Entware Pi-hole directly on the router? Yes!

Turns out... I had a bug in my build script and it never properly deleted the binary from the previously built package, making it use the same binary for all packages...
Update the package and let me know if the issue is gone now.
Alright, no errors now! That was indeed the issue.

Going forward, the github page could be tweaked a bit, based on the learnings from this thread.

The process is running as the 'pihole' user since I added that yesterday, I guess that does not matter one way or another:
Code:
# ps wT |grep pihole
2038537 pihole   13244 S <  pihole-FTL -- -u pihole -g pihole
2038546 pihole   13244 S <  {database} pihole-FTL -- -u pihole -g pihole
2038547 pihole   13244 S <  {housekeeper} pihole-FTL -- -u pihole -g pihole
2038548 pihole   13244 S <  {dns-client} pihole-FTL -- -u pihole -g pihole
2038549 pihole   13244 S <  {timer} pihole-FTL -- -u pihole -g pihole
2038550 pihole   13244 S N  {civetweb-timer} pihole-FTL -- -u pihole -g pihole
2038551 pihole   13244 S N  {civetweb-master} pihole-FTL -- -u pihole -g pihole
2041886 pihole   13244 S N  {civetweb-worker} pihole-FTL -- -u pihole -g pihole
2041887 pihole   13244 S N  {civetweb-worker} pihole-FTL -- -u pihole -g pihole
2041888 pihole   13244 S N  {civetweb-worker} pihole-FTL -- -u pihole -g pihole
2041889 pihole   13244 S N  {civetweb-worker} pihole-FTL -- -u pihole -g pihole
2051731 admin     5980 S    grep pihole

A small software engineering tweak. Could you change the compile flags to strip the debug symbols, and perhaps also to use dynamic libraries as well? Sort of how the official entware binaries look, see nmap:
Code:
admin@RT-AC86U-9988:/tmp/mnt/ac86u/entware/bin# file nmap
nmap: ELF 64-bit LSB executable, ARM aarch64, version 1 (GNU/Linux), dynamically linked, interpreter /opt/lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, stripped
admin@RT-AC86U-9988:/tmp/mnt/ac86u/entware/bin# file pihole-FTL
pihole-FTL: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, BuildID[sha1]=51bccd9df92de8a090037b8a93a08237a6ac2a52, with debug_info, not stripped
 
Last edited:
Going forward, the github page could be tweaked a bit, based on the learnings from this thread.
Added suggestion to add 'pihole' user.
See updated README, what else would you add here? Device/firmware specific stuff should go into wiki though.

The process is running as the 'pihole' user since I added that yesterday, I guess that does not matter one way or another:
It should basically run as any user, it will log a few errors (chown_pihole() function) about not finding 'pihole' user but as far as I can tell that doesn't impact anything.

A small software engineering tweak. Could you change the compile flags to strip the debug symbols, and perhaps also to use dynamic libraries as well?
Pretty sure Pi-hole developers made it static for a reason - to use library versions they know that work, forcing it to use older libraries might break the build. No idea why they are not stripping it though but there might be a reason too.
Forcing it to use dynamic libraries means I would have to build toolchains and a lot of libraries from the Entware repo almost each time I want to build my binary, that would increase build time from ~5 minutes to maybe an hour.
I'm using their Docker builder images for building to make sure everything is assembled as it should.
 
Last edited:
Added suggestion to add 'pihole' user.
See updated README, what else would you add here? Device/firmware specific stuff should go into wiki though.


It should basically run as any user, it will log a few errors (chown_pihole() function) about not finding 'pihole' user but as far as I can tell that doesn't impact anything.


Pretty sure Pi-hole developers made it static for a reason - to use library versions they know that work, forcing it to use older libraries might break the build. No idea why they are not stripping it though but there might be a reason too.
Forcing it to use dynamic libraries means I would have to build toolchains and a lot of libraries from the Entware repo almost each time I want to build my binary, that would increase build time from ~5 minutes to maybe an hour.
I'm using their Docker builder images for building to make sure everything is assembled as it should.

I'd also add the NTP issue discussion to the Wiki. I moved around scripts, so that NTP is definitely started first (I made it 15, while PiHole stuff is 95/96):
Code:
# ls -l /opt/etc/init.d/
total 52
-rw-r--r-- 1 admin root 2822 Mar 19  2021 rc.func
-rw-r--r-- 1 admin root 4068 Jul  7 17:50 rc.func.syslog-ng
-rwxr-xr-x 1 admin root  966 Mar 19  2021 rc.unslung
-rwxr-xr-x 1 admin root  250 May 22 21:55 S01syslog-ng
-rwxr-xr-x 1 admin root  217 Jan  8  2025 S02haveged
-rwxr-xr-x 1 admin root  232 May 23 04:17 S10cron
-rwxrwxrwx 1 admin root  480 Jun 20 11:52 S15ntpd
-rwxr-xr-x 1 admin root 1460 Aug 18  2023 S33vnstat
-rwxr-xr-x 1 admin root  212 Jun  1 08:03 S61unbound
-r-xr-xr-x 1 admin root 1060 Nov  1  2024 S90taildns
-rwxr-xr-x 1 admin root  726 Aug 15 11:22 S95extra-ip
-rwxr-xr-x 1 admin root  289 Jul 15 06:58 S96pihole-FTL
-rwxr-xr-x 1 admin root  314 Jul 10  2024 S99sysstat

The other Wiki item is the updated extra IP script that I posted here - Link.

There are also config changes to discuss if one uses a separate DNS IP.

I did not realize PiHole developers wanted everything static ...
 
I'd also add the NTP issue discussion to the Wiki. I moved around scripts, so that NTP is definitely started first (I made it 15, while PiHole stuff is 95/96):
Wiki pages already suggest disabling the NTP feature; in future releases there will be a config file shipped with the package which will have the NTP feature disabled by default.

Also an important note: Do not rename/remove S65pihole-FTL - in many places there are hardcoded calls to it via /opt/etc/init.d/S65pihole-FTL.
Package updates will also recreate that file.

You could simply create a symlink to the ntp service with a name that would execute it earlier in the stack.

The other Wiki item is the updated extra IP script that I posted here - Link.
Updated. In your script, "brd + dev" on the delete line will most likely error out as it is only for broadcast address calculation when setting the address.

There are also config changes to discuss if one uses a separate DNS IP.
That is a custom setup; most people will be fine replacing the firmware's DNS server or making it forward requests to Pi-hole running on a changed port.
If you want, you can add a wiki article with your setup instructions.

I did not realize PiHole developers wanted everything static ...
This way people running on systems with outdated/incompatible libraries can still run it.
In a way you can compare this to Flatpaks.
Probably also saves them some headaches when people come report issues as that's one thing less to worry about.
 
Last edited:
Wiki pages already suggest disabling NTP feature, in the future releases there will be a config file shipped with the package which will have NTP feature disabled by default.

For some reason I disabled NTP in the config file, and still had those issues if Pihole started before the official ntpd.

Also an important note: Do not rename/remove S65pihole-FTL - in many places there are hardcoded calls to it via /opt/etc/init.d/S65pihole-FTL.
Package updates will also recreate that file.

OK, I renamed it back to S65*

It's probably safe enough to keep NTPD as S15*, given all the sequencing issues.

Updated. In your script, "brd + dev" on the delete line will most likely error out as it is only for broadcast address calculation when setting the address.


That is custom setup, most people will be fine replacing firmware's DNS server or making it forward requests to Pi-hole running on a changed port.
If you want, you can add a wiki article with your setup instructions.

No errors for IP removal with that command, but I guess it could be shorter if that info is not needed.

Code:
admin@RT-AC86U-9988:/tmp/mnt/ac86u/entware/etc/init.d# ./S65pihole-FTL stop
 Checking pihole-FTL...              alive.
 Shutting down pihole-FTL...              done.
admin@RT-AC86U-9988:/tmp/mnt/ac86u/entware/etc/init.d# ./S64extra-ip stop
Removed 192.168.1.20/24 from br0
admin@RT-AC86U-9988:/tmp/mnt/ac86u/entware/etc/init.d# ./S64extra-ip start
Added 192.168.1.20/24 to br0
admin@RT-AC86U-9988:/tmp/mnt/ac86u/entware/etc/init.d# ./S65pihole-FTL start
 Starting pihole-FTL...              done.

I think it does make sense to put a Wiki together - there were a few useful tricks on running Pihole in this config, so somebody may want to do that some day!

I may try to run the Pihole as the main DNS, just to see how that goes.

P.S. Performance and memory consumption seem adequate on AC86u, although the web server does take a couple of seconds to start.
Code:
admin@RT-AC86U-9988:/tmp/mnt/ac86u/entware/etc/init.d# free
             total       used       free     shared    buffers     cached
Mem:        426020     391444      34576       3736      15180     165368
-/+ buffers/cache:     210896     215124
Swap:      2097148       3180    2093968
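The "brd +" remark above, and the S64extra-ip stop/start sequence shown in this session, can be illustrated with a minimal extra-IP init script. This is an added example, not the script linked in the thread and not part of the Pi-hole package; it assumes iproute2's "ip" command, the bridge br0 and the address 192.168.1.20/24 used in this thread. With DRY_RUN=1 it prints the commands instead of executing them, so the generated lines can be checked without root.

```shell
#!/bin/sh
# Added example of a minimal Entware-style extra-IP init script (not the
# script linked in the thread and not part of the Pi-hole package).
# Assumptions: iproute2 "ip", bridge br0, address 192.168.1.20/24 as in the
# thread. DRY_RUN=1 prints the commands instead of executing them.

EXTRA_IP=${EXTRA_IP:-192.168.1.20/24}
EXTRA_DEV=${EXTRA_DEV:-br0}

# The two commands. "brd +" only belongs on add: it tells ip to derive the
# broadcast address from the prefix. "ip addr del" takes just address + device.
add_cmd() { echo "ip addr add $1 brd + dev $2"; }
del_cmd() { echo "ip addr del $1 dev $2"; }

# Execute the command given as arguments, or print it under DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# True if the address is already configured on the device (needs ip).
has_addr() { ip -o -4 addr show dev "$2" 2>/dev/null | grep -q " $1 "; }

extra_ip_start() {
    if [ "${DRY_RUN:-0}" != "1" ] && has_addr "$EXTRA_IP" "$EXTRA_DEV"; then
        echo "$EXTRA_IP already on $EXTRA_DEV"
        return 0
    fi
    run $(add_cmd "$EXTRA_IP" "$EXTRA_DEV") && echo "Added $EXTRA_IP to $EXTRA_DEV"
}

extra_ip_stop() {
    if [ "${DRY_RUN:-0}" != "1" ] && ! has_addr "$EXTRA_IP" "$EXTRA_DEV"; then
        echo "$EXTRA_IP not on $EXTRA_DEV"
        return 0
    fi
    run $(del_cmd "$EXTRA_IP" "$EXTRA_DEV") && echo "Removed $EXTRA_IP from $EXTRA_DEV"
}

# Init-script style entry point: ./S64extra-ip start|stop|restart
case "${1:-}" in
    start)   extra_ip_start ;;
    stop)    extra_ip_stop ;;
    restart) extra_ip_stop; extra_ip_start ;;
esac
```

Running it as `DRY_RUN=1 ./S64extra-ip stop` prints `ip addr del 192.168.1.20/24 dev br0` followed by the "Removed ..." line; the add side is the only one that carries `brd +`.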
 
Last edited:
For some reason I disabled NTP in the config file, and still had those issues if Pihole started before the official ntpd.
Are we talking about time sync issue here or the fact that Pi-hole's NTP feature tried to use NTP ports (that are probably in use by firmware)?

I made few changes on the development branch to promote running as 'pihole' user, while keeping method with 'nobody' user as fallback.
I tried to create the user just before starting the service but it seems like Entware's useradd command does not like passwd files being symlinks.
 
Are we talking about time sync issue here or the fact that Pi-hole's NTP feature tried to use NTP ports (that are probably in use by firmware)?

...
The issue with NTP is that if PiHole starts first, even when config says ntp=false, then the proper ntpd never seems to start. Which hangs a bunch of other things.

And ntpd is configured to start quite late - S77ntpd, which is after S65pihole-FTL. So I had to start ntpd early. Perhaps your install should create a symbolic link from S77ntpd to S15ntpd ?
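The symlink approach (suggested earlier in the thread and repeated here: link the ntpd script under an earlier S-number rather than renaming S65pihole-FTL, which package updates recreate) can be checked and applied with a small script. This is an added example, not the thread's or the Pi-hole package's own code. It assumes an Entware-style /opt/etc/init.d with S<NN><name> scripts and the names from this thread (S77ntpd, S65pihole-FTL, S15 as the earlier slot); when rc.unslung later reaches the original S77ntpd, Entware's rc.func finds the daemon already running and does not start a second copy.

```shell
#!/bin/sh
# Added example (not from the thread or the Pi-hole package): check that ntpd
# is ordered before pihole-FTL in an Entware /opt/etc/init.d and, if wanted,
# add an earlier-numbered symlink to the ntpd script instead of renaming the
# package-owned S65pihole-FTL. Assumed names: S77ntpd, S65pihole-FTL, S15.

# Print the lowest S-number of a script whose name ends in $2 in dir $1,
# e.g. "77" for S77ntpd (or "15" once an S15ntpd link exists). Returns 1 if none.
init_order() {
    dir=$1; suffix=$2
    for f in "$dir"/S[0-9][0-9]"$suffix"; do
        [ -e "$f" ] || continue        # pattern matched nothing
        b=${f##*/}                     # S77ntpd
        b=${b#S}                       # 77ntpd
        echo "${b%"$suffix"}"          # 77
        return 0
    done
    return 1
}

# Succeeds when the ntpd script sorts before the pihole-FTL one.
check_ntp_before_pihole() {
    dir=$1
    ntp=$(init_order "$dir" ntpd) || { echo "no ntpd script in $dir"; return 1; }
    ph=$(init_order "$dir" pihole-FTL) || { echo "no pihole-FTL script in $dir"; return 1; }
    echo "ntpd=S$ntp pihole-FTL=S$ph"
    [ "$ntp" -lt "$ph" ]
}

# Create S<num>ntpd -> <real ntpd script> so ntpd starts earlier. The real
# script stays in place for package updates; when rc.unslung reaches it
# later, rc.func just reports the daemon as already running.
link_ntpd_earlier() {
    dir=$1; num=${2:-15}
    orig=
    for f in "$dir"/S[0-9][0-9]ntpd; do
        if [ -e "$f" ] && [ ! -L "$f" ]; then orig=${f##*/}; break; fi
    done
    [ -n "$orig" ] || { echo "no ntpd script in $dir"; return 1; }
    if [ -e "$dir/S${num}ntpd" ]; then echo "S${num}ntpd already exists"; return 0; fi
    ln -s "$orig" "$dir/S${num}ntpd" && echo "linked S${num}ntpd -> $orig"
}

# Usage: ./ntp-order.sh check [DIR]   or   ./ntp-order.sh link [DIR] [NUM]
case "${1:-}" in
    check) check_ntp_before_pihole "${2:-/opt/etc/init.d}" ;;
    link)  link_ntpd_earlier "${2:-/opt/etc/init.d}" "${3:-15}" ;;
esac
```

`check` prints the two S-numbers and fails when ntpd would start after pihole-FTL; `link` creates the relative symlink (S15ntpd -> S77ntpd) without touching either original file.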
 
The issue with NTP is that if PiHole starts first, even when config says ntp=false, then the proper ntpd never seems to start. Which hangs a bunch of other things.

And ntpd is configured to start quite late - S77ntpd, which is after S65pihole-FTL. So I had to start ntpd early. Perhaps your install should create a symbolic link from S77ntpd to S15ntpd ?
I would double check the config.
If ntpd doesn't start after Pi-hole it could mean the NTP feature is active and takes the required ports.
Can you run "pihole debug", upload the log when prompted and send me the link it returned?
 
I would double check the config.
If ntpd doesn't start after Pi-hole it could mean the NTP feature is active and takes the required ports.
Can you run "pihole debug", upload the log when prompted and send me the link it returned?
Yep, your hunch was correct about the config!

Somehow ntp active was true. I set it to false originally, but somewhere along the way the changes reverted back.

Btw, "pihole -d" port diagnostics is very nice.
 
@jacklul

This section below is a bit confusing. If my router is 192.168.1.1, do I still keep "192.168.1.0/24" in the config line below, or should it be "192.168.1.1/24" ?

Edit /opt/etc/pihole/pihole.toml and modify:
Code:
[dns]
revServers = [
"true,192.168.1.0/24,127.0.0.1#8053,lan"
]

Change 192.168.1.0/24 to match your LAN network, lan to match your LAN domain name and 192.168.1.1 to match your router's LAN IP address.
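In CIDR terms, 192.168.1.0/24 is the network that contains the host 192.168.1.1, and the README line quoted above asks for the LAN network. The following is an added example, not from the project, the README or the thread: plain-sh prefix arithmetic that computes the network address for an IP/prefix and checks one revServers entry against the router's address. It assumes the entry format shown above (enabled,network,target,domain) and the sample values 192.168.1.0/24 and 192.168.1.1.

```shell
#!/bin/sh
# Added example (not from the thread, the README, or Pi-hole): IPv4 prefix
# arithmetic in plain sh to sanity-check a revServers entry. A value like
# 192.168.1.1/24 names a host; the network it belongs to is 192.168.1.0/24.

# Dotted quad -> integer, e.g. 192.168.1.1 -> 3232235777
ip_to_int() {
    set -- $(echo "$1" | tr . ' ')          # 192 168 1 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of IP PREFIXLEN -> network address, e.g. 192.168.1.1 24 -> 192.168.1.0
network_of() {
    n=$(ip_to_int "$1")
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    int_to_ip $(( n & mask ))
}

# Succeeds when ADDR/PREFIX is a network address (no host bits set).
is_network_cidr() {
    addr=${1%/*}; plen=${1#*/}
    [ "$(network_of "$addr" "$plen")" = "$addr" ]
}

# in_network IP NETWORK/PREFIX -> succeeds when IP lies inside the network.
in_network() {
    plen=${2#*/}
    [ "$(network_of "$1" "$plen")" = "${2%/*}" ]
}

# check_revserver '"true,192.168.1.0/24,127.0.0.1#8053,lan"' ROUTER_IP
# Splits one revServers entry (enabled,network,target,domain), verifies the
# network field really is a network and that the router address is inside it.
check_revserver() {
    router=$2
    entry=${1#\"}; entry=${entry%\"}
    set -- $(echo "$entry" | tr , ' ')      # enabled network target domain
    enabled=$1; cidr=$2; target=$3; domain=$4
    if ! is_network_cidr "$cidr"; then
        echo "revServers: $cidr has host bits set; the network is $(network_of "${cidr%/*}" "${cidr#*/}")/${cidr#*/}"
        return 1
    fi
    if ! in_network "$router" "$cidr"; then
        echo "revServers: router $router is not inside $cidr"
        return 1
    fi
    echo "revServers OK: enabled=$enabled network=$cidr target=$target domain=$domain"
}
```

Called with the host form `"true,192.168.1.1/24,..."` the check fails and names 192.168.1.0/24 as the network; with the network form it succeeds as long as the router address you pass falls inside that /24.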
 
@jacklul

Another possible tweak is Unbound, your Wiki page here - link

There is this in amtm :
Code:
 7  open     unbound Manager             3.25

Running "unbound Manager" from amtm will start unbound on port 53535 (your Wiki says make it 5335 ...):
Code:
    udp:127.0.0.1:53535 is in use by unbound

I tried it, it's all smooth. Once unbound is configured via unbound Manager, I only had to do this:
Code:
   upstreams = [
     "127.0.0.1#53535"
   ]

Requests are now going upstream through unbound.
 
@jacklul

Alright, uninstalled Diversion and have everything flowing through PiHole on 192.168.1.20:53 .

Basically, kept stock DNS on 127.0.0.1:53. Then have unbound on 127.0.0.1:53535, and PiHole is only listening on 192.168.1.20:53, then redirecting requests to unbound on 127.0.0.1:53535. In "DNS Director" I have "Global Redirection" set to "User Defined 1" which is 192.168.1.20:53.

If one were to swap the on-router PiHole to the external PiHole, then just need to change the IP in "Global Redirection" for "User Defined 1" to this external PiHole, and add "No Redirection" to the external PiHole ethernet address itself.

If I want to bypass Pihole for everything, just need to change in "DNS Director" the setting of "Global Redirection" to "Router".

If I want to use Pihole without Unbound, just need to configure this back to the stock DNS:
Code:
   upstreams = [
     "127.0.0.1#53"
   ]

This config is a bit easier than in Wiki, since I only use AMTM's "Unbound Manager" and update everything in pihole.toml, there is no need to touch at all /jffs/scripts/dnsmasq.postconf . It's also very easy to disable via "DNS Director".

Code:
*** [ DIAGNOSING ]: Ports in use
    udp:*:9999 is in use by infosvr
    udp:*:42000 is in use by eapd
    udp:127.0.0.1:53535 is in use by unbound
    udp:127.0.0.1:40500 is in use by wps_monitor
[✗] udp:127.0.0.1:53 is in use by dnsmasq (https://docs.pi-hole.net/main/prerequisites/#ports)
[✗] udp:192.168.1.1:53 is in use by dnsmasq (https://docs.pi-hole.net/main/prerequisites/#ports)
[✓] udp:192.168.1.20:53 is in use by pihole-FTL
    udp:*:51000 is in use by eapd
...
[✓] tcp:192.168.1.20:5443 is in use by pihole-FTL
    tcp:192.168.1.1:1990 is in use by wps_monitor
    tcp:127.0.0.1:47753 is in use by mcpd
    tcp:127.0.0.1:139 is in use by smbd
    tcp:192.168.1.1:139 is in use by smbd
    tcp:*:7788 is in use by cfg_server
[✓] tcp:192.168.1.20:80 is in use by pihole-FTL
[✗] tcp:127.0.0.1:80 is in use by httpd (https://docs.pi-hole.net/main/prerequisites/#ports)
[✗] tcp:192.168.1.1:80 is in use by httpd (https://docs.pi-hole.net/main/prerequisites/#ports)
    tcp:*:18099 is in use by pc_block
[✗] tcp:127.0.0.1:53 is in use by dnsmasq (https://docs.pi-hole.net/main/prerequisites/#ports)
[✗] tcp:192.168.1.1:53 is in use by dnsmasq (https://docs.pi-hole.net/main/prerequisites/#ports)
[✓] tcp:192.168.1.20:53 is in use by pihole-FTL
    tcp:*:3702 is in use by wsdd2
    tcp:192.168.1.1:22 is in use by dropbear
[✓] tcp:127.0.0.1:5080 is in use by pihole-FTL

...
 
Last edited:
See my updated post above, this one - link .

I think making instructions a bit more Asus Merlin specific will help to configure things faster. Basically, there is "Unbound Manager" for Merlin, and then a few config changes for pihole.toml, and things are good to go.

If sticking to the official PiHole instructions it's a bit more cumbersome to make things work on Asus Merlin specifically.
 
upstreams = [ "127.0.0.1#53" ]
Probably better to insert the actual upstreams here instead, skip dnsmasq cache and issues it might cause.

I think making instructions a bit more Asus Merlin specific will help to configure things faster. Basically, there is "Unbound Manager" for Merlin, and then a few config changes for pihole.toml, and things are good to go.
I try to make those guides on the wiki a bit more generic, since the project itself isn't targeting only Asus routers. You can run Entware on a lot more devices.
And as I previously said - the wiki is open - every contribution is welcome!
 
Last edited:
I try to make those guides on the wiki a bit more generic, since the project itself isn't targeting only Asus routers. You can run Entware on a lot more devices.
And as I previously said - the wiki is open - every contribution is welcome!
Yep, you are right! I shall put together a Wiki page based on my experience. Basically, the idea is to make the install as streamlined as possible.
 
What's on your mind with the pihole.toml wiki pages? I don't see any reason to post those on separate wiki pages.
You should include only the changed stuff on the Asus Merlin page, a page full of config file is daunting. Besides the default config is available in Pi-hole documentation.
 
What's on your mind with the pihole.toml wiki pages? I don't see any reason to post those on separate wiki pages.
You should include only the changed stuff on the Asus Merlin page, a page full of config file is daunting. Besides the default config is available in Pi-hole documentation.
I wanted to make those downloadable, but don't see how I can upload simple config files. It may be easier for people to grab the working version, and update. Any better solution?
 
I seem to get some requests going via Unbound (port 53535), but some through the regular DNS (127.0.0.1:53). Any idea what is happening?

[Attached screenshots: pihole01.png, pihole02.png]
 
