pi-hole in a podman rootless container with firewalla
Note: this does not run pi-hole directly on the Firewalla box, and it is probably not the simplest way to run an external pi-hole either.
Here is how I installed pi-hole in a rootless container on a Debian host. It follows [this guide](https://help.firewalla.com/hc/en-us/articles/360062551673-How-to-run-an-external-pi-hole-with-Firewalla) pretty closely.
Step 1 - Prepare the pi-hole host
- On a separate VLAN, prepare a host for pi-hole. I use a proxmox VM that runs Debian 12.9. Let the Firewalla's address on this VLAN (the host's gateway, and pi-hole's upstream DNS below) be 192.168.111.1.
- Give this host a static IP address (or a DHCP reservation): the Firewalla will hand its address out to every client as the DNS server.
- Install podman. At the time of writing, Debian 12 ships podman 4.3.1.
- Run the following command to start pi-hole from the official image. Run it from the directory that should hold pi-hole's persistent data, because the two mount paths are relative. Pinning an image tag instead of `latest` is safer: the image's environment variable names have changed between major versions, and a surprise upgrade can leave you with a container that ignores these settings.
podman run -d -v ./etc-pihole:/etc/pihole -v ./etc-dnsmasq.d:/etc/dnsmasq.d \
--name pihole \
-p 53533:53/tcp -p 53533:53/udp -p 127.0.0.1:8080:80/tcp \
-e TZ=America/Chicago \
-e PIHOLE_DNS_=192.168.111.1 \
-e WEBPASSWORD=firewalla \
-e INTERFACE=tap0 \
--rm \
docker.io/pihole/pihole:latest
- Add the following iptables rules on the host (they act on the nat table; the PREROUTING rules rewrite DNS packets arriving from the network, the OUTPUT rule only affects packets generated on the host itself):
sudo iptables -t nat -A OUTPUT -p udp --dport 53533 -j REDIRECT --to-port 53
sudo iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port 53533
sudo iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port 53533
Some notes:
- You may also want to add rules that refuse direct access to port 53533 from the network. Be careful how you write them: REDIRECT rewrites the destination port in nat/PREROUTING before the filter INPUT chain sees the packet, so a plain `--dport 53533 -j DROP` in INPUT would also drop the redirected DNS traffic. Match on the connection's original destination port instead (the conntrack match's `--ctorigdstport 53533`), which only hits clients that addressed port 53533 directly.
- Persist the iptables rules (for example with the iptables-persistent package), or they are gone after the next reboot.
- The web interface password is whatever WEBPASSWORD was set to, 'firewalla' in the command above. It is visible in `podman inspect` output and in your shell history, so pick something else.
- You may also choose to expose the web interface to your network. The command above binds it to 127.0.0.1:8080 only, and I use local SSH port forwarding (`ssh -L`) to reach it.
- A rootless container is tied to your login session: unless lingering is enabled, the user's systemd instance, and the containers running under it, stop when your last session ends, so the container exits when you log out. The proper fix is to run it as a user systemd service and enable lingering (`loginctl enable-linger`). Podman Quadlet needs podman 4.4 or newer, so on Debian 12's 4.3.1 use `podman generate systemd` instead. A shorter-term way is to run it under tmux.
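Step 1 collected into one script, as an added example that is not from the original post or the Firewalla guide. It keeps the post's values (port 53533, upstream 192.168.111.1, tap0, the same two bind mounts) and adds the two things the notes above only mention: blocking direct access to port 53533 without breaking the redirect, and keeping the container alive after logout. Everything else is my assumption: Debian 12 with podman 4.3.1 (so `podman generate systemd` rather than Quadlet) and slirp4netns networking, data under `$HOME/pihole`, the iptables-persistent package for saving rules, the web password supplied via `PIHOLE_WEBPASSWORD` instead of on the command line, and the `PIHOLE_APPLY` switch that guards the part which changes the host.

```shell
#!/usr/bin/env bash
# Added example, not the post's own commands: Step 1 as a single script.
# Assumptions (mine): Debian 12 + podman 4.3.1 with slirp4netns (container
# interface tap0), data under $HOME/pihole, iptables-persistent installed,
# web password in PIHOLE_WEBPASSWORD. Paths and the password must not contain
# whitespace (see apply()). Nothing on the host is touched unless
# PIHOLE_APPLY=1; the render_* functions only print what would be run.
set -eu

DNS_PORT="${DNS_PORT:-53533}"                  # unprivileged host port, as in the post
UPSTREAM_DNS="${UPSTREAM_DNS:-192.168.111.1}"  # Firewalla's address on the pi-hole VLAN
PIHOLE_DIR="${PIHOLE_DIR:-$HOME/pihole}"       # host side of the two bind mounts
PIHOLE_IMAGE="${PIHOLE_IMAGE:-docker.io/pihole/pihole:latest}"

# podman run arguments, one per line, rendered from the variables above so the
# host port in -p and the port in the NAT rules cannot drift apart. Absolute
# mount paths make the command independent of the working directory. --rm is
# left out on purpose: the generated systemd unit adds its own --rm/--replace.
render_podman_args() {
  printf '%s\n' \
    -d --name pihole \
    -v "$PIHOLE_DIR/etc-pihole:/etc/pihole" \
    -v "$PIHOLE_DIR/etc-dnsmasq.d:/etc/dnsmasq.d" \
    -p "$DNS_PORT:53/tcp" -p "$DNS_PORT:53/udp" -p 127.0.0.1:8080:80/tcp \
    -e TZ=America/Chicago \
    -e "PIHOLE_DNS_=$UPSTREAM_DNS" \
    -e "WEBPASSWORD=${PIHOLE_WEBPASSWORD:?set PIHOLE_WEBPASSWORD first}" \
    -e INTERFACE=tap0 \
    "$PIHOLE_IMAGE"
}

# The PREROUTING redirects from the post, plus rules that refuse direct access
# to the unprivileged port. These match on the connection's ORIGINAL destination
# port: REDIRECT rewrites dport 53 -> 53533 in nat/PREROUTING before filter/INPUT
# sees the packet, so a plain "--dport 53533 -j DROP" would also drop the
# redirected DNS traffic. An original dport of 53533 means the client addressed
# the port directly, which is what we want to refuse.
render_iptables_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port $DNS_PORT
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port $DNS_PORT
iptables -A INPUT ! -i lo -p udp -m conntrack --ctorigdstport $DNS_PORT -j DROP
iptables -A INPUT ! -i lo -p tcp -m conntrack --ctorigdstport $DNS_PORT -j DROP
EOF
}

# Survive logout: podman 4.3.1 predates Quadlet, so generate a user unit from
# the running container and let the user's systemd instance linger.
install_user_service() {
  mkdir -p "$HOME/.config/systemd/user"
  ( cd "$HOME/.config/systemd/user" &&
    podman generate systemd --new --name pihole --files )  # writes container-pihole.service
  systemctl --user daemon-reload
  systemctl --user enable --now container-pihole.service
  loginctl enable-linger "$USER"
}

apply() {
  mkdir -p "$PIHOLE_DIR/etc-pihole" "$PIHOLE_DIR/etc-dnsmasq.d"
  # shellcheck disable=SC2046  # deliberate word splitting: one argument per line
  set -- $(render_podman_args)
  podman run "$@"
  render_iptables_rules | sudo sh -e
  sudo sh -c 'iptables-save > /etc/iptables/rules.v4'   # iptables-persistent's rules file
  install_user_service
}

if [ "${PIHOLE_APPLY:-0}" = 1 ]; then apply; fi
```

Run it once without `PIHOLE_APPLY` and read the output of `render_podman_args` and `render_iptables_rules`; then `PIHOLE_WEBPASSWORD=... PIHOLE_APPLY=1 ./pihole-setup.sh` to apply. Afterwards, `dig @<pi-hole host IP> example.com` from a client on the LAN should be answered (through the redirect), while `dig @<pi-hole host IP> -p 53533 example.com` should time out, and `dig @127.0.0.1 -p 53533 example.com` on the host itself still works because the DROP rules skip the loopback interface.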
Step 2 - Tell firewalla to use pi-hole
- In the Firewalla app, open the LAN/VLAN that should use pi-hole and, in its DHCP settings, set the DNS server to the pi-hole host's IP address (the host's address, not anything inside the container: port 53 on the host is what the redirect rules forward).
- If you are using Firewalla's own DNS features such as Unbound, you may need to exclude the devices that should use pi-hole, or Firewalla keeps answering their queries itself.
Some interesting additional notes
- The official pi-hole Docker image expects the listening interface to be called `eth0` by default. Under rootless podman with slirp4netns the interface inside the container is `tap0`, so the environment variable `INTERFACE=tap0` is needed to tell pi-hole the correct name, or it won't start.
- As you see, pi-hole is running completely rootless. A side effect is that it cannot bind port 53 on the host: unprivileged processes may only bind ports from `net.ipv4.ip_unprivileged_port_start` (1024 by default) upwards. Hence the container publishes 53533 and the three iptables rules redirect port 53 to it. The alternative is to lower that sysctl to 53 on the host and publish port 53 directly.
- As the Firewalla guide mentions, only one client is visible in pi-hole, because Firewalla forwards all DNS requests through the pi-hole host's gateway. In this setup there is a second reason: rootless podman forwards published ports through a user-space proxy, so when the packets are handed into the container the source IP address is lost again and replaced with the container's IP address. The per-client statistics in the web interface are therefore not meaningful here.
Have fun.