OpenWRT In Docker: Luci Diagnostic Can Connect to Internet But LAN cannot

I've searched through the archives here and I've seen many posts with issues like mine. However, none of the solutions have worked for me.

I have OpenWRT running in a docker container. I am using docker's macvlan feature to map 2 NICs to the OpenWRT container. One goes to the PPPoE connection from my ISP and the other goes to a switch where LAN devices are connected.

I am able to connect to the LAN and access luci. There I see that the LAN and WAN interfaces are set up and the PPPoE connection is working.

The first problem is that when I run the ping diagnostic in luci I can ping IP addresses (e.g. 1.1.1.1) just fine but not domains, so DNS isn't working. After some digging I discovered that in /etc/resolv.conf the only nameserver entry is mapped to 127.0.0.11. If I change it to 127.0.0.1 DNS starts working immediately. Not sure why I have to do this but I could live with it.

My main issue is that while the luci diagnostics can connect to the internet none of my LAN devices can. It is not a DNS issue as I cannot even ping an IP address.

Here is my Dockerfile and the configs I am mapping.

FROM openwrtorg/rootfs:x86_64-21.02.1
COPY passwd /etc/shadow
RUN mkdir /var/lock && mkdir /var/run
COPY conf/resolv.conf /etc/resolv.conf
COPY conf/openwrt/network /etc/config/network
COPY conf/openwrt/system /etc/config/system
COPY conf/openwrt/dhcp /etc/config/dhcp
EXPOSE 80
USER root
CMD ["/sbin/init"]

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd88:7344:b6fc::/48'

config interface 'lan'
	option device 'eth0'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'pppoe'
	option password '***'
	option username '***'
	option device 'eth1.201'

/etc/config/system

config system
	option hostname 'OpenWrt'
	option timezone 'UTC'
	option ttylogin '0'
	option log_size '64'
	option log_file '/var/log/sys'
	option urandom_seed '0'

config timeserver 'ntp'
	option enabled '1'
	option enable_server '0'
	list server '0.openwrt.pool.ntp.org'
	list server '1.openwrt.pool.ntp.org'
	list server '2.openwrt.pool.ntp.org'
	list server '3.openwrt.pool.ntp.org'

Just an update: I have resolved the first issue mentioned above. It was related to docker and not OpenWRT.

The solution was to add this flag to my docker run command:

--dns 127.0.0.1

The main issue mentioned above still remains.

For posterity, I have found a solution.

Running this on the OpenWrt command line fixes the problem immediately. I've set it up to run every time the network service starts/restarts. I am not sure why I have to do this as the default firewall config should be taking care of it, right?

iptables -t nat -A POSTROUTING -o pppoe-wan -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
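As an added example (not code from the thread or from OpenWrt), here is a way to apply those two rules on every WAN up-event without stacking duplicates: each rule is checked with `iptables -C` before it is appended, and the script reacts to the `ACTION`/`INTERFACE` variables that netifd sets when it sources scripts in /etc/hotplug.d/iface/. The interface name `pppoe-wan` and the logical interface name `wan` are taken from the configs above; `WAN_IF`, `ensure_rule` and `install_nat_rules` are names chosen for this example. These two rules reproduce what the default OpenWrt firewall's wan zone does with its `masq` and `mtu_fix` options.

```shell
#!/bin/sh
# Added example, not from the original thread: install the NAT masquerade and
# TCP MSS clamp rules idempotently, so re-running on every network restart
# does not leave duplicate rules in the nat and filter tables.

# Assumption: the PPPoE interface is named pppoe-wan, as in the thread.
WAN_IF="${WAN_IF:-pppoe-wan}"

# ensure_rule TABLE CHAIN RULE...
# Append RULE to CHAIN in TABLE unless it is already present (checked with -C).
ensure_rule() {
    table="$1"
    chain="$2"
    shift 2
    if iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    iptables -t "$table" -A "$chain" "$@"
}

# Install both rules; returns non-zero if either could not be added.
install_nat_rules() {
    ensure_rule nat POSTROUTING -o "$WAN_IF" -j MASQUERADE || return 1
    ensure_rule filter FORWARD -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu || return 1
    return 0
}

# When placed in /etc/hotplug.d/iface/, netifd sources this file with ACTION
# and INTERFACE set; apply the rules each time the logical 'wan' interface
# (the PPPoE interface in the thread's /etc/config/network) comes up.
if [ "${ACTION:-}" = "ifup" ] && [ "${INTERFACE:-}" = "wan" ]; then
    install_nat_rules
fi
```

Run as root it is a no-op when both rules already exist, so it is safe to trigger repeatedly; `iptables -t nat -S POSTROUTING` and `iptables -S FORWARD` show that only one copy of each rule is present after several runs.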
