Open programmingphil opened 4 years ago
I had struggled with this, but found another thread with the solution: You'll want to keep your DOCKER_HOST_ADDRESS set to your public IP, but then you'll need to create a hairpin NAT internally so that internal requests to that public IP on the UDP/TCP ports for audio/video traffic reroute to the internal docker host IP. Then both WAN and LAN a/v connections should work.
I'm not sure why there isn't an option in Jitsi to redirect based on IP, or why the browsers require IP addresses for the a/v streams rather than DNS in the first place.
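The hairpin NAT described in the comment above, as an added example that is not part of the original thread: the DNAT rule alone is not enough, because replies must also be forced back through the router. It assumes a Linux router using iptables; `hairpin_rules` is a hypothetical helper, and all addresses are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: prints (does not apply) hairpin NAT rules for a Linux/iptables router.
# All addresses used here are constructed placeholders, not values from the thread.

# hairpin_rules PUBLIC_IP DOCKER_HOST_IP LAN_CIDR PROTO/PORT...
hairpin_rules() {
    local public_ip=$1 host_ip=$2 lan_cidr=$3
    shift 3
    local spec proto port
    for spec in "$@"; do
        proto=${spec%%/*}
        port=${spec##*/}
        case $proto in
            udp|tcp) ;;
            *) echo "unsupported protocol in '$spec'" >&2; return 1 ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$spec'" >&2; return 1
        fi
        # 1) LAN client -> public IP: rewrite the destination to the Docker host.
        #    Scoped to the LAN source and one port so nothing else is redirected.
        echo "iptables -t nat -A PREROUTING -s $lan_cidr -d $public_ip -p $proto --dport $port -j DNAT --to-destination $host_ip"
        # 2) Rewrite the source to the router so replies return through it;
        #    otherwise the host answers the client directly and the client
        #    drops packets from an address it never sent to.
        echo "iptables -t nat -A POSTROUTING -s $lan_cidr -d $host_ip -p $proto --dport $port -j MASQUERADE"
    done
}

# Constructed sample: UDP 10000 (media) and TCP 443 (HTTPS), the ports the
# original post says are forwarded to the Docker host.
hairpin_rules 203.0.113.10 192.168.1.50 192.168.1.0/24 udp/10000 tcp/443
```

Review the printed rules before applying them on the router; with MASQUERADE in place, the Docker host sees LAN clients as coming from the router's address.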
Hi @programmingphil, have you found a solution? I see here and here that org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS is always the internal IP address of the Docker container. And it seems wrong for a setup with split-horizon DNS. I assume that:
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=10.x.x.x/192.168.x.x (internal IP address)
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS={{ .Env.DOCKER_HOST_ADDRESS }} (external IP address)
@tierpod - in the end, we gave up with this for the time being.
My gut feeling is that right now this is not designed to work behind a NAT. We briefly considered moving our network to IPv6 to cope with this (removes NAT) but that proved somewhat onerous.
RandomGHUser's solution should work if you have control over the networking.
Moreover, to allude to @RandomGHUser's question - Jitsi and the related browser tech it requires seem extremely concerned with ensuring that network traffic follows the shortest possible network between two locations. This makes some sense for video networking applications, but seems to have led to all sorts of leaky abstractions which lead to issues like this.
Forgive me, I realise there seem to be a number of posts with this issue or issues related to this, but I cannot seem to discern what the solution is with any clarity.
The DOCKER_HOST_ADDRESS setting, if set to the local IPv4 network address of the docker host, allows communication between local clients. I can get this working to 3 clients.
If I try to connect from OUTSIDE my local network, via NAT, I find that any external client cannot view video (but can view the UI, can connect to the "room"). The UDP port 10000 is forwarded to the Docker Host as is the 443 port for HTTPS. The ports are correctly exposed as per the default docker-compose.yml
My guess would be that STUN is failing. But for me, this seems to be a nonsense (I don't need STUN to get my external IP address, it is a known and fixed address). An unusual symptom is that I have logs from my firewall which suggest that JVB is trying to advertise its docker IP address, not the actual public IP address nor the DOCKER_HOST_ADDRESS.
I cannot simply set DOCKER_HOST_ADDRESS to the public IP, as I have clients who need to connect from the local network and cannot do so via the external IP address.
I cannot find a setting anywhere which seems to allow me to set a known external IP address (certainly I have not found one that works), but for me, this would be a good option if someone can explain it to me slowly and clearly.
Better still would be simply to be able to specify a DNS address (I have a split-horizon DNS for exactly this reason).