Setup

I have a Unifi home setup with multiple WiFi networks set up and a Raspberry Pi with Arch to take care of DNS filtering.

Goals

I want to run multiple DNS servers on the Raspberry Pi and direct the different WiFi networks to different DNS servers. To this end I need different IP addresses for the different DNS containers.

What I have done so far

After trying systemd and a couple of different docker solutions, I have settled on using Pi-Hole in combination with cloudflared.

Running multiple Pi-holes is not a problem with docker-compose, but I know far too little about proper (Docker) networking to figure out how to get different, network-reachable IP addresses to different containers.

Here is the docker-compose file for one set of cloudflared + Pi-hole:

version: "3.5"
services:
  cloudflared_workday:
    container_name: cloudflared_workday
    image: crazymax/cloudflared:latest
    ports:
      - "5053:5053/udp"
      - "49312:49312/tcp"
    environment:
      - "TZ=Europe/Berlin"
      - "TUNNEL_DNS_UPSTREAM=https://1.1.1.1/dns-query,https://1.0.0.1/dns-query"
    restart: always

  pihole_workday:
    container_name: pihole_workday
    image: pihole/pihole:latest
    depends_on:
      - cloudflared_workday
    network_mode: host
    environment:
      TZ: 'Europe/Berlin'
      WEBPASSWORD: 'password'
      DNS1: '127.0.0.1#5053'
      DNS2: 'no'
      ServerIP: '192.168.2.10'
    # Volumes store your data between container upgrades
    volumes:
      - './pihole_workday/pihole/etc-pihole/:/etc/pihole/'
      - './pihole_workday/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/'
    restart: always

Where 192.168.2.10 is the IP given to the Raspberry Pi.

I can only specify an IP for a DNS in my router, not different ports that I could remap for the containers.

PS.: I know the password is not ideal, but that's a problem for another day :D

Question

How do I run a duplicate of this setup on the same machine without the two DNS servers getting into each other's way, and how do I reach the separate Pi-holes with different IPs?

Edit 1

I found that there is something called macvlan in docker linking docker containers directly to the network. This seems to also work with pi-hole (macvlan + pi-hole), only that I haven't succeeded yet. Does anyone see a conceptual issue with this approach?

Phteven
  • How are you forwarding from each network to the different DNS servers? Also what does having multiple DNS servers solve for you? Without being able to specify a port I think you're going to have a very challenging time pulling this off on a single host. – lvrf Jan 28 '21 at 17:05
  • For each network I can specify an IP where it can find the DNS. At the moment this is the IP of the RaspberryPi in the network. I want to be able to block different stuff for different Wifis (think of blocking social networks for a kids wifi while leaving it open for the parents). – Phteven Jan 28 '21 at 17:18
  • Hmmm, I personally have a PH on 2 different devices for redundancy in case one goes down, so I'm just thinking off the top of my head, but, since you can only specify an IP (not port) for DNS, I'm thinking maybe you could use a VM on the machine, install PH in it as well, then you'll get a new IP (via the DHCP on your router) that you can use. Then point one DNS IP to the main machine's PH, and point the second DNS IP to the IP of the VM's PH. – J. Scott Elblein Jan 28 '21 at 18:41
  • This is insane ;) Try using squid instead, it's designed for this use-case: https://www.tecmint.com/configure-squid-server-in-linux/ there's a section in that link about `restricting access by client` – Software Engineer Jan 28 '21 at 18:45
  • Also, the latest PH has a Group Management tab; which may be able to do all you need in one PH; have you looked into that already? – J. Scott Elblein Jan 28 '21 at 18:45
  • @SoftwareEngineer Thank you. I will have a look at that, cannot judge from a first glance :D – Phteven Jan 28 '21 at 18:57
  • @J.ScottElblein In the past 2 hours I have been taking a look at macvlan in docker. This seems to be pretty much the spirit of what you are describing, right? Do you have any experience with macvlan? See Edit 1 for details and links – Phteven Jan 28 '21 at 19:00
  • I have briefly read about macvlan in the past, but never have used it myself, so I can't really say if it's possible or not with any confidence. – J. Scott Elblein Jan 28 '21 at 19:08
  • I don't think squid would work since that's only at the http level. This is the first time I'm hearing of macvlan but it sounds awesome and exactly what you need @Phteven – lvrf Jan 29 '21 at 20:23

1 Answer

First timer here and bad English.

I struggled for two whole weeks with this, but finally managed to run multiple instances of Pi-hole with Docker and macvlan.

My TEST hardware: Orange Pi PC 512MB, 16GB SD card. OS: Armbian 21.02.2 Buster with Linux 5.10.16-sunxi.

I am running the Docker containers on a separate VLAN.

Create the Docker VLAN:

docker network create -d macvlan  \
--subnet=10.0.10.0/24 \
--ip-range=10.0.10.128/25 \
--gateway=10.0.10.1 \
-o macvlan_mode=bridge \
-o parent=eth0.10 macvlan10

The "-o macvlan_mode=bridge \" part is very important if the container needs access to the internet; it gave me gray hair to find this out. It is not necessary if the container doesn't need internet access; LAN-to-LAN works without it. The "--ip-range=10.0.10.128/25 \" part is not necessary.

Next:

Create a folder: /home/pihole/ (or a folder of your choice). Create a file inside the folder (sudo nano docker-compose.yml) and insert the following; it's just my working sample, you can use yours.

version: "3.6"
services:
  pihole:
    container_name: Pi-Hole
    hostname: pihole
    privileged: true
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    environment:
      ServerIP: '10.0.10.11'
      TZ: 'Europe/London'
      WEBPASSWORD: '1234'
      PIHOLE_DNS_: '10.0.0.1'
      WEBTHEME: 'default-dark2'
      SKIPGRAVITYONBOOT: 0
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    networks:
      macvlan10:
        ipv4_address: 10.0.10.11

networks:
  macvlan10:
    external:
      name: macvlan10

Run sudo docker-compose up -d in the folder "pihole". There shouldn't be any errors.

If you get a database WRITE error in the Pi-hole GUI, run sudo chown -R www-data:pihole /home/pihole (on the host, not in the container).

If you need another instance, create a folder /home/piholeGuest or /home/piholeIOT (or a folder with any name) and copy the previous docker-compose.yml file. Change container_name, ServerIP, ipv4_address and the password, and leave the ports as they are, because each instance uses a different IP and container name, so there is no port conflict.
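To make the "copy the compose file, change the name, the address and the password" step repeatable, here is an added example in Python; it is not code from the question or from HboskO's answer. It renders one docker-compose.yml per instance from a template that follows the answer's file, refuses a fixed address that does not fit the macvlan network created above (outside 10.0.10.0/24, the gateway 10.0.10.1, the network or broadcast address, or inside the --ip-range pool 10.0.10.128/25), and reports which (address, port, protocol) bindings would collide. The network values, the upstream 10.0.0.1 and the port list come from the answer; the helper names, the instance name pihole_kids and the password placeholder CHANGE-ME are this example's own.

```python
"""Plan several Pi-hole instances on one Docker macvlan network (added example).

Network values (10.0.10.0/24, gateway 10.0.10.1, --ip-range 10.0.10.128/25,
name macvlan10), the upstream 10.0.0.1 and the ports come from the answer.
"""
import ipaddress
from typing import Dict, List, Tuple

SUBNET = ipaddress.ip_network("10.0.10.0/24")          # --subnet
GATEWAY = ipaddress.ip_address("10.0.10.1")            # --gateway
DYNAMIC_POOL = ipaddress.ip_network("10.0.10.128/25")  # --ip-range
NETWORK_NAME = "macvlan10"
# Ports every Pi-hole instance publishes, as in the answer's compose file.
PORTS = (("53", "tcp"), ("53", "udp"), ("80", "tcp"), ("443", "tcp"))

COMPOSE_TEMPLATE = """version: "3.6"
services:
  {service}:
    container_name: {service}
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    environment:
      ServerIP: '{ip}'
      TZ: 'Europe/London'
      WEBPASSWORD: '{password}'
      PIHOLE_DNS_: '{upstream}'
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    networks:
      {network}:
        ipv4_address: {ip}

networks:
  {network}:
    external:
      name: {network}
"""

def check_static_ip(ip: str) -> List[str]:
    """Reasons `ip` is unsuitable as a fixed macvlan address (empty list = fine)."""
    addr = ipaddress.ip_address(ip)
    problems = []
    if addr not in SUBNET:
        problems.append(f"{ip} is outside {SUBNET}")
    if addr == GATEWAY:
        problems.append(f"{ip} is the gateway")
    if addr in (SUBNET.network_address, SUBNET.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address")
    if addr in DYNAMIC_POOL:
        # Docker allocates from --ip-range for containers without an ipv4_address;
        # keeping fixed addresses outside that pool keeps the two schemes apart.
        problems.append(f"{ip} lies inside the dynamic pool {DYNAMIC_POOL}")
    return problems

def find_conflicts(instances: Dict[str, str]) -> List[str]:
    """Duplicate (address, port, proto) bindings across instances (name -> address)."""
    owner: Dict[Tuple[str, str, str], str] = {}
    conflicts = []
    for name, ip in instances.items():
        for port, proto in PORTS:
            key = (ip, port, proto)
            if key in owner:
                conflicts.append(f"{name} and {owner[key]} both bind {ip}:{port}/{proto}")
            else:
                owner[key] = name
    return conflicts

def render_compose(name: str, ip: str, password: str, upstream: str = "10.0.0.1") -> str:
    """Compose text for one instance; refuses an address that fails the checks."""
    problems = check_static_ip(ip)
    if problems:
        raise ValueError(f"{name}: " + "; ".join(problems))
    return COMPOSE_TEMPLATE.format(service=name, ip=ip, password=password,
                                   upstream=upstream, network=NETWORK_NAME)

def plan(instances: Dict[str, str], password: str) -> Dict[str, str]:
    """Instance name -> compose text, or raise if the layout would collide."""
    conflicts = find_conflicts(instances)
    if conflicts:
        raise ValueError("; ".join(conflicts))
    return {name: render_compose(name, ip, password) for name, ip in instances.items()}

if __name__ == "__main__":
    # The question's layout: both instances on the Pi's own address (constructed names).
    print(find_conflicts({"pihole_workday": "192.168.2.10", "pihole_kids": "192.168.2.10"}))
    # The answer's layout: one macvlan address per instance, the same ports reused.
    for name, text in plan({"pihole": "10.0.10.11", "piholeGuest": "10.0.10.12"}, "CHANGE-ME").items():
        print(f"# {name}/docker-compose.yml\n{text}")
```

Write each rendered text to its own folder (for example /home/piholeGuest/docker-compose.yml) and run docker-compose up -d there, as the answer does. ServerIP and ipv4_address are deliberately rendered from the same value, since those are exactly the two fields that have to move together per instance. When checking that an instance answers, query it from another client on the LAN rather than from the Pi itself: a macvlan container is not reachable from its own host over the parent interface, so a failed lookup from the host does not mean the instance is broken.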

It's like running bare-metal instances with their own IPs :)

As I read, there is some limit to MAC addresses per LAN port, but I am not sure how; I run 4 instances on a Rock64 2GB, works fine and fast.

You will not see the IPs in your router/FW, but firewall rules and other stuff will work fine, you just need to remember the IP. I have pfSense.

Files are preserved if you upgrade the Docker container.

I don't run Pi-hole bare-metal, all in Docker containers.

Works for me just fine, my approach :)

I am not a PRO by any means, just sharing my experience.

Sorry for the confused guide, I am not good at explaining.

Hope some of my info will help you to finish your goal.

HboskO