Trigus42 / alpine-qbittorrentvpn

Multiarch docker image with the latest qBittorrent-nox client (WEB UI) and WireGuard/OpenVPN tunnel
GNU General Public License v3.0

*arr error: "Unable to connect to qBittorrent" (no access from local network) #55

Closed EpicLPer closed 10 months ago

EpicLPer commented 10 months ago

Heya,

I moved my containers away from Synology and now to a proper Ubuntu Docker host (due to outdated kernel stuff), however I'm facing a weird issue right now.

I'm trying to connect from various *arr containers to qBittorrent, but no matter what I try it simply just times out after a while. The loading icon keeps spinning (both on "Test" and "Save"), after about 1-2 minutes it throws the below mentioned error in the log.
When I use a wrong port or host it instantly times out, but using the correct information it takes the above mentioned 1-2 minutes before actually timing out. The web interface works just fine, no issues there. Another thing to note is that I can't ping the qbittorrentvpn container from any of the arr containers, also vice versa. I already tried throwing all containers into a single network (or rather docker-compose), even setting it to the bridged network won't make a difference.

When I move every container back to Synology it seems to work just fine again, however I'm using build "7871e66f8529db34ac58b54e1df56d9db51cf2e5" there. Maybe something broke with a newer build lately?

[Error] QBittorrent: Unable to test qBittorrent 
[v1.11.4.4173] NzbDrone.Core.Download.Clients.DownloadClientException: Failed to connect to qBittorrent, check your settings.
 ---> System.Net.WebException: Http request timed out
 ---> System.IO.IOException: Unable to read data from the transport connection: Operation canceled.
 ---> System.Net.Sockets.SocketException (125): Operation canceled
   --- End of inner exception stack trace ---
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.System.Threading.Tasks.Sources.IValueTaskSource<System.Int32>.GetResult(Int16 token)
   at System.Net.Http.HttpConnection.InitialFillAsync(Boolean async)
   at System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at NzbDrone.Common.Http.Dispatchers.ManagedHttpDispatcher.GetResponseAsync(HttpRequest request, CookieContainer cookies) in ./Prowlarr.Common/Http/Dispatchers/ManagedHttpDispatcher.cs:line 162
   at NzbDrone.Common.Http.HttpClient.ExecuteRequestAsync(HttpRequest request, CookieContainer cookieContainer) in ./Prowlarr.Common/Http/HttpClient.cs:line 171
   at NzbDrone.Common.Http.HttpClient.ExecuteAsync(HttpRequest request) in ./Prowlarr.Common/Http/HttpClient.cs:line 70
   at NzbDrone.Common.Http.HttpClient.Execute(HttpRequest request) in ./Prowlarr.Common/Http/HttpClient.cs:line 137
   at NzbDrone.Core.Download.Clients.QBittorrent.QBittorrentProxyV2.IsApiSupported(QBittorrentSettings settings) in ./Prowlarr.Core/Download/Clients/QBittorrent/QBittorrentProxyV2.cs:line 35
   --- End of inner exception stack trace ---
   at NzbDrone.Core.Download.Clients.QBittorrent.QBittorrentProxyV2.IsApiSupported(QBittorrentSettings settings) in ./Prowlarr.Core/Download/Clients/QBittorrent/QBittorrentProxyV2.cs:line 67
   at NzbDrone.Core.Download.Clients.QBittorrent.QBittorrentProxySelector.FetchProxy(QBittorrentSettings settings) in ./Prowlarr.Core/Download/Clients/QBittorrent/QBittorrentProxySelector.cs:line 83
   at NzbDrone.Core.Download.Clients.QBittorrent.QBittorrentProxySelector.<>c__DisplayClass7_0.<GetProxyCache>b__0() in ./Prowlarr.Core/Download/Clients/QBittorrent/QBittorrentProxySelector.cs:line 78
   at NzbDrone.Common.Cache.Cached`1.Get(String key, Func`1 function, Nullable`1 lifeTime) in ./Prowlarr.Common/Cache/Cached.cs:line 99
   at NzbDrone.Core.Download.Clients.QBittorrent.QBittorrentProxySelector.GetProxyCache(QBittorrentSettings settings, Boolean force) in ./Prowlarr.Core/Download/Clients/QBittorrent/QBittorrentProxySelector.cs:line 78
   at NzbDrone.Core.Download.Clients.QBittorrent.QBittorrentProxySelector.GetProxy(QBittorrentSettings settings, Boolean force) in ./Prowlarr.Core/Download/Clients/QBittorrent/QBittorrentProxySelector.cs:line 61
   at NzbDrone.Core.Download.Clients.QBittorrent.QBittorrent.TestConnection() in ./Prowlarr.Core/Download/Clients/QBittorrent/QBittorrent.cs:line 209
[Warn] ProwlarrErrorPipeline: Invalid request Validation failed: 
 -- Host: Unable to connect to qBittorrent 

Trigus42 commented 10 months ago

I've tried it and with this config it works for me:

docker-compose.yml

version: "3.3"

services:
  qbittorrent:
    image: trigus42/qbittorrentvpn
    container_name: qbittorrent-test
    environment:
      ...
    volumes:
      ...
    ports:
      ...
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
    networks:
      default:

  radarr:
    image: lscr.io/linuxserver/radarr:latest
    container_name: radarr
    environment:
      - PUID=1000
      - PGID=1000
    ports:
      ...
    restart: unless-stopped
    networks:
      default:

Radarr download client config:

Host: "qbittorrent"
Port: "8080"
Username: "admin"
Password: mypassword

That ping doesn't work is expected. You can allow pings to the container (not from the container) by running the following commands in the container:

nft "add rule inet firewall input icmp type {echo-request} accept"
nft "add rule inet firewall output icmp type {echo-reply} accept"

Please try to ping the qbittorrent container from the radarr container.


You can log dropped packets by running the following commands in the container:

nft "add chain inet firewall input { type filter hook input priority 0; log prefix \"qbt-nft.firewall_input_drop \"; policy drop; }"
nft "add chain inet firewall output { type filter hook postrouting priority 0; log prefix \"qbt-nft.firewall_output_drop \"; policy drop; }"

And the following command on your host:

echo 1 > /proc/sys/net/netfilter/nf_log_all_netns

Now you can see the packets being dropped by the firewall in your host's syslog.
Please post the logs of those dropped packets.

EpicLPer commented 10 months ago

Thanks for the help already!

Adding "SYS_MODULE" and the sysctls options didn't change anything sadly, same with adding "networks: default:". Pinging works now after setting those rules and the container replies accordingly :)

When running the dropped packets command I get the following output as soon as I press on "Test" in Prowlarr:

Jan 12 15:00:55 docker-host kernel: [112791.463053] qbt-nft.firewall_input_drop IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.80.1 DST=192.168.80.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30801 DF PROTO=TCP SPT=38442 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 12 15:00:56 docker-host kernel: [112792.482894] qbt-nft.firewall_input_drop IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.80.1 DST=192.168.80.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30802 DF PROTO=TCP SPT=38442 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 12 15:00:58 docker-host kernel: [112794.498863] qbt-nft.firewall_input_drop IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.80.1 DST=192.168.80.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30803 DF PROTO=TCP SPT=38442 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0

Trigus42 commented 10 months ago

Can you run nft list ruleset in your container and post the output?

It appears that your issue could be tied to WEBUI_ALLOWED_NETWORKS or, more likely, the LAN_NETWORK environment variable, which might not include the network your Prowlarr container resides in. While LAN_NETWORK is now deprecated, it prevented networks other than the specified ones from accessing your WebUI, which is why I transitioned its contents to the new environment variable, WEBUI_ALLOWED_NETWORKS. However, prior to this change, local networks were able to access the WebUI, even when they weren't included in the LAN_NETWORK env var. I must admit, I hadn't fully considered the potential issues this could cause.
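Added example, not written by the thread participants or the project: Python that reads kernel log lines carrying the qbt-nft.firewall_input_drop prefix shown above and reports which source addresses were dropped on the WebUI port without being covered by a given list of allowed networks. The sample log lines, the CIDR lists and the function names are constructed for illustration; how the list is written inside WEBUI_ALLOWED_NETWORKS is not shown on this page, so the function takes plain CIDR strings.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the same shape as the drop lines posted in this thread.
SAMPLE_LOG = """\
Jan 12 15:00:55 docker-host kernel: [112791.463053] qbt-nft.firewall_input_drop IN=eth0 OUT= MAC=xx SRC=192.168.80.1 DST=192.168.80.4 LEN=60 PROTO=TCP SPT=38442 DPT=8080 SYN URGP=0
Jan 12 15:00:56 docker-host kernel: [112792.482894] qbt-nft.firewall_input_drop IN=eth0 OUT= MAC=xx SRC=192.168.80.1 DST=192.168.80.4 LEN=60 PROTO=TCP SPT=38442 DPT=8080 SYN URGP=0
Jan 12 15:01:02 docker-host kernel: [112798.100000] qbt-nft.firewall_input_drop IN=eth0 OUT= MAC=xx SRC=10.0.0.7 DST=192.168.80.4 LEN=60 PROTO=TCP SPT=51000 DPT=8080 SYN URGP=0
Jan 12 15:01:03 docker-host kernel: [112799.100000] qbt-nft.firewall_input_drop IN=eth0 OUT= MAC=xx SRC=192.168.80.9 DST=192.168.80.4 LEN=60 PROTO=TCP SPT=40000 DPT=6881 SYN URGP=0
"""

DROP_PREFIX = "qbt-nft.firewall_input_drop"
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_drops(log_text):
    """Yield a dict of KEY=value fields for every input-drop log line."""
    for line in log_text.splitlines():
        if DROP_PREFIX in line:
            yield dict(FIELD_RE.findall(line.split(DROP_PREFIX, 1)[1]))


def uncovered_sources(log_text, allowed_cidrs, webui_port=8080):
    """Count dropped TCP attempts to the WebUI port per source IP
    that none of the allowed networks contains."""
    nets = [ipaddress.ip_network(c.strip(), strict=False) for c in allowed_cidrs]
    missing = Counter()
    for fields in parse_drops(log_text):
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(webui_port):
            continue  # not a WebUI connection attempt
        src = ipaddress.ip_address(fields["SRC"])
        if not any(src in net for net in nets):
            missing[str(src)] += 1
    return dict(missing)


if __name__ == "__main__":
    # Hypothetical allow-list that only names the home LAN.
    for ip, count in uncovered_sources(SAMPLE_LOG, ["192.168.1.0/24"]).items():
        print(f"{ip}: {count} dropped WebUI attempt(s), not in any allowed network")
```

The address to compare is the SRC the container's firewall logged, which in the lines posted above is 192.168.80.1 rather than an address on the home LAN.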

EpicLPer commented 10 months ago

Yep! Removing LAN_NETWORK did the trick :) Thanks a lot for the help!

How can I revert the debug outputs/ping rules again so I'm "back to standard"? :)

Trigus42 commented 10 months ago

Once you restart the container they are gone :)

EpicLPer commented 10 months ago

Ah, awesome. Thanks again for the help ^^