Not for PiHole but I was testing this recently with traefik. This has a bunch of traefik stuff in there (I’m on mobile so it’s too hard to edit it) but hopefully you see how the networks work

# Testing macvlan setup for traefik
# Will only work on linux because of macvlan network

version: '3'

services:
  traefik-whoami:
    image: traefik/whoami
    container_name: traefik_whoami
    networks:
      - bridge_network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.test`)"
      - "traefik.http.routers.whoami.entrypoints=http"
  
  traefik-reverse-proxy:
    image: traefik:v2.10
    container_name: traefik_reverse_proxy
    command:
      - "--api.insecure=true"  # Enable the API dashboard (insecure for testing)
      - "--providers.docker=true"  # Enable Docker provider
      - "--providers.docker.exposedbydefault=false"  # Disable exposing all containers by default
      - "--entrypoints.http.address=:80"  # HTTP entrypoint
      - "--entrypoints.http.forwardedheaders.insecure=true"  # Insecure forwarding (for testing)
      - "--providers.docker.network=bridge_network"  # Use bridge network for traefik discovery
    ports:
      - "1180:80"  # Expose HTTP entrypoint
      - "12345:8080"  # Expose Traefik dashboard
    networks:
      bridge_network: {}
      macvlan_network:
        ipv4_address: 192.168.1.69
    volumes:
      # TODO: Use docker.sock proxy instead of mounting directly
      # https://github.com/Tecnativa/docker-socket-proxy
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.reverse-proxy.rule=Host(`traefik.test`)"
      - "traefik.http.routers.reverse-proxy.entrypoints=http"

networks:
  bridge_network:
    driver: bridge

  macvlan_network:
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: 192.168.1.0/24
          gateway: 192.168.1.1
          ip_range: 192.168.1.69/32  # Must be outside router's DHCP range

Why not? You can just connect the PiHole container to both networks and inter-container communication should work as usual. I haven’t tried this with PiHole specifically but I’ve done it with other services in the past

Sure, the docs are pretty minimal though: https://wiki.servarr.com/prowlarr/settings (just click on Proxy)

Basically you can configure a proxy (from your VPN provider for example) for each indexer (or font add a tag to apply it to all of them), and queries to indexers will run through there. This avoids Sonarr making calls to TVDB or whatever through the VPN and getting blocked.

Trash guides say you shouldn’t run the *arr’s through a VPN because you’re likely to get blocked by metadata servers. I only run my download client through the VPN + also use gluetun’s HTTP proxy for Prowlarr’s indexers

Use gluetun, look up how to configure for your provider. Run a 2nd container for your torrent client, using network_mode: “service:gluetun” to run all your traffic though the vpn. Note that if you’re forwarding ports from your client to e.g. access the web UI, you’ll need to forward them from the gluetun container instead.