bridge network modes.
Alternatively, you could try to free port 53 by disabling whatever service is claiming it on the host, and use one of Docker's bridge or host network modes.
If you can't do that, you'd have to use one of the network drivers that would create a virtual network interface (e.g. macvlan or ipvlan).

When using macvlan, you should be aware that there is no communication between your container and the host, as Docker isolates it, which could prevent your Bitwarden container from resolving DNS if it would use Pi-hole's macvlan container IP for DNS.

But without your Bitwarden configuration, I cannot know whether it would be that macvlan communication issue or a port conflict or if Pi-hole would block a domain that Bitwarden needs to resolve.

Note that, except for the last, those would be Docker issues rather than Pi-hole ones.

If Pi-hole would be blocking a Bitwarden domain, then that should register as blocked in Pi-hole's Query Log, from where you could use the respective button in the Action column to allow it.
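
The two Docker-side checks described in the reply above, as an added example that is not part of the original thread: it lists what already holds port 53 on the host, and tests whether a container's resolver points at the Pi-hole macvlan address. The `ss` and `resolv.conf` samples are constructed, the container name `bitwarden` is an assumption, and 10.0.0.198 is the address from the `docker network create` command earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs below are constructed.

# Read `ss -H -lntup` output on stdin; print "proto address process" for
# every socket bound to port 53 on the host.
port53_owners() {
  awk '{
    n = split($5, part, ":")            # local address is field 5 (addr:port)
    if (part[n] != "53") next
    addr = substr($5, 1, length($5) - 3)
    proc = "unknown"                    # ss omits the process without root
    if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
    print $1, addr, proc
  }'
}

# Map the result to the choice described above: a taken port 53 rules out
# host and bridge modes unless that service is disabled.
suggest_mode() {
  if [ -n "$(port53_owners)" ]; then
    echo "macvlan-or-ipvlan"
  else
    echo "bridge-or-host"
  fi
}

# Read a resolv.conf on stdin; succeed if any nameserver is the Pi-hole
# macvlan address ($1), which macvlan isolation cuts off from the host.
resolver_hits_macvlan() {
  awk -v ip="$1" '$1 == "nameserver" && $2 == ip { hit = 1 } END { exit !hit }'
}

# Constructed sample: a host where dnsmasq already holds port 53.
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("dnsmasq",pid=8123,fd=4))
tcp LISTEN 0 32 0.0.0.0:53 0.0.0.0:* users:(("dnsmasq",pid=8123,fd=5))
tcp LISTEN 0 128 0.0.0.0:5000 0.0.0.0:* users:(("nginx",pid=901,fd=7))'

# Constructed sample: resolv.conf of a container that uses Pi-hole as DNS.
SAMPLE_RESOLV='nameserver 10.0.0.198
options ndots:0'

# On a real host (container name "bitwarden" is an assumption):
#   ss -H -lntup | port53_owners
#   docker exec bitwarden cat /etc/resolv.conf | resolver_hits_macvlan 10.0.0.198
```
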
