Pihole install struggles

Right, it definitely has got something to do with shorewall.

nmap 192.168.1.249
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-08 21:34 BST
Nmap scan report for 192.168.1.249
Host is up (0.0097s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
53/tcp open  domain
80/tcp open  http

If I run shorewall clear, then the DNS queries work. When I re-enable the firewall, the DNS queries stop.

I only have 1 interface which is br0 and it is assigned the Green LAN.

What Shorewall rule(s) do I need to add to make this work?

It should work without using firewall rules. Maybe there’s more info in firewall log?

Are there custom templates in /etc/e-smith/templates-custom/ that could cause issues?

Which software do you have installed?

rpm -qa "nethserver-*" | sort

[root@fileserver shorewall]# ls /etc/e-smith/templates-custom/
etc
[root@fileserver shorewall]# ls /etc/e-smith/templates-custom/etc/
shorewall
[root@fileserver shorewall]# ls /etc/e-smith/templates-custom/etc/shorewall/
policy
[root@fileserver shorewall]# ls /etc/e-smith/templates-custom/etc/shorewall/policy/
[root@fileserver shorewall]#

So no custom templates.

For the software, here is the list:

[root@fileserver shorewall]# rpm -qa "nethserver-*" | sort
nethserver-avahi-1.1.0-1.ns7.noarch
nethserver-backup-config-2.5.2-1.ns7.noarch
nethserver-backup-data-1.7.6-1.ns7.noarch
nethserver-base-3.9.0-1.ns7.noarch
nethserver-cockpit-1.10.9-1.ns7.noarch
nethserver-cockpit-lib-1.10.9-1.ns7.noarch
nethserver-collectd-3.1.1-1.ns7.noarch
nethserver-cups-1.2.3-1.ns7.noarch
nethserver-dc-1.8.4-1.ns7.x86_64
nethserver-diagtools-1.0.4-1.ns7.noarch
nethserver-dnsmasq-1.7.2-1.ns7.noarch
nethserver-docker-1.0.13-1.ns7.noarch
nethserver-duc-1.7.0-1.ns7.noarch
nethserver-firewall-base-3.18.2-1.ns7.noarch
nethserver-hosts-1.2.2-1.ns7.noarch
nethserver-httpd-3.12.2-1.ns7.noarch
nethserver-httpd-admin-service-2.7.0-1.ns7.noarch
nethserver-httpd-virtualhosts-3.12.2-1.ns7.noarch
nethserver-lang-cockpit-1.4.6-20.ns7.noarch
nethserver-lib-2.2.11-1.ns7.noarch
nethserver-lsm-1.2.4-1.ns7.noarch
nethserver-mail-smarthost-2.31.6-1.ns7.noarch
nethserver-mysql-1.1.5-1.ns7.noarch
nethserver-netdata-2.0.2-1.ns7.noarch
nethserver-nethforge-release-7-3.ns7.noarch
nethserver-ntp-1.1.3-1.ns7.noarch
nethserver-openssh-1.8.0-1.ns7.noarch
nethserver-phonehome-1.4.0-1.ns7.noarch
nethserver-php-1.3.0-1.ns7.noarch
nethserver-pihole-1.0.1-1.ns7.noarch
nethserver-release-7-19.ns7.noarch
nethserver-restore-data-2.0.7-1.ns7.noarch
nethserver-samba-4.6.0-1.ns7.noarch
nethserver-samba-audit-1.3.2-1.ns7.noarch
nethserver-shellinabox-0.1.6-1.ns7.sdl.noarch
nethserver-smartd-1.1.0-1.ns7.noarch
nethserver-sssd-1.7.1-1.ns7.noarch
nethserver-stephdl-1.1.9-1.ns7.sdl.noarch
nethserver-subscription-3.6.8-1.ns7.noarch
nethserver-subscription-inventory-3.6.8-1.ns7.x86_64
nethserver-subscription-ui-3.6.8-1.ns7.noarch
nethserver-transmission-1.1.16-1.ns7.sdl.noarch
nethserver-vsftpd-1.1.1-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch

Here is a sample from the firewall logs:

