Pi-Hole unable to ping the gateway

Expected Behaviour:

Pi-Hole should be able to ping the gateway (ISP modem) and access public Internet.

Actual Behaviour:

Hardware: raspberry pi 4

OS:

  • Linux andromeda 6.1.0-rpi6-rpi-v8 #1 SMP PREEMPT Debian 1:6.1.58-1+rpt2 (2023-10-27) aarch64 GNU/Linux
  • PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"

Network interfaces:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether brd ff:ff:ff:ff:ff:ff
inet 192.168.2.100/24 brd 192.168.2.255 scope global dynamic noprefixroute eth0
valid_lft 257297sec preferred_lft 257297sec
inet6 fe80::435d:7339:95be:1c57/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether brd ff:ff:ff:ff:ff:ff

Network topology:

  • ISP Modem: x.y.z.1 (DHCP enabled)
  • RPI: x.y.z.100 (static / eth0) -- wired directly to the ISP modem
  • Laptop: x.y.z.11 (dynamic / wlan0)

ISP Modem DNS configuration:

  • Primary: x.y.z.100 (RPI/Pi-Hole)
  • Secondary: 8.8.8.8

DHCP configuration:

  • Enabled on ISP modem (but not Pi-Hole)
  • x.y.z.100 is reserved to RPI/Pi-hole

Behavior:

  • Laptop able to ping RPI
  • Laptop able to ping gateway
  • RPI able to ping Laptop
  • SSH possible from Laptop to RPI
  • BUT, Pi-Hole/RPI unable to ping the gateway (ISP modem)
  • Pi-Hole unable to upload debug log

Debug Log:

Sections of the log showing errors:

[i] Default IPv4 gateway(s):
     192.168.2.1
   * Pinging first gateway 192.168.2.1...
[✗] Gateway did not respond. (https://discourse.pi-hole.net/t/why-is-a-default-gateway-important-for-pi-hole/3546)
*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] cdn.apprope.com is 0.0.0.0 on lo (127.0.0.1)
[✓] cdn.apprope.com is 0.0.0.0 on eth0 (192.168.2.100)
[✓] No IPv4 address available on wlan0
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (8.8.8.8)

*** [ DIAGNOSING ]: Name resolution (IPv6) using a random blocked domain and a known ad-serving domain
[✓] www.financesucceed.webador.com is :: on lo (::1)
[✗] Failed to resolve www.financesucceed.webador.com on eth0 (fe80::435d:7339:95be:1c57)
[✓] No IPv6 address available on wlan0
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (2001:4860:4860::8888)

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   Timeout: 10 seconds
   DHCP packets received on interface eth0: 0

I spent weeks debugging in vain. Pi-hole works neither on a bare-metal installation nor as a Docker container. Any help will be highly appreciated. Thank you!

What message is shown when you attempt to upload your debug log?

If the message indicates a failure to resolve the tricorder domain name, do the following:

Temporarily reset the nameserver on the Pi to bypass Pi-Hole DNS.

sudo nano /etc/resolv.conf

Edit the nameserver line to nameserver 9.9.9.9 or your preferred third party DNS service, save and exit

Run

pihole -d

and upload the debug log.

The Pi-Hole is able to generate the debug log but unable to upload it.

[✓] ** FINISHED DEBUGGING! **

   * The debug log can be uploaded to tricorder.pi-hole.net for sharing with developers only.
[i] Debug script running in automated mode
    * Using curl for transmission.
    * curl failed, contact Pi-hole support for assistance.
    * Error message: curl: (6) Could not resolve host: tricorder.pi-hole.net

[✗] There was an error uploading your debug log.
   * Please try again or contact the Pi-hole team for assistance.
   * A local copy of the debug log can be found at: /var/log/pihole/pihole_debug.log

Unfortunately, it does not work.

cat /etc/resolv.conf 
# Generated by NetworkManager
search home
nameserver 8.8.8.8
➜  ~ nslookup www.google.com
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out
;; no servers could be reached

Something is interfering with your DNS traffic to 8.8.8.8.

Do you have any firewalls active? Any DNS redirection at work (for example, to prevent network clients from bypassing Pi-hole)?

No. Nothing specific, to the best of my knowledge.
I set up the DNS settings in the modem: Primary (Pi-Hole IP), secondary: 8.8.8.8.
All network devices have access to the Internet except the RPI/Pi-Hole.
All network devices are wireless but the RPI is wired.

Debug log made private by moderator

You definitely have a connection problem on the Pi itself:

[✗] dig return code: 10
[✗] dig response: dig: couldn't get address for 'ns1.pi-hole.net': failure
[✗] Error: dig command failed - Unable to check OS

[✗] Failed to resolve doubleclick.com via a remote, public DNS server (8.8.8.8)
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (2001:4860:4860::8888)

-rw-r--r-- 1 root root 282 Nov 11 20:56 /etc/pihole/versions
   CORE_VERSION=v5.17.2
   CORE_BRANCH=master
   CORE_HASH=60b6a101
   GITHUB_CORE_VERSION=
   GITHUB_CORE_HASH=
   WEB_VERSION=v5.20.2
   WEB_BRANCH=master
   WEB_HASH=3dd57522
   GITHUB_WEB_VERSION=
   GITHUB_WEB_HASH=
   FTL_VERSION=v5.23
   FTL_BRANCH=master
   FTL_HASH=d201776e
   GITHUB_FTL_VERSION=
   GITHUB_FTL_HASH=

   -----tail of pihole.log------
   Nov 11 21:44:10 dnsmasq[4496]: query[A] 1.debian.pool.ntp.org from 192.168.2.100
   Nov 11 21:44:10 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org to 8.8.8.8
   Nov 11 21:44:10 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org to 8.8.4.4
   Nov 11 21:44:10 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org to 208.67.222.222
   Nov 11 21:44:10 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org to 208.67.220.220
   Nov 11 21:44:10 dnsmasq[4496]: query[AAAA] 1.debian.pool.ntp.org from 192.168.2.100
   Nov 11 21:44:10 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org to 8.8.8.8
   Nov 11 21:44:10 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org to 8.8.4.4
   Nov 11 21:44:10 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org to 208.67.222.222
   Nov 11 21:44:10 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org to 208.67.220.220
   Nov 11 21:44:15 dnsmasq[4496]: query[A] 1.debian.pool.ntp.org.home from 192.168.2.100
   Nov 11 21:44:15 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org.home to 8.8.8.8
   Nov 11 21:44:15 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org.home to 8.8.4.4
   Nov 11 21:44:15 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org.home to 208.67.222.222
   Nov 11 21:44:15 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org.home to 208.67.220.220
   Nov 11 21:44:15 dnsmasq[4496]: query[AAAA] 1.debian.pool.ntp.org.home from 192.168.2.100
   Nov 11 21:44:15 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org.home to 8.8.8.8
   Nov 11 21:44:15 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org.home to 8.8.4.4
   Nov 11 21:44:15 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org.home to 208.67.222.222
   Nov 11 21:44:15 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org.home to 208.67.220.220

The versions file is incomplete in that it has not retrieved the Github versions.

The last part above is the tail of your Pi-hole log. Of interest, there are no replies from your upstream DNS server.

Check on the device itself for connectivity issues.
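The check described above (forwards in pihole.log with no replies from upstream) can be automated. This is an added example, not part of the original posts or Pi-hole's own code; the function names are hypothetical, and the sample log is constructed in the format quoted in the thread, with `example.test` and its reply line invented for contrast.

```python
import re
from collections import OrderedDict

# Constructed sample in the pihole.log format quoted in the thread.
# The first name mirrors the thread's symptom (forwards, no reply);
# example.test and its reply line are invented for contrast.
SAMPLE_LOG = """\
Nov 11 21:44:10 dnsmasq[4496]: query[A] 1.debian.pool.ntp.org from 192.168.2.100
Nov 11 21:44:10 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org to 8.8.8.8
Nov 11 21:44:10 dnsmasq[4496]: forwarded 1.debian.pool.ntp.org to 8.8.4.4
Nov 11 21:44:12 dnsmasq[4496]: query[A] example.test from 192.168.2.11
Nov 11 21:44:12 dnsmasq[4496]: forwarded example.test to 8.8.8.8
Nov 11 21:44:12 dnsmasq[4496]: reply example.test is 192.0.2.10
"""

# Matches query / forwarded / reply / cached lines; anything else is skipped.
LINE = re.compile(
    r"dnsmasq\[\d+\]: (?P<kind>query\[\w+\]|forwarded|reply|cached)"
    r" (?P<name>\S+) (?:from|to|is) (?P<peer>\S+)"
)


def summarize(lines):
    """Per queried name: upstreams it was forwarded to, and whether answered."""
    state = OrderedDict()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        entry = state.setdefault(m["name"], {"upstreams": [], "answered": False})
        if m["kind"] == "forwarded" and m["peer"] not in entry["upstreams"]:
            entry["upstreams"].append(m["peer"])
        elif m["kind"] in ("reply", "cached"):
            entry["answered"] = True
    return state


def unanswered(lines):
    """Names forwarded upstream that never got a reply or a cache hit."""
    return {name: e["upstreams"] for name, e in summarize(lines).items()
            if e["upstreams"] and not e["answered"]}


def upstream_silent(lines):
    """True when forwards exist and not one forwarded name was answered."""
    forwarded = [e for e in summarize(lines).values() if e["upstreams"]]
    return bool(forwarded) and not any(e["answered"] for e in forwarded)


if __name__ == "__main__":
    for name, ups in unanswered(SAMPLE_LOG.splitlines()).items():
        print(f"no reply for {name}; tried {', '.join(ups)}")
```

When `upstream_silent` is true for a whole log tail, as in the excerpt above, the fault lies between the Pi and its upstream servers rather than in blocklists or client configuration.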

Also double-check your router settings and confirm that it is indeed at 192.168.2.1, and not, for example, at 192.168.1.1. Being on the wrong network could give the symptoms seen. Sometimes an ISP will make remote changes to a router, e.g. to upgrade it, and there is a slim chance it may have changed. Or you may have even transcribed it incorrectly.

It may be a faulty ethernet cable. Perhaps enable the Pi's wifi interface, then do pihole -r and Reconfigure and try using that instead of a cable, just for testing purposes. Afterwards you can reconnect the cable, disable wifi and do another Reconfigure to return to the desired wired setup.

From the hidden debug log.

I see – it has an IP via DHCP from said router? Meaning it has reached it previously.

No DHCP servers answered:

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   Timeout: 10 seconds
   DHCP packets received on interface eth0: 0

That's what I was describing in the first instance – the possibility that the Pi has been set up on 192.168.2.0/24 because the router was believed to be (or indeed once was) on 192.168.2.1, but due to a transcribing error, or the ISP doing a remote update, the router is now on a different network, such as 192.168.1.1, cutting the Pi off as a result of using 192.168.2.0/24. Hence worth checking the router's IP to confirm that it and the Pi are on the same network for sure.

Hello,

Thank you for your suggestions. Actually, I checked the network parameters multiple times. The modem and the RPI are on the same network. After a long day of debugging, I got to the point that I scrapped Debian and installed Ubuntu. I had to start over again.

This time, I'm betting on Docker again. I went through the steps that are provided in the official documentation.

Docker compose file:

version: "3"

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    hostname: pihole
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
    environment:
      TZ: 'America/Toronto'
      WEBPASSWORD: '***'
      DNSMASQ_LISTENING: 'all'
    dns:
      - 127.0.0.1
      - 1.1.1.1
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

Status report!

  • Gravity update works. Blocking from within the RPI seems to be working. However, ad blocking does not work for any of my network devices.

List of clients:

Client Requests Frequency
localhost 507
172.18.0.1 114
pihole 2

This is an excerpt of the container's network settings:

"Ports": {
                "53/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "53"
                    },
                    {
                        "HostIp": "::",
                        "HostPort": "53"
                    }
                ],
                "53/udp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "53"
                    },
                    {
                        "HostIp": "::",
                        "HostPort": "53"
                    }
                ],
                "67/udp": null,
                "80/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "80"
                    },
                    {
                        "HostIp": "::",
                        "HostPort": "80"
                    }
                ]
            },
...
"Gateway": "172.21.0.1",
"IPAddress": "172.21.0.2",
"IPPrefixLen": 16,

Here's the token of the latest logs: E2wmKF8X

Here's some more information about my new setup:

PI Interfaces:

lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether
    inet 192.168.2.100/24 brd 192.168.2.255 scope global dynamic noprefixroute eth0
       valid_lft 254713sec preferred_lft 254713sec
    inet6 fe80::f16b:4ae3:8b82:dff9/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 
    inet 192.168.2.17/24 brd 192.168.2.255 scope global dynamic noprefixroute wlan0
       valid_lft 254707sec preferred_lft 254707sec
    inet6 fe80::68c2:5793:91f8:915c/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:3ff:fe59:509f/64 scope link 
       valid_lft forever preferred_lft forever
18: br-3a7548a6bcb1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 
    inet 172.21.0.1/16 brd 172.21.255.255 scope global br-3a7548a6bcb1
       valid_lft forever preferred_lft forever
    inet6 fe80::42:26ff:fe63:46f9/64 scope link 
       valid_lft forever preferred_lft forever
20: veth2f0f286@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-3a7548a6bcb1 state UP group default 
    link/ether link-netnsid 0
    inet6 fe80::a4dd:84ff:febe:eb1e/64 scope link 
       valid_lft forever preferred_lft forever

Modem DNS settings:

  • Primary: x.y.z.100 (Pi/Pi-Hole on Docker on eth0)
  • Secondary: 8.8.8.8

When I forced the secondary DNS to use Pi-Hole, no Internet! (as simple as that!)

Curiously, it is not possible to ping the gateway from RPI while it is possible to ping other devices on the network:

➜  RPI ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
From 192.168.2.100 icmp_seq=1 Destination Host Unreachable
From 192.168.2.100 icmp_seq=2 Destination Host Unreachable
^C
--- 192.168.2.1 ping statistics ---
5 packets transmitted, 0 received, +2 errors, 100% packet loss, time 4046ms
pipe 2
➜  RPI ping 192.168.2.11
PING 192.168.2.11 (192.168.2.11) 56(84) bytes of data.
64 bytes from 192.168.2.11: icmp_seq=1 ttl=64 time=3.51 ms
64 bytes from 192.168.2.11: icmp_seq=2 ttl=64 time=52.8 ms
^C
--- 192.168.2.11 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 3.506/28.136/52.766/24.630 ms

It is possible to ping the gateway and the RPI (eth0) from another device (laptop) on the same network:

➜  Laptop ping 192.168.2.1  
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=4.90 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=2.86 ms
^C
--- 192.168.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 2.862/3.882/4.902/1.020 ms
➜  Laptop ping 192.168.2.100
PING 192.168.2.100 (192.168.2.100) 56(84) bytes of data.
64 bytes from 192.168.2.100: icmp_seq=1 ttl=64 time=5.12 ms
64 bytes from 192.168.2.100: icmp_seq=2 ttl=64 time=2.86 ms
64 bytes from 192.168.2.100: icmp_seq=3 ttl=64 time=2.77 ms
^C
--- 192.168.2.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 2.767/3.584/5.122/1.088 ms

Third observation, it is possible to ping an external domain name (e.g., www.google.com) from within the Docker container (pihole) but not the gateway.

➜  Hole docker exec -it pihole bash
root@pihole:/# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
From 192.168.2.100 icmp_seq=1 Destination Host Unreachable
From 192.168.2.100 icmp_seq=2 Destination Host Unreachable
From 192.168.2.100 icmp_seq=3 Destination Host Unreachable
^C
--- 192.168.2.1 ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4068ms
pipe 4
root@pihole:/# ping www.google.com
PING www.google.com (172.217.13.164) 56(84) bytes of data.
64 bytes from yul03s04-in-f4.1e100.net (172.217.13.164): icmp_seq=1 ttl=117 time=5.16 ms
64 bytes from yul03s04-in-f4.1e100.net (172.217.13.164): icmp_seq=2 ttl=117 time=4.26 ms
64 bytes from yul03s04-in-f4.1e100.net (172.217.13.164): icmp_seq=3 ttl=117 time=4.65 ms
^C
--- www.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 4.262/4.691/5.162/0.368 ms
root@pihole:/# nslookup www.google.com
Server:		127.0.0.11
Address:	127.0.0.11#53

Non-authoritative answer:
Name:	www.google.com
Address: 172.217.13.164
Name:	www.google.com
Address: 2607:f8b0:4020:805::2004

Last but not least:

  • I replaced the network cable and used another port of the modem.

What am I missing here?

To complement the information I've given in the previous post, I forced my laptop to use the RPI IP address as DNS resolver. No results so far!

➜  Laptop cat /etc/resolv.conf 
#nameserver 127.0.0.53
nameserver 192.168.2.100
options edns0 trust-ad
search home
➜  Laptop nslookup www.google.com
;; communications error to 192.168.2.100#53: timed out
;; communications error to 192.168.2.100#53: timed out
;; communications error to 192.168.2.100#53: timed out
;; no servers could be reached


➜  Laptop dig www.google.com
;; communications error to 192.168.2.100#53: timed out
;; communications error to 192.168.2.100#53: timed out
;; communications error to 192.168.2.100#53: timed out

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> www.google.com
;; global options: +cmd
;; no servers could be reached
