Installing Docker Kills OpenWrt X86 internet access?

Hi All,

Running OpenWrt X86/64, everything working great until I install docker. Once I installed it, my device loses the ability to access the internet and there's nothing I can see to help me figure out why.

My topology for this device:
Eth0 -> Bridge1 (Br-lan): Spare port, used for direct connection to device when needed
Eth1 -> connected to ISP --------------------------} -> Bridge2 (Firewalled-Br)
Eth2 -> connected to downstream router ------} -> Bridge2 (Firewalled-Br)

Firewalled-Br: Meant to bridge the ISP connection directly to the downstream router, without this device being directly reachable by the ISP or the downstream router (i.e., no IP address assignment to or from either to this device; a transparent bridge is the intent)

VLan (802.1q device from Eth2): Used to create a secure connection from the downstream router directly to this device without circumventing the intent of the Firewalled-Br device. It also allows me to funnel internet access to the device in an on/off manner when I want, via downstream router firewall rules


This is my default setup and it worked as expected prior to installing docker. I see docker added a device, interface, and firewall rules, but nothing stands out to me as to what could have caused it to kill internet access for my device, as I have no idea what it changed to screw it up, so I'm hoping someone can help. Below are my network and firewall configurations; if anything else is needed, please let me know.

Network:


# Loopback interface: static 127.0.0.1/8 on 'lo'.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Global network settings.
config globals 'globals'
	# NOTE(review): 'dead:beef::/48' is outside fc00::/7, the range ULA prefixes
	# come from; presumably a placeholder substituted before posting — confirm.
	option ula_prefix 'dead:beef::/48'
	option packet_steering '2'

# Bridge 'br-lan' with eth0 as its only port (the spare port used for direct
# connection to the device, per the topology above).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# 'lan' obtains its address as a DHCP client on br-lan.
# NOTE(review): no 'defaultroute' option is set here, so a lease received on
# this port could presumably install a default route — worth checking the
# routing table when troubleshooting.
config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

# 802.1Q device 'VLan': VLAN ID 4 tagged on eth2. eth2 is also a port of the
# 'Firewalled-Br' bridge defined below.
config device
	option type '8021q'
	option ifname 'eth2'
	option vid '4'
	option name 'VLan'
	option mtu6 '9000'

# Bridge joining eth1 (ISP side) and eth2 (downstream router side).
# NOTE(review): frames bridged between eth1 and eth2 are switched at layer 2.
# Whether they also pass through the firewall's forward chains depends on
# bridge netfilter (the net.bridge.bridge-nf-call-iptables and
# net.bridge.bridge-nf-call-ip6tables sysctls). Docker setups commonly enable
# these; compare both values before and after installing docker, because that
# setting decides whether the zone forward policies apply to bridged traffic.
config device
	option type 'bridge'
	option name 'Firewalled-Br'
	list ports 'eth1'
	list ports 'eth2'
	option mtu6 '9000'

# Unmanaged interface on the bridge: proto 'none' means no address is
# configured on it here, and it contributes no default route.
config interface 'Firewalled_int'
	option proto 'none'
	option device 'Firewalled-Br'
	option defaultroute '0'

# Static address 172.24.4.40/24 on the VLAN device, with 172.24.4.4 as gateway
# and DNS server. This is the only interface in this file with a 'gateway'
# option, so the device's own internet access presumably depends on this path
# through the downstream router.
config interface 'Internal_Net'
	option proto 'static'
	option device 'VLan'
	option ipaddr '172.24.4.40'
	option netmask '255.255.255.0'
	option gateway '172.24.4.4'
	list dns '172.24.4.4'

# Interface entry for docker0 (described in the post as added by the docker
# install). proto 'none' assigns no address here, auto '0' keeps the interface
# from being brought up automatically, and defaultroute '0' keeps it from
# supplying a default route.
# NOTE(review): addressing on docker0 is presumably handled by dockerd itself,
# outside this file — confirm.
config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'
	option defaultroute '0'