Apr  9 08:21:57 fileserver kernel: Shorewall:macvl2net:REJECT:IN=macvlan0 OUT=br0 MAC=4e:1b:5b:fc:6f:29:02:42:c0:a8:01:f9:08:00 SRC=192.168.1.249 DST=8.8.4.4 LEN=66 TOS=0x00 PREC=0x00 TTL=63 ID=7948 DF PROTO=UDP SPT=45162 DPT=53 LEN=46 
Apr  9 08:22:12 fileserver kernel: Shorewall:macvl2net:REJECT:IN=macvlan0 OUT=br0 MAC=4e:1b:5b:fc:6f:29:02:42:c0:a8:01:f9:08:00 SRC=192.168.1.249 DST=8.8.8.8 LEN=66 TOS=0x00 PREC=0x00 TTL=63 ID=8515 DF PROTO=UDP SPT=52843 DPT=53 LEN=46 
Apr  9 08:22:12 fileserver kernel: Shorewall:macvl2net:REJECT:IN=macvlan0 OUT=br0 MAC=4e:1b:5b:fc:6f:29:02:42:c0:a8:01:f9:08:00 SRC=192.168.1.249 DST=8.8.4.4 LEN=66 TOS=0x00 PREC=0x00 TTL=63 ID=14236 DF PROTO=UDP SPT=52843 DPT=53 LEN=46 
Apr  9 08:22:17 fileserver kernel: Shorewall:macvl2net:REJECT:IN=macvlan0 OUT=br0 MAC=4e:1b:5b:fc:6f:29:02:42:c0:a8:01:f9:08:00 SRC=192.168.1.249 DST=8.8.8.8 LEN=66 TOS=0x00 PREC=0x00 TTL=63 ID=11685 DF PROTO=UDP SPT=52843 DPT=53 LEN=46 
Apr  9 08:22:17 fileserver kernel: Shorewall:macvl2net:REJECT:IN=macvlan0 OUT=br0 MAC=4e:1b:5b:fc:6f:29:02:42:c0:a8:01:f9:08:00 SRC=192.168.1.249 DST=8.8.4.4 LEN=66 TOS=0x00 PREC=0x00 TTL=63 ID=16311 DF PROTO=UDP SPT=52843 DPT=53 LEN=46 

Although that sample shows for OUT traffic, there are DROPs for IN traffic to the PiHole.

Which also begs the question (which maybe a seperate topic - why the crackers are there a lot of IP Addresses on the Public Internet trying to communicate with my PiHole when its located behind two (2) NATted routers with no port forwarding to it and there is no DMZ either? This suddenly raises quite a large security concern - 1652 attempts since 5th April and this isn;t even production ready and been offline half the time which is super concerning.

This PiHole will definitely need to be behind a firewall.

Hi @bwdjames

There’s probably no hacker or botnet out in the wild trying to access YOUR PI-Hole / NethServer…

24x7x365 there are hackers / script kiddies / russians / chinese and others (Choose what term you prefer) out in the wild, using port-scanners and other tools to “probe” for vulnerabilities. Any IP in use can be affected, this usually depends from where the attack / probe is comming from, and how good are the capabilities of the potential attackers.

The only difference between you and a typical home user is that you actually look at the logs of the firewall box, most others don’t even know they exist.

Think of a city house or appartment. A potential burglar will first ring on the bell.
If anyone answers, they’ll put some BS story…

If no one answers, they try to see if the place is locked, by trying the door handle / knob…

If it’s not locked, it’s what they call “an easy job”…

→ And these are the logs you’re seeing…

Just placing a placebo camera (fake) reduces door knob attacks by around 80%.

Just “testing” the door knob doesn’t mean that you must install a “zapper” system on the doorknob.
But seeing the faces on the (hidden) camera after being zapped might be amusing…

A firewall and fail2ban are musts!

My 2 cents
Andy

I’m still fighting with reproducing your issue, I installed the same packages, rebooted, reset pihole to aqua, aeria and back to macvlan without success. So I need to ask some more questions…

Is the aeria network still enabled? We don’t need it so let’s disable it to avoid issues.

[root@testserver2 ~]# docker plugin ls
ID             NAME                         DESCRIPTION                          ENABLED
2f1febf7f90f   devplayer0/net-dhcp:latest   Docker host bridge DHCP networking   false

To disable:

docker plugin disable 2f1febf7f90f

Let’s check the complete structure:

find /etc/e-smith/templates-custom/

I don’t get these entries at all.

My entries look like this (192.168.1.65 is the pihole, I changed pihole dns servers to 1.1.1.1 and 9.9.9.9):

Apr 9 12:41:36 testserver2 kernel: Shorewall:net2loc:DROP:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=vb-nsdc MAC=02:42:c0:a8:01:41:80:ee:73:f2:45:49:08:00 SRC=1.1.1.1 DST=192.168.1.65 LEN=95 TOS=0x00 PREC=0x00 TTL=56 ID=26763 DF PROTO=UDP SPT=53 DPT=45758 LEN=75

Check macvlan interface:

[root@testserver2 ~]# ip a | grep macvlan
20: macvlan0@br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.64/27 scope global macvlan0

Let’s check macvlan settings in shorewall:

[root@testserver2 ~]# grep -iR macvl /etc/shorewall/
/etc/shorewall/interfaces:# macvl macvlan network
/etc/shorewall/interfaces:macvl      macvlan+     optional
/etc/shorewall/policy:# accept macvl macvlan network from localhost
/etc/shorewall/policy:$FW macvl ACCEPT
/etc/shorewall/policy:macvl $FW ACCEPT
/etc/shorewall/zones:# macvl macvlan
/etc/shorewall/zones:macvl  ipv4

Check bridges:

[root@testserver2 ~]# brctl show
bridge name	bridge id		STP enabled	interfaces
aqua0		8000.02426f9c5390	no		veth974e02f
br0		    8000.b2e69f14be62	no		eth0
			    		          		vb-nsdc
docker0		8000.0242a9e3974c	no

Check networks:

[root@testserver2 ~]# db networks show
br0=bridge
    bootproto=none
    gateway=192.168.1.11
    ipaddr=192.168.1.162
    netmask=255.255.255.0
    nslabel=
    role=green
eth0=ethernet
    bridge=br0
    role=bridged
ppp0=xdsl-disabled
    AuthType=auto
    FwInBandwidth=
    FwOutBandwidth=
    Password=
    name=PPPoE
    provider=xDSL provider
    role=red
    user=

This is just traffic between the pihole and it’s DNS servers so usually nothing to worry about.

