Pi-hole on FreeNAS (VM Ubuntu 18.04.3) rocks

vafk

Contributor
Joined
Jun 22, 2017
Messages
132
I am writing this report on the occasion that a friend urged me to install Pi-hole to protect from undesired advertisement attacks (and many more negative aspects). He uses a Raspberry Pi but I was not looking to get another hardware device because I have FreeNAS and some old hardware, among them an IGEL H710C, which I could use to experiment.

I started with IGEL and installed Debian 8.4, later 10.2 but failed (not the fault of Debian but my IGEL does not like it or is too old), then tried ubuntu-18.04.3-server-amd64 which installed well (using Rufus to create the bootable USB-stick).

Then I wondered if it was possible to use Pi-hole within a VM on my FreeNAS-11.2-U7. I used Google a little bit (now without the annoying ads thanks to Pi-hole on Ubuntu server 18.04 on my IGEL) but did not find any clear answers on if and how FreeNAS and Pi-hole work.

As always someone is asking how to achieve the task, gets some "don't do this and do that" and at the end it is missing whether he succeeded or was hit by a stone. I experimented with jails a few years ago but had no real use for them (I confess that I use FreeNAS only as a "NAS" so far) but today I tried its VM feature. It is a long time ago that I enjoyed the night (and the bourbon) like today...

In a nutshell, Pi-hole and FreeNAS (VM on Ubuntu) rocks. To make the story short, here are the steps:

1) Create a VM (in my case 1 CPU / 768 MB RAM / 10 GB Disk)
2) Point to installation file ubuntu-18.04.3-server-amd64.iso (this is really cool because FreeNAS GUI just browses to any place in your file structure and so unlike Citrix etc. you do not have to create/mount iso/nfs directory first to be able to boot from the iso. So in a minute or less you're fine to install :)
3) Follow the next steps (confirm all and start the VM).
4) The VNC feature to connect to the VM is a pretty cool part, working well so even my granny could have managed this if she was still alive.
5) Leave everything as suggested except maybe "Install security updates automatically" and install "OpenSSH server" (because I like to connect to my VMs by SSH)
6) After finalizing the installation and rebooting you log in as the user you created during the Ubuntu install. So you need to change the root password with sudo passwd root.
7) Check with ifconfig the IP your VM received from your DHCP server (I need this for Bitvise SSH Client to log in with the user I created before). Note: you cannot log in as root now because you have to enable root SSH first.
8) I had problems managing the VM via the VNC interface because my German keyboard would print ß instead of - so I could not use the necessary console commands, but that problem may be due to the selection of a German keyboard so may not affect everybody.
9) I like things comfortable so I do sudo apt-get install mc to get Midnight Commander (I remember Norton Commander from DOS-times and like it better than pressing 100 keys while MC can do this for me).
10) Use MC (with sudo to get rights) and go into /etc/netplan and edit 01-netcfg.yaml to change from DHCP to your static IP. In my case I changed:


dhcp4: no
dhcp6: no
addresses: [192.168.2.254/24]
gateway4: 192.168.2.1
nameservers:
  addresses: [8.8.8.8, 8.8.4.4]

save and enter sudo netplan generate / sudo netplan apply

Now the IP changed and you have to sign out and in again.

sudo mc

change to /etc/ssh, edit sshd_config and change

#PermitRootLogin prohibit-password

to

PermitRootLogin yes

restart SSH server

service ssh restart

(or reboot VM for the lazy) and log in as root.

Now you can install Pi-Hole (for Linux this is really magic, only one command and it installs completely)

curl -sSL https://install.pi-hole.net | bash

It takes some time (in my case the install did not complain at all - I know you don't believe it, but it is true). At the end best take a screen-shot of the last message where it presents you the login-password to the GUI!!! - I use Screenshot Captor.

You can change Pi-hole's password from the console: pihole -a -p

Make sure you switch off the DHCP in your current router before you start using Pi-hole in your new VM and from there it is basic, when you start configuring your Pi-Hole with

your-ip-address/admin

enable DHCP in Pi-hole (Settings), reboot your PCs and you're done.

I get no credits for the software I mentioned but I was so fascinated that it worked and only took me one night that I had to share my experience with you.

Ciao from Germany/Eifel mountains/Nürburgring
 
Last edited:
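
Added example, not part of vafk's post and not code from Pi-hole or FreeNAS: a shell check for the sshd_config edit described above, reporting the value sshd would actually apply and flagging root password login. The function names and the three sample configs are constructed for illustration; it assumes the OpenSSH defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes) and does not follow Include directives.

```sh
#!/bin/sh
# Added example, not code from the thread. Sample configs below are constructed.

# Print the effective global value of an sshd_config keyword.
# sshd keeps the FIRST value it reads for a keyword, matches keywords
# case-insensitively, and ignores '#' comments; DEFAULT applies when unset.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v want="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        { sub(/=/, " ") }                        # accept "Keyword=value"
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == tolower(want) { val = tolower($2); exit }
        END { print (val != "" ? val : def) }
    ' "$1"
}

# Return 1 when root can log in over SSH with a password.
# Simplification: keyboard-interactive/PAM authentication is not considered.
audit_root_ssh() {  # usage: audit_root_ssh FILE
    prl=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    pwa=$(sshd_effective "$1" PasswordAuthentication yes)
    if [ "$prl" = "yes" ] && [ "$pwa" = "yes" ]; then
        echo "FAIL $1: root password login (PermitRootLogin=$prl, PasswordAuthentication=$pwa)"
        return 1
    fi
    echo "OK   $1: PermitRootLogin=$prl, PasswordAuthentication=$pwa"
}

# Constructed samples: the stock line from the post, the edited line,
# and a key-only variant that still permits root over SSH.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#PermitRootLogin prohibit-password' \
              '#PasswordAuthentication yes' > "$tmp/stock.conf"
printf '%s\n' 'PermitRootLogin yes' \
              '#PasswordAuthentication yes' > "$tmp/edited.conf"
printf '%s\n' 'PermitRootLogin prohibit-password' \
              'PasswordAuthentication no' > "$tmp/keys_only.conf"

for f in stock edited keys_only; do
    audit_root_ssh "$tmp/$f.conf" || true
done
```

On the VM itself the same function can be pointed at /etc/ssh/sshd_config; only the "edited" sample is reported as FAIL.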
Joined
Jan 27, 2020
Messages
577
Hello from Germany, too!
Thank you for this guide, it looks really easy. I got myself a Pi-hole + unbound working in my home network, neat little device.

One thing I'd like to add: You don't need to use DHCP through Pi-hole, it does work with router-side DHCP as well. Maybe even better, for when your VM goes down. It also reduces the load on your machine.
 

vafk

Contributor
Joined
Jun 22, 2017
Messages
132
@mistermanko

I hoped that it would be so. If you own a Speedport Hybrid (the old version, not the black trash can), you cannot change DHCP settings the way FritzBox and other routers do.

There is a perfect tutorial on stricted.net to mod the SPH (add a serial-to-USB adapter to be able to change the script, which I am going to do now).

At the end of the journey I will use my own router running pfSense. That can take a few months when we finally get our "fast internet"...
 
Joined
Jan 27, 2020
Messages
577

drinking12many

Contributor
Joined
Apr 8, 2012
Messages
148
Personally I just did mine on a CentOS VM with Docker using the official Docker image, which also works fine.

Docker-compose I use
Code:
version: '2'
services:
  pihole:
    restart: unless-stopped
    container_name: pihole
    image: pihole/pihole:latest
    network_mode: bridge
    volumes:
      - /opt/rancherstorage/pihole-monitorr/pihole/etc-pihole:/etc/pihole/
      - /opt/rancherstorage/pihole-monitorr/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/
    environment:
      - DNS1=1.1.1.1
      - DNS2=1.0.0.1
      # No quotes in list form: they would become part of the value. TZ takes a tz database name.
      - TZ=America/New_York
    cap_add:
      - NET_ADMIN
    ports:
      - "53:53/udp"
      - "9080:80"
 

vafk

Contributor
Joined
Jun 22, 2017
Messages
132
@drinking12many

Did you install CentOS in FreeNAS as VM? If so which version did you use?

Do you believe the usage of the resources especially if you use containers is better than as I run it currently on Ubuntu server? Thank you.

Edit: I am downloading the CentOS minimal ISO and will try.
 
Last edited:

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
Nice guide! Pretty much what I'd done last month to get Pi-hole working on my FreeNAS box. It's working very well for me too, although I can't seem to get it to play nicely with my Apple Airport Extreme. If I set the Pi-hole IP address as the DNS on the router, it loses the internet connection. If I set it back to a public DNS and assign the Pi-hole as DNS on each device, it works just fine.

Otherwise, a much neater solution than the DNS jail I'd created following a guide to be found elsewhere on here, with lots more functionality including a really nice UI.
 

drinking12many

Contributor
Joined
Apr 8, 2012
Messages
148
> @drinking12many
>
> Did you install CentOS in FreeNAS as VM? If so which version did you use?
>
> Do you believe the usage of the resources especially if you use containers is better than as I run it currently on Ubuntu server? Thank you.
>
> Edit: I am downloading the CentOS minimal ISO and will try.

I just used CentOS because I am more familiar with it. I am on version 8, but there is no reason 7 shouldn't work. I think container vs. non-container depends on what you are doing. I run multiple containers on that host. I have 3 servers in my house: FreeNAS and 2 with ESX. I like to turn off the ESX boxes to save power when I am not using them, so on my FreeNAS I run one Windows 2016 VM as a domain controller and one CentOS machine for Rancher. I used to use the RancherOS VM in 11.2 but it's no longer supported, so I moved it to CentOS; between 11.3 and CentOS it's a lot quicker and more stable, can't say which it is due to. I also run several other services in containers (monitorr, grafana, influxdb, pi-hole, etc.), so it works fine for me. I also run ZoneMinder in a container because it never quite worked right as a plugin. Part of why I chose to run them in containers was that several use the same ports, and using containers made it easy to move them, and I just wanted to learn more about Docker. Resource-wise, eh, it's probably about the same: not as many resources as running each in its own VM, but not bad in the container.
 
Last edited:

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,828
FWIW, I run mine on two dedicated Pis that now run on separate power supplies (after an Amazon Basic unit failed). While I might be OK with an extended outage due to the server going down, the queen bee would unlikely be placated. Hence, redundant, independent DNS servers!
 

AlexMata

Dabbler
Joined
Aug 31, 2017
Messages
12
Great guide! I have Pi-hole running on a Pi2 but I like your set-up. I will do the same.
 

Soren

Dabbler
Joined
Nov 4, 2019
Messages
13
I have followed a long way, but when I come to edit 01-netcfg.yaml I'm lost. Mine looks like this:

GNU nano 2.9.3
# This file describes the network interfaces available on your system
# For more information, see netplan(5)
network:
  version: 2
  renderer: networkd
  ethernets:
    enp0st4:
      dhcp4: yes

When I try to install Pi-hole my keyboard is completely bumf*cked. Is there a way to force a keyboard layout, or import the text?

Soren
 

seanm

Guru
Joined
Jun 11, 2018
Messages
570
An alternative to Pi-Hole is to use pfSense and pfBlockerNG, they are pretty awesome, and also FreeBSD based.
 

KenNashua

Explorer
Joined
Feb 24, 2012
Messages
62
Has anyone had issue with this approach? I have Google WiFi and had pointed the router at my ubuntu/pihole VM and devices would drop off the internet on occasion. While I like Google Wifi, one of the frustrations for me is no access to logs, so it's up to Google tech support to tell me that DNS is failing and of course very little way other than perhaps Wireshark to figure out what's going wrong.
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,828
Are you using two devices in a failover config?

I find that my EdgeRouter sends about 90% of the traffic to the first Pi-hole and the rest to the backup.
 

John Doe

Guru
Joined
Aug 16, 2011
Messages
635
> An alternative to Pi-Hole is to use pfSense and pfBlockerNG, they are pretty awesome, and also FreeBSD based.

Yep, can recommend pfSense. There are many more features, also in terms of blocking potentially unwanted traffic.
I assume there is some kind of rule or filter which checks the URLs, so there are a lot of false positives but also a lot which is not captured by the common lists.
 

KenNashua

Explorer
Joined
Feb 24, 2012
Messages
62
> Are you using two devices in a failover config?
>
> I find that my EdgeRouter sends about 90% of the traffic to the first Pi-hole and the rest to the backup.

No, just a single bhyve Ubuntu VM. Not sure if it's a networking issue or what. I'm going to try switching my install over to a Pi Zero and see if I suffer similar issues.
 

kappclark

Explorer
Joined
Oct 16, 2019
Messages
99
Going to try this today -

--------------------- update ----------------
BRILLIANT !! Thank you for sharing the nice guide ---no issues and Big improvement ..
 
Last edited:

vafk

Contributor
Joined
Jun 22, 2017
Messages
132
@seanm

When I set up the above configuration, I was using a Speedport Hybrid on a 6000 DSL connection plus LTE. Lately we got a 100 Mbps line and finally I was able to connect my pfSense. Thanks to your reminder I set up pfBlocker yesterday. The problem I faced with Pi-hole running in a VM on FreeNAS was that after a reboot of FreeNAS or if something happened with the VM it did not start automatically and I had to connect to VNC. I think this is a bug reported also by others and I am not sure if it got fixed meanwhile. So my DHCP was not available until my interaction.
I am not yet familiar with pfBlocker and after some trying I got it up and running, and because my pfSense has 8 GB of RAM and the CPU was only loaded with 8% I also could switch on TLD (CPU now on 12%). So I could switch off Pi-hole on the FreeNAS which only has 16 GB of RAM and I guess this is a better solution in my case. What I liked about Pi-hole was the fancy statistics but after a while and by the end of the day, who cares about statistics. I will now use the free resources on FreeNAS to set up Asterisk to get rid of my good old FritzBox which is doing VoIP.

So @seanm good point and for someone using pfSense pfBlocker is maybe the better choice.
 

kappclark

Explorer
Joined
Oct 16, 2019
Messages
99
Interesting post - the DHCP here at home is controlled at a pfSense box, so I don't have a plm there -- maybe you can set up a split DNS, where there are 2 DHCP servers on the LAN - just be certain the scopes don't overlap ... this avoids the single point of failure but also introduces more complexity.

But my Pi-hole VM is set to start on boot, and honestly it starts up just fine. It is blocking about 25% of the requests... I am running the latest FreeNAS. Did you check the Start on Boot checkbox? It is available in the Edit section of the VM --

 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,828
Once the primary DNS server times out, MacOS allegedly doesn't try to switch back to its primary DNS server until the next reboot or secondary DNS server failure. Hence, Mac users shouldn't rely on using just one Pi-hole or pfSense DNS server and an ISP as backup. I use two Pi-holes for that reason - allow DNS queries to fail over to a different one in case the first one times out. Other than the power supply failure (should have used an Anker!), they have been rock solid.

If you collect stats with pi-hole, be sure to use high-endurance flash drives and make copies of the flash drives after you have the units fully configured. Storage space is cheap, the relevant software is free, and the time it saves you re: installing a new copy of Raspbian, all the updates, installs, configs, etc. is considerable. Some Pi-hole experts have even engineered solutions where blacklist and like settings are shared between the two Pis. I'm too dumb for all that so I just set them up and update them separately.
 