SWAG + AdGuard Home DNS rewrites

It is not a DietPi issue (I assume), but I still hope someone here can help me.

Everything runs on Docker, below is my setup:

docker-compose.yml
# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
---
version: '3.9'
networks:
  internal:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/24
          gateway: 172.20.0.1
  external:
    driver: macvlan
    driver_opts:
      parent: wlan0
    ipam:
      config:
        - subnet: 192.168.1.0/24 # My network subnet
          gateway: 192.168.1.1 # My network gateway
          ip_range: 192.168.1.192/27 # Range from 192 to 222
services:
  duckdns:
    image: ghcr.io/linuxserver/duckdns:latest
    container_name: duckdns
    hostname: duckdns
    network_mode: host
    environment:
      - PUID=${USER_ID}
      - PGID=${GROUP_ID}
      - TZ=${TIMEZONE}
      - SUBDOMAINS=${DUCKDNS_SUBDOMAINS}
      - TOKEN=${DUCKDNS_TOKEN}
      - UPDATE_IP=ipv4
      - LOG_FILE=false
    volumes:
      - ${CONFIG_ROOT}/duckdns:/config
    restart: unless-stopped
  swag:
    image: ghcr.io/linuxserver/swag:latest
    container_name: swag
    hostname: swag
    depends_on:
      - duckdns
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=${USER_ID}
      - PGID=${GROUP_ID}
      - TZ=${TIMEZONE}
      - URL=${DUCKDNS_SUBDOMAINS}.duckdns.org
      - SUBDOMAINS=wildcard
      - VALIDATION=duckdns
      - DUCKDNSTOKEN=${DUCKDNS_TOKEN}
      - EMAIL=${EMAIL}
      - DOCKER_MODS=ghcr.io/linuxserver/mods:swag-auto-reload|ghcr.io/linuxserver/mods:swag-dashboard
    volumes:
      - ${CONFIG_ROOT}/swag:/config
    ports:
      - 443:443
      - 80:80
      - 81:81
    networks:
      internal:
      external:
        ipv4_address: 192.168.1.201
        aliases:
          - 192.168.1.201
    restart: unless-stopped
  adguardhome:
    image: adguard/adguardhome:latest
    container_name: adguardhome
    hostname: adguardhome
    environment:
      - PUID=${USER_ID}
      - PGID=${GROUP_ID}
      - TZ=${TIMEZONE}
    volumes:
      - ${CONFIG_ROOT}/adguardhome/workdir:/opt/adguardhome/work
      - ${CONFIG_ROOT}/adguardhome/confdir:/opt/adguardhome/conf
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 67:67/udp
      - 68:68/udp
      - 80:80/tcp
      - 443:443/tcp
      - 443:443/udp
      - 3000:3000/tcp
      - 853:853/tcp
      - 853:853/udp
      - 5443:5443/tcp
      - 5443:5443/udp
      - 6060:6060/tcp
    networks:
      internal:
      external:
        ipv4_address: 192.168.1.202
        aliases:
          - 192.168.1.202
    restart: unless-stopped

Raspberry Pi has address: 192.168.1.200
SWAG has address: 192.168.1.201
AdGuard Home has address: 192.168.1.202

Everything works well on the local network, all services are available at their respective IPs, also the SWAG server can be accessed externally at the address www.example.duckdns.org.

The problem now is this…

I installed the “Dashboard Docker mod for SWAG”, I would like it to be accessible at dashboard.example.duckdns.org, but I get the error 403 Forbidden.

Reading the mod documentation and searching online, I’m supposed to be using the “DNS rewrites” feature of AdGuard Home (do I understand it right?), but the dashboard is still not externally accessible.

I don’t know if I’m misconfiguring the “DNS rewrites” feature of AdGuard Home, if I’m doing something else wrong, or if I’m totally off the rails… 😅

If anyone has experience with similar configurations and DNS servers, I would be very grateful if they can help me.

I used this type of mechanism in the past. You are mixing up the LAN IP and the internal Docker IP (you are declaring ports, and in one container you use host). Theoretically your host machine is just one IP in your LAN, and Docker Compose creates one more random IP chain. Each container has access to the Docker-declared contents and internal IPs, not to the host machine's ports/resources. Your only options are either to access Docker containers via names, or to make a Docker Compose file which uses predefined internal IPs, and you can give those fixed internal IPs to other containers to use to access those applications.
You have to access your application like this template, based on container names

Just open ports 80 and 443 for SWAG and port 53 for AdGuard Home. Access all other applications via the reverse proxy / SWAG port 443.

It's not possible to access other Docker resources on the same host using macvlan. It's a limitation of this feature, not DietPi.

Still, why use AGH within a Docker container? It's a single executable and quite lightweight compared to the overhead the Docker engine generates.

This is my previous configuration, it worked externally to the network, but not internally.

I need an internal DNS to make some apps accessible only from the internal network, but via the external domain instead of the IP, like precisely the SWAG dashboard mentioned above.

Basically if I connect to app1.example.duckdns.org from a device on the internal network it should work, from a device on the external network it should return 403 Forbidden, but this does not happen.


Sorry, maybe I didn’t understand… the resources are all accessible on my internal network, each at its own IP.

Because in addition to SWAG and AGH I have many other apps under docker, and for convenience I also added AGH to them. Anyway, I had also tried native installation via DietPi-Software before, but still I was unable to use my domain locally.


Just as a reference, this is what I want to do, and these are the guides I followed:

Yes, you misunderstood. It’s not about accessing the resource from your local network. It’s about access from the very same Docker host system. It’s not really possible to access resources from the host system itself using macvlan: Host and Containers cannot communicate - MACVLAN - General - Docker Community Forums

Well, you could use PiHole as it offers local DNS entries. Anyway, I guess AGH has similar functionality: HomeLab: Adding Local DNS entry into AdGuard ( home.arpa ) and Pushing to Clients from UDM SE | by Life-is-short--so--enjoy-it | Medium.

Sorry, it’s the first time I’ve used macvlan… and in the two guides I linked, to do what I would like to do, they had docker configured just like this, with macvlan.

Yes, AGH has similar functionality, that’s exactly what I’m talking about.

Did you check on your desktop client whether the DNS record is correct? On Windows you could use nslookup. And if this is not the case, you might need to check the AGH GitHub for why this is not working.

nslookup dashboard.example.duckdns.org                                  
Server:		192.168.1.202
Address:	192.168.1.202#53

Non-authoritative answer:
Name:	dashboard.example.duckdns.org
Address: 192.168.1.201

Seems your DNS is correctly rewritten. You need to ensure your container is correctly up and running.

You should see something like this in the Docker logs:

**** Applied the SWAG dashboard mod ****
[custom-init] No custom files found, skipping...
[ls.io-init] done.

Server ready

If there are still issues, check with the container developer: Issues · linuxserver/docker-swag · GitHub

Yeah, my container is correctly up and running.
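
An added example, not part of the original thread or any poster's code: it parses the nslookup output posted above and checks it against the addresses from the compose file, including the macvlan limitation raised in the replies (the Docker host at 192.168.1.200 cannot reach its own macvlan containers). The names `parse_nslookup` and `diagnose` are hypothetical, and the client address passed in is whatever machine ran the lookup.

```python
import ipaddress
import re

# Addresses and ranges copied from the compose file and post above.
MACVLAN_RANGE = ipaddress.ip_network("192.168.1.192/27")
DOCKER_HOST = ipaddress.ip_address("192.168.1.200")
SWAG = ipaddress.ip_address("192.168.1.201")
AGH = ipaddress.ip_address("192.168.1.202")

# nslookup output as posted in the thread.
SAMPLE = (
    "Server:\t\t192.168.1.202\n"
    "Address:\t192.168.1.202#53\n\n"
    "Non-authoritative answer:\n"
    "Name:\tdashboard.example.duckdns.org\n"
    "Address: 192.168.1.201\n"
)

ADDR_LINE = re.compile(r"Address(?:es)?:\s*([0-9A-Fa-f:.]+?)(?:#\d+)?\s*$")


def parse_nslookup(text):
    """Return (resolver, answers); strips the '#port' suffix on the resolver line."""
    resolver, answers, in_answer = None, [], False
    for line in text.splitlines():
        if line.startswith("Name:"):
            in_answer = True
        match = ADDR_LINE.match(line)
        if match:
            addr = ipaddress.ip_address(match.group(1))
            if in_answer:
                answers.append(addr)
            elif resolver is None:
                resolver = addr
    return resolver, answers


def diagnose(text, client_ip):
    """List mismatches between a client's lookup and the layout on this page."""
    resolver, answers = parse_nslookup(text)
    findings = []
    if resolver != AGH:
        findings.append(f"resolver {resolver} is not AdGuard Home, rewrite bypassed")
    if SWAG not in answers:
        findings.append("answer does not point at SWAG's macvlan address")
    on_macvlan = any(a in MACVLAN_RANGE for a in answers)
    if ipaddress.ip_address(client_ip) == DOCKER_HOST and on_macvlan:
        findings.append("client is the Docker host, which cannot reach macvlan containers")
    return findings
```

An empty list from `diagnose(SAMPLE, "<client address>")` means DNS and addressing match the layout, so a remaining 403 has to be looked for in the proxy configuration rather than in the rewrite.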
