pi-hole.md


For other devices to use Pi-hole, we must expose its container on the LAN so that the router sees it as a device, just as it sees the NAS. This is done with a Docker macvlan network named `pi_macvlan`.

Pi-hole also needs a bridge network to communicate with other NAS services - this is what `nas_network` is for.

Interface Name

Confirm the name of the interface connecting the NAS and LAN - typically `eth0`.

```
# Run this + look for interface where inet = NAS static IP
ifconfig
```

Available IPs

Look at your router and identify 4 sequential IP addresses not in use.

```
# Router LAN
192.168.1.0/24    # Subnet
192.168.1.1       # Default Gateway

# I have IPs 216 - 219 available
# In the Docker command below we use the second IP
192.168.1.217/30

# The /30 gives us 2 usable IPs on the LAN, but occupies 4 IPs
192.168.1.216     # Network = Pi-hole will default to this
192.168.1.217     # Gateway = Unbound will default to this
192.168.1.218     # First + Last
192.168.1.219     # Broadcast
```

Create Docker macvlan

```
# Escalate (enter your password when prompted)
sudo -i

# macvlan
docker network create -d macvlan -o parent=eth0 --subnet=192.168.1.0/24 --gateway=192.168.1.1 --ip-range=192.168.1.217/30 pi_macvlan
```
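
A pre-flight check for the `--subnet`, `--gateway` and `--ip-range` values used in the command above, as an added example that is not part of the original notes. It uses Python's standard `ipaddress` module; the helper name `plan_macvlan_range` and the list of in-use addresses are assumptions made for illustration.

```python
import ipaddress


def plan_macvlan_range(subnet, gateway, ip_range, in_use=()):
    """Check the values passed to `docker network create -d macvlan`.

    plan_macvlan_range is a hypothetical helper, not part of Docker or Pi-hole.
    """
    net = ipaddress.ip_network(subnet)
    gw = ipaddress.ip_address(gateway)
    # strict=False masks the host bits: 192.168.1.217/30 is the block
    # 192.168.1.216/30, which is why the range starts at .216 and not .217.
    block = ipaddress.ip_network(ip_range, strict=False)

    problems = []
    if gw not in net:
        problems.append(f"gateway {gw} is outside subnet {net}")
    if not block.subnet_of(net):
        problems.append(f"ip-range {block} is outside subnet {net}")
    if gw in block:
        problems.append(f"ip-range {block} contains the gateway {gw}")
    for addr in sorted(ipaddress.ip_address(a) for a in in_use):
        if addr in block:
            problems.append(f"{addr} is already in use on the LAN")

    return {
        "block": str(block),
        "addresses": [str(a) for a in block],  # all addresses the range occupies
        "problems": problems,
    }


if __name__ == "__main__":
    # Values from the docker command above; in_use is a constructed sample
    # of addresses already handed out by the router.
    plan = plan_macvlan_range(
        "192.168.1.0/24", "192.168.1.1", "192.168.1.217/30",
        in_use=["192.168.1.10", "192.168.1.218"],
    )
    print(plan["block"])
    for address in plan["addresses"]:
        print(" ", address)
    for problem in plan["problems"]:
        print("PROBLEM:", problem)
```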

Install Pi-hole

```
# Escalate (enter your password when prompted)
sudo -i

# Go here and make these dirs
cd /volume1/docker
mkdir -p pi-hole/etc-pihole
mkdir -p pi-hole/etc-dnsmasq.d

# Create .env file
cd pi-hole
nano .env

# Add these lines to .env
TZ="America/New_York"
WEBPASSWORD="oectBU0UaOCga82KnoA5"

# Get docker-compose.yml
curl -f https://raw.githubusercontent.com/wcDogg/synology/main/docker/pi-hole/docker-compose.yml -o docker-compose.yml

# Docker up
cd ..
docker-compose up -d
```

Add Containers to pi_macvlan

The `docker-compose.yml` adds Pi-hole and Unbound to `nas_network`. Additionally, both need to be manually added to `pi_macvlan`.

  1. DSM > Docker > Networks
  2. Highlight `pi_macvlan` and click the Manage button
  3. Order matters:
    1. Click Add and select the unbound container
    2. Click Add and select the pi-hole container
    3. Net result is that pi-hole is listed first :)

Test Resolvers

At this point both Pi-hole and Unbound can resolve DNS requests via `pi_macvlan`. Test externally from a new shell:

```
# Pi-hole
nslookup -port=53 pi-hole.net 192.168.1.216

# Unbound
nslookup -port=53 pi-hole.net 192.168.1.217
```

Tell NAS to use Pi-hole

  1. DSM > Control Panel > Network > General
  2. Manually Configure DNS Server = True
    1. Preferred = Pi-hole nas_network IP = 172.29.7.4
    2. Remove Alt = blank
  3. Apply

Test internally from an SSH shell:

```
# This should be resolved by
# Server Address 172.29.7.4#53
nslookup pi-hole.net
```

Sign In

At this point, Pi-hole is accessible at:

Sign in to the pi_macvlan address using the password you supplied in `.env`.

For pi_macvlan, if you get 'Site cannot be reached' try `http://192.168.1.217/admin`. If this works, the containers were added to the `pi_macvlan` network in the wrong order. Go to Docker > Networks, remove the containers from `pi_macvlan`, then add them again as described above.

Tell Pi-hole to use Unbound

  1. Pi-hole > Settings > DNS tab
  2. Upstream DNS Servers
    1. Uncheck all boxes for existing services - probably just Google.
    2. Check the Custom 1 and Custom 2 boxes
    3. Fill each with: 192.168.1.217 (Unbound pi_macvlan IP)
  3. Interface Settings = Allow only local requests
  4. Scroll down and click Save
  5. Settings > System tab > Restart DNS Resolver button (bottom right)

```
# Test from external shell
nslookup -port=53 pi-hole.net 192.168.1.216
```

Implement Pi-hole

Because I don't have a redundant Pi-hole, it's best if I implement Pi-hole per-device - vs on my router.

Start by pulling up a Pi-hole test site:

On a Windows PC the process is:

  1. Start > Settings > Network & Internet > Ethernet
  2. DNS Server Assignment > Edit
  3. Change from Automatic (DHCP) to Manual
  4. IPv4 = On
    1. Preferred DNS = 192.168.1.216
    2. DNS over HTTPS = Off
  5. IPv6 = Off
  6. Save

I needed to reboot for changes to take effect.

TODO: Log Permissions

```
# Go here
DSM > Docker > Containers > Unbound > Details > Logs

# Note this error
[1664924122] unbound[1:0] error: Could not open logfile /dev/null: Permission denied
```
