I ran into a similar problem. Here are my solutions and a follow-up question:
I am using 22.03.5 on an armv8 device (Fast Rhino R68S); the original tutorial docker image 2021.09 couldn't be pulled, so I have to use the :latest pihole docker image.
PROBLEM 1:
When running docker compose up for the pihole docker, the logs show 10-fixroutes.sh not found ??!! Can't start the container normally.
Work around: comment out the 10-fixroutes.sh script in the volume section, then run it manually via: docker exec -it pihole /bin/bash
PROBLEM 2:
LAN PC can ping 192.168.1.3. From the PiHole web admin, DNS queries can be received from the LAN, but couldn't be forwarded to dns.google (no reply).
From the shell of the pihole docker, it can ping all the LAN device IPs EXCEPT 192.168.1.1 (the router). The pihole docker can't ping any external IP.
Work around: luci Firewall - Zone Settings - General Settings - Forward: change from reject to accept
Bingo!
Now the pihole docker can ping 8.8.8.8, and LAN devices can also do nslookup openwrt.org 192.168.1.3
QUESTION:
What is the safety risk of changing the default Forward from REJECT to ACCEPT? Is there any other, safer way of tuning the firewall to allow the pihole docker to reach the internet?
I'm not sure if this is possible with pi-hole's image, but I believe what you can do is turn the docker container into a host container. You might have to do this inside luci's dockerman, or maybe it is already a hosted container?
Which basically means that the docker image gets its own bridge device; then you can create an unmanaged interface and use this bridge under a custom firewall zone.
Having the global forward option set to accept is considered unsafe, although only if the device is directly connected as an ISP modem; basically that kind of disables the firewall.
Then the only thing you want to do is...
Go to Firewall > Traffic Rules and then create a new rule: src is the zone of your LAN clients and the destination zone is the new zone you created. Optionally, you could also choose to use the IP of your new container in the DHCP/DNS forwardings options; that way, if clients use your router IP as DNS, it forwards to Pi-hole.
Thank you for your reply. Yes, I read a bit on the default firewall; setting forward to accept is not a good idea.
Re: src is the zone of your lan clients and destination zone is the new zone you created,
Excuse me, I am a bit confused,
"src is the zone of your lan clients" - OK
"destination zone is the new zone you created" - what new zone? Did I miss anything?
Thank you!
The new zone I was referring to is the one you have created for the unmanaged interface. In theory, if the docker image just has an IP on docker0, you can use docker0 as the fw zone and set the destination IP to it as well.
But I think it may be better if it is a host container, as I had stated before; I'm not sure if it is one?
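The zone layout described in the replies above (unmanaged interface on the docker bridge, its own firewall zone, a forwarding to wan, and a LAN-to-zone traffic rule limited to DNS) written out as OpenWrt UCI config. This is an added example, not configuration posted by anyone in this thread; it assumes the container's bridge device is named docker0 and that the existing zones are called lan and wan. Keeping the global Forward at REJECT and adding only these entries gives the container internet access without opening forwarding between every zone.

```uci
# /etc/config/network: unmanaged interface bound to the docker bridge
# (device name 'docker0' is assumed; check with `ip link`)
config interface 'docker'
	option proto 'none'
	option device 'docker0'

# /etc/config/firewall: a dedicated zone for the container bridge.
# input REJECT: the container cannot reach router services by default.
# forward REJECT: nothing is forwarded out of this zone unless a
# 'forwarding' or 'rule' section below allows it.
config zone
	option name 'docker'
	list network 'docker'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Let the container reach upstream resolvers (dns.google, 8.8.8.8)
# through the existing wan zone, which already masquerades.
config forwarding
	option src 'docker'
	option dest 'wan'

# Let LAN clients reach the container on DNS only; nothing else in the
# docker zone is reachable from the LAN, and the container cannot
# initiate connections back into the LAN.
config rule
	option name 'Allow-LAN-to-Pihole-DNS'
	option src 'lan'
	option dest 'docker'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'
```

After saving both files, apply them with `/etc/init.d/network reload` and `/etc/init.d/firewall restart`, then repeat the ping 8.8.8.8 test from inside the container.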
Thank you for your info.
I found this detailed setup guide for adguard very helpful; it explains how to use uci to set the dnsmasq port to 54, then reverse DNS 53 on adguard to 54 on localhost. I should be able to apply the same logic to set up pihole as you and @xize mentioned.