do you use reload_config; ifup docker or the opposite order?
and no, the ruleset should not change between pings. the correct order of things is: create the bridge+interface, bring it up, and notify fw4 about the new interface so it inserts the interface-related rules. my guess is that ifup notifies fw4 via a ubus call that the interface is up, hence I suggest that command be last. but uciadd, which creates the docker0 device+interface, only runs at boot, so if you start/stop the dockerd service it will not trigger any network changes. so if there is no lock somewhere, it is not normal that the ruleset changes when you ping from a container. maybe you should wait for the network to settle down and only then do the ping test; if that solves the problem, add some delay to the init script.
the ruleset, by the way, is correct; this is the expected one.
it solves my problem, but is it safe to do this (forward docker to wan)?
and should I leave all of them set to accept (input, output, forward), or should I change one of them to another value?
please answer me kindly, as I'm a noob in networking.
X forward to Y is unidirectional, allowing traffic initiated in zone X to be forwarded to zone Y, but not vice versa! even reply traffic is prohibited by default; you'll need an extra rule, which usually is done using the conntrack module: traffic marked as related+established (i.e. the reply) is allowed back from Y to X.
so if your docker needs to go directly to WAN then this rule is correct. if you set the additional protection (which is commented out by default) in the docker config file, it will drop everything which is not related traffic. so I recommend enabling that.
but. dockerd is using iptables and there is slow to no progress in making it nftables compatible, thus you might want to add fw4 rules just to be on the safe side and not purely rely on the dockerd config.
and you can verify whether the docker->wan forward is correct or not by trying to connect to the docker instance from wan. if you cannot connect without an explicit allow rule, then you are protected.
I have the same problem: network works only in the first docker container. After the first one, there is no network inside docker containers. I've applied all fixes and I can't seem to figure it out. Any ideas?
I'm running OpenWrt 22.03.3, it was working on 21.02.3.
My solution was very simple, as described in /etc/config/dockerd, since I don't need fw4 features:
Docker doesn't work well out of the box with fw4. This is because Docker relies on a compatibility layer that naively translates iptables rules. For the best compatibility replace the following dependencies:
firewall4 -> firewall
iptables-nft -> iptables-legacy
ip6tables-nft -> ip6tables-legacy
between 21.x and 22.x there was a big change, fw3 vs fw4. the former is iptables based, the latter nftables. and docker is not (yet) nftables compatible. also docker run vs docker-compose work differently in terms of network usage, so it is not that convenient to use docker on owrt ... at least this is my experience. it is not owrt's fault; the docker package is just one package of the thousands which is more or less maintained and/or aligned with the owrt network/firewall/uci architecture.
if docker is critical for you and you want more comfort, think about remaining on 21.x.
it is not impossible to use on 22.x though.
just to write that I also have the same problem with docker. my two cents, if it can help with the analysis:
I can add that if (for example) you install nextcloud as per the compose file below, the two containers within the same nextcloud docker network are unable to talk to each other. If you disable the firewall everything works (but it's not a solution).
To reach the nextcloud container (apache frontend) you must necessarily add it to the "bridge" network; otherwise, even by correctly exposing the ports in the nextcloud docker network alone, they will not be reachable from the LAN.
I am following the continuation of the thread with interest
Had the same problem with my docker containers not accessing internet, and also some misbehavior talking to each other.
My Nginx Proxy Manager container gave me some errors while downloading ip-ranges
(ERROR - Fetching https://ip-ranges.amazonaws.com/ip-ranges.json).
Also I was unable to create a proxy from NPM (Nginx Proxy Manager) using the name of the container plus port, like: http://portainer:9000. I had to map the port and also use the host IP address to be able to connect properly. As expected, I was unable to request SSL/TLS certificates from Let's Encrypt.
These steps solved the problem:
1. Did a new image build changing the packages:
firewall4 -> firewall
iptables-nft -> iptables-zz-legacy
ip6tables-nft -> ip6tables-zz-legacy
2. Added a firewall rule for interface docker with Input/Output/Forward set to Accept, and forwarding to WAN.
Not sure if firewall (fw3) is safe as firewall4 (fw4), but everything is working as expected now.
Date: November 3, 2024
I recently tried OpenWrt version 23.05.5 on my PC. It took me a few days to find the right configuration, but I wanted to share my experience and thank everyone for the amazing updates to OpenWrt and its Docker hosting support. Here are the steps I took to resolve issues with Docker daemon connectivity:
Modify the /etc/config/dockerd file (scroll to the bottom of the file):
### Retain default lines
config firewall 'firewall'
	option device 'docker0'
	# list blocked_interfaces 'wan' # Comment this line out to allow access from the WAN interface
	option extra_iptables_args '--match conntrack ! --ctstate RELATED,ESTABLISHED' # Drop traffic into docker0 that is not a reply to a connection the container opened (this line is commented out by default)
Modify the /etc/config/firewall file :
### Retain default lines
config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config forwarding # Allow docker0 to WAN
	option src 'docker'
	option dest 'wan'

config redirect # Expose Portainer to WAN
	option name 'Portainer'
	option src 'wan'
	option src_dport '9002'
	option dest 'lan'
	option dest_ip '172.17.0.1' # Change this IP to match your docker gateway IP
	option dest_port '9002'
	option proto 'tcp'
Reboot the system.
Test internet connectivity within the containers: You can use ping or curl to ensure the container can reach the internet.
docker run --rm -it yauritux/busybox-curl sh
I hope this helps anyone facing similar issues. Thank you again for the fantastic support and updates to OpenWrt!
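The earlier reply explains that a zone forwarding is one-directional (docker->wan lets containers initiate, wan->docker would let the internet initiate), and the post above shows the actual /etc/config/firewall fragment. The script below is an added example, not code from the thread or from OpenWrt: it parses UCI `config`/`option`/`list` syntax and reports which direction the docker<->wan forwarding goes, whether the zone's `input` lets containers talk to the router itself, and which redirects from wan deliberately expose a port. The embedded config is constructed to mirror the posted fragment; the zone names `docker` and `wan`, and the assumption that a zone without an explicit `input` falls back to REJECT, are the script's own.

```python
"""Static audit of an OpenWrt /etc/config/firewall fragment for a docker zone.

Added example, not code from the thread or from OpenWrt. It parses UCI syntax
and reports what the docker<->wan rules actually permit, so the direction of a
forwarding and any WAN-facing redirect can be checked before the live test.
"""
import re
from typing import Dict, List

# Constructed sample mirroring the zone/forwarding/redirect fragment posted
# above. Trailing '# ...' annotations are tolerated here for readability;
# in a real file keep comments on their own line.
SAMPLE_FIREWALL = """\
config zone 'docker'
\toption input 'ACCEPT'
\toption output 'ACCEPT'
\toption forward 'ACCEPT'
\toption name 'docker'
\tlist network 'docker'

config forwarding   # Allow docker0 to WAN
\toption src 'docker'
\toption dest 'wan'

config redirect     # Expose Portainer to WAN
\toption name 'Portainer'
\toption src 'wan'
\toption src_dport '9002'
\toption dest 'lan'
\toption dest_ip '172.17.0.1'
\toption dest_port '9002'
\toption proto 'tcp'
"""

_TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")


def _tokens(line: str) -> List[str]:
    """Split one UCI line into words, honouring quotes and dropping '#' annotations."""
    out: List[str] = []
    for m in _TOKEN.finditer(line):
        sq, dq, bare = m.groups()
        if bare is not None and bare.startswith("#"):
            break
        out.append(sq if sq is not None else dq if dq is not None else bare)
    return out


def parse_uci(text: str) -> List[Dict]:
    """Parse 'config'/'option'/'list' lines into a list of section dicts."""
    sections: List[Dict] = []
    for raw in text.splitlines():
        t = _tokens(raw)
        if not t:
            continue
        if t[0] == "config" and len(t) >= 2:
            sections.append({"type": t[1], "name": t[2] if len(t) > 2 else None,
                             "options": {}, "lists": {}})
        elif t[0] == "option" and sections and len(t) >= 2:
            sections[-1]["options"][t[1]] = t[2] if len(t) > 2 else ""
        elif t[0] == "list" and sections and len(t) >= 3:
            sections[-1]["lists"].setdefault(t[1], []).append(t[2])
    return sections


def audit_zone(sections: List[Dict], zone: str = "docker", wan: str = "wan") -> Dict:
    """Summarise what the config lets the given zone do with respect to wan."""
    zones = {s["options"].get("name", s["name"]): s for s in sections if s["type"] == "zone"}
    pairs = {(s["options"].get("src"), s["options"].get("dest"))
             for s in sections if s["type"] == "forwarding"}
    # A redirect whose src is wan is an explicit, intended exposure of that port.
    wan_redirects = [(s["options"].get("name"), s["options"].get("proto"),
                      s["options"].get("src_dport"), s["options"].get("dest_ip"),
                      s["options"].get("dest_port"))
                     for s in sections
                     if s["type"] == "redirect" and s["options"].get("src") == wan]
    z = zones.get(zone)
    report = {
        "zone_present": z is not None,
        # 'input' on a zone governs traffic from that zone to the router itself;
        # assumption: a missing 'input' falls back to the usual REJECT default.
        "containers_reach_router": bool(z) and z["options"].get("input", "REJECT").upper() == "ACCEPT",
        "zone_to_wan": (zone, wan) in pairs,   # containers may initiate to the internet
        "wan_to_zone": (wan, zone) in pairs,   # the internet may initiate into containers
        "wan_redirects": wan_redirects,
    }
    findings: List[str] = []
    if not report["zone_present"]:
        findings.append(f"zone {zone!r} is not defined")
    if report["wan_to_zone"]:
        findings.append(f"forwarding {wan}->{zone} lets WAN open connections to containers")
    if report["containers_reach_router"]:
        findings.append("input ACCEPT: containers can reach services on the router itself")
    for name, proto, sport, dip, dport in wan_redirects:
        findings.append(f"redirect {name!r}: {wan} {proto}/{sport} -> {dip}:{dport} is exposed on purpose")
    report["findings"] = findings
    return report


if __name__ == "__main__":
    for line in audit_zone(parse_uci(SAMPLE_FIREWALL))["findings"]:
        print(line)
```

To use it on a router, feed it the contents of /etc/config/firewall instead of SAMPLE_FIREWALL. It is a static check only: it tells you what the UCI file asks fw4 for, not what dockerd's own iptables rules add on top, so still do the live test the earlier reply describes and try to connect to the container from the WAN side.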