[root@fileserver ~]# docker plugin ls
ID             NAME                         DESCRIPTION                          ENABLED
91c2062860ef   devplayer0/net-dhcp:latest   Docker host bridge DHCP networking   true
[root@fileserver ~]# docker plugin disable 91c2062860ef
91c2062860ef
[root@fileserver ~]# find /etc/e-smith/templates-custom/
/etc/e-smith/templates-custom/
/etc/e-smith/templates-custom/etc
/etc/e-smith/templates-custom/etc/shorewall
/etc/e-smith/templates-custom/etc/shorewall/policy
[root@fileserver ~]# grep -iR macvl /etc/shorewall/
/etc/shorewall/interfaces:# macvl macvlan network
/etc/shorewall/interfaces:macvl      macvlan+     optional
/etc/shorewall/policy:# accept macvl macvlan network from localhost
/etc/shorewall/policy:$FW macvl ACCEPT
/etc/shorewall/policy:macvl $FW ACCEPT
/etc/shorewall/zones:# macvl macvlan
/etc/shorewall/zones:macvl  ipv4
[root@fileserver ~]# brctl show
bridge name	bridge id		STP enabled	interfaces
aqua0		8000.0242e04aeecd	no		veth637b2ea
br0		8000.4a87ea2f39ad	no		enp1s0
							vb-nsdc
docker0		8000.02425c12d031	no		
[root@fileserver ~]# db networks show
br0=bridge
    gateway=192.168.1.11
    ipaddr=192.168.1.5
    netmask=255.255.255.0
    role=green
enp1s0=ethernet
    bridge=br0
    role=bridged
ppp0=xdsl-disabled
    AuthType=auto
    FwInBandwidth=
    FwOutBandwidth=
    Password=
    name=PPPoE
    provider=xDSL provider
    role=red
    user=
[root@fileserver ~]# dig @192.168.1.249 bbcnews.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> @192.168.1.249 bbcnews.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Let’s check shorewall macvlan config:

[root@testserver2 ~]# shorewall show | grep macvlan
   50  6197 ~comb0     all  --  macvlan+ *       0.0.0.0/0            0.0.0.0/0           
    5   260 macvl_frwd  all  --  macvlan+ *       0.0.0.0/0            0.0.0.0/0           
    4   646 ACCEPT     all  --  *      macvlan+  0.0.0.0/0            0.0.0.0/0           
    0     0 aqua2macvl  all  --  *      macvlan+  0.0.0.0/0            0.0.0.0/0           
    0     0 net2macvl  all  --  *      macvlan+  0.0.0.0/0            0.0.0.0/0           
    0     0 dock2macvl  all  --  *      macvlan+  0.0.0.0/0            0.0.0.0/0           
    0     0 loc2macvl  all  --  *      macvlan+  0.0.0.0/0            0.0.0.0/0           
    0     0 sfilter    all  --  *      macvlan+  0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 sfilter    all  --  *      macvlan+  0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 sfilter    all  --  *      macvlan+  0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 sfilter    all  --  *      macvlan+  0.0.0.0/0            0.0.0.0/0           [goto]

Maybe it helps to remove the containers config files and data (which also resets to container to default settings and removes the stats data) and the macvlan network?

Destroy container:

pihole destroy

Remove data::

rm -rf /var/lib/pihole/*

Get ID of macvlan network:

docker network ls

Remove macvlan network, use ID of previous output:

docker rm <ID>

Recreate macvlan network:

signal-event nethserver-docker-update

Build container:

pihole build

And that appears to have fixed it @mrmarkuz , thank you for all of your help and patience. THis has been a fairly difficult case to troubleshoot.

Weirdly enough, and I don;t know why this has happened, PiHole only showing the server showing as making the DNS query and not the different devices.

So although I find that a bit confusing as I expect the macVlan to provide the ability to show which device made the DNS query, I am at a point where I am happy to go with that if needs be.

Great! You’re welcome.

Your clients need to use pihole instead of NethServer as only DNS server, see also the pihole wiki page.

You can also set the clients DNS by DHCP in server manager:

grafik593×531 21.4 KB

As you are using AD and the pihole doesn’t know about your AD devices you may need to enable conditional forwarding for your domain in pihole Settings/DNS (scroll down to bottom):

grafik957×456 98.1 KB

Now the devices should be recognized in pihole and your clients should be able to ping your AD:

ping ad.domain.local