Not necessarily a Proxmox question, but I'm curious as to how you would set up Proxmox where there are 2 LXCs, one with PiHole for DNS and the other with Nginx Proxy Manager (NPM) for reverse proxy. My current set-up is fully functional except that certain local web services won't load.
When I set up my laptop DNS to PVE's IP address, the DNS works fine, and I can see the Pihole tail log looking up my DNS requests, and all external sites load fine.
But when I look up an internal site, like Jellyfin, the page does not load. I see the DNS request in Pihole get answered fine, but the page itself never loads. This is the case for all internal sites I'm looking up.
The irony is that I do have a separate RPi with Pihole and that includes a local DNS record that points media.home.com to the PVE IP. That works fine in all cases!
So basically if I use an external Pihole, pointing internal domains to PVE, NPM works perfectly with no issue. But it's only when I use the LXC Pihole that I come across this problem.
I'm wondering if there is a strange loop happening since the DNS, reverse proxy, and web app are all in PVE?
Example situation after configuring my laptop DNS to PVE, and configuring PVE DNS to Pihole:
Laptop:
Code:
$ dig media.home.com
; <<>> DiG 9.10.6 <<>> media.home.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44976
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;media.home.com. IN A
;; ANSWER SECTION:
media.home.com. 0 IN A 192.168.5.8
;; Query time: 114 msec
;; SERVER: 192.168.1.20#53(192.168.1.20)
;; WHEN: Mon May 22 16:58:33 EDT 2023
;; MSG SIZE rcvd: 61
Pihole log:
Code:
20:58:56: query[A] media.home.com from 192.168.1.3
20:58:56: /etc/pihole/custom.list media.home.com is 192.168.5.8
But Jellyfin (or other similar apps) do not load and nothing is noted in NPM's log.
Laptop:
Code:
curl -S media.home.com
curl: (7) Failed to connect to media.home.com port 80: Operation timed out
Example situation after configuring my laptop DNS to external RPi, and pointing local DNS domains to 192.168.1.20 (PVE):
Code:
$ dig media.home.com
; <<>> DiG 9.10.6 <<>> media.home.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64141
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;media.home.com. IN A
;; ANSWER SECTION:
media.home.com. 0 IN A 192.168.1.20
;; Query time: 156 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Mon May 22 17:13:04 EDT 2023
;; MSG SIZE rcvd: 61
Pihole log:
Code:
May 22 17:15:43: query[A] media.home.com from 192.168.1.3
May 22 17:15:43: /etc/pihole/custom.list media.home.com is 192.168.1.20
NPM's Jellyfin access log during a curl
Code:
[22/May/2023:21:17:35 +0000] - 400 400 - GET http media.home.com "/" [Client 192.168.1.3] [Length 0] [Gzip -] [Sent-to 192.168.5.2] "curl/7.64.1" "-"
Example Setup:
PVE Host (eno1: 192.168.1.20 & vmbr1: 192.168.5.1) - DNS set to 192.168.5.5
- LXC1: PiHole (192.168.5.5)
- LXC 2: NPM (192.168.5.8)
- LXC 3: Jellyfin (192.168.5.2)
PVE /etc/network/interfaces
Code:
auto lo
iface lo inet loopback
auto eno1
iface eno1 inet static
address 192.168.1.20/24
gateway 192.168.1.1
auto vmbr1
iface vmbr1 inet static
address 192.168.5.1
netmask 255.255.255.0
bridge-ports none
bridge-stp off
bridge-fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.5.0/24' -o eno1 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.5.0/24' -o eno1 -j MASQUERADE
#Forward TCP to Pihole LXC
post-up iptables -t nat -A PREROUTING -i eno1 -p tcp --dport 53 -j DNAT --to 192.168.5.5:53
post-down iptables -t nat -D PREROUTING -i eno1 -p tcp --dport 53 -j DNAT --to 192.168.5.5:53
#Forward UDP to Pihole LXC
post-up iptables -t nat -A PREROUTING -i eno1 -p udp --dport 53 -j DNAT --to 192.168.5.5:53
post-down iptables -t nat -D PREROUTING -i eno1 -p udp --dport 53 -j DNAT --to 192.168.5.5:53
#Forward TCP to NPM LXC
post-up iptables -t nat -A PREROUTING -i eno1 -p tcp -m multiport --dports 1:21,23:8005,8008:65535 -j DNAT --to 192.168.5.8
post-down iptables -t nat -D PREROUTING -i eno1 -p tcp -m multiport --dports 1:21,23:8005,8008:65535 -j DNAT --to 192.168.5.8
#Forward UDP to NPM LXC
post-up iptables -t nat -A PREROUTING -i eno1 -p udp -m multiport --dports 1:21,23:8005,8008:65535 -j DNAT --to 192.168.5.8
post-down iptables -t nat -D PREROUTING -i eno1 -p udp -m multiport --dports 1:21,23:8005,8008:65535 -j DNAT --to 192.168.5.8
Pi-hole LXC's custom.list:
Code:
192.168.5.8 media.home
192.168.5.8 pi.home
NPM LXC's conf files (same set-up for all)
Code:
server {
    set $forward_scheme http;
    set $server "192.168.5.2";
    set $port 8096;

    listen 80;
    listen [::]:80;

    server_name media.home.com;

    access_log /data/logs/proxy-host-2_access.log proxy;
    error_log /data/logs/proxy-host-2_error.log warn;

    location / {
        # Proxy!
        include conf.d/include/proxy.conf;
    }

    # Custom
    include /data/nginx/custom/server_proxy[.]conf;
}
Notes on above:
1. Ideally I would love to have the port range on PVE iptables to allow 57 DNS to go to NPM and then set up a stream to Pihole, but that wasn't working, hence the 57 callout.
2. Next up, I do want to set up WireGuard on the Pihole LXC, but I'm having similar situations where there is a handshake, but no connection. Hoping the Pihole fix can work there too.
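The two dig outputs above differ only in the answer: the LXC Pi-hole returns 192.168.5.8, an address on vmbr1, which is a bridge with no physical ports that is only reachable from the 192.168.1.0/24 LAN through the MASQUERADE/DNAT rules on the PVE host; the RPi Pi-hole returns 192.168.1.20, the PVE LAN address, whose inbound TCP port 80 is DNATed to NPM. A laptop on the LAN that receives the first answer connects straight to 192.168.5.8 and times out, because its gateway is 192.168.1.1 and nothing routes that subnet for it. The script below is an added example (not the poster's code, and not part of Proxmox, Pi-hole or NPM): it parses the posted PREROUTING DNAT rules with first-match semantics and reports which container a given inbound port on eno1 lands on, and it flags custom.list entries whose target sits on the NAT-only bridge. The config fragments are constructed copies of what is posted above, trimmed to the rule lines; the regex is written for exactly that rule syntax and is an assumption, not a general iptables parser.

```python
import ipaddress
import re

# Constructed copy of the post-up DNAT rules from the poster's /etc/network/interfaces.
INTERFACES = """
post-up iptables -t nat -A PREROUTING -i eno1 -p tcp --dport 53 -j DNAT --to 192.168.5.5:53
post-up iptables -t nat -A PREROUTING -i eno1 -p udp --dport 53 -j DNAT --to 192.168.5.5:53
post-up iptables -t nat -A PREROUTING -i eno1 -p tcp -m multiport --dports 1:21,23:8005,8008:65535 -j DNAT --to 192.168.5.8
post-up iptables -t nat -A PREROUTING -i eno1 -p udp -m multiport --dports 1:21,23:8005,8008:65535 -j DNAT --to 192.168.5.8
"""

# Constructed copy of the Pi-hole LXC custom.list from the post.
CUSTOM_LIST = """
192.168.5.8 media.home
192.168.5.8 pi.home
"""

CLIENT_NET = ipaddress.ip_network("192.168.1.0/24")   # where the laptop lives
BRIDGE_NET = ipaddress.ip_network("192.168.5.0/24")   # vmbr1, NAT-only
PVE_LAN_IP = "192.168.1.20"                           # eno1 address, the DNAT entry point

# Matches only the rule shape used in the post (assumption); post-down lines are ignored.
RULE_RE = re.compile(
    r"post-up iptables -t nat -A PREROUTING -i (\S+) -p (tcp|udp) "
    r"(?:--dport (\S+)|-m multiport --dports (\S+)) -j DNAT --to (\S+)"
)


def parse_dnat_rules(text):
    """Return the DNAT rules in chain order as dicts with interface, protocol, port ranges and target."""
    rules = []
    for m in RULE_RE.finditer(text):
        iface, proto, single, multi, target = m.groups()
        ranges = []
        for spec in (single or multi).split(","):
            lo, _, hi = spec.partition(":")
            ranges.append((int(lo), int(hi or lo)))  # "53" -> (53, 53), "1:21" -> (1, 21)
        host, _, port = target.partition(":")
        rules.append({"iface": iface, "proto": proto, "ports": ranges,
                      "to": host, "to_port": int(port) if port else None})
    return rules


def dnat_target(rules, proto, port, iface="eno1"):
    """First matching rule wins, as in the nat PREROUTING chain. None means the port stays on the host."""
    for r in rules:
        if r["iface"] != iface or r["proto"] != proto:
            continue
        if any(lo <= port <= hi for lo, hi in r["ports"]):
            return (r["to"], r["to_port"] or port)
    return None


def check_custom_list(text, client_net, bridge_net, pve_lan_ip=PVE_LAN_IP):
    """Flag records that hand a LAN client an address it cannot route to."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, name = line.split(None, 1)
        addr = ipaddress.ip_address(ip)
        if addr in bridge_net and addr not in client_net:
            findings.append((name, ip, f"not routable from {client_net}; publish {pve_lan_ip} so DNAT applies"))
        else:
            findings.append((name, ip, "ok"))
    return findings


if __name__ == "__main__":
    rules = parse_dnat_rules(INTERFACES)
    for proto, port in [("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53),
                        ("tcp", 22), ("tcp", 8006), ("udp", 51820)]:
        print(f"{proto}/{port:<5} on eno1 -> {dnat_target(rules, proto, port)}")
    for name, ip, verdict in check_custom_list(CUSTOM_LIST, CLIENT_NET, BRIDGE_NET):
        print(f"{name:<12} {ip:<14} {verdict}")
```

Two things the output makes visible: ports 22, 8006 and 8007 are the only TCP ports left on the host itself (the multiport ranges skip them), so any UDP port WireGuard listens on, other than 53, is forwarded to the NPM container rather than to the Pi-hole LXC under these rules; and every custom.list record points at the bridge subnet, which is exactly the address the laptop cannot reach in the first scenario.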