Last updated on 18 March 2025
Macvlan
Drop the compose below into your Project YAML section.
services:
pihole:
image: pihole/pihole:latest
container_name: pihole-macvlan
cap_add:
- CAP_NET_RAW
- CAP_NET_BIND_SERVICE
- CAP_CHOWN
# - CAP_NET_ADMIN #uncomment if you want to use DHCP
- CAP_SYS_NICE
- CAP_SYS_TIME
environment:
- PIHOLE_UID=1234 #CHANGE_TO_YOUR_UID
- PIHOLE_GID=65432 #CHANGE_TO_YOUR_GID
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
- FTLCONF_webserver_api_password=YOURPASSWORD
- DNSMASQ_USER=pihole
volumes:
- /volume1/docker/pihole:/etc/pihole
networks:
macvlan:
ipv4_address: 192.168.0.129
labels:
- com.centurylinklabs.watchtower.enable=false
restart: always
networks:
macvlan:
name: macvlan
driver: macvlan
driver_opts:
parent: eth0
ipam:
config:
- subnet: "192.168.0.0/24"
ip_range: "192.168.0.254/24"
gateway: "192.168.0.1"Settings Amendments for the Macvlan
OK we now need to make some further edits to the compose and sort out DNS for DSM
| Section | Explanation |
|---|---|
| PIHOLE_UID= | This UID is the one you obtained when setting up your dockerlimited user in the earlier guide at the start of the page. This tells Pi-hole to run under this user rather than root and gives it access to the folders we created. |
| PIHOLE_GID= | As per the above this line will be the GID you obtained earlier. |
| TZ= | You will need to change this line to your own timezone code – you can find the correct list of ones to use on wikipedia.org/wiki/List_of_tz_database_time_zones |
| FTLCONF_webserver_ api_password= | Change this to the password you would like to use for the Web UI |
External DNS for DSM
Containers on a Macvlan cannot be accessed by the host they reside on (without network changes under the hood), this mean DSM cannot use Pi-hole for its own DNS requests. It’s better to put DSM on an external DNS provider to avoid it having any issues connecting to the Internet if your Pi-hole is down.
Go into the DSM Control Panel > Network and then in the ‘Manually configure DNS server’ set two good quality DNS providers such as Quad9 9.9.9.9 and Cloudflare1.1.1.1
Now you can make some edits to the compose information before moving on
| Section | Explanation |
|---|---|
| ipv4_address: 192.168.0.129 | Change to the IP address you want to use for the container. Make sure this is available and not in use by another device on your network. |
| parent: eth0 | This defines the network interface the container should use, I have used eth0 which will be the first Ethernet port on your NAS. If you want to use a different port change it accordingly. Note! If you have Virtual Machine Manager installed change this to ovs_eth0 |
| subnet: “192.168.0.0/24” | We need to change this in line with your networks’ subnet – in the example I have used 192.168.0.0/24. The super quick way to work out what to use is just take the IP of your NAS and change the final digit before the /24 to 0 |
| ip_range: “192.168.0.254/24” | This has to be changed to the highest available IP address within the range of your subnet. Again if your network is in the 192 range the final number used from the subnet above can be changed to 254 and added to this section. |
| gateway: “192.168.0.1” | This will be the IP address of your Router/Gateway/DHCP Server |
You can now jump ahead to Page 5 for the final configuration.
Followed the guide and it worked perfectly! Now it’s a few weeks later and I went to log into pihole and the password I set and was using does not work. I restarted the project, no luck.
I tried to reset the password using the instructions the page gives “sudo pihole setpassword” but pihole is not found. I think it’s because I’m logged in as my admin account in a terminal window and I should be the dockerlimited account (which is what I used in the yaml) but am not sure. Any guidance on how to reset the password? Feel really dumb lol.
Hey – We have had this a few times in Discord it feels like its a bug that has carried forward from the initial release..
Step should be..
1) Stop the Project and remove the password line from the compose
2) Build the Project (Save and say Yes to pop up)
3) Then in Container Manager > Pihole Container > Action > Open Terminal > Create..
4) Click on the bash window that is created enter the command “pihole setpassword” and it will let you set a password
Thanks for this guide!
i was struggling a bit, but in the end the bridge mode worked for me.
