I followed this excellent guide to installing pihole on routerOS https://www.youtube.com/watch?v=UMcJs4oyHDk&t=8s
The DNS service resolves (although, unlike the tutorial, I had to enable Allow Remote Requests for anything to be resolved) and I can access the pihole admin pages, but it doesn’t block any ads, as far as I can tell. It also refuses to do a gravity update, claiming that the DNS cannot be resolved.
I can browse away, but it clearly doesn’t work.
How can I fix this?
Is anyone able to help? I’ve posted my config, if that helps.
I toggled my first masquerade rule on and off, to see if that was the issue, but no luck. The container doesn’t seem to be able to connect to the WAN but the Container was pulled off the internet from the router, so it should be able to reach the WAN fine.
Any suggestions?
piholeconfig.rsc (9.03 KB)
Thanks. I believe I needed the DNS address for my previous config to make DoH work (?). I can change that. I also need to have Allow Remote Requests on to get any DNS at all (with or without the pihole).
I used 172.17.0.2, as per this video https://www.youtube.com/watch?v=UMcJs4oyHDk , which I followed exactly. In that guide Allow Remote Requests isn’t turned on, which I don’t know whether is right or wrong?
PS. Is there a docker image you recommend I use to enable DoH? It seems that I can’t access any low-level files on the Mikrotik Containers.
Darren.
My generic suggestion would be to make the setup like this:
so your LAN users query the PiHole, it blocks the ads, but itself queries the router for DNS information, and the router is securely asking that to a DoH serer, for example CloudFlare family (which also blocks stuff). This is the most secure setup in my opinion.
/ip dhcp-server network
add address=10.160.100.0/24 dns-server=10.160.100.1 gateway=10.160.100.1
Clients will use the router as DNS server, so it depends on the DNS IP addresses configured in RouterOS.
Why not set the DNS server to your PiHole server within the /ip dhcp-server network config.
Thank you both for your replies. I think I understand what you are suggesting. However, trying this did not work. I followed the video guide and it’s not clear to me why that wouldn’t just work.
Setting the DNS server in DHCP sounded like a sensible suggestion (putting aside DoH for the moment until I can get pihole to work at all) but that didn’t work.
It seems that the pihole instance can’t access the WAN (it never has any traffic) and I think this is the first problem, which I think is a router issue.
I haven’t changed or set any of the default pihole settings.
Any suggestions on how to fix or fault find this?
To test out the source of the problem I set up a pihole server on a Raspberry Pi. Having verified the RPi was set up correctly and connected to the internet I simply changed the DNS server address in the DHCP settings, as per Normis’s suggestion to point pihole at the DoH DNS server on the Mikrotik box and all works absolutely fine.
I clearly have some issue with the Container not connecting to the internet. If I try to update the Gravity lists it fails with a DNS connection error - it can’t find a DNS server for some reason. This suggests to me that I have the wrong Container/network pumbing settings in the Mikrotik box or there is a Container problem.
Any thoughts?
Can you access any external IP from container?
Open container shell
/container shell 0
and for eg.
root@pihole:/# ping 8.8.8.8
If not ping replying, I guess your config ip firewall filter rule add action=drop chain=forward comment=“Drop all Else” blocks it.
try to add
/ip/firewall/filter add action=accept chain=forward in-interface=dockers out-interface-list=WAN
above it.
Thanks - that fixed the connectivity issue.
Next step is to get the pihole working, but it can see the internet, update lists, run Gravity, etc.
Thanks for your help.
I think this is almost there. Although the Container can connect to the internet now, if I set the DNS server to 172.17.0.2 in the DHCP settings config I get no internet connectivity and the pihole does not seem to do anything either. 172.17.0.2 should be the DNS server address, as per the setup guide I followed.
I think that this should all work fine (as per my Raspberry Pi pihole server, which in on my main LAN network 10.160.100.0/24) but the network plumbing needs another tweak (I’m guessing the filtering?) to get it to work with a different IP address range. Or it could be another problem 
Can anyone help with that issue?
