Products Firewalla Gold SE Firewalla Gold Pro Firewalla Gold Plus Firewalla Purple Firewalla Purple SE Firewalla Wi-Fi SD Product Comparison Product Reviews

Pi-hole Administration from the Internet

Follow
Avatar
Chris Hewitt
  • Edited

We have quite a few Firewalla boxes running Pi-hole in docker containers.  The challenge has been how to access all the PiHole instances without having to be directly attached to the local Firewalla or local network or VPN in.  We get “Not Responding” when we try to access any Pi-hole that is not in a Docker Container on the local network.

We asked the kind support team here at Firewalla (sorry folks), StackOverflow, and even the Pi-hole Discourse page (they were a gumpy lot) and unfortunately no one had a recommendation or answer for us.

Well after lots of trial and error here is how you can access your Pi-hole admin page and access your all your Pi-hHoles at the same time from RocketScience’s Pi-hole app (https://apps.apple.com/in/app/pi-hole-remote/id1515445551).

Pi-hole Remote Administration Solution Network Diagram

 

Firewalla Configuration Changes

Port forward WAN interface traffic to the Firewalla (most likely 192.168.1.1 or something similar but with the third octet different or a class A IP address).  In this example we are using port 4444 on the Internet and NATting it to port 81 on the Firewalla.  We also only allowed traffic from the United States region during testing.  Now we only allow access from specific IP addresses and address ranges.

Configure Port Forwarding on Docker Compose

Edit the docker-compose.yaml file in /home/pi/.firewalla/run/docker/pi-hole. You will need to add the lines:

ports:
  - "81:80/tcp" # Port forward from host port 81 to container port 80

Be careful! Indentation is critical and “ports” must be nested under the “pihole” service definition. Who knew?! We don’t have a lot of Docker experience.

This is our docker-compose.yaml file (which also includes the use of unbound).

version: "3"

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    networks:
      default:
        ipv4_address: 172.16.0.2
    environment:
      TZ: 'America/New_York'
      DNS1: '172.16.0.4'
      DNS2: 'no'
      WEBPASSWORD: 'firewalla'
    volumes:
      - '/data/pi-hole/etc-pihole:/etc/pihole'
      - './etc-dnsmasq:/etc/dnsmasq.d'
      - '/etc/localtime:/etc/localtime:ro'
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    links:
      - unbound
    ports:
      - "81:80/tcp" # Port forward from host port 81 to container port 80

  unbound:
    image: klutchell/unbound
    networks:
      default:
        ipv4_address: 172.16.0.4
    ports:
      - 5335:5335/tcp
      - 5335:5335/udp
    restart: unless-stopped

networks:
  default:
    driver: bridge
    ipam:
      config:
      - subnet: 172.16.0.0/24

Restart Docker (and Pi-hole) and Clean Up Docker Environment

Restart the Pi-hole Docker image. We have a script that runs these commands:

cd /home/pi/.firewalla/run/docker/pi-hole
sudo docker-compose pull
sudo docker-compose down
sudo docker-compose up --detach
sudo systemctl start docker-compose@pi-hole
sudo yes y | sudo docker system prune -a

Pi-hole Browser Access

Now you should be able to access your (Pi-hole) admin page from anywhere. You should be able to use your Firewalla WAN IP address or the Firewalla DDNS URL (if you have set it up).

 

You have to specify the admin page or you will get a 403 Forbidden.

 

App Configuration

Setting up the RocketScience iPhone Pi-hole app.

  • Start the app and select settings in the lower right.
  • Either Add Pi-hole or edit an existing one.
  • Make the name the WAN IP address of your Firewalla or enter the DDNS URL for the box.
  • Change the Port to the external port that you forwarded to port 81 above (4444 in our example).
  • Add your API Token (out of scope of this post).
  • Save your changes by clicking Save in the upper right.
  • Click Home in the lower left.

 

Accessible From Anywhere

Now your remove Pi-hole should have a green check next to its name and you can access it from anywhere – not just the network protected by the Firewalla.

For some reason, we haven’t been able to figure out yet, the configuration test fails (bottom of the app Edit Instance screen) even though the Pi-hole can (obviously) accessed.  We will leave that to someone else to sweat over (suspect it’s trying another, unforwarded / unNATted port).