# Bridge device docker0; no ports are listed in this stanza.
config device
	option type 'bridge'
	option name 'docker0'

Firewall:


# Global policy: reject inbound and forwarded traffic that no zone or rule
# accepts, allow outbound traffic, and enable SYN-flood protection.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Zone for the 'lan' network (br-lan / eth0): everything accepted, including
# all traffic addressed to the device itself on that port.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Zone for networks 'wan' and 'wan6', with masquerading and MSS clamping on.
# NOTE(review): neither 'wan' nor 'wan6' is defined in the network config
# shown above, so as posted this zone appears to cover no interface.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

# Allow forwarding from zone 'lan' to zone 'wan'.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below all use src 'wan'.
# NOTE(review): these look like the stock OpenWrt rule set — confirm. Because
# the network config shown defines no 'wan' or 'wan6' interface, they
# presumably match no traffic in this setup.

# Accept IPv4 UDP to port 68 arriving from 'wan'.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Accept IPv4 ICMP echo-request arriving from 'wan'.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IPv4 IGMP arriving from 'wan'.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IPv6 UDP to port 546 arriving from 'wan'.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types from link-local sources (fe80::/10) on 'wan'.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the device from 'wan',
# rate-limited to 1000 per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types forwarded from 'wan' to any zone (dest '*'),
# rate-limited to 1000 per second.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept ESP forwarded from 'wan' to 'lan'.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Accept UDP to port 500 forwarded from 'wan' to 'lan'.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Zone for 'Firewalled_int' (the eth1/eth2 bridge): reject traffic addressed
# to the device and traffic forwarded through the zone, allow outbound.
# NOTE(review): these policies act on packets that traverse the firewall
# chains. Frames bridged between eth1 and eth2 reach the forward policy only
# when bridge netfilter is enabled; with it enabled, forward 'REJECT' would
# presumably apply to the ISP <-> downstream-router traffic too — verify.
config zone
	option name 'Firewalled'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Firewalled_int'

# Zone for 'Internal_Net' (VLAN 4 on eth2): everything accepted, so any host
# on that VLAN can reach every service listening on this device.
config zone
	option name 'Internal_Network'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'Internal_Net'

# Accept TCP from 'Internal_Network' where both the source port and the
# destination port are 80 or 443. No 'dest' is given, so this is a rule for
# traffic addressed to the device itself.
# NOTE(review): clients normally connect from ephemeral source ports, so the
# src_port match would rarely be satisfied; the zone's input policy is already
# ACCEPT, so the rule does not change the outcome as posted. If the zone input
# is later tightened to REJECT, drop src_port so that the rule still admits
# GUI access.
config rule
	option src 'Internal_Network'
	option name 'Internal Access to GUI'
	list proto 'tcp'
	option src_port '80 443'
	option dest_port '80 443'
	option target 'ACCEPT'

# Disabled (enabled '0'): accept ICMP from 'Internal_Network'.
config rule
	option src 'Internal_Network'
	option name 'Allow ping from Internal net'
	list proto 'icmp'
	option target 'ACCEPT'
	option enabled '0'

# Disabled (enabled '0'): accept UDP to port 67 from 'Internal_Network'.
config rule
	option src 'Internal_Network'
	option name 'Allow DHCP in Internal Lan'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
	option enabled '0'

# Allow forwarding from 'Internal_Network' to 'lan' (the spare-port bridge).
config forwarding
	option src 'Internal_Network'
	option dest 'lan'

# Zone for the 'docker' network (docker0): input, output and forward are all
# ACCEPT. Input ACCEPT means traffic arriving from docker0 for the device's
# own services is accepted rather than hitting the default REJECT.
# No 'config forwarding' stanza in the config shown references this zone, so
# forward ACCEPT here covers traffic within the zone only.
# NOTE(review): if containers are not meant to reach the router's GUI/SSH,
# consider input 'REJECT' plus explicit rules for the ports they need.
config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'