DSA vlan and dockerd - firewall issue

I am running OpenWrt with the latest snapshot and it runs great. I am also using DSA with VLANs to separate IoT and guest devices. My goal is to run 1-2 critical services as Docker containers on the router, e.g. a simple reverse proxy to offer SSL internally.

The issue is that as soon as I install dockerd with this guide https://openwrt.org/docs/guide-user/virtualization/docker_host and reboot the router, my clients inside the lan zone cannot communicate with each other any longer. The requests are blocked by the firewall even though all clients are in the same zone.

After countless tests and a lot of research, I figured out that this is because net.bridge.bridge-nf-call-iptables=1 is set during the dockerd install:
https://github.com/openwrt/packages/blob/master/utils/dockerd/files/etc/sysctl.d/sysctl-br-netfilter-ip.conf

If I remove the bridge VLANs and use br-lan for the lan interface, it works and clients can communicate again.
Also, setting net.bridge.bridge-nf-call-iptables to 0 fixes the issue, but that is probably not a good idea.

Can any of you help me with how I can use dockerd with DSA and VLANs?
Does any of you do something similar?

Thank you for your support!

Example config /etc/config/network:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan.11'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

config bridge-vlan
        option device 'br-lan'
        option vlan '11'
        list ports 'eth1:u*'

/etc/config/wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '6'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'testtest'
        option encryption 'psk2'
        option key 'xxxxxxxxx'

/etc/config/firewall:

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

I guess so much text scares people off…

Here some quick steps to reproduce it:

  1. Start with plain openwrt (stable or snapshot)
  2. Create a wireless network on lan interface
  3. Create DSA vlan on br-lan
  4. Install dockerd

Result: Clients in lan zone cannot communicate any more.

It would be great if someone could give an explanation or a solution, or could just confirm the issue. Thanks!

Docker isn’t really designed to run on a router. When installed on OpenWrt, it activates net.bridge.bridge-nf-call-iptables by default, causing all traffic passing through your bridges to be processed by iptables. As a result, clients on the same VLAN may have their traffic filtered, breaking the normal LAN communication you’d expect.

My recommendation is to simply disable net.bridge.bridge-nf-call-iptables.

If you’re concerned about security, you still have options like setting up additional firewall rules, or consider alternative Docker networking modes such as host mode or macvlan.


Thank you very much for your reply and the very helpful answer. Could you please help me to understand the implications or possible concerns of disabling it?
Could this potentially affect other configurations on the router or the overall security of the router e.g. separation of wan and lan?
Or does it only affect traffic between the docker host (router) and the containers?

Thanks again!

Let me explain in more detail:

On OpenWrt, net.bridge.bridge-nf-call-iptables is disabled by default and only gets activated when installing dockerd:

# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings

# enable bridge firewalling for docker
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1

So disabling it (in /etc/sysctl.conf) just returns your router to its original OpenWrt state.

What does this setting actually do?
When enabled (net.bridge.bridge-nf-call-iptables=1):

  • All traffic passing through bridges is processed by iptables
  • This includes traffic between devices on the same bridge/VLAN
  • That's why your LAN clients can't communicate with each other anymore

When disabled (net.bridge.bridge-nf-call-iptables=0):

  • Bridge traffic flows directly without being processed by iptables
  • LAN clients can communicate normally
  • Your regular firewall rules for WAN/LAN separation still work as they should

The main security impact of this setting (from Docker's perspective) is only between Docker containers and how they communicate with each other. Your router's overall security, including the separation between WAN and LAN, is maintained through your firewall rules, which operate independently of this bridge setting.

If you need to restrict communication between Docker containers, there are other ways...

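The reply above says the fix is an override in /etc/sysctl.conf that beats the drop-in shipped by the dockerd package. The script below is an added example, not code from the thread or from the OpenWrt project: it audits the two br_netfilter sysctls, computes which value is configured to win, compares that with what the kernel currently reports, and can append the override. It assumes OpenWrt's /etc/init.d/sysctl applies /etc/sysctl.d/*.conf first and /etc/sysctl.conf last (so the last assignment of a key is the effective one), the dockerd drop-in path quoted earlier in the thread, and a BusyBox ash shell; the "filtered"/"passthrough" labels are this script's own wording.

```shell
#!/bin/sh
# Added example (not from the thread): audit the br_netfilter sysctls that the
# OpenWrt dockerd package turns on, and check whether a local override in
# /etc/sysctl.conf actually wins. Assumption: OpenWrt's /etc/init.d/sysctl
# feeds /etc/sysctl.d/*.conf first and /etc/sysctl.conf last, so the last
# assignment of a key is the effective one. Runs under BusyBox ash.

DOCKERD_DROPIN="/etc/sysctl.d/sysctl-br-netfilter-ip.conf"  # shipped by dockerd
LOCAL_OVERRIDE="/etc/sysctl.conf"                            # applied last, wins

# effective_value KEY FILE... : print the last non-comment KEY=VALUE found in
# FILE... (whitespace around '=' tolerated), or "unset" if no file sets it.
effective_value() {
    key="$1"; shift
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for sed
    val="unset"
    for f in "$@"; do
        [ -f "$f" ] || continue
        v=$(sed -n -e '/^[[:space:]]*#/d' -e 's/[[:space:]]//g' \
                   -e "s/^${key_re}=//p" "$f" | tail -n 1)
        [ -n "$v" ] && val="$v"
    done
    printf '%s\n' "$val"
}

# brnf_state VALUE : human-readable meaning of bridge-nf-call-iptables.
brnf_state() {
    case "$1" in
        1) printf 'filtered\n' ;;     # bridged frames traverse the ip/inet tables
        0) printf 'passthrough\n' ;;  # OpenWrt default: bridge switching bypasses them
        *) printf 'unknown\n' ;;      # module not loaded or value unreadable
    esac
}

# live_value KEY : what the kernel currently uses ("absent" if br_netfilter
# is not loaded or sysctl is unavailable).
live_value() {
    sysctl -n "$1" 2>/dev/null || printf 'absent\n'
}

# override_text : the lines the reply suggests putting in /etc/sysctl.conf.
override_text() {
    printf '%s\n' \
        '# local override: restore the OpenWrt default after installing dockerd' \
        'net.bridge.bridge-nf-call-iptables=0' \
        'net.bridge.bridge-nf-call-ip6tables=0'
}

# audit : configured (file-derived) value next to the live kernel value.
audit() {
    [ -f "$DOCKERD_DROPIN" ] && echo "dockerd drop-in present: $DOCKERD_DROPIN"
    for k in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables; do
        cfg=$(effective_value "$k" /etc/sysctl.d/*.conf "$LOCAL_OVERRIDE")
        live=$(live_value "$k")
        printf '%-36s configured=%-5s live=%-6s %s\n' \
            "$k" "$cfg" "$live" "$(brnf_state "$live")"
    done
}

# Usage: sh brnf-audit.sh          (audit only)
#        sh brnf-audit.sh apply    (append override, reload it, audit again)
case "${1:-audit}" in
    audit) audit ;;
    apply) override_text >> "$LOCAL_OVERRIDE"
           sysctl -p "$LOCAL_OVERRIDE"
           audit ;;
esac
```

Run it once before and once after `apply`, and again after a reboot: the dockerd drop-in is reapplied at every boot, so the "live" column is the value that matters, and it should read 0/passthrough only if the later /etc/sysctl.conf assignment is really being loaded last. A "configured" and "live" mismatch means the override was never reloaded or something else (a package reinstall, a hand-run sysctl) changed the value after boot.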

Understood! Thanks again for all your effort. 🙂

