Container/Docker -Adguard/Pihole For REAL.

My bad Amm0 … not binary, but refer to http://forum.mikrotik.com/t/v7-8rc-is-released/164314/118

I was searching for blocky with MikroTik, and came across this topic…

I wanted to use blocky over PiHole due to blocky’s native DoH support, whereas PiHole needs an additional binary (CloudFlared) for DoH (and probably not possible on the MT?)…

Regardless - it seems like running either blocky or PiHole (or any container for that matter?) on the MikroTik is probably more hassle than it’s worth? – Increased complexities with decreased performance, compared to a dedicated server or RPi - is this a fair assumption to make?

Don't necessarily agree. If the load is not significant to the router and doesn't slow other traffic down, why not?
Why should DNS be any slower one way or the other?

Depends on device, I have Pi-Hole and Unbound in different containers (Pi-Hole uses Unbound recursive as upstream DNS), 40 Firewall rules, 124 mangle rules, 39 queue tree rules, working every day from home, at evening mostly streaming torrents, etc…:
average_cpu.png

I’m trying to do this on my CCR2116, the Pi-Hole works fine, but the Unbound doesn’t, it doesn’t resolve domain names and I don’t know why.


santi@santi-NUC:~$ dig google.com @192.168.4.3 -p 5353

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> google.com @192.168.4.3 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 54933
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 0 msec
;; SERVER: 192.168.4.3#5353(192.168.4.3) (UDP)
;; WHEN: Wed Jul 05 13:59:10 CEST 2023
;; MSG SIZE rcvd: 12

192.168.4.3 is the veth IP of the Unbound container, logically.
It doesn’t matter if you configure port 5353 or 53 on Unbound, the result is the same.

Can you tell me exactly how you have it configured?
I know you’ve shared your setup, but it’s hard for someone like me to parse it.
In such a setup I also can’t see what containers they are using for what.

For example, for my CCR2116, for Pi-Hole I am using:

remote-image=pihole/pihole:latest



This is an error from unbound; you will need to configure it to work as a recursive resolver. Maybe just the do-not-query-localhost setting is causing the problem (https://serverfault.com/questions/699094/unbound-nsd-returning-servfail-resolving-local-lan-dns-nsd-alone-works-fine) in your configuration; it needs to be set to the value no.
But there is also other stuff that needs to be configured, depending on your needs and device resources. I’m using the mvance/unbound-rpi:latest docker image in my ROS container with a modified unbound.conf:

server:
    cache-max-ttl: 86400
    cache-min-ttl: 0
    directory: "/opt/unbound/etc/unbound"
    edns-buffer-size: 1232
    interface: 0.0.0.0@53
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    prefer-ip6: no
    rrset-roundrobin: yes
    username: "_unbound"
    log-local-actions: no
    log-queries: no
    log-replies: no
    log-servfail: no
    logfile: /opt/unbound/etc/dev/null
    verbosity: 0
    aggressive-nsec: yes
    delay-close: 10000
    do-daemonize: no
    do-not-query-localhost: no
    neg-cache-size: 4M
    qname-minimisation: yes
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    auto-trust-anchor-file: "var/root.key"
    root-hints: "/dns/root.hints"
    chroot: "/opt/unbound/etc"
    deny-any: yes
    harden-algo-downgrade: yes
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-large-queries: yes
    harden-referral-path: no
    harden-short-bufsize: yes
    hide-http-user-agent: no
    hide-identity: yes
    hide-version: yes
    http-user-agent: "DNS"
    identity: "DNS"
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    ratelimit: 1000
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    unwanted-reply-threshold: 10000
    use-caps-for-id: no
    val-clean-additional: yes
    infra-cache-slabs: 2
    incoming-num-tcp: 10
    key-cache-slabs: 2
    msg-cache-size: 32m
    msg-cache-slabs: 2
    num-queries-per-thread: 4096
    num-threads: 3
    outgoing-range: 8192
    rrset-cache-size: 64m
    rrset-cache-slabs: 2
    minimal-responses: yes
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    so-reuseport: yes
    include: /opt/unbound/etc/unbound/a-records.conf
    include: /opt/unbound/etc/unbound/srv-records.conf
remote-control:
    control-enable: no

You have more resources in CCR2116 so you can optimize configuration for your device, like increase threads count, cache memory sizes, etc… See unbound configuration documentation https://nlnetlabs.nl/documentation/unbound/unbound.conf/
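The REFUSED status in the dig output above is what unbound returns when the client's source address falls under a refuse access-control rule, and unbound's built-in default refuses everything except localhost. The following script is an added example for this thread (not code from unbound, from the mvance image, or from the poster): it models unbound's documented access-control semantics (longest matching prefix wins) over a constructed excerpt of the config above, reports whether a query from a given LAN or veth address would be answered, and also tells whether the config forwards upstream or recurses from the root hints. The function names, SAMPLE_CONF and the test addresses are all assumptions made for the demo.

```python
"""Which unbound access-control rule applies to a given client?

Added example for this thread, not code from unbound or from the mvance
image. It models unbound's documented access-control semantics (the most
specific matching prefix wins; anything not listed falls under the built-in
default, which refuses every source except localhost) and tells you whether
a query from a veth or LAN address would be answered or get REFUSED, which
is the status the dig output in the thread showed.
"""
import ipaddress
import re

# Constructed excerpt of the unbound.conf shared in the thread (only the
# lines this check needs).
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0@53
    do-not-query-localhost: no
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    include: /opt/unbound/etc/unbound/a-records.conf
remote-control:
    control-enable: no
"""

# unbound's built-in defaults from unbound.conf(5): everything is refused
# except loopback, so a config with no access-control lines refuses LAN clients.
DEFAULT_RULES = [
    (ipaddress.ip_network("0.0.0.0/0"), "refuse"),
    (ipaddress.ip_network("::/0"), "refuse"),
    (ipaddress.ip_network("127.0.0.0/8"), "allow"),
    (ipaddress.ip_network("::1/128"), "allow"),
]

_AC_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)")


def parse_access_control(conf_text):
    """Return the built-in defaults plus every access-control line in the config."""
    rules = list(DEFAULT_RULES)
    for line in conf_text.splitlines():
        m = _AC_RE.match(line)
        if m:
            rules.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return rules


def action_for(client_ip, rules):
    """Longest-prefix match, as unbound does: the most specific rule decides."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


def resolver_mode(conf_text):
    """'forwarding' if a forward-zone stanza or the image's forward-records.conf
    include is present, otherwise 'recursive' (iterates from the root hints)."""
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("forward-zone:") or (s.startswith("include:") and "forward-records" in s):
            return "forwarding"
    return "recursive"


if __name__ == "__main__":
    rules = parse_access_control(SAMPLE_CONF)
    for client in ("192.168.4.100", "10.5.0.7", "8.8.8.8"):
        print(client, "->", action_for(client, rules))
    print("with defaults only, 192.168.4.100 ->", action_for("192.168.4.100", DEFAULT_RULES))
    print("mode:", resolver_mode(SAMPLE_CONF))
```

Run it against your own unbound.conf by replacing SAMPLE_CONF with the file's contents; if action_for() returns "refuse" for the address dig is sent from, that alone explains the REFUSED answer, and resolver_mode() shows whether the image's default forwarding include is still active.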

This Unbound (remote-image=mvance/unbound-rpi:latest) works perfectly for me, I have used all the lines of the configuration that you shared, which refer to Unbound, logically adapting them to the configuration of my CCR2116.

But I haven’t even used the “unbound.conf” customization. It works for me directly once the container is created.

The Unbound container is for ARM architecture, but it works perfectly on the ARM64 of the CCR2116.

Could you tell me which container is the Linux you have installed?

And the Shadowsocks?

And if they would work on 64bit architecture.

Thank you very much for your help !!!



The default configuration from that image doesn’t set up Unbound as a recursive resolver. It uses Cloudflare as upstream DNS; see /opt/unbound/etc/unbound/forward-records.conf from the container shell. You can use Cloudflare DNS directly in Pi-hole if you want to use it as upstream and not a local recursive resolver. I removed the line which includes that configuration in unbound.conf, among other modifications.


linuxserver/openssh-server:latest


teddysun/go-shadowsocks2:latest


Yes, both have arm64 builds; you can see that in the Tags tab on the Docker page for the image, e.g. https://hub.docker.com/r/linuxserver/openssh-server/tags

As you know, I was interested in several things that I saw in your configuration. Linux works perfectly for me, but I can’t do anything that I know how to do with it. I suppose that you have it to facilitate other functionalities; it doesn’t seem that you have anything configured on a whim, or I don’t get to know it. For example, I can’t install any package, or at least I haven’t figured out how to do it.

I also tried to find out what Shadowsocks is, but I still didn’t have time to learn anything about it, only enough to understand that I was interested. What did happen to me is that I tried to install the container and it didn’t start; it stopped immediately. I guess I did something wrong, so I share the lines I added.


/interface/veth/add name=veth4 address=192.168.4.5/24 gateway=192.168.4.1 comment=Shadowsocks
/interface/bridge/port add bridge=dockers interface=veth4 comment=Shadowsocks


/container/envs/add name=shadowsocks_envs key=TZ value="Europe/Madrid"
/container/envs/add name=shadowsocks_envs key=DNS_ADDRS value=192.168.4.2 <---- This is the Pi-Hole veth address
/container/envs/add name=shadowsocks_envs key=PASSWORD value="xxxxxxx" <---- obviously my password doesn't appear
/container/envs/add name=shadowsocks_envs key=SERVER_PORT value=443
/container/envs/add name=shadowsocks_envs key=METHOD value=AEAD_AES_128_GCM
/container/envs/add name=shadowsocks_envs key=ARGS value="-plugin v2ray-plugin -plugin-opts server;tls;host=xxx;logLevel=none" <---- and I don't know if "host=xxx" is the problem


/container/mounts/add name=shadowsocks_acme src=nvme1-part1/disk1/shadowsocks/root/acme.sh dst=/root/.acme.sh
/container/mounts/add name=shadowsocks_tmp src=nvme1-part1/disk1/shadowsocks/root/tmp dst=/root/tmp


/container/add remote-image=teddysun/go-shadowsocks2:latest interface=veth4 root-dir=nvme1-part1/disk1/shadowsocks envlist=shadowsocks_envs mounts=shadowsocks_acme,shadowsocks_tmp comment="[SS] Shadowsocks" workdir=/root dns=192.168.4.2



The image is based on the Alpine Linux distribution, which uses the apk package manager https://wiki.alpinelinux.org/wiki/Alpine_Package_Keeper. You can install other software packages using that tool.


These environment variables are described at https://hub.docker.com/r/teddysun/go-shadowsocks2. PASSWORD is masked because I don’t want to share it; it must be set the same on the server and client side (METHOD also must be the same on both sides, since it defines the protocol cipher algorithm).
Arguments for v2ray-plugin (in ARGS) and tls certificate creation/renewal with the acme.sh script are described at https://github.com/teddysun/v2ray-plugin#usage, and some undocumented arguments can be found in the source code https://github.com/teddysun/v2ray-plugin/blob/master/main.go (the var ( ... flag.* ) part of the source). Also, these plugin options must be aligned in your client configuration (tls;host;path).
The masked host argument must be set to your public host.domain if you have one, or you can create one on some dyndns service, and a tls certificate must be created for it. The created certificate with full chain (all certificates in the chain must be in a single PEM file named fullchain.cer) and key (PEM file named <your_public_host_domain>.key) must be placed into /root/.acme.sh/<your_public_host_domain>; more info about acme.sh at https://github.com/acmesh-official/acme.sh. E.g., if you have a host with name myhost.net it will be:

/root/.acme.sh/myhost.net/fullchain.cer
/root/.acme.sh/myhost.net/myhost.net.key

I mounted /root/.acme.sh dir so that its content is persisted if I need to recreate container with new version and /root/tmp is for file transfer from ROS to container (read-only in container).

I guess your container is not starting because you didn’t place any certificate but it is mandatory when using tls. To troubleshoot service, enable logging for this container and also set v2ray-plugin argument logLevel=debug and examine log in ROS.
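The reply above boils down to a checklist: PASSWORD, METHOD and SERVER_PORT set, a real host= in the v2ray-plugin options, and fullchain.cer plus <host>.key present under the directory mounted at /root/.acme.sh. The script below is an added example for this thread, not code from teddysun's images or from either poster: it parses RouterOS /container/envs lines of the shape shown earlier, pulls the plugin options out of ARGS, and reports what is missing before the container is created, so a silent exit can be diagnosed on the ROS side. The function names, the constructed env lines, the demo password and the "host has no dot, so it is a placeholder" heuristic are assumptions made for the demo; the file layout checked is the one the reply describes.

```python
"""Pre-flight check for a go-shadowsocks2 + v2ray-plugin container on RouterOS.

Added example for this thread; not code from the teddysun images or the
posters. It reads /container/envs lines, extracts the v2ray-plugin options
from ARGS and verifies that the certificate material the reply says is
mandatory for tls exists under the directory mounted at /root/.acme.sh.
"""
import os
import re
import tempfile

# key=NAME value=VALUE, value optionally double-quoted; trailing notes
# such as '<---- ...' after an unquoted value are ignored.
ENV_LINE = re.compile(r'key=(\w+)\s+value=("?)(.*?)\2(?:\s|$)')


def parse_envs(lines):
    """Return {KEY: value} from RouterOS '/container/envs/add ...' lines."""
    envs = {}
    for line in lines:
        m = ENV_LINE.search(line)
        if m:
            envs[m.group(1)] = m.group(3)
    return envs


def plugin_opts(args_value):
    """Return the ';'-separated -plugin-opts of ARGS as a dict; bare flags map to True."""
    m = re.search(r"-plugin-opts\s+(\S+)", args_value)
    opts = {}
    if m:
        for item in m.group(1).split(";"):
            key, _, val = item.partition("=")
            opts[key] = val if val else True
    return opts


def check_tls_material(envs, acme_dir):
    """Return a list of problems; an empty list means the checklist passed.

    acme_dir is the host-side directory mounted at /root/.acme.sh in the container.
    """
    problems = [f"{k} is not set" for k in ("PASSWORD", "METHOD", "SERVER_PORT") if not envs.get(k)]
    opts = plugin_opts(envs.get("ARGS", ""))
    if not opts.get("tls"):
        return problems  # tls not requested, so no certificate is needed
    host = opts.get("host")
    if not isinstance(host, str) or "." not in host:  # constructed placeholder heuristic
        problems.append("host= in ARGS is missing or a placeholder")
        return problems
    for name in ("fullchain.cer", f"{host}.key"):  # layout described in the reply
        path = os.path.join(acme_dir, host, name)
        if not os.path.isfile(path):
            problems.append(f"missing {path}")
    return problems


def demo():
    """Run the check against constructed env lines before and after the cert files exist."""
    lines = [  # constructed; values are not anyone's real configuration
        '/container/envs/add name=ss_envs key=TZ value="Europe/Madrid"',
        '/container/envs/add name=ss_envs key=PASSWORD value="example-secret"',
        '/container/envs/add name=ss_envs key=SERVER_PORT value=443',
        '/container/envs/add name=ss_envs key=METHOD value=AEAD_AES_128_GCM',
        '/container/envs/add name=ss_envs key=ARGS value="-plugin v2ray-plugin '
        '-plugin-opts server;tls;host=myhost.net;logLevel=none"',
    ]
    envs = parse_envs(lines)
    with tempfile.TemporaryDirectory() as acme:
        before = check_tls_material(envs, acme)
        host_dir = os.path.join(acme, "myhost.net")
        os.makedirs(host_dir)
        for name in ("fullchain.cer", "myhost.net.key"):
            open(os.path.join(host_dir, name), "w").close()  # empty stand-ins for the demo
        after = check_tls_material(envs, acme)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before placing certs:", before)
    print("after placing certs:", after)
```

On a real router, point acme_dir at the directory used as src= in the /container/mounts entry (nvme1-part1/disk1/shadowsocks/root/acme.sh in the lines above) after copying it off the device, and feed the script the exported /container/envs lines.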

Question…

I’m using Adguard in a Container (adguard/adguardhome:v0.108.0-b.25)

Everything works fine, except when I lose power for a second (storms) on the 5009 (and also on the modem) where the containers are running. Then, for some reason, Adguard would not start after power is restored. I get a bunch of errors in the LOG but don’t really know what they mean. Then, after a few minutes, if I reboot the 5009 one more time via the reboot command, Adguard starts without problem and works normally. What could be causing this? Ironically, this often happens when I’m not at home, and then DNS isn’t working so nothing is working until I come home. If I put another DNS server as an option, for safety, then I get bombed with ads everywhere.

Any ideas?

Other Container, that i use, UDPXY, starts and works normally.

Could you share the configuration for deploying the go-shadowsocks2 client mode container?


ShadowsocksX-NG (Mac) Server Preferences:
ss-ng.png

I meant something else. Is it possible to run this container in client mode on Mikrotik. My server is set to ubuntu

I think yes, at least for a non-transparent proxy, but I never tried, so I don’t have anything to share. Of course, for a non-transparent setup you will need to manually add the proxy address (container’s IP/hostname) and proxy port in the client OS/browser.
For a transparent connection over the proxy you will need something like tun2socks (https://github.com/xjasonlyu/tun2socks) in the container and route traffic over it, but I’m not sure whether this is possible with the container’s virtual interface. An alternative is to set this up on some external OpenWRT/Linux device.