I had a spare Protectli FW4B lying around and have been testing Proxmox as a replacement for the Raspberry Pis on which I run apps like Pi-hole in Docker containers. What is cool is that I have 4 ports: one for management, and 2 of the other 3 set up as a LAGG in my switch with the VLANs assigned to the LAGG. This means that a Linux container can have a network adapter on each VLAN, with one Pi-hole instance set up to listen on all origins. No routing needed VLAN to VLAN.
To start I had to create the basic network configuration for the LAGG. The physical network ports are:
I bonded enp2s0 and enp3s0 with LACP 802.3ad and configured my network switch to bond the ports with a profile of "All" so all tagged and untagged traffic can be presented on the ports. I then created a bridge, Bridge1, that will be used to bridge the container networks to the LAGG:
I then created my first container with a network interface on the "Server" VLAN tag and a static IP address. I used the Debian 11 standard container image. I booted it and pinged the gateway for the Server VLAN to make sure I had connectivity. Then I installed Unbound on this container and tested that I could do an NS lookup against the IP address of the new container, which worked.
The next container I created was for Pi-hole. On this container I created a network adapter per VLAN, each with a static address and VLAN tag. Only one gateway was configured, on the "Server" VLAN, to keep things simple.
I used the same Debian base image for the container and installed Pi-hole using the script. I then configured the DNS source of Pi-hole to the address of the Unbound container's network adapter and set it to listen on all origins. Each network interface in the container ends in 222 (192.168.x.222) so that the DNS address is consistent on all VLANs.
I then did a quick nslookup on each interface and they were all working. I set the static hosts' DNS servers to their local VLAN DNS and the DHCP server to hand out the local VLAN DNS server as the Pi-hole for that VLAN.
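The LACP bond, the VLAN-aware bridge and the per-VLAN container interfaces described above, as an added example rather than the author's actual configuration. It assumes Proxmox VE ifupdown2 syntax, the interface names enp2s0/enp3s0, the Proxmox names bond0 and vmbr1, a template path placeholder, and constructed VLAN IDs (10 for "Server", 20, 30) whose ID doubles as the third octet of the subnet.

```shell
#!/bin/sh
# Added example, not the author's config. Assumes Proxmox VE (ifupdown2 syntax),
# NICs enp2s0/enp3s0, and constructed VLAN IDs 10 (Server), 20 and 30.

# Emit the /etc/network/interfaces stanza for an LACP bond feeding a
# VLAN-aware bridge. bridge-vids is limited to the VLANs the containers use
# rather than 2-4094, so a container cannot be attached to a VLAN the host
# was never meant to carry.
bond_bridge_config() {
    slaves="$1"   # e.g. "enp2s0 enp3s0"
    vids="$2"     # e.g. "10 20 30"
    cat <<EOF
auto bond0
iface bond0 inet manual
        bond-slaves $slaves
        bond-miimon 100
        bond-mode 802.3ad
        bond-xmit-hash-policy layer2+3

auto vmbr1
iface vmbr1 inet manual
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids $vids
EOF
}

# Build the --netN arguments for `pct create`: one tagged interface per VLAN,
# host .222 in each 192.168.<vid>.0/24 (constructed convention), with a gateway
# only on the first (Server) VLAN so the container has a single default route.
pct_net_args() {
    n=0; args=""; first=1
    for vid in "$@"; do
        arg="--net$n name=eth$n,bridge=vmbr1,tag=$vid,ip=192.168.$vid.222/24"
        if [ "$first" -eq 1 ]; then
            arg="$arg,gw=192.168.$vid.1"; first=0
        fi
        args="$args${args:+ }$arg"
        n=$((n + 1))
    done
    printf '%s' "$args"
}

# Usage (printed for review, not executed): apply on the Proxmox host.
bond_bridge_config "enp2s0 enp3s0" "10 20 30"
echo "pct create 101 local:vztmpl/<debian-11-template> $(pct_net_args 10 20 30)"
```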
It's been running for a week now with no issues. DNS traffic is now local to each VLAN and I could not be happier that this works. I still haven't given up on Docker and other Pi projects, but this definitely was the coolest thing I have done since my Pi-hole and DNSCrypt-proxy Docker container. I do have plans to set up a 3rd container with just DNSCrypt-proxy configured for DoH and do some comparison on performance. With this model I can easily spool up and test that configuration.
One more thing: the Pi-hole container only seems to use 50 to 60 MB of RAM, and the Unbound container uses about 40 MB of RAM.