Run pi-hole on an additional ip

I use my pi as a webserver in addition to using it as a pi-hole. The webserver is exposed to the internet and has a valid let's encrypt certificate (which serves the admin page through a reverse proxy).

I accomplished this by changing the lighttpd port to 8077. I wrote my own update function for pi-hole to prevent it from changing the port back:

pihole -up
# Allow framing of admin page
sed -i 's/"X-Frame-Options" => "DENY"/"X-Frame-Options" => "SAMEORIGIN"/' /etc/lighttpd/lighttpd.conf
sed -i "s/server.port                 = 80\n/server.port                 = $PIHOLE_PORT\n/" /etc/lighttpd/lighttpd.conf
sed -i 's:127.0.0.1/admin/:127.0.0.1\:'$PIHOLE_PORT'/admin/:g' /opt/pihole/chronometer.sh

service lighttpd restart

When I visit a pi-holed domain I get a security warning informing me that the page I am visiting serves the security certificate of my domain.

I think this could be circumvented by running pi-hole on it's own ip using these commands to add an ip to the interface the pi is running on:

INTERNALIP=`ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1  -d'/'`
OIFS=$IFS; IFS='.'; ip=($INTERNALIP); IFS=$OIFS
  
cp /etc/network/interfaces /etc/network/interfaces.bak
#nano /etc/network/interfaces
ex /etc/network/interfaces << END_EX_COMMANDS
" Find the mark
/^iface eth0 inet manual/
" Add the complex, multi-line text
a

#IP Aliasing
auto eth0:0
iface eth0:0 inet static
name Ethernet alias LAN card
address ${ip[0]}.${ip[1]}.${ip[2]}.$((${ip[3]}+1))
netmask 255.255.255.0
broadcast ${ip[0]}.${ip[1]}.${ip[2]}.255
network ${ip[0]}.${ip[1]}.${ip[2]}.0
.
" The '.' terminates the a-command. Write out changed file.
w!
q
END_EX_COMMANDS
unset ip OIFS

I propose running the pi-hole lighttpd server on an alternative interface standard, or at least as a choice during install in order to keep the common ports on the raspberry available to serve a website.

My choice of circumventing this is to do a vlan, and host lighttpd and pihole on that IP address.

We have been investigation on this topic for quite some time and I'm running a solution similar to what you proposed since some months without seeing problems.

My configuration (i.e. the one we though about implementing into Pi-hole) looks like:

• eth0 is listening on 192.168.2.10 and port 80 is unused (there could be another webserver)
• eth0:0 is listening on 192.168.2.11 and port 80 is occupied by lighttpd
• dnsmasq and sshd are listening on both interfaces (as default)
• pi.hole resolves to 192.168.2.11

To be honest, the problem why we haven't added this as of now are mainly twofold:

1. Many users that install Pi-hole barley understand that the Pi needs a static IP address, but we can explain it in a failry simple form. However, if we ask the user to either specify two static addresses (or one static address that is independent from the "main" IP address) this may become way too difficult to understand for users. I'd bet that many aren't even aware of the possibility to have more than one address on the same networking interface.

2. Another (minor) issue is that it seems like we cannot configure this using a sole dhcpcd5 way (we always have to edit /etc/network/interfaces and it simply seems quite unclean to modify the networking settings in more than one place. This may change when the Raspbian foundation goes to Stretch (scheduled for today if I'm not mistaken).

@DanSchaper and @deHakkelaar might want to add to my post as they have done some testing with this as well.

I like the idea of having a psudo interface for the command and control aspect, but like @DL6ER mentions, we have the installer for users that have just picked up the Pi (or other device) and are fresh to the whole concept. Those of us that do know how to set things up probably don't need the hand holding, but adding in more options would cause some confusion. We do have to support multiple OSes and multiple platforms, so something that could be done easily in Debian/Raspbian may be more difficult to work out on other systems.

I don't think Raspbian is going to make any kind of changes to move away from dhcpcd5 now that they have everyone set on the new way however, they just have too much invested in their GUI tools that reference that file. I've moved to NetworkManager in places that I can use it, and as much as I hated it to begin with, calling it NetworkMangler even, it's easier to work with via nmcli and nmtui, plus it's way more scriptable.

So the option I see is to use a basic installer for general users, and possibly an advanced mode for other configurations, but that would take a lot of work to implement so it's a long term idea.

This. I've always felt there should be a "noob" friendly install,,, and an advanced install for more advanced users.

I'd like that, but I understand keeping the advanced options cross platform compatible can become cumbersome. And the ease one can setup pi-hole is certainly one of the great things about it. However it is quite a common use case to have something else running on the pi that uses port 80. Integration with other servers is something that could use some attention in my opinion.

I've looked at some options regarding this and concluded IP aliasing is the cleanest way to do it. I might even submit a pull request to integrate it into the installer, as I will be using it anyway.

Most users will be able to answer the question if they have/will have an other server running on the pi (or am I wrong?). There could also be a check in the installer to see if port 80 is being used.

