Access to VLAN from docker container outside openwrt

Hello,

First, I will briefly describe my environment:
I installed OpenWrt on a Fritzbox 4040 router.
The interface lan has the static IP address 192.168.1.1/24.
The interface wan gets the IP address 192.168.178.73/24 via DHCP from my main router, a Fritzbox 7590ax.
The interface IOT has the static IP address 192.168.103.1/24 and is used with VLAN ID 103.
On the wan side there is an OMV NAS with IP address 192.168.178.57/24, which runs several Docker containers.

One of the containers needs to access a device in the IOT VLAN but cannot (connection timeout). The container runs on a bridge network and has the IP address 172.25.0.2/16.

Strangely, the connection worked until 07/25. The next day I only changed the docker-compose.yml, but that cannot cause the issue.

When I move the device from the VLAN into the main network, so that it has an IP address 192.168.178.x, the connection works. So the cause is not in the Docker container.

I have a firewall rule that allows access from any zone to IOT / IP address 192.168.103.111 on port 1502.

Does anybody have an idea what is going wrong, or what I can do to find the cause of the issue?

If you need more information about my configuration, please ask.

Thanks in advance

Matthias

Start a tcpdump on the wan interface first, then on the iot interface, to verify that OpenWrt receives and forwards the packets.

There is no traffic on the wan interface (eth1) for IP address 192.168.103.111:

tcpdump -n -v -i eth1 | grep 192.168.103.111

returns nothing.

On the IOT interface (br-IOT) I see some traffic to an external IP address:

tcpdump -n -v -i br-IOT | grep 192.168.103.111
tcpdump: listening on br-IOT, link-type EN10MB (Ethernet), capture size 262144 bytes
    192.168.103.111.49517 > 224.0.0.251.5353: 0 PTR (QU)? _sense_rpc_service._udp.local. (47)
    192.168.103.111.58276 > 224.0.0.251.5353: 0 PTR (QU)? _sense_rpc_service._udp.local. (47)
    192.168.103.111.52097 > 224.0.0.251.5353: 0 PTR (QU)? _sense_rpc_service._udp.local. (47)
    192.168.103.111.59790 > 167.94.174.2.443: Flags [P.], cksum 0x9a4e (correct), seq 3960597330:3960597381, ack 3239821367, win 2252, options [nop,nop,TS val 3879784232 ecr 1782224068], length 51
    167.94.174.2.443 > 192.168.103.111.59790: Flags [.], cksum 0x77d4 (correct), ack 51, win 17, options [nop,nop,TS val 1782258821 ecr 3879784232], length 0
    167.94.174.2.443 > 192.168.103.111.59790: Flags [P.], cksum 0x2b39 (correct), seq 1:52, ack 51, win 17, options [nop,nop,TS val 1782258874 ecr 3879784232], length 51
    192.168.103.111.59790 > 167.94.174.2.443: Flags [.], cksum 0x6e75 (correct), ack 52, win 2252, options [nop,nop,TS val 3879784292 ecr 1782258874], length 0

From inside the container I get:

tcpdump -n -v -i eth0 | grep 192.168.103.
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    172.25.0.2.44876 > 192.168.103.111.1502: Flags [S], cksum 0xd461 (incorrect -> 0x45c4), seq 2850470513, win 64240, options [mss 1460,sackOK,TS val 445251339 ecr 0,nop,wscale 7], length 0
    172.25.0.2.44876 > 192.168.103.111.1502: Flags [S], cksum 0xd461 (incorrect -> 0x41bd), seq 2850470513, win 64240, options [mss 1460,sackOK,TS val 445252370 ecr 0,nop,wscale 7], length 0
    172.25.0.2.44876 > 192.168.103.111.1502: Flags [S], cksum 0xd461 (incorrect -> 0x39dc), seq 2850470513, win 64240, options [mss 1460,sackOK,TS val 445254387 ecr 0,nop,wscale 7], length 0

And this is what I get on the NAS on which the container is running:

tcpdump -n -v -i br-121504b50146 | grep 192.168.103.111
tcpdump: listening on br-121504b50146, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    172.25.0.2.34830 > 192.168.103.111.1502: Flags [S], cksum 0xd461 (incorrect -> 0xaecf), seq 518352184, win 64240, options [mss 1460,sackOK,TS val 445551988 ecr 0,nop,wscale 7], length 0
    172.25.0.2.34830 > 192.168.103.111.1502: Flags [S], cksum 0xd461 (incorrect -> 0xaad0), seq 518352184, win 64240, options [mss 1460,sackOK,TS val 445553011 ecr 0,nop,wscale 7], length 0
    172.25.0.2.34830 > 192.168.103.111.1502: Flags [S], cksum 0xd461 (incorrect -> 0xa2f1), seq 518352184, win 64240, options [mss 1460,sackOK,TS val 445555026 ecr 0,nop,wscale 7], length 0

The traffic seems to disappear between the NAS and OpenWrt. In the main router (Fritzbox 7590ax) I have a static route:
network = 192.168.103.0
subnetmask = 255.255.255.0
gateway = 192.168.178.73 (which is the DHCP-address of the openwrt-router)

In general, the route works perfectly. I can access devices in VLAN IOT from other devices in wan (192.168.178.x), but not from the container.

Any ideas?

Matthias
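One way to turn the captures in this post into a per-hop check, as an added example that is not part of the thread: feed the tcpdump lines from each capture point, in path order, to a small Python script that reports the last hop where the SYN to 192.168.103.111:1502 was seen and the first hop where it was not. The capture-point names, the hop order and the condensed sample lines are assumptions taken from the posts above.

```python
import re

# Constructed sample: tcpdump lines from the posts above, condensed, one capture point per hop
# on the path container -> NAS docker bridge -> OpenWrt wan -> OpenWrt IOT bridge. "cksum ...
# (incorrect ...)" on a SYN captured on the sending host usually means TX checksum offload.
CAPTURES = {
    "container eth0": [
        "172.25.0.2.44876 > 192.168.103.111.1502: Flags [S], cksum 0xd461 (incorrect -> 0x45c4), seq 2850470513, win 64240, length 0",
    ],
    "NAS br-121504b50146": [
        "172.25.0.2.34830 > 192.168.103.111.1502: Flags [S], cksum 0xd461 (incorrect -> 0xaecf), seq 518352184, win 64240, length 0",
    ],
    "OpenWrt eth1 (wan)": [],  # grep on eth1 returned nothing
    "OpenWrt br-IOT": [
        "192.168.103.111.59790 > 167.94.174.2.443: Flags [P.], cksum 0x9a4e (correct), seq 3960597330:3960597381, ack 3239821367, length 51",
    ],
}
PATH = list(CAPTURES)  # insertion order is hop order

# The TCP summary line printed by tcpdump -n: "src.sport > dst.dport: Flags [..]".
LINE_RE = re.compile(r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")


def parse_line(line):
    """Fields of a TCP line, or None for non-TCP lines such as the mDNS queries."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def has_syn_to(lines, dst, dport):
    """True if a pure SYN (Flags [S]; the SYN-ACK is [S.]) to dst:dport was captured."""
    for line in lines:
        p = parse_line(line)
        if p and p["dst"] == dst and p["dport"] == dport and p["flags"] == "S":
            return True
    return False


def locate_loss(captures, path, dst, dport):
    """Walk the hops in order; return (last hop that saw the SYN, first hop that did not).
    (hop, None) means every hop saw it, so look at the return path or the target host."""
    last_seen = None
    for hop in path:
        if not has_syn_to(captures.get(hop, []), dst, dport):
            return last_seen, hop
        last_seen = hop
    return last_seen, None
```

On the sample, locate_loss(CAPTURES, PATH, "192.168.103.111", 1502) returns ('NAS br-121504b50146', 'OpenWrt eth1 (wan)'): the SYN leaves the NAS bridge but never shows up on the OpenWrt wan port, so the next capture belongs on the NAS host's physical interface and on the main router's side.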

If OpenWrt doesn't get any packets from the other devices, there is little we can do.
You'll have to find where the packets are lost.

I would start by reverting this change.