MekayelAnik / ispyagentdvr-docker

Multi Aarch image of iSpy's Agent DVR, standalone free-to-use NVR software for IP Camera management
https://hub.docker.com/r/mekayelanik/ispyagentdvr
GNU General Public License v3.0

Doesn't appear to work on local network. #23

Closed MicahZoltu closed 5 days ago

MicahZoltu commented 2 weeks ago

I managed to get everything set up and working such that I can access the web UI from the docker host, but no other devices on my local network are able to reach it. The web UI loads but it cannot establish a WebRTC connection with the backend and eventually complains about "No Local ICE". I am on Windows so I cannot set up a docker macvlan.

After many hours of troubleshooting, the problem seems to be centered around the TURN/STUN/ICE server. It is unclear to me why this complication is necessary and why the server doesn't just listen on some ports and be accessed like any other IP endpoint out there. I suspect the answer may be "that is an issue with AgentDVR, not specific to the docker image" but this problem doesn't exist when Agent DVR is run outside of docker so I figured I would try here first (though, I think the reason the problem doesn't exist outside of docker is because of the weird TURN/STUN/ICE stuff).

MicahZoltu commented 2 weeks ago

When I look at about:webrtc in my browser and the browser console for the page I can see both the docker host browser and another device on my LAN trying to connect to the container's internal IP address. Since only the docker host can actually reach that IP address, this explains why the other devices on my LAN are unable to establish a connection. Is there some way I can tell Agent DVR to advertise the docker host's address instead of the container's address? I believe this would resolve the problem (and also maybe remove the need for the TURN/ICE stuff).

MekayelAnik commented 2 weeks ago

Please share the docker compose file or CLI cmd & what is your docker host ip and via which IP you are trying to access the webUI.

MicahZoltu commented 2 weeks ago

Docker Host IP: 192.168.50.7
Docker Container IP: 172.18.0.2
Web UI accessed via: http://192.168.50.7:8090/

services:
  agent-dvr:
    deploy:
      resources:
        reservations:
          devices:
            - driver: nvidia
              count: 1
              capabilities: [gpu]
    image: 'mekayelanik/ispyagentdvr:vlc-hwaccel-5.5.4.0-01062024@sha256:dbe82e366c64f853015ea5a7ccee752705ab7fc4fae6c0508b20acfd1e446ebf'
    container_name: 'agent-dvr'
    environment:
      # PUID: '1000'
      # PGID: '1000'
      WEBUI_PORT: '8090'
      TZ: 'Asia/Singapore'
      NVIDIA_VISIBLE_DEVICES: 'all'
    volumes:
      - config:/AgentDVR/Media/XML
      - /path/to/recordings:/AgentDVR/Media/WebServerRoot/Media
      - commands:/AgentDVR/Commands
    ports:
      - '8090:8090'
      - '3478:3478/udp'
      - '50000-50010:50000-50010/udp'
    restart: 'unless-stopped'

volumes:
  config:
  commands:

Note: I commented out the PUID and PGID because they were causing a write error during startup.

MekayelAnik commented 2 weeks ago

Open Windows firewall RULES. I am ALMOST certain the firewall is blocking inbound & outbound on the above ports. Or create a macvlan & give the container a dedicated LOCAL IP. This will not hit the firewall, rather it will communicate with the router. You should be able to create a docker macvlan on Windows also, as it's a docker function.

MicahZoltu commented 2 weeks ago

I have an explicit Windows Firewall rule allowing all inbound traffic on all of the ports (both TCP and UDP) listed in the docker compose file.

The docker macvlan docs explicitly say the feature doesn't work on Windows.

MekayelAnik commented 2 weeks ago

The request you are seeing is a redirected request by the docker engine. Many have run and reported perfectly fine containers with Nvidia GPU accel on Windows. Something is blocking the connection. If the problem was in iSpy agentDVR, let alone the container image, your browser on the host would never be able to connect to the container. Only the connections which are originating from outside of the host are facing problems. Get the logic? Your firewall is blocking something, I don't know what. MS Firewall is crazy. Open inbound & outbound. Sorry, I have no other solution besides: if this doesn't work at all, test by deploying a VM on Windows or use a Linux host. Problem is on your host.

MicahZoltu commented 2 weeks ago

Hmm, I must be misunderstanding something then because the behavior I think I'm seeing wouldn't work on any OS as it doesn't make sense from a networking standpoint. If I open the web UI (on any computer on my LAN) I see in the console that it is attempting to connect to 172.18.0.2 which is only reachable from the docker host. This is regardless of Windows vs Linux, you cannot reach an internal NATed IP (which is what the internal docker network IPs are) from an "external" client. The only way I could imagine this working on linux is with docker macvlan, as then the docker container would have an "external" IP (something in the 192.168.50.0/24 range). For regular docker networking though this shouldn't work even on Linux (as I understand it, which means I am probably misunderstanding something).

Can you perhaps help me understand how the WebRTC connection is supposed to be made and why the UI appears to be attempting to connect to the IP that Agent DVR is bound to rather than to the IP of the Web UI? If I look at about:webrtc I see connections to 172.18.0.2 on the docker host, rather than connections to 192.168.50.7 which is what I would expect for this to work on other devices on the LAN. Most apps have a way of configuring the "publicly visible IP" (in this case 192.168.50.7), but I wasn't able to find any such configuration option in Agent DVR or this docker image.

Regarding my firewall, I'm reasonably confident that everything is reachable. I'm not particularly familiar with WebRTC though so I'm not sure what the best way to verify firewall settings for it is. Does the docker container actively listen for incoming packets on all of the ports in the docker-compose file? Perhaps there is a way I can verify it is reachable with standard Linux tools like nc or something?

MekayelAnik commented 2 weeks ago

I am not an expert on the internals of the iSpy AgentDVR architecture, but I know this for certain: if there is a WebRTC blocker on a browser, the WebUI will start to load but will not load on that browser (have faced this previously). Other than that, no other configuration is required. This should be an almost effort-free setup. No other tweaking should be needed.

Make sure that there is NO WebRTC blocker on the browser. That's it. You can try network_mode: bridge in the docker compose.

Now I am really out of cards of my sleeves.

MekayelAnik commented 5 days ago

Closing the issue as the issue is not THIS Docker image or iSpyAgentDVR related.