oofnikj / docker-openwrt

OpenWrt running in Docker
GNU General Public License v2.0

LAN in 'macvlan' mode makes upstream hosts inaccessible to wifi clients #11

Open oofnikj opened 4 years ago

oofnikj commented 4 years ago

Setting LAN_DRIVER=macvlan in openwrt.conf makes upstream hosts, including the one hosting the OpenWrt container, invisible to Wi-Fi clients.

Setting proxy_arp_wifi on the LAN interface inside the OpenWrt container allows ARP packets through, e.g.,

sudo ip netns exec openwrt_1 ip l set eth0 type bridge_slave proxy_arp_wifi on

Monitoring with tcpdump confirms the packets are arriving at the host macvlan interface, but they don't get delivered:

$ sudo tcpdump -i macvlan0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on macvlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:03:03.993648 IP 192.168.18.185 > 192.168.18.249: ICMP echo request, id 85, seq 28, length 64
19:03:03.993764 IP 192.168.18.249 > 192.168.18.185: ICMP echo reply, id 85, seq 28, length 64
19:03:03.995644 IP 192.168.18.185 > 192.168.18.249: ICMP echo request, id 85, seq 29, length 64
19:03:03.995702 IP 192.168.18.249 > 192.168.18.185: ICMP echo reply, id 85, seq 29, length 64
19:03:05.004644 IP 192.168.18.185 > 192.168.18.249: ICMP echo request, id 85, seq 30, length 64
19:03:05.004762 IP 192.168.18.249 > 192.168.18.185: ICMP echo reply, id 85, seq 30, length 64

This doesn't affect wired clients, so I suspect it has something to do with the 802.11 spec not playing nice with macvlan. A possible workaround might be to always create the bridge, and add an option to change the namespace of the LAN parent interface after bringing up the container if specified. Need to investigate.
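One way to take the tcpdump check above a hop further, as an added example that is not part of the original issue or the project's code: parse the ICMP echo lines from two capture points and list the replies seen at the first but missing at the second. The first capture is copied from the issue; the second is constructed sample data from a hypothetical capture point closer to the Wi-Fi client, and the function names are assumptions.

```python
import re

# tcpdump's default one-line format for ICMP echo over IPv4, as in the capture above.
ECHO_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>[^:\s]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Copied from the macvlan0 capture in the issue.
HOST_MACVLAN0 = """\
19:03:03.993648 IP 192.168.18.185 > 192.168.18.249: ICMP echo request, id 85, seq 28, length 64
19:03:03.993764 IP 192.168.18.249 > 192.168.18.185: ICMP echo reply, id 85, seq 28, length 64
19:03:03.995644 IP 192.168.18.185 > 192.168.18.249: ICMP echo request, id 85, seq 29, length 64
19:03:03.995702 IP 192.168.18.249 > 192.168.18.185: ICMP echo reply, id 85, seq 29, length 64
19:03:05.004644 IP 192.168.18.185 > 192.168.18.249: ICMP echo request, id 85, seq 30, length 64
19:03:05.004762 IP 192.168.18.249 > 192.168.18.185: ICMP echo reply, id 85, seq 30, length 64
"""

# CONSTRUCTED sample (not data from the issue): a second, hypothetical capture
# point where only the requests are visible.
SECOND_POINT = """\
19:03:03.993601 IP 192.168.18.185 > 192.168.18.249: ICMP echo request, id 85, seq 28, length 64
19:03:03.995598 IP 192.168.18.185 > 192.168.18.249: ICMP echo request, id 85, seq 29, length 64
19:03:05.004597 IP 192.168.18.185 > 192.168.18.249: ICMP echo request, id 85, seq 30, length 64
"""

def parse_echoes(capture_text):
    """Return {(kind, src, dst, id, seq): first timestamp} for each echo line."""
    seen = {}
    for line in capture_text.splitlines():
        m = ECHO_RE.match(line.strip())
        if m:  # non-ICMP and header lines are skipped
            key = (m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"]))
            seen.setdefault(key, m["ts"])
    return seen

def lost_between(first_text, second_text, kind="reply"):
    """Echo packets of `kind` present in the first capture but absent from the second."""
    first, second = parse_echoes(first_text), parse_echoes(second_text)
    return sorted(k for k in first if k[0] == kind and k not in second)

if __name__ == "__main__":
    for _, src, dst, ident, seq in lost_between(HOST_MACVLAN0, SECOND_POINT):
        print(f"reply {src} > {dst} id={ident} seq={seq}: seen at first point only")
```

Packets are matched on direction, id and seq rather than timestamps, so the two captures do not need synchronized clocks.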