Pi-hole is installed on OpenMediaVault (7.0-29, Sandworm) via Docker Compose.
When Pi-hole is active (by changing the DNS server on the router to that of Pi-hole) I can't update OpenMediaVault and its plugins.
Also I can't update Plex metadata. If I disable Pi-hole everything works.
Everything else works perfectly (the whole network is protected).
I can't understand what I'm doing wrong.
Can you help me?
All the traffic of OpenMediaVault and the other installed containers is blocked by Pi-hole. Which settings should I change in the container configuration file (or in the settings)?
Sorry, but I can't use Pi-hole with these problems.
Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:
```yaml
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    hostname: pihole
    networks:
      pih_network:
        ipv4_address: 192.168.0.100 #**Change, use pihole address
    environment:
      TZ: 'Europe/Rome' #**Change to your timezone
      WEBPASSWORD: 'XXXXXXXXXXXXXXXXX' #**Password for pihole, used on container creation.
    #dns: #**Start of addition for DNS resolution
    #- 127.0.0.1 #**End of addition for DNS resolution
    ports:
      - "443:443/tcp"
      - "53:53/tcp"
      #- "67:67/udp" # Only required if you are using Pi-hole as your DHCP server
      - "53:53/udp"
      - "80:80/tcp"
    restart: "unless-stopped"
    volumes:
      - "/Data/pihole/etc/pihole:/etc/pihole"
      - "/Data/pihole/etc/dnsmasq.d:/etc/dnsmasq.d"
    #cap_add:
    #- NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed

networks:
  pih_network:
    driver: macvlan
    driver_opts:
      parent: end0 #**Change this to your interface
    ipam:
      config:
        - subnet: 192.168.0.0/24 #**Your network subnet
          gateway: 192.168.0.1 #**Your network gateway
          ip_range: 192.168.0.0/25 #**ip for pihole container
```
```text
pi@shield:~ $ nslookup pi.hole 192.168.0.100
;; communications error to 192.168.0.100#53: timed out
;; communications error to 192.168.0.100#53: timed out
;; communications error to 192.168.0.100#53: timed out
;; no servers could be reached
pi@shield:~ $ nslookup raw.githubusercontent.com 192.168.0.100
;; communications error to 192.168.0.100#53: timed out
;; communications error to 192.168.0.100#53: timed out
;; communications error to 192.168.0.100#53: timed out
;; no servers could be reached
```
But at the moment Pi-hole is not the DNS server, because the updates would not work.
You didn't confirm (or deny), but I will assume you are connecting to the host (OpenMediaVault server).
If that's the case, your issue is probably related to your macvlan network.
Macvlan networks are not able to directly communicate with the host OS.
This isolation is by design, but you can use a "shim" network interface to allow this communication.
Note:
I noticed you are creating your macvlan network directly in the compose file.
As I said before, communication between the host and container using a macvlan network is not possible, but using the network "shim" will allow this communication.
parent=eth0: This should be your host network interface. You will need to use the same interface when you create the shim network (step 3).
subnet: 192.168.0.0/24: This is your network subnet (usually the same as defined on your router).
gateway: 192.168.0.1: Your network gateway (usually your router's IP).
ip_range: 192.168.0.0/25: Your macvlan network range. Your Pi-hole IP should be inside this range.
You can add other containers to this network.
aux-address: 192.168.0.126: This address will be excluded (Docker won't be allowed to use this address for containers).
We will later use this address to create a "shim" network, to allow host-container communication.
Make sure you add an auxiliary address to your macvlan config.
2. Use this network in your compose file
To create your container, just use the macvlan0 in your compose file, as an external network:
```yaml
networks:
  macvlan0:
    external: true
```
Now your container works, but there is no Docker-to-host communication (and vice versa).
3. Allow Docker-to-host communication
Create a "shim" network to allow the communication:
```bash
# Some tutorials recommend this step. I'm not sure if this is needed for everyone, but here it is anyway.
sudo ip link set eth0 promisc on
# This will create a virtual link called "macvlan-shim" (you can use a different name)
sudo ip link add macvlan-shim link eth0 type macvlan mode bridge
# Assign an IP and range to the new network link.
# IMPORTANT: use the same value used for "aux-address".
sudo ip addr add 192.168.0.126/25 dev macvlan-shim
# Bring your new interface up
sudo ip link set macvlan-shim up
```
At this point your container and host will be allowed to communicate, but this will be lost on every boot.
You can read on the articles I linked above, how to persist these settings.
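The three steps above (macvlan network with a reserved aux-address, the host-side shim interface, and making the shim survive a reboot) as one added example script. This is not code from the post or from the Pi-hole project; it assumes the names used in this thread (parent interface end0 from the compose file, network macvlan0, shim interface macvlan-shim, aux-address 192.168.0.126, Pi-hole at 192.168.0.100) and a systemd host. The systemd unit, the `DRY_RUN` switch and the `dig` check are my additions for persistence and verification.

```shell
#!/bin/sh
# Added example (not from the post above): creates the macvlan network with an
# aux-address, creates the host-side "shim" interface so the host can reach the
# Pi-hole container, verifies DNS, and installs a oneshot systemd unit that
# recreates the shim at boot. All defaults below are assumptions taken from the
# thread; override them via environment variables for your network.
set -u

PARENT="${PARENT:-end0}"                 # host NIC used as the macvlan parent
NET_NAME="${NET_NAME:-macvlan0}"         # Docker network name referenced in compose
SUBNET="${SUBNET:-192.168.0.0/24}"
GATEWAY="${GATEWAY:-192.168.0.1}"
IP_RANGE="${IP_RANGE:-192.168.0.0/25}"   # addresses Docker may hand to containers
SHIM="${SHIM:-macvlan-shim}"
SHIM_ADDR="${SHIM_ADDR:-192.168.0.126}"  # must equal the aux-address reserved below
SHIM_PREFIX="${IP_RANGE#*/}"             # "25": same prefix length as ip_range
PIHOLE_IP="${PIHOLE_IP:-192.168.0.100}"
UNIT_PATH="${UNIT_PATH:-/etc/systemd/system/macvlan-shim.service}"
DRY_RUN="${DRY_RUN:-}"                   # DRY_RUN=1 prints commands instead of running them

# Print the command line in dry-run mode, otherwise execute it.
run() {
  if [ -n "$DRY_RUN" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: macvlan network. The aux-address reserves the shim IP so Docker never
# assigns it to a container (a duplicate would break host<->container traffic).
create_network() {
  run docker network create -d macvlan \
    --subnet "$SUBNET" --gateway "$GATEWAY" --ip-range "$IP_RANGE" \
    --aux-address "shim=$SHIM_ADDR" -o parent="$PARENT" "$NET_NAME"
}

# Step 3: host-side macvlan interface. Using the same prefix length as ip_range
# installs a connected route for the container range via the shim; it is more
# specific than the /24 on the parent NIC, so host->container packets leave via
# the shim instead of being dropped by macvlan's parent/child isolation.
create_shim() {
  if [ -z "$DRY_RUN" ] && ip link show "$SHIM" >/dev/null 2>&1; then
    printf '%s already exists, skipping\n' "$SHIM" >&2
    return 0
  fi
  run ip link add "$SHIM" link "$PARENT" type macvlan mode bridge
  run ip addr add "$SHIM_ADDR/$SHIM_PREFIX" dev "$SHIM"
  run ip link set "$SHIM" up
}

# Verification: the host must now get an answer from Pi-hole on port 53.
check_dns() {
  dig @"$PIHOLE_IP" pi.hole +short +time=2 +tries=1
}

# Oneshot systemd unit that re-runs this script with the "shim" argument at boot
# (assumption: systemd host; $1 is the installed path of this script).
unit_text() {
  script="${1:-/usr/local/sbin/macvlan-shim.sh}"
  cat <<EOF
[Unit]
Description=macvlan shim interface for Pi-hole container access
After=network-online.target docker.service
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sh $script shim
ExecStop=/sbin/ip link delete $SHIM

[Install]
WantedBy=multi-user.target
EOF
}

install_unit() {
  if [ -n "$DRY_RUN" ]; then unit_text "$1"; else unit_text "$1" > "$UNIT_PATH"; fi
  run systemctl daemon-reload
  run systemctl enable --now macvlan-shim.service
}

case "${1:-}" in
  network) create_network ;;
  shim)    create_shim ;;
  check)   check_dns ;;
  persist) install_unit "$(readlink -f "$0")" ;;
  "")      ;;   # no argument: only define the functions
  *)       echo "usage: $0 network|shim|check|persist" >&2; exit 2 ;;
esac
```

Run it as root in order: `network`, `shim`, `check` (should print the Pi-hole container's own address), then `persist`. Keep the router's DHCP pool outside the `ip_range` (here 192.168.0.0/25) so it cannot hand out addresses Docker or the shim already use.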
That looks just like what OMV's own documentation suggests:
EDIT:
Note that those steps would only be required if you want same host DNS requests to reach your Pi-hole.
They are not blocked by Pi-hole, but VLAN isolation prevents any traffic from being routed to your container (as demonstrated by your failing nslookups and pings).
If your containers do not need their DNS traffic to be filtered by Pi-hole, you could also consider configuring OMV's OS to not use Pi-hole for DNS.
That would also avoid potential issues with OMV's own DNS requests, e.g. after a reboot, when Docker would not yet have started, but OMV would already try to resolve domains.
Note that Pi-hole does not touch its host machine's DNS configuration.
It's even beneficial to use an alternate (public) DNS server, as that would allow the host OS to resolve DNS if Pi-hole would be inoperative (e.g. for OS updates and Pi-hole's repair scripts).