Suddenly no internet access but still have intranet access

Ubuntu 24.04.1, Docker, Portainer, OpenWRT on a Flint 2 (GL-MT6000) router

My Ubuntu server (192.168.200.151) no longer has internet access, i.e. no websites will load and in the GUI it shows a question mark over the ethernet connection. All my other devices still have intranet and internet access. I am still able to remote in and copy files to the server. The Pihole is set up on a macvlan I named "pihole" with the IP address 192.160.200.1. I created the macvlan a couple of days ago and it was working great until last night when, out of nowhere, I lost internet on it. This was my previous thread: Possible nameserver issues PiHole v5.18.3, on Ubuntu running Docker - #21 by ShadowofIntent

Debug Token:
https://tricorder.pi-hole.net/EnOac8ns/

I found this interesting:

tom@ubuntu-server:~$ systemctl status systemd-resolved.service
● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; enabled; preset: enabled)
     Active: active (running) since Fri 2025-02-28 08:18:32 EST; 28s ago
       Docs: man:systemd-resolved.service(8)
             man:org.freedesktop.resolve1(5)
             https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
             https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
   Main PID: 5275 (systemd-resolve)
     Status: "Processing requests..."
      Tasks: 1 (limit: 28332)
     Memory: 2.6M (peak: 3.1M)
        CPU: 48ms
     CGroup: /system.slice/systemd-resolved.service
             └─5275 /usr/lib/systemd/systemd-resolved

Feb 28 08:18:32 ubuntu-server systemd[1]: Starting systemd-resolved.service - Network Name Resolution...
Feb 28 08:18:32 ubuntu-server systemd-resolved[5275]: Positive Trust Anchors:
Feb 28 08:18:32 ubuntu-server systemd-resolved[5275]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Feb 28 08:18:32 ubuntu-server systemd-resolved[5275]: Negative trust anchors: home.arpa 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.>
Feb 28 08:18:32 ubuntu-server systemd-resolved[5275]: Using system hostname 'ubuntu-server'.
Feb 28 08:18:32 ubuntu-server systemd[1]: Started systemd-resolved.service - Network Name Resolution.
Feb 28 08:18:43 ubuntu-server systemd-resolved[5275]: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 192.168.200.1.
Feb 28 08:18:49 ubuntu-server systemd-resolved[5275]: Using degraded feature set TCP instead of UDP for DNS server 192.168.200.1.
Feb 28 08:18:58 ubuntu-server systemd-resolved[5275]: Using degraded feature set UDP instead of TCP for DNS server 192.168.200.1.

tom@ubuntu-server:~$ sudo systemctl restart  systemd-resolved.service

tom@ubuntu-server:~$ docker network inspect pihole
[
    {
        "Name": "pihole",
        "Id": "50fd4aba79bb07bc934b28c0a2f37aad55d9b96c75d3e4e49ac0a663dd7b8afb",
        "Created": "2025-02-25T20:07:42.311076914-05:00",
        "Scope": "local",
        "Driver": "macvlan",
        "EnableIPv4": true,
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "192.168.200.0/24",
                    "IPRange": "192.168.200.0/29",
                    "Gateway": "192.168.200.4"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": "macvlanconfig"
        },
        "ConfigOnly": false,
        "Containers": {
            "230f2fd1cd64fb723af9eeceab23cc20eb943b3100236b9d1593b1f504a038d8": {
                "Name": "pihole",
                "EndpointID": "0d804a271e4d9859d258ba307f242b72ebdf87f45676f7f5cb52b21d8c3b0cf7",
                "MacAddress": "ee:09:96:10:06:12",
                "IPv4Address": "192.168.200.1/24",
                "IPv6Address": ""
            }
        },
        "Options": {
            "parent": "enp2s0"
        },
        "Labels": {}
    }
]

Docker-compose (NOTE: under "DNS" I tried both 127.0.0.1 and 192.168.200.1 just to test):

---
version: "3"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:2024.07.0
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 67:67/udp
      - 80:80/tcp
    environment:
      TZ: America/New_York
      WEBPASSWORD: 
    volumes:
      - /home/tom/dockervolumes/pihole/etc:/etc/pihole
      - /home/tom/dockervolumes/pihole/dnsmasq.d:/etc/dnsmasq.d
    dns:
      - 192.168.200.1
      - 1.1.1.1
    cap_add:
      - NET_ADMIN
    networks:
      - pihole
    restart: unless-stopped

networks:
  pihole:
    external: true

Are you saying you are running a desktop and a browser on that Ubuntu server?

Run from the Ubuntu machine, please share the output of:

ip -4 address
cat /etc/resolv.conf

tom@ubuntu-server:~$ ip -4 address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.200.151/24 brd 192.168.200.255 scope global dynamic noprefixroute enp2s0
       valid_lft 38401sec preferred_lft 38401sec
5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
6: br-b031bf29dddd: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-b031bf29dddd
       valid_lft forever preferred_lft forever
tom@ubuntu-server:~$ 
tom@ubuntu-server:~$ cat /etc/resolv.conf


# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search lan
tom@ubuntu-server:~$ 

What's the output of:

sudo resolvectl status

Are you saying you are running a desktop and a browser on that Ubuntu server?

Correct I have the Ubuntu GUI installed.

tom@ubuntu-server:~$ sudo resolvectl status
[sudo] password for tom: 
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (enp2s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.200.1
       DNS Servers: 192.168.200.1
        DNS Domain: lan

Link 3 (enp3s0)
    Current Scopes: none
         Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 4 (wlo1)
    Current Scopes: none
         Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (docker0)
    Current Scopes: none
         Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 6 (br-b031bf29dddd)
    Current Scopes: none
         Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 7 (veth2a10545)
    Current Scopes: none
         Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
tom@ubuntu-server:~$ 

Your observation is expected if you are hosting your Pi-hole as a macvlan Docker container on top of Ubuntu.

Docker's macvlan isolation prevents direct communication between your Pi-hole container and the Docker host, i.e. your Ubuntu machine hosting Docker cannot use your dockered Pi-hole on the same machine for DNS.
Your Ubuntu's stub resolver is doing that - it is using your container's IP for DNS:

You have two options:
a. configure your systemd-resolved stub resolver to use a public DNS server instead of Pi-hole.

b. create a shim network to route traffic between the container and the host

a. may be both easier to set up and a sensible choice if you run your Ubuntu machine as a server, which would not run desktop applications like browsers that need to be filtered by Pi-hole.
You didn't answer my related question, but if you are running a browser on that machine, you may not want to opt for a.

For b., you'd have to follow a more complex scenario to add and persist the shim network configuration, see e.g. Set up a PiHole using Docker MacVlan Networks — (with no guarantees for the linked guide to still exist and to still be working for current Docker installations).
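
The condition diagnosed in this answer can be checked mechanically. The following is an added example, not part of the original posts: it compares the DNS servers in saved resolvectl status output with the container addresses in saved docker network inspect output. The function names are hypothetical and the sample input is constructed from the outputs posted above.

```shell
#!/bin/sh
# Added example (not from the thread): detect a Docker host whose resolver
# points at a macvlan container on that same host.

# DNS servers listed in saved `resolvectl status` output ($1).
resolved_dns_servers() {
    awk '/^ *DNS Servers:/ { sub(/^ *DNS Servers: */, "")
         n = split($0, a, " "); for (i = 1; i <= n; i++) print a[i] }' "$1"
}

# Container IPv4 addresses in saved `docker network inspect` output ($1),
# printed only when the network driver is macvlan.
macvlan_container_ips() {
    grep -q '"Driver": *"macvlan"' "$1" || return 0
    sed -n 's|.*"IPv4Address": *"\([0-9.]*\)/[0-9]*".*|\1|p' "$1"
}

# Print the first resolver address that is also a local macvlan container;
# return 1 when there is none.
host_dns_is_local_macvlan() {
    ips=$(macvlan_container_ips "$2")
    for server in $(resolved_dns_servers "$1"); do
        for ip in $ips; do
            if [ "$server" = "$ip" ]; then echo "$server"; return 0; fi
        done
    done
    return 1
}

# Constructed sample input, trimmed from the outputs posted in the thread.
write_samples() {
    cat > "$1/resolvectl.txt" <<'EOF'
Link 2 (enp2s0)
    Current Scopes: DNS
Current DNS Server: 192.168.200.1
       DNS Servers: 192.168.200.1
EOF
    cat > "$1/inspect.json" <<'EOF'
        "Driver": "macvlan",
                "IPv4Address": "192.168.200.1/24",
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
if hit=$(host_dns_is_local_macvlan "$tmp/resolvectl.txt" "$tmp/inspect.json"); then
    echo "resolver $hit is a macvlan container on this host; the host cannot reach it"
fi
```

On a live host, redirect the two commands' output into files and pass those paths instead of the samples; the sed pattern assumes Docker's pretty-printed output with one key per line.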


I edited the post and said, "Correct I have the Ubuntu GUI installed." I don't really use the browser though, I only ever use it to check internet connectivity to sites.

a. configure your systemd-resolved stub resolver to use a public DNS server instead of Pi-hole.

Is it as simple as editing /run/systemd/resolve/stub-resolv.conf? The only reason I ask is when I cat it, this is displayed and am not sure if it's just a general warning to unsavvy users or if you can freely edit it:

# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.

Sorry if these questions seem silly but I am learning and do not want to learn bad/incorrect practices. I've set up Pihole in the past and this is my first time with a macvlan. I have read so much info causing me to be confused at points and to me it's worth just asking for advice to clear everything up. I don't want to assume everything I am doing is right just because I have done it that way is what I mean.

I'm not overly familiar with that specific stub resolver, but you could try:

sudo resolvectl dns enp2s0 9.9.9.9

I don't know if that would survive reboots, and you should check the output of resolvectl status that 9.9.9.9 has replaced your container as DNS server.

If 192.168.200.1 is still appearing, you'd have to figure this out yourself.
Having a read of the man pages usually is a good starting point (also available online):

Would it be possible to somehow bridge the macvlan? Just exploring other potential ideas.

That idea is similar to creating the shim network - you'd have to follow the link from:
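
The shim network mentioned in this thread usually comes down to four iproute2 commands. The following is an added example, not taken from the linked guide or from the posts: enp2s0 and 192.168.200.1 come from the thread, while the interface name pihole-shim and the address 192.168.200.250 are assumptions, and the result does not persist across reboots.

```shell
#!/bin/sh
# Added example (not from the thread): plan a host-side macvlan "shim" so the
# Docker host can reach a macvlan container such as the Pi-hole.

is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# shim_commands PARENT SHIM_IF SHIM_IP CONTAINER_IP
# Prints the iproute2 commands, one per line; returns 1 on unusable input.
shim_commands() {
    parent=$1 shim_if=$2 shim_ip=$3 container_ip=$4
    is_ipv4 "$shim_ip" && is_ipv4 "$container_ip" || return 1
    # The shim needs its own address; reusing the container's would conflict.
    [ "$shim_ip" != "$container_ip" ] || return 1
    # Linux interface names are limited to 15 characters.
    [ "${#shim_if}" -le 15 ] || return 1
    cat <<EOF
ip link add $shim_if link $parent type macvlan mode bridge
ip addr add $shim_ip/32 dev $shim_if
ip link set $shim_if up
ip route add $container_ip/32 dev $shim_if
EOF
}

# enp2s0 and 192.168.200.1 are from the thread; the interface name and
# 192.168.200.250 are assumptions (pick an address that is unused and outside
# both the router's DHCP pool and Docker's IPRange).
plan=$(shim_commands enp2s0 pihole-shim 192.168.200.250 192.168.200.1)
if [ "${1:-}" = "--apply" ]; then
    echo "$plan" | sudo sh -e    # runtime only: gone after a reboot
else
    echo "$plan"                 # default: show the plan without changing anything
fi
```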

I added public DNS to the resolved.conf and we're back in business. Thanks for your help again.
