Setup on Synology Docker

If you are OK with everything installed on the Synology using an outside DNS without pihole, you can set the DNS to something other than the bridge, such as Google.

Otherwise there seems to be an issue with the bridge networks communicating. Example: the Synology is telling the default Docker bridge to use the Pihole_Bridge for DNS, but it doesn't have any idea where that IP is.

I have not tried this, and I'm not even sure it will allow it, but try setting up an IP table for:

Network Destination: 172.17.0.0
Gateway: 10.0.100.0
Netmask: 255.255.255.0
Interface: Docker

Other ways to look into this could be removing pihole from the Pihole_Bridge and installing it onto the default bridge (shut down the container, remove it from Pihole_Bridge and add it to bridge). The only issue I would have here is knowing what the IP would be. You may or may not be able to use 172.17.0.1 for the DNS of the Synology.

Either way let me know.

Thanks for your help, Beefyfish.

I tried to set up an IP table as you recommended, but I can only select "Bond 1" as an interface. Is there a way to create one using SSH?

The problem with your other solution (I had a similar issue in the past) is that there is no way to create a static IP address within the default bridge. All containers get assigned a series of IPs in random order at every reboot, which makes it unreliable, as the Pihole address might change after a reboot.

I have been reading a whole bunch of threads online but was not able to find any viable solution yet. This is really frustrating as Pi-hole and everything else is working really well.

I ended up setting Cloudflare's DNS on the Synology, which works as you suggested, but too bad I'm not able to rely on Pihole for my containers. I'll keep looking for a solution!

Last thing: after rebooting my NAS several times, I noticed that the Pihole settings "Never forward non-FQDNs" and "Never forward reverse lookups for private IP ranges" are reset after every reboot, and that the "Interface listening behavior" is reset to "Listen on all interfaces" although I set it to "Listen on all interfaces, permit all origins".

Any idea on how to make these settings persistent?

These are all environment variables. See Docker; there is a list on there. You can add/change them when creating the Docker image and they will always go to the setting.

A quick way to do that is to export the container settings and modify the variables in the text file. Then you can delete the container and re-import the settings file. If you have the text editor installed on your Synology, you can do all this on the Synology.

This is an example of the env settings in the syno.json that is exported:

      {
         "key" : "S6_LOGGING",
         "value" : "0"
      },
      {
         "key" : "S6_KEEP_ENV",
         "value" : "1"
      },
      {
         "key" : "S6_BEHAVIOUR_IF_STAGE2_FAILS",
         "value" : "2"
      },
      {
         "key" : "ServerIP",
         "value" : "192.168.0.5"
      },
      {
         "key" : "FTL_CMD",
         "value" : "no-daemon"
      }

Here is an example of getting two bridge networks to communicate: networking - Allow communication between two docker bridge networks using docker-compose - Stack Overflow

The problem with Synology is they use something that rewrites the iptables on every shutdown/restart, and it deletes the manual settings you create.

Running pihole in a Docker image starts to become difficult when locked down to the Synology system. You may be able to masquerade the DNS request from the Synology to the router (using the router's IP tables) and loop it back around to the macvlan. Now, I am pretty sure this would be frowned upon in the networking world. This will take some research on your end.
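The export, edit, delete and re-import workflow described above can be scripted so the three settings that kept resetting are pinned every time the container is recreated. This is an added example, not code from any post in this thread; it assumes the export keeps its variables in an "env" list of key/value objects (the shape of the fragment above) and that the docker-pi-hole image reads DNSMASQ_LISTENING, DNS_FQDN_REQUIRED and DNS_BOGUS_PRIV, which you should confirm against the image's README for your tag.

```python
import json
import sys

# Constructed sample in the shape of the exported syno.json fragment above (assumption:
# env entries live in an "env" list of {"key","value"} objects; other fields pass through).
SAMPLE_EXPORT = """{
   "env" : [
      { "key" : "ServerIP", "value" : "192.168.0.5" },
      { "key" : "FTL_CMD", "value" : "no-daemon" },
      { "key" : "DNSMASQ_LISTENING", "value" : "local" }
   ],
   "image" : "pihole/pihole:latest"
}"""

# Variables that pin the three settings the poster saw reset (names assumed from the
# docker-pi-hole README; confirm them against the README for your image tag).
PERSISTENT_SETTINGS = {
    "DNSMASQ_LISTENING": "all",   # Listen on all interfaces, permit all origins
    "DNS_FQDN_REQUIRED": "true",  # Never forward non-FQDNs
    "DNS_BOGUS_PRIV": "true",     # Never forward reverse lookups for private IP ranges
}

def upsert_env(doc, settings):
    """Update or append each setting in doc["env"]; return how many entries changed."""
    env = doc["env"]  # KeyError here means the export layout differs from the assumption
    present = {e["key"]: e for e in env}
    changed = 0
    for k, v in settings.items():
        if k not in present:
            env.append({"key": k, "value": str(v)})  # the export stores values as strings
            changed += 1
        elif present[k]["value"] != str(v):
            present[k]["value"] = str(v)
            changed += 1
    return changed

def patch_export(text, settings=PERSISTENT_SETTINGS):
    """Return (patched JSON text, change count), keeping Synology's 3-space layout."""
    doc = json.loads(text)
    n = upsert_env(doc, settings)
    return json.dumps(doc, indent=3, separators=(",", " : ")) + "\n", n

def env_of(text):
    return {e["key"]: e["value"] for e in json.loads(text)["env"]}

if __name__ == "__main__":  # usage: python patch_syno_env.py exported.json patched.json
    out, n = patch_export(open(sys.argv[1]).read())
    open(sys.argv[2], "w").write(out)
    print(f"{n} variable(s) set; delete the container and import {sys.argv[2]}")
```

Running it a second time on its own output reports zero changes, so it is safe to keep in a folder on the NAS and re-run after every export.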

I just came here to point out that I spent hours and hours troubleshooting this to get it working on bonded Ethernet on Synology.

It simply DOES NOT work if you use the Synology load sharing mode; you must use the active/passive failover mode ONLY, or macvlan DOES NOT work.

I cannot believe this was the problem for me, and it explains why it works for some and not for others, as some people would be using one type of bonding, the others another.

I simply changed it in the network wizard to the different type of bond and all is well.
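A quick way to confirm which bonding mode the NAS is actually running before pointing macvlan at bond0, as an added check that is not part of any post in this thread: it parses the status file the Linux bonding driver exposes under /proc/net/bonding/ (the sample text below is constructed, not captured from a Synology) and flags any mode other than active-backup, the active/standby mode the post above found necessary.

```python
import re

# Constructed sample of /proc/net/bonding/bond0 in the format the Linux
# bonding driver prints (not captured from a Synology; real files carry more detail).
SAMPLE_BOND0 = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: adaptive load balancing
Primary Slave: None
Currently Active Slave: eth0
MII Status: up

Slave Interface: eth0
MII Status: up

Slave Interface: eth1
MII Status: up
"""

# Kernel mode string for active/standby; every other mode (balance-alb, xor,
# 802.3ad, ...) shares traffic across both NICs, which is what broke macvlan above.
FAILOVER_MODES = {"fault-tolerance (active-backup)"}

def bond_mode(proc_text):
    """Return the 'Bonding Mode:' value, or '' if the text is not a bond status file."""
    m = re.search(r"^Bonding Mode:\s*(.+?)\s*$", proc_text, re.MULTILINE)
    return m.group(1) if m else ""

def slaves_up(proc_text):
    """List slave interfaces whose own MII status is up."""
    return re.findall(r"^Slave Interface:\s*(\S+)\nMII Status:\s*up", proc_text, re.MULTILINE)

def macvlan_parent_check(proc_text):
    """Summarise the bond and say whether it is safe to use as a macvlan parent."""
    mode = bond_mode(proc_text)
    return {"mode": mode, "slaves_up": slaves_up(proc_text),
            "ok_for_macvlan": mode in FAILOVER_MODES}

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/net/bonding/bond0"
    try:
        text = open(path).read()
    except OSError:          # not on the NAS: fall back to the constructed sample
        text = SAMPLE_BOND0
    r = macvlan_parent_check(text)
    verdict = "OK for macvlan" if r["ok_for_macvlan"] else "switch the bond to active/standby first"
    print(f"mode={r['mode']!r} slaves_up={r['slaves_up']} -> {verdict}")
```

Run it over SSH on the NAS with no arguments to read the live bond0 status; pass a path to check a copied file.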

Hmm... I have my pi.hole config working fine with macvlan and bonded Ethernet:

Here is my compose file:

version: '2'

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    hostname: pihole2
    domainname: mydomain.com
    cap_add:
      - NET_ADMIN
    networks:
      pihole_network:
        ipv4_address: 192.168.10.205
    dns:
      - 1.1.1.1
      - 1.0.0.1
    ports:
      - 443/tcp
      - 53/tcp
      - 53/udp
      - 67/udp
      - 80/tcp
    environment:
      ServerIP: 192.168.10.205
      VIRTUAL_HOST: pihole2.mydomain.com
      WEBPASSWORD: changeme
      TZ: America/Chicago   # the image reads its timezone from TZ; the post had this under UTC
      DNS1: 192.168.10.206#53
      DNS2: 192.168.10.250#5153
    volumes:
      - '/volume1/docker/pi-hole/etc-pihole/:/etc/pihole/'
      - '/volume1/docker/pi-hole/etc-dnsmasq.d/:/etc/dnsmasq.d/'
    restart: unless-stopped

networks:
  pihole_network:
    driver: macvlan
    driver_opts:
      parent: bond0
    ipam:
      config:
        - subnet: 192.168.10.0/24
          gateway: 192.168.10.252
          ip_range: 192.168.10.201/32

Thanks a lot for sharing your experience Beefyfish! I created a shell script inspired by your walkthrough, perhaps it might be helpful to others too. It can be found here: GitHub repository.