Setting up AdguardHome and PiHole in MacVlans¶
Ads! We don't want them inside our home network. Trackers! We also don't want our apps tracking everything we do. Let's put a stop to it! On top of that we also have the benefit of our own DNS server!
Setting up DNS servers.¶
Adguard, PiHole, & Tailscale docker-compose.yml
services:
adguardhome:
image: adguard/adguardhome
container_name: adguardhome
restart: unless-stopped
volumes:
- ./work:/opt/adguardhome/work
- ./conf:/opt/adguardhome/conf
# ports:
# - 53:53/tcp # Standard DNS
# - 53:53/udp # Standard DNS
# - 67:67/udp # if using as a DHCP server
# - 68:68/udp # if using as a DHCP server
# - 3000:3000/tcp # Initial Web Interface
# - 4422:80
# - 4433:433 # Web interface to be binding to host over bridge
# - 853:853/tcp # DNS over TLS (DoT)
# - 784:784/udp # DNS-over-QUIC
# - 853:853/udp # DNS-over-QUIC
# - 8853:8853/udp # DNS-over-QUIC
# - 5443:5443/tcp # add if you are going to run AdGuard Home as a DNSCrypt server.
# - 5443:5443/udp # add if you are going to run AdGuard Home as a DNSCrypt server.
networks:
adguard_macvlan_network:
ipv4_address: 192.168.4.100 # Choose a static IP within the subnet
pihole:
container_name: pihole
image: pihole/pihole:latest
ports:
# DNS Ports
- "53:53/tcp"
- "53:53/udp"
# Default HTTP Port
- "80:80/tcp"
# Default HTTPs Port. FTL will generate a self-signed certificate
- "443:443/tcp"
# Uncomment the line below if you are using Pi-hole as your DHCP server
#- "67:67/udp"
# Uncomment the line below if you are using Pi-hole as your NTP server
#- "123:123/udp"
environment:
# Set the appropriate timezone for your location (https://en.wikipedia.org/wiki/List_of_tz_database_time_zones), e.g:
TZ: 'America/Denver'
# Set a password to access the web interface. Not setting one will result in a random password being assigned
FTLCONF_webserver_api_password: 'correct horse battery staple'
# If using Docker's default `bridge` network setting the dns listening mode should be set to 'all'
FTLCONF_dns_listeningMode: 'all'
# Volumes store your data between container upgrades
volumes:
# For persisting Pi-hole's databases and common configuration file
- './etc-pihole:/etc/pihole'
# Uncomment the below if you have custom dnsmasq config files that you want to persist. Not needed for most starting fresh with Pi-hole v6. If you're upgrading from v5 you and have used this directory before, you should keep it enabled for the first v6 container start to allow for a complete migration. It can be removed afterwards. Needs environment variable FTLCONF_misc_etc_dnsmasq_d: 'true'
#- './etc-dnsmasq.d:/etc/dnsmasq.d'
cap_add:
# See https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
# Required if you are using Pi-hole as your DHCP server, else not needed
# - NET_ADMIN
# Required if you are using Pi-hole as your NTP client to be able to set the host's system time
# - SYS_TIME
# Optional, if Pi-hole should get some more processing time
- SYS_NICE
restart: unless-stopped
networks:
adguard_macvlan_network:
ipv4_address: 192.168.4.101
networks:
adguard_macvlan_network:
driver: macvlan
driver_opts:
parent: eno1 # Replace with the correct host network interface
ipam:
config:
- subnet: 192.168.4.0/24 # Adjusted subnet based on your network
gateway: 192.168.4.1 # Correct gateway (router IP)
A couple notes on our docker-compose.yml file. We're running these on a macvlan network, so we don't actually need to map any ports, they'll be exposed by default. Secondly, you do need to make sure you use the right host network interface, you can find this by running. You can also set the IP address to whatever you like as long as they're not taken on the router.
Taking between the Host and the MacVLan¶
By default even though your PC network can talk directly to the containers, you're host cannot. Go ahead and give it a try.
From your PC
It works! Oh yeah, you can also just navigate the websites in your browser.
How about from your host? It doesn't work. How about taking from the container to the host?
Uh oh, it doesn't work. See if it can ping your PC!
Ok so if we want the host and the macvlan to be able to communicate, which we do so that the host can use the DNS server as well as our nextcloud and collabora containers, we need to manually set up a link. I know, painful. It's not that bad though. Let's create a network interface for them to talk.
sudo ip link add macvlan0 link eno1 type macvlan mode bridge
sudo ip addr add 192.168.4.254/24 dev macvlan0
sudo ip link set macvlan0 up
By the way if your server restarts, you will need to run the above commands again to reset up the links.
Ok and now let's add routes to both of the DNS servers, although I suppose we only really need to do it with the AdguardHome.
Now see if they can talk!
Making it persistent across reboots¶
Our IP Link and routes are ephemeral meaning they'll be gone after a reboot so we need to create a service unfortunately. We need to add those commands to a shell script, setup-macvlan.sh.
ip link add macvlan0 link eno1 type macvlan mode bridge
ip addr add 192.168.4.254/24 dev macvlan0
ip link set macvlan0 up
ip route add 192.168.4.100 dev macvlan0
ip route add 192.168.4.101 dev macvlan0
Make it executable:
Create a systemd service to run it at boot
# /etc/systemd/system/macvlan.service
[Unit]
Description=Setup macvlan0 interface
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/setup-macvlan.sh
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
Enable the service
sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable macvlan.service
sudo systemctl start macvlan.service
The Local Network¶
Windows¶
Ok, on your PC, you may need to tell set DNS to "Automatic". Go to
Settings -> Network & internet -> DNS server assignment
This should be set to automatic for your domain to work.
Android¶
Note with android, you will need to change Private DNS to Automatic if you want the domain to resolve to the local IP.