PR's are a great way to get more functionality into the installer. There have been some requests as to port 80 being used and detection of that, but where we run in to issues is with the need to have 80/443 available for the blockpage and for reception of traffic that is redirected. Unless there were changes to that subsystem, people would potentially be sending out their pages from the already installed daemon out to clients when they request a page on 80/443 from being redirected via Pi-hole (bar having another interface or IP available, which is very difficult to do on Raspbian with the current dependency on dhcpcd5 that we have to work under.)

The basic-installer.sh is just meant to be an installer for fresh systems, I know we've grown out to be used on other use-cases, but accounting for those cases is more time consuming than we currently have the volunteers to be able to handle. There are a lot of changes under the hood that we are already working on, and not having any full or part time staff makes it difficult to develop all the features that we would like to present to the users.

As Feature Requests get more votes then the priority for those features goes up and we try to work them in to the time that we have available.

Yes, this is exactly what I'd like to achieve. Is there any reason to think that Stretch will bring IP aliassing to dhcpcd5? For now it seems to me that /etc/network/interfaces is just the place to add an interface. You could still configure the interface in /etc/dhcpcd.conf if you want it to be cleaner.

Also on fedora you only have to change one file.

The harder part might be educating people on how to configure their DNS settings on their router or devices now, as it will have to point to a different ip than the normal pi address. However this seems manageable. People who need help with this will currently use the guide on pi-hole for this anyway.

I was not able to assign a static IP to an aliased interface using the dhcpcd5 way.
So i devised below making use of the default "source-directory /etc/network/interfaces.d" directive in the interfaces file.
This is just prove of concept/an example as I dont have ipv6 configured at home.
This test Pi only got WiFi so thats why the wlan0:0 (with ip 10.0.0.200).

Create new file:

sudo nano /etc/pihole/pihole-if

Containing below aliased interface with second IP:

auto wlan0:0
iface wlan0:0 inet static
address 10.0.0.200
netmask 255.255.255.0

Symlink it so it gets included with ifup:

sudo ln -s /etc/pihole/pihole-if /etc/network/interfaces.d/

Bring up the new interface:

sudo ifup -v wlan0:0

Reconfigure network for Pi-Hole (the second IP should appear during the wizzard):

pihole -r

Configure lighttpd to listen to the new IP address only:

sudo nano /etc/lighttpd/lighttpd.conf

Add below line:

server.bind = "10.0.0.200"

To listen only to ipv4 requests, find and hash out below line before save/close the file:

# include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port

Reload lighttpd to apply new settings:

sudo service lighttpd reload

Have dnsmasq listen to the new IP by creating below file:

sudo nano /etc/dnsmasq.d/14-pihole-if.conf

Containing:

except-interface=wlan0
except-interface=lo
listen-address=10.0.0.200
#no-dhcp-interface=wlan0
bind-interfaces

Restart dnsmasq to apply new settings:

sudo service dnsmasq restart

This is from before:

pi@raspberrypi:~ $ sudo netstat -nltup | grep 'Proto\|lighttpd\|dnsmasq\|dhcpcd\|pihole-FTL'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      469/pihole-FTL
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      786/lighttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      8154/dnsmasq
tcp6       0      0 :::80                   :::*                    LISTEN      786/lighttpd
tcp6       0      0 :::53                   :::*                    LISTEN      8154/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           8154/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           8154/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           572/dhcpcd
udp6       0      0 :::53                   :::*                                8154/dnsmasq

And this is after:

pi@raspberrypi:~ $ sudo netstat -nltup | grep 'Proto\|lighttpd\|dnsmasq\|dhcpcd\|pihole-FTL'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      530/pihole-FTL
tcp        0      0 10.0.0.200:80           0.0.0.0:*               LISTEN      779/lighttpd
tcp        0      0 10.0.0.200:53           0.0.0.0:*               LISTEN      1713/dnsmasq
udp        0      0 10.0.0.200:53           0.0.0.0:*                           1713/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1713/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           692/dhcpcd

The only one I was not able to bind was the dhcp service port 67.

Below is from a client and 10.0.0.13 being the physical interface IP of Pi-Hole:

$ dhclient -r && dhclient -v wlan0
Killed old client process
Internet Systems Consortium DHCP Client 4.3.5
Copyright 2004-2016 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/wlan0/00:1f:3c:99:de:17
Sending on LPF/wlan0/00:1f:3c:99:de:17
Sending on Socket/fallback
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 8
DHCPREQUEST of 10.0.0.220 on wlan0 to 255.255.255.255 port 67
DHCPOFFER of 10.0.0.220 from 10.0.0.13
DHCPACK of 10.0.0.220 from 10.0.0.13
bound to 10.0.0.220 -- renewal in 42619 seconds.

$ host pi.hole
pi.hole has address 10.0.0.200

$ curl -I http://10.0.0.200
HTTP/1.1 404 Not Found
X-Pi-hole: A black hole for Internet advertisements.
Content-type: text/html; charset=UTF-8
Date: Tue, 20 Jun 2017 01:06:24 GMT
Server: lighttpd/1.4.35

That's a solution that works, but it wouldn't work cross platform with all the OSes that we support unfortunately. Also would be very hard to script that kind of a configuration. But thanks for the posts!