Before everything, please note:
- Pi-hole has dropped support for Ubuntu 18.04. If your Firewalla is still on Ubuntu 18.04, follow our reflash guides: Gold New Image and Purple New Image.
- This is a tech doc only for Pros.
- This is for Firewalla in Router mode.
- Incorrect settings of port forwarding will result in ports being opened on your WAN interface
- Pi-hole won't work with the following features of Firewalla on the same device. Firewalla's features always have a higher priority. These features are: Family Protect, Adblock, and DNS over HTTPS.
- You should not enable conditional forwarding in most cases or it might create a DNS loop.
1. Create Configuration Files
You have to choose
- a network as your docker network, we use 172.16.0.0/24 in this tutorial
- a static IP for your pi-hole instance, we use 172.16.0.2 in this tutorial
- a password for your pi-hole management console, we use firewalla in this tutorial
Use the values above unless you know exactly what you are doing and have a reason to change them.
Create the following folder/files
/home/pi/.firewalla/run/docker/pi-hole/docker-compose.yaml
version: "3"
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:v5.1.2
    environment:
      # set a secure password here or the default will be firewalla
      WEBPASSWORD: 'firewalla'
    # Volumes store your data between container upgrades
    volumes:
      - '/data/pi-hole/etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
      - '/etc/localtime:/etc/localtime:ro'
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    networks:
      default:
        # static IP address for pi-hole
        ipv4_address: 172.16.0.2
networks:
  default:
    driver: bridge
    ipam:
      config:
        # your chosen docker network here
        - subnet: 172.16.0.0/24
2. Start and Test Pi-hole
Run the following commands to install and start Pi-hole:
cd /home/pi/.firewalla/run/docker/pi-hole
sudo systemctl start docker
sudo docker-compose pull
sudo docker-compose up --no-start
sudo ip route add 172.16.0.0/24 dev br-$(sudo docker network inspect pi-hole_default | jq -r '.[0].Id[0:12]') table lan_routable
sudo ip route add 172.16.0.0/24 dev br-$(sudo docker network inspect pi-hole_default | jq -r '.[0].Id[0:12]') table wan_routable
sudo docker-compose up --detach
If you are using Gold SE, run one more command to add SNAT for the docker network.
sudo iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE
If everything is good, Pi-hole will be running and you can access its management portal by visiting http://172.16.0.2 in your browser.
If you used the docker-compose.yaml above, your Pi-hole web password is "firewalla".
3. Set Pi-hole as DNS for your network.
Now proceed to the network settings in the Firewalla App and assign 172.16.0.2 as the primary DNS server on the networks where you want to enable Pi-hole.
- Tap on Network Button
- Tap on the Top right edit button
- Tap on the LAN segment you want to change DNS to pi-hole
- Scroll down and change the primary DNS to 172.16.0.2
- Save and you should be able to see DNS requests coming up in the management console.
4. Persisting The Configuration
You must be on firewalla 1.971 or later for this
Create the folder /home/pi/.firewalla/config/post_main.d and the following file:
/home/pi/.firewalla/config/post_main.d/start_pi_hole.sh
#!/bin/bash
sudo systemctl start docker
sudo ipset create -! docker_lan_routable_net_set hash:net
sudo ipset add -! docker_lan_routable_net_set 172.16.0.0/24
sudo ipset create -! docker_wan_routable_net_set hash:net
sudo ipset add -! docker_wan_routable_net_set 172.16.0.0/24
sudo systemctl start docker-compose@pi-hole
And you are ready to go.
BONUS: Use DoH on Pi-hole
Change your docker-compose file as follows:
version: "3"
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  cloudflared:
    container_name: cloudflared
    # Restart on crashes and on reboots
    restart: unless-stopped
    image: cloudflare/cloudflared:2020.12.0
    command: proxy-dns
    environment:
      - "TUNNEL_DNS_UPSTREAM=https://1.1.1.1/dns-query,https://1.0.0.1/dns-query,https://9.9.9.9/dns-query,https://149.112.112.9/dns-query"
      # Listen on an unprivileged port
      - "TUNNEL_DNS_PORT=5053"
      # Listen on all interfaces
      - "TUNNEL_DNS_ADDRESS=0.0.0.0"
    # Attach cloudflared only to the private network
    networks:
      default:
        ipv4_address: 172.16.0.3
  pihole:
    container_name: pihole
    image: pihole/pihole:v5.1.2
    environment:
      # set a secure password here or the default will be firewalla
      WEBPASSWORD: 'firewalla'
      DNS1: '172.16.0.3#5053'
      DNS2: 'no'
    # Volumes store your data between container upgrades
    volumes:
      - '/data/pi-hole/etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
      - '/etc/localtime:/etc/localtime:ro'
    restart: unless-stopped
    networks:
      default:
        # static IP address for pi-hole
        ipv4_address: 172.16.0.2
networks:
  default:
    driver: bridge
    ipam:
      config:
        # your chosen docker network here
        - subnet: 172.16.0.0/24
Restart the docker-compose service and you are done:
sudo systemctl restart docker-compose@pi-hole
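A preflight check for the compose layouts above (the base file and the DoH variant), added here as an example and not part of the Firewalla article or Pi-hole's code: it confirms that static addresses sit inside the chosen subnet, that Pi-hole's DNS1 upstream does not point back at Pi-hole or at the bridge gateway (a loop once DNS Booster forwards to Pi-hole), that no ports: are published, and that the Gold SE SNAT source matches the docker subnet. The compose text is a constructed excerpt, and "gateway is the first usable address" assumes Docker's default bridge behaviour.

```python
"""Preflight consistency check for the Pi-hole compose layout in the tutorial.
Added example, not Firewalla's or Pi-hole's own code; only the keys the tutorial
relies on are read (by regex, so PyYAML is not needed)."""
import ipaddress
import re

# Constructed excerpt of the DoH variant above.
SAMPLE_COMPOSE = """
services:
  pihole:
    environment:
      DNS1: '172.16.0.3#5053'
    networks:
      default:
        ipv4_address: 172.16.0.2
networks:
  default:
    ipam:
      config:
        - subnet: 172.16.0.0/24
"""

def check_compose(text, snat_source=None):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    subnets = re.findall(r"subnet:\s*([\d./]+)", text)
    if len(subnets) != 1:
        return [f"expected exactly one subnet, found {len(subnets)}"]
    net = ipaddress.ip_network(subnets[0], strict=False)
    # Assumption: Docker gives the bridge (Firewalla's side, 172.16.0.1 in the
    # tutorial) the first usable address of the subnet.
    gateway = net.network_address + 1
    addrs = re.findall(r"ipv4_address:\s*([\d.]+)", text)
    for a in addrs:  # static container addresses must sit inside the subnet
        if ipaddress.ip_address(a) not in net:
            findings.append(f"{a} is outside docker subnet {net}")
    # Pi-hole forwarding to itself, or to the bridge gateway that DNS Booster
    # points back at Pi-hole, would create a DNS loop.
    for up in re.findall(r"DNS1:\s*'?([\d.]+)", text):
        if up in addrs or ipaddress.ip_address(up) == gateway:
            findings.append(f"upstream DNS1 {up} points back into the Pi-hole path (loop)")
    # Published ports bypass the bridge-route approach and can expose 53/80 on WAN.
    if re.search(r"^\s*ports:", text, re.M):
        findings.append("ports: is set; the bridge route already makes Pi-hole reachable")
    # The Gold SE MASQUERADE rule must cover the docker subnet exactly, not a wider range.
    if snat_source is not None and ipaddress.ip_network(snat_source, strict=False) != net:
        findings.append(f"SNAT source {snat_source} does not match docker subnet {net}")
    return findings
```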
Notes:
1. If DNS Booster is enabled, DNS requests from clients are first redirected to the local DNS cache on Firewalla, which in turn uses Pi-hole in Docker as its upstream DNS server. Pi-hole will therefore show all DNS requests as coming from Firewalla's IP on the docker network, 172.16.0.1. We strongly recommend keeping DNS Booster enabled.
2. In case docker service doesn't start, please follow this guide to reset your docker service. https://help.firewalla.com/hc/en-us/articles/360060535553
3. For those who have a local search domain, you might also want to check: Difference between Search Domain and Local Domain
Known Issue
Note: This was fixed in our 1.976 release, so this step is no longer necessary.
On Ubuntu 22.04 and later, Docker may load the br_netfilter kernel module when it starts, and that module conflicts with Smart Queue on Ubuntu 22.04. Docker containers managed by Firewalla handle this automatically, but if you create your own Docker instance you may need to run:
sudo rmmod br_netfilter
after starting the docker service, or Firewalla's routing function may break.
References
https://github.com/pi-hole/docker-pi-hole/
https://docs.docker.com/compose/
https://mroach.com/2020/08/pi-hole-and-cloudflared-with-docker/
Comments
Here is the script I use.
$ cat update_pihole.sh
#!/bin/bash
cd /home/pi/.firewalla/run/docker/pi-hole
sudo docker-compose pull
sudo docker-compose down
sudo docker-compose up --detach
sudo systemctl start docker-compose@pi-hole
@chris, I also run this at the end:
to remove unused old Docker containers
Looking at pihole-FTL.conf, i do not see these lines below. Are we to manually add them in?
DBINTERVAL=60
MAXDBDAYS=30
Does anyone have trouble with failing IPv6 tests at sites like internet.nl and https://test-ipv6.com/
Yes, same here @kyee99
Having done a bit of research, it appears this is linked to how Docker handles IPv6.
Does anyone know how to tackle that?
@firewalla , any support for this pls?
Hi all,
if you want to update your Pi-Hole (pihole) on Firewalla, I've written a short update procedure, which I'd like to share:
(assuming your FW is on IP 192.168.218.1)
connect to Firewalla via SSH (use Terminal on Mac / Command prompt on Win):
-----------------------------------------
ssh pi@192.168.218.1 (Password from Firewalla App - SSH Console)
-----------------------------------------
copy-paste these commands in terminal and press enter:
-----------------------------------------
cd /home/pi/.firewalla/run/docker/pi-hole/
sudo docker-compose pull
sudo docker-compose down
sudo docker-compose up --detach
sudo systemctl start docker-compose@pi-hole
-----------------------------------------
take care.
Firewalla, with all of this effort trying to hack it together, can't we just get a built in DNS server?
@Donny - Firewalla has plenty of built-in DNS services available. See these articles for more info.
https://help.firewalla.com/hc/en-us/articles/4570608120979-Firewalla-DNS-Services-Introduction
https://help.firewalla.com/hc/en-us/articles/360007210473-Where-Firewalla-Can-Block-
Installing Pi-hole on Firewalla is for advanced users who would prefer to use Pi-hole instead of Firewalla's built in services for DNS based ad blocking. You may be fine simply using the built in services provided by Firewalla. It's just nice that Firewalla does allow expansion like this to add enhanced functionality where needed.
@Donny Pi Hole is much more than a DNS server. It’s a means of blocking access to malicious and unwanted sites.
Creating, maintaining, and running a DNS server is nontrivial. It takes storage and CPU. if you really want to manage your own DNS function you can always use the /etc/hosts file.
Maybe I am missing something. Why do you want Firewalla to add DNS to the Gold?
@Chris
I have a small data center at home (5 servers, 20 services, 8 pieces of network gear, 10 cameras, etc.). I used to run a Fortigate (it EOL'ed). Everyone has gotten used to referring to resources by name. The FW/GW is a convenient location to host DNS services as everything is already pointed there anyway.
DNS is such a basic service that I assumed any gateway of this level would support it. I would love to open the Firewalla app, go to DNS, go to create zone, name it home.local, add some internal records, and then attach it to an interface.
Maybe after that, I create some empty zones for known Internet junk so that my users simply receive a not found response.
Hosts files are extremely antiquated. We access services by friendly names like files, camera1, VCS, etc.
If using pi-hole on firewalla, only way to get hostname to IP mappings shown on pi-hole is to instead run pi-hole on external server? can't we just edit /etc/hosts file manually?
Not using DNS booster.
This article was updated six days ago recommending to upgrade to the current Ubuntu 22 image. The reason that Pi-hole was dropped in 18, which is why I’m not sure how 22 would help, but support advised to do that and I needed to reinstall Pi-hole so I did it. The installation went smoothly but there is no Pi-hole in this image that works and there are multiple reports on that. I would expect Support to be more “supportive” because this is something that needs to work and was done at their proposal and this article’s suggestion. If anyone else is having those issues, I suggest reporting them and advise against installing the image. I can’t use any online guides that require upgrading packages, which is not allowed in Firewalla from my understanding, and there is no up-to-date guide on what to do with the current image that does not support this functionality. You get the IP but not that you are or the functionality. I really hope someone can help. Thanks in advance.
Can you be a bit more specific on the error you are getting?
Are you getting “dnsmasq: cannot access /etc/dnsmasq.d/lxd: No such file or directory”
If so remove the symlink for dnsmasq:
sudo rm /etc/dnsmasq.d/lxd
Remember that running Pi-Hole is something extra you do on your own at at your own risk. I’m not sure support should handle Pi-Hole issues. The post above covers this:
What do you mean by “ but there is no pie hole in this image that works”. Pi-Hole is not part of the Firewalla build. You have to install it yourself.
I am running Ubuntu 22.04 with no Pi-Hole issues
Did anyone already try with the 'development-v6' version?
When I try, the usual 'automatic' assignment of ports to the Pi-Hole docker doesn't happen.
However, when I try to declare the ports for Pi-Hole, I get a conflict on #53 as 0.0.0.0 is already using this, I presume this is Firewalla itself (I'm on a Purple btw)...
I don't get how the ports 'magically' appear for the current ('v5') Pi-Hole version...
And btw, for now v6 is only in development, however it will become the main version...