dhutchison / dhutchison.github.io


Wake on Lan via docker blocked by firewall? #9

Open oliv3r opened 2 years ago

oliv3r commented 2 years ago

Hey @dhutchison

I've been going over your article listed here: https://github.com/dhutchison/dhutchison.github.io/blob/master/_posts/2020-06-14-homebridge-docker-and-wake-on-lan.markdown however, the wake-on-lan packets don't cross the container border. I can replicate half your tcpdump stuff; I see the data on the bridge interface, so that's good. The sysctl stuff works great; however, it doesn't leave the system. I'm fearing there's some docker firewalling in place (a change since 2020?), but I'm a little careful about messing with that. Any ideas?

Secondly, and this is kind of unrelated, but I wanted to drop you a line anyway: I dropped your need for jq (fewer dependencies and all that), and while I checked whether I could drop the iproute2 dependency too, getting this via /proc or /sys remains painful to this day, though I vaguely remember doing it at one time. Sorry for not using temporary variables to make it slightly more readable :) though I feel this one-liner is readable enough ... :-p

```sh
# Look up the container network's subnet, find the host route (the br-XXXX
# bridge) that carries it, and allow directed broadcasts to be forwarded from it.
iface="$(ip route | \
         grep -F "$(docker network inspect --format '{{json (index .IPAM.Config 0).Subnet}}' "${CONTAINER_NAME}" | \
                    tr -d '"')" | \
         cut -d ' ' -f 3)"
sysctl -w "net.ipv4.conf.${iface:?}.bc_forwarding=1"
```

dhutchison commented 2 years ago

It was a pain to track down the first time around, so hopefully nothing fundamental like that has changed!

I don't use this setup anymore (moved over to Home Assistant now, even though it also has issues with this TV), but happy to help see if I can work it out.

So just to be clear what you are seeing:

1. you have a container running in a docker network creating a WOL packet.
2. tcpdump on that docker network can see the WOL packet
3. tcpdump on the target network for the WOL packet sees nothing? (so that's the bit not working)

oliv3r commented 2 years ago

Hey @dhutchison, actually, I was trying to get WoL to work with home-assistant ;)

Where I'm at right now is: I use the official HASS docker container, with awake "apt-getted" in to help with experimentation. The container already included ether-wake. Furthermore, I also added tcpdump. All of that is of course gone when I restart my container, which I start as:

```sh
#!/bin/sh

set -eu

CONTAINER_NAME="${1:-home-assistant_01-$(hostname -s)}"
DOCKER_BIN="${DOCKER_BIN:-$(command -v docker)}"
REGISTRY_IMAGE='index.docker.io/homeassistant/home-assistant:stable'

# Idempotent setup: network and volume may already exist, container may not.
"${DOCKER_BIN}" network create "${CONTAINER_NAME}" || true
"${DOCKER_BIN}" volume create "${CONTAINER_NAME}" || true
"${DOCKER_BIN}" container stop "${CONTAINER_NAME}" || true
"${DOCKER_BIN}" container rm "${CONTAINER_NAME}" || true
"${DOCKER_BIN}" container run \
        --detach \
        --env TZ="Europe/Amsterdam" \
        --health-cmd 'curl --fail http://localhost:8123/' \
        --name "${CONTAINER_NAME}" \
        --network "${CONTAINER_NAME}" \
        --publish '8123:8123/tcp' \
        --pull 'always' \
        --restart 'unless-stopped' \
        --tty \
        --volume "${CONTAINER_NAME}:/config" \
        "${REGISTRY_IMAGE}"
"${DOCKER_BIN}" network connect "timescaledb-v14_01-$(hostname -s)" "${CONTAINER_NAME}"
"${DOCKER_BIN}" network connect "macvlan_iot0-$(hostname -s)" "${CONTAINER_NAME}"

echo "enable broadcast for wol network setting on '${CONTAINER_NAME}'"
# Find the host bridge interface that carries the container network's subnet.
iface="$(ip route | \
         grep -F "$("${DOCKER_BIN}" network inspect --format '{{json (index .IPAM.Config 0).Subnet}}' "${CONTAINER_NAME}" | \
                    tr -d '"')" | \
         cut -d ' ' -f 3)"
sysctl -w net.ipv4.conf.all.bc_forwarding=1
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=0
sysctl -w "net.ipv4.conf.${iface:?}.bc_forwarding=1"
```

(not a fan of compose ;)

I've got 3 networks added to the container: one, an isolated local one, because I do that for all my containers; secondly, a postgresql container network (this one is shared on all postgres containers, needs some firewalling for sure); and third, a macvlan, to connect to a VLAN specifically for all the sensors etc. The broadcast is expected to be pushed out via the main network. I see the request appear on br-XX, so that's good; but nowhere else after that.
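A read-only diagnostic for the situation described in this thread, added here as an example and not code from the thread or the article: it maps the docker network to its host bridge (the same `ip route` lookup as the script above, done with a parsing helper instead of `cut`), prints the sysctls that govern forwarding of a directed broadcast arriving on that bridge, and lists the iptables FORWARD/DOCKER-USER rules that would decide whether such a packet leaves the host. It assumes a docker host with `iptables`, `sysctl` and `ip` available and is meant to be run as root; it changes nothing.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread. Run as root on the
# docker host; it only reads state and changes nothing.
set -eu

# Pure helper: read `ip route` output on stdin and print the device that
# owns the given subnet (first field equal to the subnet, token after "dev").
iface_for_subnet() {
    awk -v net="$1" '
        $1 == net { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print a sysctl value, or "?" when the key does not exist on this kernel.
show_sysctl() {
    printf '%s = %s\n' "$1" "$(sysctl -n "$1" 2>/dev/null || echo '?')"
}

# For a docker network, report the bridge it maps to, the sysctls that decide
# whether a directed broadcast arriving on that bridge is forwarded, and the
# filter rules docker installed in the FORWARD path (the "docker firewalling"
# suspected in the thread).
report_broadcast_path() {
    net="$1"
    subnet="$(docker network inspect --format '{{(index .IPAM.Config 0).Subnet}}' "$net")"
    iface="$(ip route | iface_for_subnet "$subnet")"
    : "${iface:?no route found for subnet $subnet of network $net}"
    printf 'network %s: subnet %s on bridge %s\n' "$net" "$subnet" "$iface"

    show_sysctl net.ipv4.ip_forward
    show_sysctl net.ipv4.conf.all.bc_forwarding
    show_sysctl "net.ipv4.conf.${iface}.bc_forwarding"
    show_sysctl "net.ipv4.conf.${iface}.rp_filter"

    # Docker keeps per-bridge isolation rules in the FORWARD chain and leaves
    # DOCKER-USER for administrator rules; both are evaluated before a
    # forwarded broadcast is handed to the outbound interface.
    echo '--- FORWARD rules mentioning the bridge or docker chains ---'
    iptables -S FORWARD | grep -e "$iface" -e DOCKER || echo '(none)'
    echo '--- DOCKER-USER ---'
    iptables -S DOCKER-USER 2>/dev/null || echo '(chain absent)'
}

# Only run the report when a network name is given, so the helpers above can
# also be sourced on their own.
if [ "$#" -gt 0 ]; then
    report_broadcast_path "$1"
fi
```

Compare the bridge's `bc_forwarding` value with `net.ipv4.conf.all.bc_forwarding` and look for a DROP or RETURN rule naming the bridge in the FORWARD output; a tcpdump on the bridge showing the packet while the FORWARD rules reject it points at the firewall rather than the sysctls.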