Setup on Synology Docker

@Beefyfish I managed to get this installed in the end using this guide:

I am however curious as to the benefits of your method (which I have tried and failed at) versus this? Any help appreciated.

I set it up like this to maintain pi.hole as the address for my pi-hole. Synology NAS will not give up port 80. The way I wrote it up, it is almost like another computer on your network.

With the error you received I think you may have messed up an address while creating the macvlan or the network port. I don't know how your network may be set up, so the numbers provided in my write-up are example addresses unless your network is like mine.

My domain is on 192.168.1.x and my synology is on 192.168.1.2, with gateway on 192.168.1.1

My macvlan is hence on 192.168.1.1/24 and IP range 192.168.1.3/32

Pi-hole_Bridge I have kept identical to yours, so in my mind looks to be right?

That would be correct. If you attempt to retry making it you have to make sure to delete the existing macvlan through the webui before retrying.

I do know that if you are using virtual machines or network interfaces it will affect whether you should be using eth0 or another network port while creating the docker image.

Have tried this a few times, with slightly different settings. Same error every time; it looks to be port related but there is no setup for ports in this. I am also running Tautulli and a couple of Unifi controllers, see other networks in docker, but don't think they should conflict? Other than that my Syno is pretty standard.

When you run the command ip addr, does it come up as eth0 or eth#? I know with Open vSwitch enabled you would need to use ovs_eth#. Another thing that might change it is binding the ethernet ports if it is equipped with more than one port, as I'm pretty sure it creates a virtual port that binds the multiple ports together, but I'm not 100% positive as I don't use that feature.

Ah I think you are spot on with this. I since gave up on this but it's now obvious I should not have chosen eth0. I have an aggregation on eth0 and eth1, so should have chosen bond0!

Will give it another attempt when I get the chance.

EDIT:
@Beefyfish all working now thanks for your help. Fantastic to have this showing on its own IP

Is it possible for this to resolve local DNS hostnames with this container setup, as opposed to just IP addresses?

I use conditional forwarding to my router which serves as my local dns/dhcp. I run dd-wrt for my router currently.

I think pihole checks with the router every hour to find host names from my router.

You could mount the hosts file and then put your clients in the file, restart the container every time you change the file. Then you will see hostnames instead of IP address. e.g. /volume1/docker/pihole/etc/hosts : /etc/hosts:rw

Thanks @BobWs but I presume this will only work on static IPs? I have a number of devices that are dynamically assigned and don't really want to static them all.

I am using Unifi which is also my DHCP server (192.168.0.1) and have:

  • Set the DHCP Name Server to my pihole ip
  • Set the WAN DNS to 9.9.9.9 , 8.8.8.8
  • Set the Pihole Upstream DNS to 9.9.9.9, 8.8.8.8
  • In pihole - created a manual upstream server to my Gateway (DHCP Server) (i.e. 192.168.0.1)
  • Added Conditional forwarding to my gateway (DHCP Server) 192.168.0.1 and added what I think is the local domain name (checked Windows network setting, and also matches the name I gave in Unifi).

Still only getting IPs! @Beefyfish as you have it working does it look similar to what you have appreciating you are not using unifi?

Unfortunately I do not use a USG.

I know when running dd-wrt all you do is set DHCP option 6 to pi.hole and make sure local DNS is enabled in the router, then finally add the gateway into pihole for conditional forwarding. It will check hourly with my router to resolve host names vs showing IP addresses.

I'm new to Pi-hole, but have it running since today on my Synology DS918+. Great to see others using a similar setup, using Macvlan etc. It's working fine for devices on the same subnet as Pi-hole, e.g. 192.168.1.1, but it's not working from devices on another subnet, e.g. 192.168.2.1. Strange thing is that I can ping the Docker host (Synology NAS) just fine from the other subnet.

192.168.1.2: Synology NAS
192.168.1.3: Pi-hole

192.168.2.2 Other device

From 192.168.2.2 I can ping 192.168.1.2, but not 192.168.1.3...

Is this a limitation of using Macvlan?

Would love to know if there's a solution so I can share this Pi-hole to other subnets, specifically the subnet I use for my OpenVPN TUN clients.

EDIT:

Solved it! This scenario is possible with Macvlan. I misconfigured Policy Based Routing on my router, which was the reason I couldn't ping the Macvlan containers from another subnet. Hehe, whoops.

Thanks for this, set up a docker + unbound + VPN. Only thing is, when using macvlan I'm unable to ping/use the pihole when connected to the VPN. Anyone know how to fix this?

I've never used a VPN, but if it is a docker image it would have to talk to pihole through the bridge network you created, as your Synology cannot talk to pihole through the macvlan due to securities inside docker.

Hi Beefyfish

I created an account on this site just to say thank you!
I have been trying to figure out why I can't reach the pi.hole from the Synology, until I took my time and read through your guide VEEEERY carefully.
Thanx again for the nice write up.

Peter

Hi Beefyfish, thanks for the tutorial, could you clarify the subnet ... I am not clear between your post and the pics
One ends with 0 ...
My gateway is 10.0.0.1 and NAS is at 10.0.0.35 ... what would be my subnet?!
When I ping 10.0.0.199 I get
Reply from 10.0.0.35: Destination host unreachable.
Where would I find the pihole admin page?

It looks as if you have everything set up right. Your issue is that you are not allowed to ping 10.0.0.199 from your NAS, as a host is not allowed to talk to a macvlan docker image. The subnet in the bridge really isn't that important (you could change the /24 all the way down to /30 to limit IPs if you desired) as the only things connected to that bridge are pihole and the host machine.

You need to make sure you set the DNS on the NAS to talk through the bridge connection you created (step 11). This is a workaround so your host machine can talk to the docker image. Just verify the connection in the Pi-hole UI when the Synology sends out a DNS request (open Package Center).

Sorry I am still a little confused. My desktop which is 10.0.0.8 on my lan … I cannot ping 10.0.0.199 or 10.0.100.1 or 10.0.100.2 … how do I open the pi admin page (pi.hole) ?
I did the step 11 … changed NAS dns to 10.0.100.2
I have also tried to set the DNS to 10.0.0.199 and 10.0.100.2 on my router but ads are not blocked when I browse internet on my desktop.
Sorry I am not very good with networking concepts
Thanks a lot for taking time to respond here

A bit more info: I am using the bond0 interface. I can see both 10.0.0.35 and 10.0.0.199 identified by my router as NAS. 10.0.0.199 is also getting identified as a Windows computer, don't know why? I thought I was able to see 10.0.100.2 in the network, but after changing the Synology DNS to 10.0.100.2 I cannot see it in my router.
Also I cannot browse for packages in Synology Docker, which means it has no outside internet connection.

Can you go to pi.hole/admin or 10.0.0.199/admin ?

If so then pihole is up and running on the network.

You will not be able to ping 10.0.100.1 or 10.0.100.2 with a PC on the network as it is a virtual network created inside docker on your synology. Your synology should have the dns set to 10.0.100.2 and it will communicate to pihole through this network as it is not allowed to through 10.0.0.199 due to docker security.

Your router dns should point to 10.0.0.199 if you were able to connect to the pihole interface.

If you were unable to access pi.hole or 10.0.0.199/admin I would just delete the image and all the created networks and try again as one small issue during install can really mess things up (pay close attention to any IP address that you may need to change). I would also try to set the macvlan outside any address range your router can assign so it doesn't accidentally assign that address to another device.

You were right to select bond0 if that is what "ip addr" showed, if you're using the dual network ports bonded. Otherwise it would be eth# or ovs_eth# (if Open vSwitch is enabled). Either way you must use the proper port or the macvlan will not work.

For reference my network setup is:
192.168.0.1 - DDWRT router
192.168.0.5 - Pi.hole
192.168.0.20 - NAS

DHCP is located on the router and can assign IPs from 192.168.0.100 to 192.168.0.199
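
Added example, not part of the thread or of the guide it discusses: a pre-flight check of the macvlan addressing plan, covering the mistakes raised above (a container address outside the LAN subnet, one that collides with the gateway or NAS, one inside the router's DHCP pool, and a bridge subnet that overlaps the LAN). The function name and the 10.0.100.0/24 bridge subnet are assumptions; the other addresses are the reference network from the last post.

```python
import ipaddress as ipa

def check_macvlan_plan(subnet, gateway, ip_range, host_ip,
                       dhcp_first, dhcp_last, bridge_subnet=None):
    """Return a list of problems with a planned macvlan network (empty = OK)."""
    problems = []
    # strict=False accepts forms such as 192.168.1.1/24 and normalises them
    lan = ipa.ip_network(subnet, strict=False)
    rng = ipa.ip_network(ip_range, strict=False)
    gw, host = ipa.ip_address(gateway), ipa.ip_address(host_ip)

    if gw not in lan:
        problems.append(f"gateway {gw} is not inside {lan}")
    if not rng.subnet_of(lan):
        problems.append(f"container range {rng} is not inside {lan}")
    for label, addr in (("gateway", gw), ("NAS", host)):
        if addr in rng:
            problems.append(f"container range {rng} includes the {label} {addr}")

    # The DHCP pool is an arbitrary first..last span, so split it into CIDR
    # blocks and test each one against the container range.
    pool = ipa.summarize_address_range(ipa.ip_address(dhcp_first),
                                       ipa.ip_address(dhcp_last))
    if any(block.overlaps(rng) for block in pool):
        problems.append(f"container range {rng} overlaps DHCP pool "
                        f"{dhcp_first}-{dhcp_last}")

    # The host-to-container bridge must be a separate network from the LAN.
    if bridge_subnet is not None:
        bridge = ipa.ip_network(bridge_subnet, strict=False)
        if bridge.overlaps(lan):
            problems.append(f"bridge subnet {bridge} overlaps LAN {lan}")
    return problems

if __name__ == "__main__":
    # Reference network from the thread; bridge subnet is an assumed value.
    print(check_macvlan_plan("192.168.0.0/24", "192.168.0.1", "192.168.0.5/32",
                             "192.168.0.20", "192.168.0.100", "192.168.0.199",
                             "10.0.100.0/24"))
    # Constructed bad plan: Pi-hole address placed inside the DHCP pool.
    print(check_macvlan_plan("192.168.0.0/24", "192.168.0.1", "192.168.0.150/32",
                             "192.168.0.20", "192.168.0.100", "192.168.0.199"))
```

The check covers addressing only; the parent interface (eth0, bond0 or ovs_eth#) still has to be confirmed with ip addr on the NAS.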