Traefik + Portainer + Pihole on UGreen NAS is not working

Goals

  • I want to use Traefik together with Portainer
  • I have a pihole running for my DNS and Adblocking stuff

Current situation

  • I'm on a UGreen NAS 4800+
  • I have Portainer established, pihole is running in portainer currently
  • My Fritz!Box is using pihole as DNS resolver

Current problems

  • UGreen NAS tries to resolve itself always first
  • My dns won't work locally with my domain (local.mydomain.de)
  • (Pihole is running in macvlan-mode) - I don’t know if this is a problem, but it seems like it is from what I found out currently

Current status

  • nslookup on the NAS fails:
    nslookup nas.local.mylab.de
    ;; communications error to 127.0.0.1#53: timed out
    ;; communications error to 127.0.0.1#53: timed out
  • nslookup on a local client works:
    nslookup nas.local.mylab.de
    Server: pi.hole
    Address: 192.168.178.IPADDRESS
    Name: nas.local.mylab.de
    Addresses: 2606:4700:3030::6815:IPADDRESS
    2606:4700:3037::ac43:IPADDRESS
    192.168.178.IPADDRESS
  • The Traefik dashboard loads, but I'm unable to access it with username / password. I also tried setting a new one, nothing changes. I get a 401 Unauthorized.
  • The SSL certificate is successfully issued and added to the Traefik dashboard

Config files

Pihole

########################### NETWORKS
networks:
  macvlan_net:
    driver: macvlan
    driver_opts:
      parent: eth0 # In my case it is eth0; check your own parent interface using ifconfig.
    ipam:
      config:
        - subnet: 192.168.178.0/24  # Replace with your desired subnet.
          gateway: 192.168.178.1 # On your UGREEN NAS, go to Control Panel / Network / General Tab and check your Default Gateway.

########################### SERVICES
services:
  pihole:
    image: pihole/pihole
    container_name: Pi-Hole
    networks:
      macvlan_net:
        ipv4_address: 192.168.178.5  # Assign a static IP within the subnet to avoid conflicts.
    security_opt:
      - no-new-privileges:false
    restart: unless-stopped
    volumes:
      - /volume2/docker/pihole/dnsmasq.d:/etc/dnsmasq.d:rw
      - /volume2/docker/pihole/pihole:/etc/pihole:rw
    environment:
      FTLCONF_webserver_api_password: Z2VaCeGKQ5Rh6ZxG6ayt5LFL2Fhacc6C2uXkjWsCu4RKVtg3wKURXXZvyXEIpuK1
      FTLCONF_webserver_port: 8080
      FTLCONF_dns_listeningMode: all
      TZ: Europe/Berlin
      DNSMASQ_USER: pihole # or root; using root is NOT recommended.
      PIHOLE_UID: 1001
      PIHOLE_GID: 10
    cap_add:
      - SYS_TIME
      - SYS_NICE

traefik-docker-compose

version: "3.8"
services:

  traefik:
    image: traefik:v3.5
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      # CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    secrets:
      - cf_api_token
    env_file: .env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      # - ./data/config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.mylab.de`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.mylab.de`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.mylab.de"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.mylab.de"
      - "traefik.http.routers.traefik-secure.service=api@internal"

secrets:
  cf_api_token:
    file: ./cf_api_token.txt

networks:
  proxy:
    external: true

traefik.yml

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: @gmail.com
      storage: acme.json
      #caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through Cloudflare; setting this flag to true disables waiting for the TXT record to propagate to all authoritative name servers.
        #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed, to make sure the TXT record is ready before verification is attempted
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

Guides I used until now:

I can't figure out where exactly the issues come from. Is it only the Pi-hole not being reachable on the UGreen? Is anything wrong with Traefik?
Thank you for any help in advance!
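
The two nslookup results above (timeouts against 127.0.0.1#53 on the NAS, a normal answer from pi.hole on a LAN client) are consistent with the NAS's own resolver pointing somewhere Pi-hole is not listening. With Pi-hole on a macvlan network the container has its own LAN address, nothing answers on the NAS's loopback, and Linux additionally keeps a macvlan parent host from talking to its own macvlan children unless a shim interface is added. The script below is an added example and not part of the original post: it classifies the nameservers in a resolv.conf-style file against the addresses from the posted compose file (192.168.178.5 for Pi-hole, 192.168.178.1 for the Fritz!Box gateway, both taken from the post) and prints what each path means for this setup. The resolv.conf it writes is constructed for the demo, and `probe_dns` is an optional live check that only does anything where `dig` is installed.

```shell
#!/bin/sh
# Added example, not part of the original post: a resolver check for a host
# (here the UGreen NAS) whose Pi-hole runs as a macvlan container.
# The addresses come from the posted compose file; the resolv.conf content
# written at the bottom is constructed to mirror the failing NAS.

PIHOLE_IP="192.168.178.5"   # ipv4_address of the Pi-hole container
ROUTER_IP="192.168.178.1"   # gateway from the macvlan ipam block

# Print the nameserver addresses listed in a resolv.conf-style file ($1).
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Classify one nameserver address relative to this setup.
classify_nameserver() {
    case "$1" in
        127.*|::1)      echo loopback ;;
        "$PIHOLE_IP")   echo pihole-macvlan ;;
        "$ROUTER_IP")   echo router ;;
        *)              echo other ;;
    esac
}

# Explain what a classification means for a host with a macvlan Pi-hole.
explain() {
    case "$1" in
        loopback)
            echo "nothing on the NAS itself answers on port 53: Pi-hole has its own"
            echo "macvlan address, so queries to 127.0.0.1#53 time out" ;;
        pihole-macvlan)
            echo "reachable from other LAN clients, but the macvlan parent host"
            echo "cannot talk to its own macvlan children without a shim interface" ;;
        router)
            echo "the Fritz!Box forwards to Pi-hole, so the NAS gets local names and"
            echo "ad-blocking without touching the macvlan restriction" ;;
        *)
            echo "external or unknown resolver; local.* names will not resolve here" ;;
    esac
}

# Walk every nameserver in the file and print a one-line verdict per entry.
diagnose_resolv() {
    for ns in $(list_nameservers "$1"); do
        kind=$(classify_nameserver "$ns")
        printf '%s [%s]: ' "$ns" "$kind"
        explain "$kind" | tr '\n' ' '
        echo
    done
}

# Optional live probe ($1 = server, $2 = name): 2s timeout, single try.
probe_dns() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed"; return 0; }
    dig +time=2 +tries=1 +short @"$1" "$2"
}

# --- constructed demo input ------------------------------------------------
DEMO_RESOLV=$(mktemp)
cat >"$DEMO_RESOLV" <<'EOF'
# constructed resolv.conf resembling the failing NAS
nameserver 127.0.0.1
nameserver 192.168.178.5
EOF
diagnose_resolv "$DEMO_RESOLV"
rm -f "$DEMO_RESOLV"
```

Pointing the NAS's resolver at the router (which, per the post, already forwards to Pi-hole) sidesteps the macvlan restriction; a macvlan shim interface on the NAS is the other common route, and `probe_dns 192.168.178.5 nas.local.mylab.de` shows whether that path works once it is in place.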

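The 401 on the dashboard is produced by the traefik-auth basicAuth middleware, whose user list is whatever `${TRAEFIK_DASHBOARD_CREDENTIALS}` expands to. Two things are worth checking before changing the password yet again: that the value is a `user:hash` pair in a format Traefik accepts (apr1 MD5, bcrypt or {SHA}), and that the `$` characters of the hash survived Compose variable interpolation, which treats `$name` as a variable reference and needs `$$` for a literal dollar in a compose file or in a `.env` file read by Compose v2. The functions below are an added example, not code from the post or from the Traefik project: `check_htpasswd_entry` validates the shape of an entry, `compose_escape` and `compose_unescape` convert between the raw and the compose-escaped form, and `make_entry` generates a fresh entry with `htpasswd` or `openssl` when one of them is installed. The demo hash is constructed and is not a real credential.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the
# TRAEFIK_DASHBOARD_CREDENTIALS value consumed by the traefik-auth middleware.
# The demo entry at the bottom is constructed, not a real credential.

# Does the value look like a user:hash pair Traefik's basicAuth accepts
# (apr1 MD5, bcrypt, or {SHA})? Prints ok/bad and returns 0/1.
check_htpasswd_entry() {
    entry="$1"
    case "$entry" in
        *:*) ;;
        *) echo "bad: missing user:hash separator"; return 1 ;;
    esac
    hashpart="${entry#*:}"
    case "$hashpart" in
        '$apr1$'*|'$2a$'*|'$2b$'*|'$2y$'*|'{SHA}'*) echo ok; return 0 ;;
        '$$'*) echo "bad: doubled dollars; this is the compose-escaped form, not the raw hash"; return 1 ;;
        *) echo "bad: unsupported or truncated hash: $hashpart"; return 1 ;;
    esac
}

# Double every $ so the hash survives Compose variable interpolation when it
# is written into docker-compose.yml or into a .env file read by Compose v2.
compose_escape() {
    printf '%s\n' "$1" | sed 's/\$/$$/g'
}

# Reverse: what Compose hands to Traefik after interpolation.
compose_unescape() {
    printf '%s\n' "$1" | sed 's/\$\$/$/g'
}

# Generate an entry ($1 = user, $2 = password): bcrypt via htpasswd
# (apache2-utils) when present, apr1 via openssl as a fallback.
make_entry() {
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nbB "$1" "$2"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
    else
        echo "neither htpasswd nor openssl available" >&2
        return 1
    fi
}

# --- constructed demo ------------------------------------------------------
DEMO='admin:$apr1$constructed$notARealHashAbcdefghijklmnop'
check_htpasswd_entry "$DEMO"
ESCAPED=$(compose_escape "$DEMO")
echo "for docker-compose.yml / .env: $ESCAPED"
check_htpasswd_entry "$(compose_unescape "$ESCAPED")"
```

A quick way to see what Traefik actually received is `docker compose config`, which prints the labels after interpolation: the basicauth.users label must show the hash with single `$` signs, while a value such as `admin:$` or a Compose warning about an unset variable named `apr1` means the dollars were consumed and every login will get a 401.
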
Hello,

Just replying to follow up. To add to this, I have a similar issue (without Traefik), but it looks like it is related to the Docker stack from UGreen (as I have migrated this from Syn, used for years, to UGreen lately), but I'm not able to find appropriate information related to this.

Cheers,