oofnikj / docker-openwrt

OpenWrt running in Docker
GNU General Public License v2.0
299 stars, 63 forks

Port forwarding troubles #37

Open saket424 opened 1 year ago

saket424 commented 1 year ago

@oofnikj I have a computer with two physical Ethernet ports and I am using the example configuration pretty much as is, dedicating one physical port to WAN and the other to LAN.

While I experiment with docker-openwrt, my WAN port is connected to my home Ethernet and is pulling a DHCP IP address of 192.168.155.204.

On the LAN side I have 192.168.16.[1,2,3,4] representing the Ubuntu host, the OpenWrt container, the Grafana container and the InfluxDB container.

I enabled port forwarding of 22 and 3000 for SSH and Grafana respectively using the LuCI GUI. I am able to ping the WAN side 192.168.155.204 and access the SSH port 22 from a laptop connected to my main home router on my 192.168.155.x network, but access to port 3000 hangs with no response on the WAN side. It works fine on the LAN side.

Any idea what I am doing wrong? Is this because I am trying to access the WAN side from a NATed IP, and it'll fare better if the WAN side was a public IP?

saket424 commented 1 year ago

With the config below, I am pulling 2 WAN DHCP IP addresses: one by the container and one by the Ubuntu host. Is this normal? I am still facing port-forward issues from OpenWrt even though the containers themselves can ping and reach each other.

Here is the config. Anything obviously wrong? Do I need to be using macvlan for LAN or set some hairpin options? I'd appreciate it if someone who has got this working recently can advise.

### Sample OpenWrt config file ###

## General
# OpenWrt version. Set to 'snapshot' to build from latest snapshot
OPENWRT_SOURCE_VER=19.07.7
#OPENWRT_SOURCE_VER=19.07.10
# Architecture: one of x86-64, armvirt-32 (Raspberry Pi 2 / 3 / 4),
# armvirt-64 (Raspberry Pi 3 / 4 running 64-bit OS, ODroid-C2 or similar),
# or bcm2708 (Raspberry Pi Zero)
ARCH=x86-64
# Image & tag for pre-built Docker image, or if building locally
IMAGE=oofnik/openwrt
TAG=19.07.7-x86-64
#IMAGE=asetlur13/openwrt
#TAG=19.07.10-x86-64
# container name
CONTAINER=openwrt_1

## Docker network settings
# name of the WAN Docker network
WAN_NAME=openwrt-wan
# Docker network driver for WAN interface. Use 'macvlan' for
# wired (Ethernet), 'ipvlan' for wireless (experimental).
WAN_DRIVER=macvlan
# Host interface which will provide the WAN link for OpenWrt.
WAN_PARENT=enp5s0
# upstream DNS for OpenWrt (optional, leave blank for default).
UPSTREAM_DNS_SERVER=8.8.8.8

# name of the LAN Docker network
LAN_NAME=openwrt-lan
# Docker network driver for LAN interface, can be one of
# 'bridge', 'macvlan', or 'ipvlan'.
# Don't change this unless you have good reason.
LAN_DRIVER=bridge
# For bridge driver, LAN_PARENT will be added to the LAN bridge.
# For macvlan or ipvlan driver, used as LAN parent interface.
# Can be a physical interface or a VLAN interface if
# operating with a single NIC (router on a stick).
# For example if WAN_PARENT is eth0, LAN_PARENT can be eth0.10 for
# VLAN 10. VLAN interface will be created if it doesn't exist, and
# destroyed on shutdown.
LAN_PARENT=enp6s0
# DNS search domain for LAN DHCP clients
LAN_DOMAIN=home
# Subnet configuration for LAN network
LAN_SUBNET=192.168.16.0/24
# Set LAN_ADDR to something other than the first available address
# in the subnet - Docker will claim this address for the host.
LAN_ADDR=192.168.16.2
# openwrt doesn't accept CIDR notation; must match LAN_SUBNET
LAN_NETMASK=255.255.255.0

## Wifi settings
WIFI_ENABLED=true
WIFI_IFACE=wlo2
WIFI_SSID=odyw1-wifi
WIFI_ENCRYPTION=psk2
WIFI_KEY=odyw1-passwd
# See README.md for explanation of this mode
WIFI_HAIRPIN=false

# Only one of the following sections at a time (5 / 2.4 GHz) are supported!
## 5GHz 802.11ac (if your hw supports it)
# WIFI_HW_MODE=11a
# WIFI_HT_MODE=VHT80
# WIFI_CHANNEL=36
## 2.4 GHz 802.11g
WIFI_HW_MODE=11g
WIFI_HT_MODE=HT20
WIFI_CHANNEL=8

Here is the output:

make run
./run.sh
* setting up docker network
01e41a1ee38182f34ed5b95c40a8102afdfe59551bdc390f1ce67127ad5119d0
ff32a3dd5f501bcda769c4504a9fe99ec4d7444efc39745fcfadeb8690e8cedd
* creating container openwrt_1
* generating network config
* got 'phy0' for device 'wlo2'
openwrt_1
* creating netns symlink 'openwrt_1'
[sudo] password for mike: 
* setting interface 'wlo2' to unmanaged
* moving device phy0 to docker network namespace
* getting address via DHCP
* reloading firewall rules
ip6tables v1.8.3 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.3 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.3 (legacy): can't initialize ip6tables table `mangle': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
* ready

saket424 commented 1 year ago

I think I am running into the same issue as reported here, but I don't understand how to do the hairpin of LAN loopback. Can anyone elaborate? https://forum.openwrt.org/t/running-openwrt-in-a-docker-container/56049/78

saket424 commented 1 year ago

It turns out the problem is that the grafana and influxdb Docker containers need to be told their default gateway should be 192.168.16.2 instead of 192.168.16.1.

https://stackoverflow.com/questions/36882945/change-default-route-in-docker-container

Once this change is made, the port forwarding works as expected.

saket424 commented 1 year ago

This workaround seems to fix the default route on the containers:

# Point each container's default route at the OpenWrt LAN address (192.168.16.2)
# by entering its network namespace through a /var/run/netns symlink to its PID.
for i in influxdb grafana; do
    echo "$i"
    pid=$(sudo docker inspect -f '{{.State.Pid}}' "${i}")
    sudo mkdir -p /var/run/netns
    sudo ln -s "/proc/$pid/ns/net" "/var/run/netns/$pid"
    sudo ip netns exec "$pid" ip route del default
    sudo ip netns exec "$pid" ip route add default via 192.168.16.2
done
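Since the fix in this thread comes down to which gateway each container on the LAN bridge is using, here is a small check-and-repair script for that state, added as an example and not code from the issue author or from the docker-openwrt project. It assumes the values from the .env posted above: OpenWrt holds LAN_ADDR=192.168.16.2 and Docker gives the Ubuntu host 192.168.16.1 (the address Docker also hands out as the default gateway on a bridge network), and it uses the same /var/run/netns symlink approach as the workaround; `ip route replace` is used instead of `del` followed by `add`.

```shell
#!/bin/sh
# Added example (not part of the issue or of docker-openwrt).
# Assumption from the .env in this thread: the OpenWrt container has
# LAN_ADDR=192.168.16.2 and the Docker host holds 192.168.16.1 on the LAN bridge.
# Containers on that bridge default to .1 as gateway, so replies to a
# port-forwarded WAN client leave through the host instead of OpenWrt and
# the forwarded connection hangs. These functions detect and repair that.

OPENWRT_LAN_ADDR="${OPENWRT_LAN_ADDR:-192.168.16.2}"

# Print the gateway of the "default via" route in `ip route` output read
# from stdin; prints nothing when there is no default route.
default_gw_from_routes() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Succeed only when the routing table on stdin already goes via OpenWrt.
routes_point_at_openwrt() {
    gw=$(default_gw_from_routes)
    [ "$gw" = "$OPENWRT_LAN_ADDR" ]
}

# Make a container's network namespace visible to `ip netns` by linking its
# PID (same symlink trick as the workaround above). Prints the PID. Needs root.
netns_for_container() {
    pid=$(docker inspect -f '{{.State.Pid}}' "$1") || return 2
    [ -n "$pid" ] && [ "$pid" != 0 ] || return 2
    mkdir -p /var/run/netns
    [ -e "/var/run/netns/$pid" ] || ln -s "/proc/$pid/ns/net" "/var/run/netns/$pid"
    echo "$pid"
}

# Report whether a named container routes through OpenWrt; pass --fix as the
# second argument to repair it. `ip route replace` swaps the route atomically,
# so there is no moment without any default route (unlike del then add).
check_container_gw() {
    name="$1"; fix="${2:-}"
    ns=$(netns_for_container "$name") || { echo "$name: cannot inspect"; return 2; }
    if ip netns exec "$ns" ip route show | routes_point_at_openwrt; then
        echo "$name: default route via $OPENWRT_LAN_ADDR (ok)"
        return 0
    fi
    echo "$name: default route does not go via OpenWrt; replies to WAN port-forwards bypass it"
    if [ "$fix" = "--fix" ]; then
        ip netns exec "$ns" ip route replace default via "$OPENWRT_LAN_ADDR"
        echo "$name: default route replaced"
    fi
    return 1
}

# Usage: sudo sh check_gw.sh [--fix] influxdb grafana
fix=""
if [ "${1:-}" = "--fix" ]; then
    fix="--fix"
    shift
fi
for c in "$@"; do
    check_container_gw "$c" "$fix"
done
```

Run it as root on the Docker host with the container names as arguments; without `--fix` it only reports. The reason the symptom was a hang rather than a refusal is the asymmetric path: the SYN reaches Grafana through OpenWrt's DNAT, but the SYN-ACK leaves the container via 192.168.16.1 and never passes OpenWrt's connection tracking, so the reply is not un-NATed and the WAN client never sees it.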