Docker - no internet connection inside a container

Hi Guys!
That's my first post on the OpenWrt forum, so hello everyone!! It's great to join your community.

My problem is similar to this one. However, it hasn't been replied to so far and my case could be a little bit different. That's why I decided to open a new topic. Sorry in advance if it turns out to be the same. Hope it won't.

So basically I have 3 routers:

  1. from internet provider
  2. NanoPi R2S - with OpenWrt, as a main router; this one is directly connected to the first one
  3. TpLink (which is my main router where all my devices are connected to) - this one is connected with NanoPi

All of the above have static addresses set up.

I'm capable of pulling a docker image without any problem. However, let's assume it's going to be the ubuntu image. While a container is started and attached (in interactive mode), trying such simple commands as:

doesn't work because the ubuntu container has no connection to the internet.

My question is how can I fix it?
Of course I will provide all kind of information if needed. Please just tell me what to check and I'll post it.
Best regards

Try this:

Edit:
/etc/config/dockerd

… and uncomment list blocked_interfaces 'wan'

Like this:

config firewall 'firewall'
        option device 'docker0'
        #list blocked_interfaces 'wan'

… then restart docker

But be aware if you publish ports through docker (like with the -p command) you normally expose your service to the internet because docker uses iptables (or in your case probably nftables) to open ports on the host (in your case your OpenWrt device).

Also, if your intention is to make your service accessible from the internet, you will have to put your ISP router/modem into bridge mode or at least configure static routes to your OpenWrt device and then disable masquerading. Otherwise you will have double NAT and won't be able to access your docker container from the internet.

Hi Hudra,
Thank you for the reply.
I have checked my dockerd file and it looks like the following:

config globals 'globals'
option data_root '/opt/docker/'
option log_level 'warn'
option iptables '1'
option auto_start '1'

config firewall 'firewall'
option device 'docker0'
list blocked_interfaces 'wan'

config dockerman 'dockerman'
option socket_path '/var/run/docker.sock'
option status_path '/tmp/.docker_action_status'
option debug 'false'
option debug_path '/tmp/.docker_debug'
option remote_endpoint '0'
list ac_allowed_interface 'br-lan'

So there is no need to uncomment anything according to your suggestion.
My intention isn't really to allow connections from outside my home LAN. I'd just like to be able to use it locally (at least for now).

Below is confirmation that I'm stuck:

$ docker ps -a
CONTAINER ID   IMAGE     COMMAND       CREATED       STATUS                     PORTS     NAMES
8181d1363d4b   ubuntu    "/bin/bash"   4 weeks ago   Exited (255) 1 hour ago             thirsty_jepsen
23782fad21c9   ubuntu    "bash"        4 weeks ago   Exited (0) 4 weeks ago               sleepy_heyrovsky

# root @ FusionWrt in ~ [19:16:48]
$ docker start 8
8

# root @ FusionWrt in ~ [19:17:38]
$ docker attach 8
root@8181d1363d4b:/# ping google.com
bash: ping: command not found
root@8181d1363d4b:/# apt update
Ign:1 http://ports.ubuntu.com/ubuntu-ports jammy InRelease
Ign:2 http://ports.ubuntu.com/ubuntu-ports jammy-updates InRelease
Ign:3 http://ports.ubuntu.com/ubuntu-ports jammy-backports InRelease
Ign:4 http://ports.ubuntu.com/ubuntu-ports jammy-security InRelease
Ign:1 http://ports.ubuntu.com/ubuntu-ports jammy InRelease
Ign:2 http://ports.ubuntu.com/ubuntu-ports jammy-updates InRelease
Ign:3 http://ports.ubuntu.com/ubuntu-ports jammy-backports InRelease
Ign:4 http://ports.ubuntu.com/ubuntu-ports jammy-security InRelease
Ign:1 http://ports.ubuntu.com/ubuntu-ports jammy InRelease
Ign:2 http://ports.ubuntu.com/ubuntu-ports jammy-updates InRelease
Ign:3 http://ports.ubuntu.com/ubuntu-ports jammy-backports InRelease
Ign:4 http://ports.ubuntu.com/ubuntu-ports jammy-security InRelease
Err:1 http://ports.ubuntu.com/ubuntu-ports jammy InRelease
Could not connect to ports.ubuntu.com:80 (185.125.190.39), connection timed out Could not connect to ports.ubuntu.com:80 (185.125.190.36), connection timed out
Err:2 http://ports.ubuntu.com/ubuntu-ports jammy-updates InRelease
Unable to connect to ports.ubuntu.com:80:
Err:3 http://ports.ubuntu.com/ubuntu-ports jammy-backports InRelease
Unable to connect to ports.ubuntu.com:80:
Err:4 http://ports.ubuntu.com/ubuntu-ports jammy-security InRelease
Unable to connect to ports.ubuntu.com:80:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/jammy/InRelease  Could not connect to ports.ubuntu.com:80 (185.125.190.39), connection timed out Could not connect to ports.ubuntu.com:80 (185.125.190.36), connection timed out
W: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/jammy-updates/InRelease  Unable to connect to ports.ubuntu.com:80:
W: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/jammy-backports/InRelease  Unable to connect to ports.ubuntu.com:80:
W: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/jammy-security/InRelease  Unable to connect to ports.ubuntu.com:80:
W: Some index files failed to download. They have been ignored, or old ones used instead.
root@8181d1363d4b:/#

list blocked_interfaces 'wan' is right in the config you posted.

Let’s try it another way. Go to your Firewall and allow docker zone Forwarding to your wan:

Go to Network – Firewall – General Settings – edit your docker zone


First of all I commented out:

list blocked_interfaces 'wan' 

and restarted a service:

 /etc/init.d/dockerd restart

It didn't work.
After that, in the firewall options, I allowed forwarding to:

(sorry for the language version, but I just don't have English here). If any of the following is fine for you, just please let me know and I'll resend any picture:

You don't need masquerading on the docker zone

OK, turned off, but it doesn't change anything in my case.

Mmmh, hard to say what's causing the issues. Seems like you are using a custom build. Maybe something else is set up wrong. When I enable docker zone forwarding to wan I get instant internet access.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board; \
cat /etc/config/network; \
cat /etc/config/dhcp; \
cat /etc/config/firewall

Hi Hudra,
Sorry for the late reply. I was very busy.
So straight to the point. The output from my configs is:

{
"kernel": "5.4.143",
"hostname": "FusionWrt",
"system": "ARMv8 Processor rev 4",
"model": "FriendlyElec NanoPi R4S",
"board_name": "friendlyarm,nanopi-r4s",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"target": "rockchip/armv8",
"revision": "R21.8.6 2021-09-01",
"description": "DHDAXCW 20210901 @ FusionWrt "
}
}

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fda9:d09c:acde::/48'

config interface 'lan'
option type 'bridge'
option ifname 'eth1'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'

config device 'lan_eth1_dev'
option name 'eth1'
option macaddr '7a:37:10:ac:b7:82' - it's fake and copied down below, no worries ;)

config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'

config device 'wan_eth0_dev'
option name 'eth0'
option macaddr '7a:37:10:ac:b7:82'

config interface 'wan6'
option ifname 'eth0'
option proto 'dhcpv6'
option auto '0'
option reqaddress 'try'
option reqprefix 'auto'

config interface 'vpn0'
option ifname 'tun0'
option proto 'none'

config interface 'docker'
option ifname 'docker0'
option proto 'none'
option delegate '0'

config device 'docker0'
option type 'bridge'
option name 'docker0'
list ifname 'docker0'


config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option localuse '1'
option port '53'
list server '127.0.0.1#5553'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option noresolv '0'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

config srvhost
option srv '_vlmcs._tcp'
option target 'FusionWrt'
option port '1688'
option class '0'
option weight '100'


config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option flow_offloading '0'
option flow_offloading_hw '0'
option fullcone '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'

config include
option path '/etc/firewall.user'

config include 'zerotier'
option type 'script'
option path '/etc/zerotier.start'
option reload '1'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

config include 'gowebdav'
option type 'script'
option path '/var/etc/gowebdav.include'
option reload '1'

config include 'luci_app_ipsec_server'
option type 'script'
option path '/var/etc/ipsecvpn.include'
option reload '1'

config include 'socat'
option type 'script'
option path '/var/etc/socat.include'
option reload '1'

config include 'ssr_mudb_server'
option type 'script'
option path '/var/etc/ssr_mudb_server.include'
option reload '1'

config include 'mia'
option type 'script'
option path '/etc/mia.include'
option reload '1'

config include 'openclash'
option type 'script'
option path '/var/etc/openclash.include'
option reload '1'

config rule 'openvpn'
option name 'openvpn'
option target 'ACCEPT'
option src 'wan'
option proto 'tcp udp'
option dest_port '1194'

config zone 'vpn'
option name 'vpn'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option masq '1'
option network 'vpn0'

config forwarding 'vpntowan'
option src 'vpn'
option dest 'wan'

config forwarding 'vpntolan'
option src 'vpn'
option dest 'lan'

config forwarding 'lantovpn'
option src 'lan'
option dest 'vpn'

config include 'passwall'
option type 'script'
option path '/var/etc/passwall.include'
option reload '1'

config include 'passwall_server'
option type 'script'
option path '/var/etc/passwall_server.include'
option reload '1'

config include 'softethervpn'
option type 'script'
option path '/usr/share/softethervpn/firewall.include'
option reload '1'

config include 'shadowsocksr'
option type 'script'
option path '/var/etc/shadowsocksr.include'
option reload '1'

config include 'unblockmusic'
option type 'script'
option path '/var/etc/unblockmusic.include'
option reload '1'

config rule 'kms'
option name 'kms'
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '1688'

config include 'vssr'
option type 'script'
option path '/var/etc/vssr.include'
option reload '1'

config include 'wrtbwmon'
option type 'script'
option path '/etc/wrtbwmon.include'
option reload '1'

config include 'pptpd'
option type 'script'
option path '/etc/pptpd.include'
option reload '1'

config rule 'pptp'
option name 'pptp'
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '1723'

config rule 'gre'
option name 'gre'
option target 'ACCEPT'
option src 'wan'
option proto '47'

config zone 'docker'
option network 'docker'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option name 'docker'

config forwarding
option dest 'wan'
option src 'docker'

Seems like you are using a VPN… Is your default routing via WAN or VPN? If it's via VPN you probably have to allow forwarding from your docker zone to your vpn firewall zone as well…

Like this

config forwarding
option src 'docker'
option dest 'vpn'
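As an added example (not code from this thread or from OpenWrt), a small POSIX shell script that reads UCI-style firewall and dockerd config text, the way the checks above go through them by hand, and reports whether the docker zone may forward to wan and to vpn and which interfaces dockerd blocks. The two embedded configs are constructed samples mirroring what was posted; the function names are assumptions.

```shell
# Constructed sample configs mirroring the thread (not the poster's full files).
FIREWALL_CONF=$(cat <<'EOF'
config forwarding 'vpntowan'
	option src 'vpn'
	option dest 'wan'

config forwarding
	option dest 'wan'
	option src 'docker'
EOF
)
DOCKERD_CONF=$(cat <<'EOF'
config firewall 'firewall'
	option device 'docker0'
	list blocked_interfaces 'wan'
EOF
)

# Print the dest of every 'config forwarding' section whose src is $1.
# Quotes are stripped first so quoted and bare UCI values parse the same way.
forward_dests() {
	tr -d "'" | awk -v want="$1" '
		function flush() { if (sect == "forwarding" && src == want && dest != "") print dest }
		/^config / { flush(); sect = $2; src = dest = ""; next }
		sect == "forwarding" && $1 == "option" && $2 == "src"  { src = $3 }
		sect == "forwarding" && $1 == "option" && $2 == "dest" { dest = $3 }
		END { flush() }'
}

# Succeed only when the config on stdin forwards from zone $1 to zone $2.
has_forwarding() {
	forward_dests "$1" | grep -qx "$2"
}

# Interfaces dockerd blocks; a commented line makes $1 "#list", so it is skipped.
blocked_interfaces() {
	tr -d "'" | awk '$1 == "list" && $2 == "blocked_interfaces" { print $3 }'
}

# One line per check from the thread: zone forwarding and dockerd's block list.
docker_net_report() {
	for zone in wan vpn; do
		printf '%s\n' "$1" | has_forwarding docker "$zone" && s=present || s=missing
		echo "forward docker->$zone: $s"
	done
	for ifc in $(printf '%s\n' "$2" | blocked_interfaces); do
		echo "dockerd blocks $ifc: containers cannot use it"
	done
}

docker_net_report "$FIREWALL_CONF" "$DOCKERD_CONF"
```

On a router, feed it the real files with `docker_net_report "$(cat /etc/config/firewall)" "$(cat /etc/config/dockerd)"`.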

Not at all. Yeap, I have installed by default a VPN soft in that particular version of OpenWrt. It comes with the build. I haven't configured it yet (that's the next point on my list to manage, and after handling the current issue I'm going to ask on that forum for help with VPN or Proxy Server as well..). Also I'm sure I don't use VPN because of the fact that after requesting information from a service like "what is my ip" I always receive my internet provider assigned IP.
Nevertheless, I really appreciate the fact that you take your time and check my settings! Thank you Hudra!
What else can we check?