But I could not figure out why unbound was not complying.
turned out that unbound and pi hole is running in separate containers. Unbound for me refused to expose port 5335 to anybody, and pi hole was not able to reach the unbound container on either my nas ip (like my own subnet ip: 192.168.0.122 for example), neither on 127.0.0.1.
what i ended up doing is: since unbound was exposing port 53, and unbound and pi hole was on the same docker network, setting
unbound#53
as the only upstream DNS server in the pi hole did the trick.
i am not sure if i was doing something wrong, or if it is a good idea to do it this way, (i have no idea what i am doing) but at least it is working now.
Thanks for the update – Until I can do some more thorough testing here, I am removing the Unbound element of the guide. I have been really lacking time recently and that has shown in the quality of the guide Unbound element. I usually spend a month or more using in real life before doing guide updates.. You are likely doing this correctly and it’s my error.
Thanks for these… I’ve been running Synology pihole (macvlan) for a while and just setup tailscale…
However once my PC is added to Tailscale, I cannot access webpage or ping pihole
I can ping everything else on same subnet, just the pihole is not responding
Synology is set as Exit node
pihole ip is in the Tailscale DNS
I’ve also set pihole Settings > DNS > Interface Settings >
was local
now permit all origins
Also tried “allow local network access” on the tailscale menu…
Once I disconnect the PC from Tailscale, ping/web to pihole works.
Is there something I missed?
Keep in mind when Pi-hole is in macvlan the Host (your NAS) cannot access it along with anything running on the NAS. To combine with Tailscale you will need to run in Host or Bridge mode.
Hi,
I have a little issue i can’t resolve.
I followed the mcvlan guide and it’s up and running.
But the issue is the following.
I’ am able to browse my local network but can’t go outside so no websites are available.
When i go into the PiHole settings and set google as my dns everything is working.
I think there is an issue with the unbound in my docker but don’t know where to look.
Any thoughts?
Hey – let me come back to you shortly, I may have made an error in the combination of both network wise.
Thx.
I case it may help to rule out a user error.
Here’s my yaml.
[SNIP]
Hey snipped your compose – see White Swan’s comment for the fix – I will be adjust the guide very shortly!!
Thx to you two guys for the fix, it’s up and running.
My DS932+ has something to kill the time and i can rest my Raspberry.
Only thing i noticed after installation and still monitoring.
I had to change the port in the custom dns setting from #5335 to #53.
Don’t know why but did so after still seeing ads and wondered why.
After changing the port it worked.
See my replies above to similar comments such as ZarqEon.
Hi
Your unbound.conf file contains the following
server:
interface: 0.0.0.0
port: 53
When I set up unbound following the macvlan method for pihole, the dns service does not resolve addresses, and I’ve had to reinstate 1.1.1.1 as my dns provider in pihole.
I don’t think it’s related, but I had previously set up pihole through macvlan using your tutorial, and I now want to install unbound too.
Hi
The issue is that Unbound is installed on a bridge network, while Pi-hole is running on a Macvlan network. Containers on Macvlan networks cannot communicate directly with the host (your Synology DSM, in this case).
I’ve found a workable solution: place Unbound on the same Macvlan network as Pi-hole. This ensures that both Pi-hole and Unbound can communicate with each other directly, as they would both be on the same network segment. This can be done as follows:
unbound:
image: klutchell/unbound
container_name: unbound
ports:
– “5335:53/tcp”
– “5335:53/udp”
volumes:
– /volume1/docker/unbound:/etc/unbound/custom.conf.d
networks:
macvlan:
ipv4_address: 192.168.0.130
of course substituting the desired ip address for your unbound instead of 192.168.0.130
Then, the instructions for Point Pi-hole at your Unbound instance (Optional) change to:
Click on Settings, then DNS. You will need to turn off any existing public DNS providers if any are ticked (Usually Google). Then click the Custom DNS drop down and enter your chosen Unbound IP address:
For example 192.168.0.130
Thank you beat me to the punch, been AFK all day 🙁
I will get the mistake fixed ASAP.
Happy to contribute; here are some points:
– In “If you used Macvlan enter the ip you used for the Unbound container followed by #5335” on page 5 – for me #53 works, not #5335
– In terms of updating the router DNS, I’m using pihole so the router DNS points to the pihole which is on a macvlan, not (for) “Macvlan = The address you chose for the container on the line ‘ipv4_address:’ ” , and the pihole specifies the ip address for Unbound; is there a different way it should be done?
– The Unbound logs consistently report problems with DNSSEC
I’d appreciate your input
Hey, see my reply to ZarqEon. – I am pulling the Unbound element of the guide until I can do further tests here.
Based on our Discord group, the above should have worked with #5353, but something is not right.