2

Comments

5 comments

Sort by Date Votes
  • Avatar
    Michael Bierman

    Interesting, but why would you want remote access without using VPN? Seems a bit scary to me. 

    2
    Comment actions Permalink
  • Avatar
    Chris Hewitt
    • Edited

    Because I have MANY Pi-holes to manage and I want to be able to check on them all from one app and at the same time.

    Not risky at all. I only forward traffic from my phone and laptop and only when at home or the office. When I am away from home I always VPN to my home Gold so my IP address is always known.

    With so many rules when I have an issue I want to replicate it to all my instances. 

    0
    Comment actions Permalink
  • Avatar
    Lammiwinks

    This is cool but I would use a Cloudflare tunnel over bashing open a port direct to the internet (even if it is locked down to only known IP's). 

    2
    Comment actions Permalink
  • Avatar
    Chris Hewitt

    That doesn’t solve the issue to be able to centrally manage scores of PiHole systems.

    0
    Comment actions Permalink
  • Avatar
    Braedach
    • Edited

    Great post.

    Interesting how many docker containers are you running on each FWG?
    I bumped my FWG to 8GB Ram - best thing I have done.
    Did you set a single docker bridge or are they generated on the fly - looks to be the later?

    docker network create -d bridge --subnet=192.168.3.0/24 --gateway=192.168.3.1 -o parent=eth0 firewalla-gold

    Example docker-compose file

     

    -------------------------------------------------------------------------------------------------------------

    version: "3.8"

    # change the default container as its broken
    # found this container as its commits ahead of the main brancch
    # bookmarked the container in github

    services:
      nginx-proxy-manager:
        container_name: nginx
        image: zoeyvid/nginx-proxy-manager
        restart: always
        volumes:
          - ./data:/data
          - ./data/letsencrypt:/etc/letsencrypt
          - ./data/www:/var/www 
        environment:
          - "TZ=Australia/Perth"
        #connect this container to the firewalla-gold docker network and set an permanent ip address
        networks:
          firewalla-gold:
            ipv4_address: 192.168.3.6

    networks:
        firewalla-gold:
           external: true

    -------------------------------------------------------------------------------------------------------------

     

    As you can see, I have dropped the data in the local FWG docker run directory.

     

    Are you using the persistence code after restart - shell commands in:

    ~/.firewalla/config/dnsmasq_local/[containername]
    /home/pi/.firewalla/config/post_main.d/
     
    Have you created a separate shell script if running multiple containers in addition to container scripts?
     
    For example
     
    -------------------------------------------------------------------------------------------------------------
    #!/bin/bash

    # Start-docker-net.sh
    # Reinitialise the docker system
    # This code needs to be placed in the following location ~/home/pi/.firewalla/config/post_main.d/

    sudo systemctl start docker

    # Do I need to rebuild the bridge network - this needs testing - code errors out if it already exists - acceptable
    sudo docker network create -d bridge --subnet=192.168.3.0/24 --gateway=192.168.3.1 -o parent=eth0 firewalla-gold

    # Reset the ipset routes for the containers
    sudo ipset create -! docker_lan_routable_net_set hash:net
    sudo ipset add -! docker_lan_routable_net_set 192.168.3.0/24
    sudo ipset create -! docker_wan_routable_net_set hash:net
    sudo ipset add -! docker_wan_routable_net_set 192.168.3.0/24

    # Add routing rule for docker network

    sudo ip route add 192.168.3.0/24 dev br-$(sudo docker network ls | awk '$2 == "firewalla-gold" {print $1}') table lan_routable
    sudo ip route add 192.168.3.0/24 dev br-$(sudo docker network ls | awk '$2 == "firewalla-gold" {print $1}') table wan_routable


    # The remaining code needs to be configured in each containers script
    # They are to include the mapping the IP address of the container in dnsmaq and restarting the service
     
    -------------------------------------------------------------------------------------------------------------
     
    Had any issues on FWG restart??
    Maybe I better reboot my FWG and check to see what breaks myself.
     
    Thanks for replying by the way.
     



    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post