Wabuo
January 9, 2024, 11:32pm
1
I tried everything I could find, spent hours reading up on VLANs and macvlans, and still, 60h in, I can't seem to get it to work.
I really like the setup this guy is going for, but, well, I can't ping anything from inside the container.
(scroll down to: "Install PiHole … and do the other networking stuff to support it")
https://paul-mackinnon.medium.com/openwrt-raspberry-pi-docker-vlan-project-9cb1db10684c
I'm currently running a double NATed setup behind a Starlink v1 router, that the R4S is supposed to replace when things are running smooth.
Cheers for your time
Wabuo
January 9, 2024, 11:33pm
2
My current /etc/config/network:
root@OpenWrtR4S:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd19:7219:b304::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	option promisc '1'

config device
	option name 'eth1'
	option macaddr 'XXXXX'
	option promisc '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0'
	option macaddr 'XXXXX'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config interface 'vlan20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option device 'br-lanmac0'
	option delegate '0'

config device
	option type 'macvlan'
	option ifname 'br-lan'
	option mode 'bridge'
	option name 'br-lanmac0'
	option ipv6 '0'
	option mtu '1500'
	option macaddr 'XXXXX'
My /etc/config/firewall:
cat /etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan vlan20'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'podman'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'podman'

config forwarding
	option src 'lan'
	option dest 'podman'

config forwarding
	option src 'podman'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'podman'

config rule
	option name 'Allow-Podman-DNS'
	option src 'podman'
	option dest_port '53'
	option target 'ACCEPT'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
Wabuo
January 9, 2024, 11:46pm
3
The docker-compose.yml that's supposed to work with it:
version: "3.3"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    hostname: pihole.lan
    environment:
      TZ: 'Pacific/Auckland'
      WEBPASSWORD: 'asdf'
    volumes:
      - './pihole/etc-pihole:/etc/pihole/'
      - './pihole/etc-dnsmasq.d:/etc/dnsmasq.d/'
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    networks:
      lan20:
        ipv4_address: 192.168.20.3
networks:
  lan20:
    name: vlan20
    driver: macvlan
    driver_opts:
      parent: br-lanmac0
    ipam:
      config:
        - subnet: 192.168.20.0/24
          gateway: 192.168.20.1

I don't really see the OpenWrt connection in your question, but have you tried this YouTube docker network guide?
And you really don't say what doesn't work either.
https://youtu.be/bKFMS5C4CG0?si=Dw2lPGkK3qasvQm7
Wabuo
January 10, 2024, 7:07am
5
Well, it looked like it's working, but everything was unreachable.
I have no clue what my sleep-deprived brain did last night and this morning ...
But I just went over it again, setting everything up again, and boom, everything just works ...
Sorry for wasting the time of everyone who read this, cheers though.
I'll post the configs and a little tutorial in the next post.
Wabuo
January 10, 2024, 7:38am
6
I managed to get it to work, so here is a little tutorial.
Open your /etc/config/network and find the config interface 'lan' section:
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
Note the device under option device, in this case br-lan.
That's the device you want to base your macvlan on.
Now add the new sections for the macvlan to the bottom of your /etc/config/network.
Note the use of the device, in this case br-lan.20, and the ifname, br-lan.
I think that's where I messed up yesterday and then started experimenting, which made things worse.
config interface 'vlan20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option device 'br-lan.20'

config device
	option type 'macvlan'
	option ifname 'br-lan'
	option mode 'bridge'
	option name 'br-lan.20'
	option acceptlocal '1'
	option ipv6 '0'
Now the corresponding docker-compose file.
Again, note the use of br-lan.20:
version: "3.3"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    hostname: pihole.lan
    environment:
      TZ: 'Pacific/Auckland'
      WEBPASSWORD: 'asdf'
    volumes:
      - './pihole/etc-pihole:/etc/pihole/'
      - './pihole/etc-dnsmasq.d:/etc/dnsmasq.d/'
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    networks:
      lan20:
        ipv4_address: 192.168.20.3
networks:
  lan20:
    name: vlan20
    driver: macvlan
    driver_opts:
      parent: br-lan.20
    ipam:
      config:
        - subnet: 192.168.20.0/24
          gateway: 192.168.20.1
If docker-compose up -d --force-recreate --renew-anon-volumes pihole complains that it can't find a network, check with docker network ls that there isn't a docker network with the same name already left over from a previous experiment; if so, delete it or change the name.
Have fun and enjoy containers with their own routable IP, so it's like another physical machine in your network.
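As an added example (this is not code from the thread, from OpenWrt or from Docker), here is a POSIX shell script with two checks a practitioner would run against the files in post 2 and the tutorial in post 6 before bringing the container up. The first walks the UCI firewall and lists zones whose input policy is ACCEPT and forwardings whose source zone is wan; the second cross-checks the docker-compose macvlan network against the OpenWrt macvlan device and the address OpenWrt assigned to it, which is exactly the kind of drift (a compose file still naming br-lanmac0 after the network config moved to br-lan.20) the thread ran into. The function names (uci_get, check_macvlan_compose, write_samples, ...) are this example's own, and the sample configs it writes are constructed subsets of the thread's files, not the full originals.

```shell
#!/bin/sh
# Added example (not code from the thread): two sanity checks for the setup
# above, sharing one small UCI query helper. The sample configs written by
# write_samples are constructed to mirror the thread's files.

# awk: for each `config TYPE` section whose option SELK equals SELV
# (every section of that type when sel is empty), print option FIELD.
UCI_AWK=$(cat <<'EOF'
function strip(s) { sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", s)
                    gsub(/^['"]|['"]$/, "", s); return s }
function flush() {
  if (type == want && (sel == "" || opt[selk] == selv) && (field in opt)) print opt[field]
  split("", opt); type = ""
}
BEGIN { if (sel != "") { split(sel, kv, "="); selk = kv[1]; selv = kv[2] } }
$1 == "config" { flush(); type = $2 }
$1 == "option" { opt[$2] = strip($0) }
$1 == "list"   { opt[$2] = ($2 in opt) ? opt[$2] " " strip($0) : strip($0) }
END { flush() }
EOF
)
uci_get() { awk -v want="$2" -v sel="$3" -v field="$4" "$UCI_AWK" "$1"; }  # FILE TYPE SEL FIELD

# Check 1: zones that ACCEPT input, and forwardings whose source zone is wan
# (unsolicited traffic from the internet allowed into an internal zone).
firewall_open_input_zones() { uci_get "$1" zone input=ACCEPT name; }
firewall_wan_forwardings()  { uci_get "$1" forwarding src=wan dest; }

# First "key: value" in a compose file; enough for the thread's one-network layout.
yaml_value() { sed -n "s/^[[:space:]-]*$2:[[:space:]]*//p" "$1" | head -n 1; }
ip2int() { set -- $(printf '%s' "$1" | tr '.' ' '); echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
in_subnet() {  # IP CIDR -> true if IP lies inside CIDR
  mask=$(( (1 << 32) - (1 << (32 - ${2#*/})) ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Check 2: the compose macvlan network must point at the OpenWrt macvlan device, and
# its gateway must be the address OpenWrt put on that device's interface.
# Assumes one macvlan device in /etc/config/network and one network in compose.
check_macvlan_compose() {  # NETWORK_FILE COMPOSE_FILE -> 0 if consistent
  dev=$(uci_get "$1" device type=macvlan name); mode=$(uci_get "$1" device type=macvlan mode)
  gw=$(uci_get "$1" interface "device=$dev" ipaddr)
  parent=$(yaml_value "$2" parent); subnet=$(yaml_value "$2" subnet); gateway=$(yaml_value "$2" gateway)
  rc=0
  [ -n "$dev" ] || { echo "no macvlan device in $1"; return 1; }
  [ "$mode" = bridge ] || { echo "macvlan mode '$mode': sibling macvlans cannot reach each other"; rc=1; }
  [ -n "$gw" ] || { echo "no interface in $1 uses device '$dev'"; rc=1; }
  [ "$parent" = "$dev" ] || { echo "compose parent '$parent' != OpenWrt macvlan '$dev'"; rc=1; }
  [ "$gateway" = "$gw" ] || { echo "compose gateway '$gateway' != interface address '$gw'"; rc=1; }
  if [ -n "$gw" ] && ! in_subnet "$gw" "$subnet"; then echo "gateway $gw outside $subnet"; rc=1; fi
  return $rc
}

write_samples() {  # DIR: constructed firewall, network and compose files
  cat >"$1/firewall" <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'
config zone
	option name 'wan'
	option input 'REJECT'
config forwarding
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'wan'
	option dest 'podman'
config zone 'docker'
	option input 'ACCEPT'
	option name 'docker'
EOF
  cat >"$1/network" <<'EOF'
config interface 'vlan20'
	option ipaddr '192.168.20.1'
	option device 'br-lan.20'
config device
	option type 'macvlan'
	option ifname 'br-lan'
	option mode 'bridge'
	option name 'br-lan.20'
	option acceptlocal '1'
EOF
  cat >"$1/compose.yml" <<'EOF'
networks:
  lan20:
    driver: macvlan
    driver_opts:
      parent: br-lan.20
    ipam:
      config:
        - subnet: 192.168.20.0/24
          gateway: 192.168.20.1
EOF
  # stale variant: compose still naming the first attempt's device
  sed 's/br-lan\.20/br-lanmac0/' "$1/compose.yml" >"$1/compose-stale.yml"
}

dir=$(mktemp -d); write_samples "$dir"
echo "zones with INPUT ACCEPT:"; firewall_open_input_zones "$dir/firewall"
echo "forwardings from wan:";    firewall_wan_forwardings "$dir/firewall"
for f in compose.yml compose-stale.yml; do
  if check_macvlan_compose "$dir/network" "$dir/$f"; then echo "$f: consistent"; fi
done
```

Run against the firewall posted above, the first check reports lan and docker as zones accepting input and podman as a zone that wan is forwarded into; whether that is intended is for the author to decide, but a wan-sourced forwarding is what lets unsolicited internet traffic reach a zone, so it deserves a deliberate look rather than being left over from an experiment. The second check fails on the stale compose file (parent br-lanmac0 versus the OpenWrt device br-lan.20) and insists on mode bridge because a macvlan child cannot talk to its parent interface directly; the host-side macvlan br-lan.20 that carries the router's 192.168.20.1 is what lets OpenWrt itself reach the container, and that only works when the siblings are in bridge mode.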
system
Closed
January 20, 2024, 7:39am
7
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.