Pi-Hole on docker-compose on OMV DNS issues with wireless interface

I have an issue running Pi-Hole on docker-compose using OMV.
I should mention this issue only occurs when I use the wireless interface wlan0.
I want to use a macvlan to give my Pi-Hole an address outside what my DHCP assigns.
I need to do this because otherwise the ports for OMV and Pi-Hole would clash.
I do not want to use the Pi-Hole as a DHCP host, just as a DNS sinkhole.

My docker compose file is:

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    hostname: pihole
    networks:
      pi_network:
        ipv4_address: 192.168.1.68
    environment:
      TZ: 'Europe/Zagreb'
      WEBPASSWORD: '12345678'
    ports:
      - "443:443/tcp"
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
    restart: "unless-stopped"
    volumes:
      - "/srv/dev-disk-by-uuid-48b944cc-417c-415a-a8bc-3875bab7b992/config/pihole:/etc/pihole"
      - "/srv/dev-disk-by-uuid-48b944cc-417c-415a-a8bc-3875bab7b992/config/pihole/dnsmasq.d:/etc/dnsmasq.d"
networks:
  pi_network:
    driver: macvlan
    driver_opts:
      parent: wlan0
    ipam:
      config:
        - subnet: 192.168.1.0/24
          gateway: 192.168.1.1
          ip_range: 192.168.1.68/32

The assigned address is not in the DHCP range of the router, the subnet and gateway are correct.
When I use this exact compose file but have the parent field be a wired interface it works.

The output of docker logs pihole is:

piServer@raspberrypi:/srv/dev-disk-by-uuid-48b944cc-417c-415a-a8bc-3875bab7b992/config/pihole $ sudo docker logs pihole
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service cron: starting
s6-rc: info: service cron successfully started
s6-rc: info: service _uid-gid-changer: starting
s6-rc: info: service _uid-gid-changer successfully started
s6-rc: info: service _startup: starting
  [i] Starting docker specific checks & setup for docker pihole/pihole
  [i] Setting capabilities on pihole-FTL where possible
  [i] Applying the following caps to pihole-FTL:
        * CAP_CHOWN
        * CAP_NET_BIND_SERVICE
        * CAP_NET_RAW
  [i] Ensuring basic configuration by re-running select functions from basic-install.sh

  [i] Installing configs from /etc/.pihole...
  [i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
  [✓] Installed /etc/dnsmasq.d/01-pihole.conf
  [✓] Installed /etc/dnsmasq.d/06-rfc6761.conf

  [i] Installing latest logrotate script...
 [i] Existing logrotate file found. No changes made.
  [i] Assigning password defined by Environment Variable
  [✓] New password set
  [i] Added ENV to php:
                    "TZ" => "Europe/Zagreb",
                    "PIHOLE_DOCKER_TAG" => "",
                    "PHP_ERROR_LOG" => "/var/log/lighttpd/error-pihole.log",
                    "CORS_HOSTS" => "",
                    "VIRTUAL_HOST" => "pihole",
  [i] Using IPv4 and IPv6

  [✓] Installing latest Cron script
  [i] Preexisting ad list /etc/pihole/adlists.list detected (exiting setup_blocklists early)
  [i] Existing DNS servers detected in setupVars.conf. Leaving them alone
  [i] Applying pihole-FTL.conf setting LOCAL_IPV4=0.0.0.0
  [i] FTL binding to default interface: eth0
  [i] Enabling Query Logging
  [i] Testing lighttpd config: Syntax OK
  [i] All config checks passed, cleared for startup ...
  [i] Docker start setup complete

  [i] pihole-FTL (no-daemon) will be started as pihole

s6-rc: info: service _startup successfully started
s6-rc: info: service pihole-FTL: starting
s6-rc: info: service pihole-FTL successfully started
s6-rc: info: service lighttpd: starting
s6-rc: info: service lighttpd successfully started
s6-rc: info: service _postFTL: starting
  Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
s6-rc: info: service _postFTL successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
  [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range

  [✓] Preparing new gravity database
  [✓] Creating new gravity databases
  [i] Using libz compression

  [i] Target: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  [✗] Status: Connection Refused
  [✗] List download failed: no cached list available

  [✓] Building tree
  [✓] Swapping databases
  [✓] The old database remains available
  [i] Number of gravity domains: 0 (0 unique domains)
  [i] Number of exact blacklisted domains: 0
  [i] Number of regex blacklist filters: 0
  [i] Number of exact whitelisted domains: 0
  [i] Number of regex whitelist filters: 0
  [✓] Cleaning up stray matter

  [✓] FTL is listening on port 53
     [✓] UDP (IPv4)
     [✓] TCP (IPv4)
     [✓] UDP (IPv6)
     [✓] TCP (IPv6)

  [✓] Pi-hole blocking is enabled

fatal: unable to access 'https://github.com/pi-hole/pi-hole/': Failed to connect to github.com port 443: No route to host
fatal: unable to access 'https://github.com/pi-hole/web/': Failed to connect to github.com port 443: No route to host
fatal: unable to access 'https://github.com/pi-hole/FTL/': Failed to connect to github.com port 443: No route to host
  Pi-hole version is v5.18.2 (Latest: N/A)
  web version is v5.21 (Latest: N/A)
  FTL version is v5.25.2 (Latest: N/A)
  Container tag is: 2024.05.0

It looks like DNS is not resolving and I don't know why.
This is the debug log from pihole -d
pihole_debug.txt (24.7 KB)

What keeps you from tying to a wired interface then?

This isn't a Pi-hole issue:
For the most part, wifi protocols disagree with multiple MAC addresses showing up for the same device, i.e. you can't expect macvlan to work with any wifi interface and/or AP/router.
Your observation would indicate yours doesn't.

Note that Pi-hole 5 doesn't require port 443, so you could omit that.

Is that conflict about port 53, or just port 80?

If so, did you consider running your container in bridge network mode and just remap the web port?

Alternatively, if you need to avoid port 53 as well, you could consider trying to use ipvlan instead (see Docker's Use an IPvlan instead of Macvlan), which would give your container a separate IP without creating an additional, virtual MAC.

I would prefer not to since I do not have an easy way to store the server near the router or any cabling done to bring the ethernet where I need it.

I did not know a macvlan has its own MAC address. Makes sense when you say it ahahaha.

I found reading the resource:

that I could set the parent interface to promiscuous mode with:

sudo ip link set wlan0 promisc on

As far as I understand it tells the interface to receive all the packets regardless if it has its MAC address as the destination.
After creating a macvlan with a promiscuous parent wlan0 with the commands:

sudo ip link add pi_network link wlan0 type macvlan mode bridge
sudo ip addr add 10.0.37.68/32 dev pi_network
sudo ip link set pi_network up

I could ping using the container with the command:

sudo docker exec -ti pihole ping -c 4 192.168.1.68

But I still can't ping from inside the container.

Yes, the collision would occur on port 53 and port 80.

I did try to use the bridge interface docker0, which was created automatically when installing docker-compose, but its IP is 172.17.0.1 and I can't access that address or ping it from my local network (I lack the knowledge of networking).

And anyways then I tried using an ipvlan and it worked.... this is amazing thank you so much <3
The only thing I changed was the docker-compose file driver from macvlan to ipvlan.
I hope this thread helps a lost soul like myself.

Thank you again @Bucking_Horn
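
The change that resolved the thread, written out as an added example that is not part of any post above: the original compose file with the network driver switched from macvlan to ipvlan, so the container gets its own LAN address while sharing wlan0's MAC. The `PIHOLE_WEBPASSWORD` variable and its `.env` file are assumptions introduced here, replacing the literal password in the posted file.

```yaml
# Added example, not from the thread: the posted compose file with ipvlan.
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    hostname: pihole
    networks:
      pi_network:
        ipv4_address: 192.168.1.68
    environment:
      TZ: 'Europe/Zagreb'
      # Assumption: PIHOLE_WEBPASSWORD is a hypothetical variable defined in a
      # .env file next to this compose file. Compose refuses to start the
      # stack if it is unset or empty, so no password lives in this file.
      WEBPASSWORD: "${PIHOLE_WEBPASSWORD:?set PIHOLE_WEBPASSWORD in .env}"
    # No "ports:" section. The container has its own LAN address
    # (192.168.1.68), so clients reach 53 and 80 there directly and nothing
    # is bound on the OMV host. Port 443 is not needed by Pi-hole 5.
    restart: "unless-stopped"
    volumes:
      - "/srv/dev-disk-by-uuid-48b944cc-417c-415a-a8bc-3875bab7b992/config/pihole:/etc/pihole"
      - "/srv/dev-disk-by-uuid-48b944cc-417c-415a-a8bc-3875bab7b992/config/pihole/dnsmasq.d:/etc/dnsmasq.d"
networks:
  pi_network:
    driver: ipvlan          # was: macvlan (adds a second MAC behind wlan0)
    driver_opts:
      parent: wlan0
      ipvlan_mode: l2       # Docker's default ipvlan mode, written out
    ipam:
      config:
        - subnet: 192.168.1.0/24
          gateway: 192.168.1.1
          ip_range: 192.168.1.68/32
```

As with macvlan, the Docker host itself cannot reach the container's address through the parent interface, so test resolution against 192.168.1.68 from another device on the LAN.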