man,
I've been at this for a week now and I can't figure it out
I have dnsmasq running along with a docker setup of traefik and a test nginx container with hello.docker.local attached to it
I can access the router via router.local from outside the openwrt device
I can access the container via ip (192.168.200.3) from outside the openwrt device
but I can't for the life of me access that same container using the url from outside the openwrt device!!
the containers are on the default docker0 bridge
2d6c075be615 | bridge | bridge | docker0 | 192.168.200.0/24 | 192.168.200.1
my dnsmasq.conf is listening for *.docker.local on 192.168.100.196
# Extra dnsmasq.conf lines: listening interfaces/addresses and a catch-all record for docker.local.
# Accept DNS requests arriving on the Docker bridge interface.
interface=docker0
# Also listen on 192.168.100.196 (the router's LAN address per the /etc/config/network shown later).
listen-address=192.168.100.196
# Answer docker.local and every name beneath it with 192.168.100.196.
address=/docker.local/192.168.100.196
my dhcp seems ok
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].rebind_protection='0'
dhcp.@dnsmasq[0].domain='local'
dhcp.@dnsmasq[0].cachesize='1000'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].logqueries='1'
dhcp.@dnsmasq[0].filterwin2k='1'
dhcp.@dnsmasq[0].addnhosts='/root/config/hosts'
dhcp.@dnsmasq[0].ipset='192.168.100.1' '1.1.1.1'
dhcp.@dnsmasq[0].server='/docker.local/192.168.100.196'
dhcp.@dnsmasq[0].address='/router.local/192.168.100.196'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv4='server'
dhcp.lan.force='1'
dhcp.lan.dhcp_option='6,192.168.100.1,192.168.100.196'
dhcp.docker=dhcp
dhcp.docker.interface='docker'
dhcp.docker.ignore='1'
dhcp.@domain[0]=domain
dhcp.@domain[0].name='*.docker.local'
dhcp.@domain[0].ip='192.168.100.196'
What am I missing?
brada4
December 12, 2024, 5:38am
2
Please post output of
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
use something other than .local.
root@router:~# ubus call system board
{
"kernel": "5.15.167",
"hostname": "router",
"system": "ARMv8 Processor rev 3",
"model": "Raspberry Pi 4 Model B Rev 1.5",
"board_name": "raspberrypi,4-model-b",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "bcm27xx/bcm2711",
"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
}
}
root@router:~# cat /etc/config/network
# /etc/config/network: one LAN bridge with a static address, plus an unmanaged
# interface entry for the Docker bridge. No 'wan' or 'wan6' interface is defined here.
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'
config globals 'globals'
    option ula_prefix 'fd73:24a7:2db9::/48'
# br-lan bridges the single wired port eth0.
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0'
# The device is a host on 192.168.100.0/24 with 192.168.100.1 as its gateway,
# i.e. it sits behind another router rather than at the network edge.
config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.100.196'
    option gateway '192.168.100.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    list dns '8.8.4.4'
    list dns '192.168.100.1'
# Logical name 'docker' for docker0; proto 'none' assigns no address and
# auto '0' keeps netifd from bringing it up at boot.
# The firewall and dhcp configs refer to this interface by the name 'docker'.
config interface 'docker'
    option device 'docker0'
    option proto 'none'
    option auto '0'
# docker0 declared as a bridge with no member ports listed.
config device
    option type 'bridge'
    option name 'docker0'
root@router:~# cat /etc/config/dhcp
# /etc/config/dhcp: dnsmasq DNS/DHCP settings for the LAN; DHCP is disabled on 'docker'.
config dnsmasq
    option domainneeded '1'
    # Rebind protection is switched off: upstream DNS answers that point at
    # private addresses are accepted instead of being discarded.
    option rebind_protection '0'
    # 'local' is the domain reserved for mDNS (see the replies in this thread).
    option domain 'local'
    option cachesize '1000'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    # Only answer queries that come from directly attached subnets.
    option localservice '1'
    option ednspacket_max '1232'
    option authoritative '1'
    option expandhosts '1'
    # Every DNS query is written to the system log.
    option logqueries '1'
    option filterwin2k '1'
    # Additional hosts file. The container-hoster compose file on this page mounts the
    # same path read-write, so container names and labels end up as DNS records here.
    # NOTE(review): confirm the dnsmasq process can actually read a file under /root.
    list addnhosts '/root/config/hosts'
    # NOTE(review): dnsmasq's ipset option expects '/domain/setname'; these values look
    # like DNS server addresses and were presumably meant for a different option - confirm.
    list ipset '192.168.100.1'
    list ipset '1.1.1.1'
    # Forwards docker.local queries to 192.168.100.196, which is this router's own
    # LAN address in /etc/config/network, i.e. dnsmasq is pointed back at itself.
    option server '/docker.local/192.168.100.196'
    list address '/router.local/192.168.100.196'
config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option force '1'
    # DHCP option 6 hands clients two resolvers: 192.168.100.1 and this router.
    # NOTE(review): a client that asks 192.168.100.1 presumably never sees the
    # names defined only on this dnsmasq instance - confirm with a query log.
    list dhcp_option '6,192.168.100.1,192.168.100.196'
# No DHCP service on the Docker interface.
config dhcp 'docker'
    option interface 'docker'
    option ignore '1'
# NOTE(review): a 'domain' entry is a single host record; the leading '*' is
# presumably taken literally rather than as a wildcard - confirm. The
# 'address=/docker.local/...' form is the one that covers all subdomains.
config domain
    option name '*.docker.local'
    option ip '192.168.100.196'
root@router:~# cat /etc/config/firewall
# /etc/config/firewall: default-reject policy, a permissive 'lan' zone that also
# contains the Docker interface, the stock WAN allow rules, and a second
# permissive zone named 'docker'.
config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'
    option log '1'
# The 'lan' zone accepts everything and covers both 'lan' and 'docker', so traffic
# from containers on docker0 is treated exactly like LAN traffic.
# NOTE(review): 'docker' is listed again in the zone 'docker' at the end of this
# file; an interface is normally assigned to one zone only - confirm which policy wins.
config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'docker'
    list network 'lan'
# Only 'wan6' is attached. The /etc/config/network shown on this page defines no
# 'wan' or 'wan6' interface, so this zone appears to match nothing - confirm.
config zone 'wan'
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan6'
# The rules below all take 'wan' as their source zone.
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'
config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'
config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'
config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'
# ICMPv6 addressed to the router itself, rate-limited to 1000 packets per second.
config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'
# ICMPv6 forwarded from wan to any zone (dest '*'), same rate limit.
config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'
# The next two rules forward IPsec traffic from wan into the 'lan' zone, which
# here also contains the Docker interface.
config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'
config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'
# Inter-zone forwarding: lan -> docker and lan -> wan. No docker -> lan entry exists.
config forwarding
    option src 'lan'
    option dest 'docker'
config forwarding
    option src 'lan'
    option dest 'wan'
# Second zone containing the 'docker' interface, with every chain set to ACCEPT:
# containers may reach services on the router itself (input) without restriction.
config zone 'docker'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option name 'docker'
    list network 'docker'
Why use something other than local?
brada4
December 12, 2024, 6:03am
5
I dunno, you are kind of unhappy with how it works?
Yeah, kinda wondering why it's not resolving the domain name; I thought this would have been straightforward.... openwrt is rather complicated
brada4
December 12, 2024, 6:21am
7
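Nothing to do with OpenWrt: you are using the reserved mDNS domain (.local) in DNS. Clients that implement mDNS look up .local names by multicast on the local link instead of asking the DNS server, so those queries may never reach dnsmasq. Install the same broken setup in Windows Docker and call the Microsoft helpline.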
hmmm interesting did not realize .local was reserved to be quite honest
Hudra
December 12, 2024, 1:04pm
9
Can you please show your docker-compose or docker run command?
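# Start a detached nginx test container named "hello" on the default bridge
# network and label it so Traefik routes requests for hello.dal to port 80.
# Traefik's Host() matcher takes the hostname as a backtick-quoted string; the
# label is single-quoted so the shell passes the backticks through literally
# instead of treating them as command substitution.
docker run -d --name hello --network bridge \
  -l traefik.enable=true \
  -l 'traefik.http.routers.hello.rule=Host(`hello.dal`)' \
  -l traefik.http.services.hello.loadbalancer.server.port=80 \
  nginx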
# Compose file for container-hoster. It is given the Docker socket and a
# writable hosts file at /root/config/hosts, the same path the dnsmasq config on
# this page loads via 'addnhosts'.
services:
  container-hoster:
    image: wollomatic/container-hoster
    container_name: container-hoster
    # Hardening already present: read-only root filesystem, memory cap, no network.
    read_only: true
    mem_limit: 100M
    restart: unless-stopped
    volumes:
      # ':ro' only makes the bind mount read-only; it does not limit which Docker
      # API calls can be sent over the socket. Any process that can open the
      # socket can control the daemon, which is equivalent to root on the host.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Writable: the container owns the contents of the hosts file on the router.
      - /root/config/hosts:/hosts
    network_mode: none
    environment:
      # - CH_HOSTSFILE=./hosts
      # - CH_INTERVAL=10s
      # Hostnames are taken from container names and from labels, so whoever can
      # start or label a container decides which names appear in the hosts file.
      - CH_HOSTNAME_FROM_CONTAINERNAME=true
      - CH_HOSTNAME_FROM_LABEL=true
      # - CH_ONLY_LABELED_CONTAINERS=true
      # - CH_NETWORK_REGEXP=.*
      - CH_LOG_EVENTS=true
    # labels:
    #   de.wollomatic.container-hoster.name: "my-container"
    #   de.wollomatic.container-hoster.enabled: "true"
the connectivity internally on openwrt is ok.... i can ping and lookup the domains normal.... but outside of it its just the ip address. Why would i advertise the ip but fail to match the domain?
Even if I inject the IP and name into the hosts file, it still can't see it
is openwrt blocking ? i don't have any addons at the moment and my firewall is good else i probably wont see the containers in the first place correct?
Just odd really. Did not think openwrt would be this complex
Hudra
December 12, 2024, 2:31pm
13
It might be related to the same issue discussed here:
Dockerd containers cannot connect to each other #25471
On OpenWrt, the default Docker bridge network often causes problems with container-to-container communication and DNS resolution. Switching to a user-defined Docker network and integrating it properly into OpenWrt’s firewall and network settings can help.
rwl408
December 12, 2024, 3:14pm
14
karneaud:
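# Quoted command: detached nginx test container "hello" on the default bridge,
# labelled for Traefik. Host() takes a backtick-quoted hostname; the single
# quotes keep the shell from interpreting the backticks.
docker run -d --name hello --network bridge \
  -l traefik.enable=true \
  -l 'traefik.http.routers.hello.rule=Host(`hello.dal`)' \
  -l traefik.http.services.hello.loadbalancer.server.port=80 \
  nginx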
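Change "--network bridge" to "--network host" and see what happens. The docker "host" network driver removes the network isolation between the container and the docker host (OpenWrt). With it the container shares the router's network stack, so anything it listens on is exposed on the router's own addresses.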
Man i've tried this 100 ways and still no dice. But I'm baffled
I reconfigured the zones
i got a new interface
docker1 Link encap:Ethernet > HWaddr 52:89:78:3D:C9:0F
inet addr:172.18.0.1 Bcast:172.18.255.255 Mask:255.255.0.0
inet6 addr: fe80::d85c:d7ff:fe3d:2a0b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7 errors:0 dropped:0 overruns:0 frame:0
TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:476 (476.0 B) TX bytes:7973 (7.7 KiB)
My custom bridge network docker-bridge is setup to use docker1 interface
cat /etc/config/dhcp
# /etc/config/dhcp after the rework: local domain changed to 'lan', one
# per-domain forwarder for '.dal' names, DHCP still disabled on 'docker'.
config dnsmasq
    option domainneeded '1'
    # Rebind protection remains off: upstream answers pointing at private
    # addresses are accepted.
    option rebind_protection '0'
    option domain 'lan'
    option cachesize '1000'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    # Only answer queries that come from directly attached subnets.
    option localservice '1'
    option ednspacket_max '1232'
    option authoritative '1'
    # Every DNS query is written to the system log.
    option logqueries '1'
    option filterwin2k '1'
    # NOTE(review): dnsmasq's ipset option expects '/domain/setname'; these values
    # look like DNS server addresses - confirm what was intended.
    list ipset '192.168.100.1'
    list ipset '1.1.1.1'
    # Extra hosts file; the container-hoster compose file on this page writes to this path.
    list addnhosts '/root/config/hosts'
    # Sends matching queries to 192.168.100.196, the router's own LAN address in
    # the network config shown earlier, so dnsmasq would be forwarding to itself.
    # NOTE(review): 'server' normally takes the bare domain ('/dal/...'); whether
    # the '*.' prefix is accepted depends on the dnsmasq version - confirm.
    list server '/*.dal/192.168.100.196'
config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option force '1'
    # DHCP option 6 still advertises 192.168.100.1 first, then this router.
    list dhcp_option '6,192.168.100.1,192.168.100.196'
# No DHCP service on the Docker interface.
config dhcp 'docker'
    option interface 'docker'
    option ignore '1'
Routing looks ok.
What else am I missing? host files?
I have a container with a label .....Host(`hello.lan`) (using traefik for dns/proxy) and again I can ping the ip address but can't nslookup hello.lan
but
Server: 127.0.0.1
Address: 127.0.0.1:53
Name: router.lan
Address: 192.168.100.196
Name: router.lan
Address: 127.0.0.1
Name: router.lan
Address: fd73:24a7:2db9::1
Name: router.lan
Address: ::1
Is it that openwrt can't really handle custom domains? Like..... what domains are recommended as default for this sort of thing? ".local" seems pretty ok I would have guessed
Hudra
December 12, 2024, 7:05pm
17
Hmm, so that wasn’t it. Generally, the default bridge prevents name resolution between containers on the Docker bridge, and I thought it might have a positive effect in your case as well.
Regardless of your issue, I would definitely recommend checking your firewall settings and removing any forwarding from WAN to Docker. Masquerading from Docker to WAN probably isn't needed.
I assume your Traefik container is also deployed on OpenWRT? You could try binding the container directly to a LAN IP and then binding all the containers you want to connect to it to the same IP. Here’s an example:
# Example compose file: Traefik published on the router's LAN address with one
# demo backend (whoami) routed by Host header.
version: "3.3"
services:
  traefik:
    image: "traefik:v3.2"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      # Serves the Traefik API and dashboard without authentication. Port 8080 is
      # published below, so any host that can reach 192.168.100.196:8080 can read
      # the routing configuration. Acceptable for a quick test only; drop the flag
      # or put the API behind an authenticated router for anything longer-lived.
      - "--api.insecure=true"
      - "--providers.docker=true"
      # Containers are exposed only when they carry traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
    ports:
      # Bound to the LAN address only, not to every interface. Port 80 may clash
      # with LuCI, as the post notes.
      - "192.168.100.196:80:80"
      - "192.168.100.196:8080:8080"
    volumes:
      # ':ro' makes the bind mount read-only but does not restrict Docker API
      # calls over the socket; access to it is equivalent to root on the host.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      # Host() takes the hostname as a backtick-quoted string.
      - "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
      - "traefik.http.routers.whoami.entrypoints=web"
This is just an example (I personally use Nginx and don’t have much experience with Traefik).
although this might interfere with luci on port 80.
Honestly I Gave Up.....So much so that I switched to BerryOS . Not only did it work (some what) but ALL the USB WiFi adapters that DID NOT work with OpenWRT are now Working with this OS( and I assume with latest Raspbian)
I am no expert but I think it maybe the kernel. I don't know.
You OpenWRT devs should check it out.