PiHole on Synology/docker does not recognize all VLANs IPs

Seen many "help" posts all over the internet about Pihole not recognizing all VLANs IPs. I experimented with so many of these suggestions for a few months now, none worked. Maybe, just maybe the OpenWRT community can help me, and possibly others.

  1. My home network has a Linksys WRT3200ACM running OpenWRT 22.03.0; it is used as router/smart switch with three VLANs: LAN (br-lan.10), Guest (br-lan.20) and IoT (br-lan.30).
  2. Four Belkin RT3200 APs are hardwired in the WRT3200ACM; all Belkins are running OpenWRT22.03.3.
  3. A few smart home clients and computers are connected to the various VLANs, both hardwired and on WiFi.
  4. Almost everything in the network has been assigned a static lease, according to their intended VLAN, the Docker container as well.

Home network works just fine.

  1. A Pihole runs happily on a Synology NAS, in a Docker container, with a MacVLAN setup. Pihole recognizes it's own subnet clients' IPs, services clients on the other subnets but, reports them as being "the router".
    In terminal, I can ping the Docker container and "arp -a" reports it.

I've experimented with all the settings in the Pihole DNS, I added a router firewall port 53 forward, I added traffic and NAT rules... nothing worked. All DNS requests from other VLANs are always reported to be coming from the LAN subnet.

I'm not a network professional, I don't know Linux except for a few basic commands... but was able to vi into conf files and make a few good changes... some not as good.

This is definitely not a life and death project, but help would be highly appreciated… I need to stop waking up in the middle of the night to again try something else.


Broadly speaking, there are 3 ways to do this:

  1. use the router as the DNS server, and set router's DNS as the PiHole. This will result in all requests coming from the router, not the clients.
  2. use DHCP option 6 to advertise the PiHole as the DNS server via DHCP -- this will tell, but not force, the clients to use the PiHole. This is used in conjunction with appropriate firewall rules to allow the clients to reach the PiHole
  3. hijack the DNS requests and send them to the PiHole. This can be done in conjunction with 1 or 2, but requires a few more rules to achieve. The typical goal here is to prevent clients from using any other DNS.

What is your general strategy at this point (what is currently implemented, what do you think meets your goals best)?

Peter, many thanks for the prompt response.

  1. "set router's DNS as the PiHole"
    This was the very first attempt: on the OpenWRT router, in Network -> Interfaces -> Guest/Edit -> Advanced Settings -> Use custom DNS servers, I entered the Docker's static IP address.
    I have also entered the same address as the preferred DNS server for all my devices.

    Pihole services all VLANs, but no individual IPs showing for any of the clients on the Guest subnet.
    The IoT subnet is not allowed to see the WAN.

  2. "DHCP option 6"
    Somewhere in my quest I did find that suggestion, "6,<Docker's static IP address>"... I think.
    I don't have the details just now (way too many tries), but I could dig the details out from ny record.
    It didn't help either.

  3. "hijack the DNS "
    Yes please, this sounds like the very best!!
    Have looked at this option as well (OpenWRT Wiki / DNS hijacking). Guidelines for "DNS redirection" were a bit tough, was not able to "decifer" them.
    But, I tried Jeff Keller's guide (https://jeff.vtkellers.com/posts/technology/force-all-dns-queries-through-pihole-with-openwrt/), it seemed to be the same approach, and that didn't work either. Could be a VLAN induced problem.

    1. "general strategy"
      The home network works just fine, and so is the Pihole.
      I would like though to know where are my devices calling. Even with my VLAN-IP-resolving challaged Pihole, I can see my Apple HomePods making lots of home calls... not necessarily the worst thing.

    Thanks again for taking the time to help.