Pihole is working but host has no internet connection


I replaced my old raspberry and thought it might be an good idea to do the new implementation in a docker / Portainer environment. Just not as easy as I thought.

I did the installation with adjusted yaml files and i did it manually in Portainer. The installation worked every time fine. I can do a nslookup from my computer to the raspberry and pihole is doing its thing just fine. Wenn I do a nslookup on the raspberry the situation looks different. Just no connection to pihole. If i switch my router to the raspberry as the new DNS, Portainer goes haywire since it as no internet connection.

I tried quite a lot to make it work. Different ports, macvlan, bridge mode nothing seems works.
I used these IP's for the macvlan

IPV4 Subnet:
IPV4 Gateway:
IPV4 IP Range:

By luck i stumbled over a forums entry (unrelated to my issue) where somebody combined the port 53 directly with the host IP.
I did that as well and it works now (in bridge mode). Heureka. I just don't understand why?

It seems to me very bodged. Just hope there is a proper way to implement it?

I would like to add unbound as well but I am not sure how to do it, since I had to perform a headstand to make it work for me.

What is here the right way to get that mess cleaned up and add unbound to the mix?
Is macvlan or bridge mode the right way to go?
Apparently I am too new to that whole docker game.
Hope somebody can help me out.
Thanks in advance.

There is no right or wrong.
Pi-hole runs using bridge, host or macvlan network modes.
This is just an user choice.

  1. How did you created your macvlan? Compose file or in a separate step?

  2. You don't need to publish ports using macvlan. The container will use the default ports (53, 80, 67).

  3. Also, by design macvlan doesn't allow direct communication between the host and containers, but this can be easily fixed creating a "macvlan-shim network" to allow the communication.


thanks for responding.

  1. I created the macvlan always separately and manually in Portainer, since adjusting the compose files did not always ended up as intended.

  2. Yeah, noticed that. Portainer is hiding the ports as soon you adding a container to a macvlan

  3. That makes sense after my experiences. Did not know about the shim network though. I think that is a good starting point.

That blog article from Ivan Smirnov seems to be the missing step i was looking for. It makes surprisingly even sense to me, very nice.

Thanks a lot again. Not sure how my endeavor will end up, but now I know what I have to look for to get there.

I'm glad you solved your issue.


Actually, Portainer just shows what docker is doing with the ports.

Ports are never changed when using macvlan.
Docker will always use the container's default ports (then Portainer sees only the default ports and shows nothing).

In Pi-hole's case, these will be the exposed ports:

I managed to get it to work. At least the macvlan-shim part with ipv4 addresses.
Pihole is working without bodging IP addresses and ports together.
Now somehow I have to add unbound and maybe afterwards I like to add ipv6 as well.
Will see. I have a lot to learn I noticed.
Thanks again.

Unfortunately now my wireguard did stop listening to to the other container. The connection to the host is there, just everything else after it is not reachable. Bummer. Back to he drawing board.