PS. If I make 172.17.0.1 the DNS server I can get a DNS response and ping but if I set 172.17.0.2 (where I believe the DNS lookups should be pointed to) I get no DNS or ping response.
I suspect that 172.17.0.1 actually uses the router’s DNS lookup. The pihole dashboard confirms that there have been no lookups.
So I can connect to some addresses on the 172.17.0.0/24 domain, so perhaps it isn’t a network plumbing issue.
For whatever reason, it is not working as a DNS server.
OK. Something weird is going on. I checked the settings as per the video tutorial. This command add address=172.17.0.2/24 gateway=172.17.0.1 gateway6=“” name=veth1 doesn’t work - it adds the address 0.0.0.0/0, not 172.17.0.2/24. Without that being corrected the Container won’t even start up. If I manually change it it still doesn’t work.
The above appears to be a bug.
I made some updates to the config. If anyone can spot why the pihole DNS server won’t work (the admin interface and WAN connectivity is fine) that would be much appreciated.
Container.rsc (9.34 KB)
I think you have same forward rule issue as it for docker->WAN, you will need to accept forward from interface which is using Pihole DNS to docker.
/ip/firewall/filter add action=accept chain=forward in-interface=<interface> out-interface=dockers
also above “Drop all Else” rule.
You can also create interface list if have many that needs to use Pihole and add it in single rule, use in-interface-list=<list_name> instead in-interface= in above rule.
Thanks. I added the rule where Local Bridge is the in interface. I can now ping the DNS server and get a response. I can see that, for the first time, the pihole is receiving DNS requests and blocking some of them. However, web pages don’t load with DNS errors. I wonder if the DNS responses are not getting back successfully.
Frustratingly almost working!
Have I got that rule right? Is there something else I’m missing?
Resolving any host is not working or some? Which upstream DNS is Pihole using?
I have two piholes currently. One of them is an actual RPi that I set up when the container didn’t work. This works flawlessly. It’s on my LAN DHCP range and it’s served by the DHCP server as the DNS server. This then uses my router as the upstream DNS. This works as expected, so I know this part is fine.
I also have the container set up in the same way, i.e., with the router as the upstream DNS server (but the DHCP server is not advertising it). I use the router as the upstream DNS, by the way, so I can use a DoH service (Cloudflare). I think the container should work in a similar config because the RPi has been running for about 2 days like this.
I added the two firewall rules you suggested, which fixed, in order, the Container WAN access and then the access from clients to the pihole. If I configure my desktop to use the Container as DNS (manually set in Windows) the pihole now receives DNS requests from the desktop - as seen in the Dashboard and query logs. The desktop doesn’t load any pages though.
I wonder if a rule is missing to allow the DNS requested to go back to the LAN. Do I need something like:
/ip/firewall/filter add action=accept chain=forward in-interface=dockers out-interface=localBridge
??
No, using ROS as upstream DNS in Pihole on external device and containers is different setup. Container VETH interface does not get IP from DHCP, it’s static IP set in VETH configuration (in your case 172.17.0.2), that’s why you cannot get ROS DNS from DHCP, it needs to be added as static IP in Pihole config for upstream DNS, in your case 1_72.17.0.1._.
Also you need to add input filter rules in firewall for docker connection to ROS DNS (port 53 for udp and tcp):
/ip/firewall/filter
add action=accept chain=input dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input dst-port=53 in-interface=dockers protocol=tcp
add this above rule add action=drop chain=input comment=“block everything else”
That did it.
I’d already configured the upstream DNS server on the container as ROS but the filter rules did the trick.
Many thanks to you and the others who helped me fix this.
D.
Hello again,
Although my pihole is working like a charm, something in these changes has blocked my Wireguard VPN and my Plex NAT access from working. It’s not obvious to me why these should be affected at all by the pihole.
Any thoughts on why these might now be broken?