Hello. I installed Docker on a NanoPi R6S running OpenWrt. For some reason, I think the Docker containers cannot communicate with each other. I am having trouble bringing up Immich, it keeps restarting with this error:
Error: connect ECONNREFUSED 172.18.0.4:5432
at TCPConnectWrap.afterConnect \[as oncomplete\] (node:net:1645:16) {
errno: -111,
code: 'ECONNREFUSED',
syscall: 'connect',
address: '172.18.0.4',
port: 5432
}
What can I do? I don't have the first idea about how to even debug the issue.
Is the 172.18.0.4 your Nanopi's local Lan IP addresses? So that everything is inside Lan, without routing.
(If it is wan address, then you may need to configure firewall)
My LAN is on a standard 192.168.x.x subnet.
What then is the 172.18.0.4 ? Where is it coming from?
What is your WAN IP address on the router?
(Is it that 172.18.0.4? That would not be a public address.)
Are you behind an ISP carrier-grade NAT? (they are typically in the 172.x.x.x areas)
You likely need to configure your router's firewall to allow in the traffic that you want. Bu that may not help you
But it may also be that you are inside ISP NAT and you do not have a public IP at all, and then it might not work at all.
Solved it — thanks for the response, but the issue wasn't WAN-related at all. 172.18.0.4 was the internal IP of the Postgres container on Docker's bridge network, not anything routed over WAN, so ISP NAT wasn't a factor. The actual problem was that fw4's FORWARD chain has policy drop, and because OpenWrt has bridge-nf-call-iptables=1, container-to-container traffic on the same Docker bridge passes through the host's FORWARD chain instead of staying at L2. The default docker firewall zone in OpenWrt only covers the docker0 interface, but Docker Compose creates its own bridge per project (br-<networkid>), which wasn't matched by any zone — so packets between Immich containers were getting RST'd, surfacing as ECONNREFUSED rather than a timeout.
The fix was extending the docker firewall zone to cover Compose-created bridges. In /etc/config/firewall, the zone was bound by option network 'docker' (an indirection through /etc/config/network); I replaced that with direct device entries:
uci delete firewall.docker.network
uci add_list firewall.docker.device='docker0'
uci add_list firewall.docker.device='br-+'
uci commit firewall
service firewall restart
The br-+ wildcard covers all current and future Compose project bridges, so this works for any compose stack, not just Immich. After the firewall restart, container-to-container traffic on br-* bridges hits the accept rule and Immich starts cleanly.