Hello everyone,
I've recently created an x86 machine with OpenWrt, and I wanted to have PiHole run on it inside a docker.
I've followed this tutorial and got the PiHole up, but it has no internet access. Every other device on the LAN has internet access, but this docker does not.
My questions are:
What rule was omitted in the guide to allow docker traffic to the internet?
Can I use this PiHole as my DHCP as well?
On an unrelated note, can I use this config with Squid cache with SSL bumping?
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
Then add the following line to it:
	list network 'macvlan'
Restart the network and firewall services.
You created a new interface (macvlan); if it is not assigned to a zone which is allowed to forward traffic to wan, it will not be able to go out to the internet.
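The zone-membership condition stated above can be checked offline against a copy of /etc/config/firewall with nothing more than sh and awk, both of which OpenWrt ships. The script below is an added example (it is not from the thread or the tutorial it follows): it reports whether a named network sits in a zone that has a `config forwarding` entry towards wan, and fails for a network that is in no zone at all. The file path and network name are arguments; the sample config it writes is constructed for the demonstration, not the poster's file.

```shell
#!/bin/sh
# Added example (not from the thread or the tutorial): offline check of an
# OpenWrt /etc/config/firewall answering "is this network in a zone that is
# allowed to forward to wan?". Uses only sh and awk, both present on OpenWrt.

# Constructed sample modelled on the thread's config: macvlan is in 'lan',
# lan forwards to wan, and 'docker' is not a member of any zone.
SAMPLE_FW=$(mktemp)
cat >"$SAMPLE_FW" <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'macvlan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'
EOF

# zone_of_network FILE NETWORK: print the name of every zone listing NETWORK.
# Sections are collected first, so 'option name' may come before or after
# the 'list network' lines (UCI does not fix their order).
zone_of_network() {
    awk -v q="'" -v net="$2" '
        { gsub(q, "") }
        $1 == "config" { s++; type[s] = $2; next }
        $1 == "option" && $2 == "name" { name[s] = $3; next }
        $1 == "list" && $2 == "network" && $3 == net { has[s] = 1; next }
        END { for (i = 1; i <= s; i++) if (type[i] == "zone" && has[i]) print name[i] }
    ' "$1"
}

# forwarding_exists FILE SRC DEST: yes/no for a 'config forwarding' section
# with option src SRC and option dest DEST (rules and redirects are ignored).
forwarding_exists() {
    awk -v q="'" -v src="$2" -v dst="$3" '
        { gsub(q, "") }
        $1 == "config" { s++; type[s] = $2; next }
        $1 == "option" && $2 == "src"  { fsrc[s] = $3; next }
        $1 == "option" && $2 == "dest" { fdst[s] = $3; next }
        END {
            for (i = 1; i <= s; i++)
                if (type[i] == "forwarding" && fsrc[i] == src && fdst[i] == dst) { print "yes"; exit }
            print "no"
        }
    ' "$1"
}

# network_can_reach_wan FILE NETWORK: exit 0 if NETWORK is in a zone that
# forwards to wan, 1 otherwise, printing a one-line explanation either way.
network_can_reach_wan() {
    ncr_zones=$(zone_of_network "$1" "$2")
    if [ -z "$ncr_zones" ]; then
        echo "$2: not a member of any zone"
        return 1
    fi
    for ncr_z in $ncr_zones; do
        if [ "$(forwarding_exists "$1" "$ncr_z" wan)" = yes ]; then
            echo "$2: zone '$ncr_z' forwards to wan"
            return 0
        fi
    done
    echo "$2: in zone(s) $ncr_zones, but no forwarding to wan"
    return 1
}

network_can_reach_wan "$SAMPLE_FW" macvlan        # zone 'lan' forwards to wan
network_can_reach_wan "$SAMPLE_FW" docker || :    # not a member of any zone
```

On the router itself, `network_can_reach_wan /etc/config/firewall macvlan` reads the live file. It looks only at zone membership and forwarding sections; rules, redirects and the docker-managed iptables chains are outside its scope, so a "forwards to wan" result rules out one cause, not all of them.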
Sorry, I don't have SSH access on the computer that's connected to the LAN port right now, so these screenshots are the best I can do for now.
They show that macvlan is under the lan zone and lan is allowed to forward to wan.
I have made the changes through luci though, do I still need to restart the services?
Also, the luci web terminal app is not working for me, I just see a blank page.
The 10-fixroutes.sh is supposedly meant for enabling the internet on pihole by fixing the routes. Could you share the output of the following:
docker exec -it pihole ip a
docker exec -it pihole ip route
docker logs pihole
Personally, I didn't do this in the tutorial because OpenWrt has almost the same DHCP features as pihole, meaning OpenWrt runs dnsmasq and pihole also runs dnsmasq. On the other hand, I'd think it could work by disabling dnsmasq on OpenWrt and enabling DHCP on pihole, because in this setup pihole has its own IP address in the network, so it is pretty much isolated from OpenWrt's IP. There might be some added privileges needed in the docker-compose.yml, and I remember that the pihole docs cover this topic very well. I'd suggest you take things one step at a time: maybe complete the steps in the tutorial, then try to enable DHCP on pihole.
I know squid and have used it before, but I do not know about squid cache and SSL bumping. Could you share with us some references or links so we could better understand what you're trying to achieve? Has there been any previous discussion or tutorial in the pihole forums, maybe?
That's not entirely true; it's a bit different than that. Macvlan was only meant to give pihole an IP in the LAN network. For internet access to the container we rely on docker networking and NATting, which will eventually use OpenWrt's IP to access the internet.
I see no contradiction between your comment and mine: in general it is true that if some interface is not in a zone which allows wan access, then it will not be able to go out to the internet. If the new macvlan interface is in the lan zone too, then it is not the root problem but something else (for example default docker restrictions, if any).
docker exec -it pihole ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
9: eth0@if4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default
link/ether 02:42:c0:a8:01:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.1.3/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
10: eth1@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.18.0.2/16 brd 172.18.255.255 scope global eth1
valid_lft forever preferred_lft forever
docker exec -it pihole ip route
default via 172.18.0.1 dev eth1
172.18.0.0/16 dev eth1 proto kernel scope link src 172.18.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.3 linkdown
docker logs pihole
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying...
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 05-changer-uid-gid.sh: executing...
[cont-init.d] 05-changer-uid-gid.sh: exited 0.
[cont-init.d] 10-fixroutes.sh: executing...
fixing routes
done fixing routes
[cont-init.d] 10-fixroutes.sh: exited 0.
[cont-init.d] 20-start.sh: executing...
::: Starting docker specific checks & setup for docker pihole/pihole
Failed to set capabilities on file `/usr/bin/pihole-FTL' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
Assigning random password: plZlzZlE
[i] Installing configs from /etc/.pihole...
[i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
[✓] Installed /etc/dnsmasq.d/01-pihole.conf
[✓] Installed /etc/dnsmasq.d/06-rfc6761.conf
Configuring default DNS servers: 8.8.8.8, 8.8.4.4
[✓] New password set
DNSMasq binding to default interface: eth0
Added ENV to php:
"TZ" => "redacted",
"PIHOLE_DOCKER_TAG" => "2022.05",
"PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
"ServerIP" => "0.0.0.0",
"CORS_HOSTS" => "",
"VIRTUAL_HOST" => "0.0.0.0",
Using IPv4 and IPv6
::: setup_blocklists now setting default blocklists up:
::: TIP: Use a docker volume for /etc/pihole/adlists.list if you want to customize for first boot
::: Blocklists (/etc/pihole/adlists.list) now set to:
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
::: Testing lighttpd config: Syntax OK
::: All config checks passed, cleared for startup ...
::: Enabling Query Logging
[i] Enabling logging...
[✓] Logging has been enabled!
::: Docker start setup complete
Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
Pi-hole version is v5.10 (Latest: ERROR)
AdminLTE version is v5.12 (Latest: ERROR)
FTL version is v5.15 (Latest: ERROR)
Container tag is: 2022.05
[cont-init.d] 20-start.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
Starting crond
Starting lighttpd
Starting pihole-FTL (no-daemon) as root
[services.d] done.
Stopping pihole-FTL
Stopping cron
Stopping lighttpd
[cont-finish.d] executing container finish scripts...
s6-svc: fatal: unable to control /var/run/s6/services/lighttpd-access-log: supervisor not listening
[cont-finish.d] done.
[s6-finish] waiting for services.
s6-svc: fatal: unable to control /var/run/s6/services/lighttpd-error-log: supervisor not listening
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying...
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 05-changer-uid-gid.sh: executing...
[cont-init.d] 05-changer-uid-gid.sh: exited 0.
[cont-init.d] 10-fixroutes.sh: executing...
fixing routes
done fixing routes
[cont-init.d] 10-fixroutes.sh: exited 0.
[cont-init.d] 20-start.sh: executing...
::: Starting docker specific checks & setup for docker pihole/pihole
Failed to set capabilities on file `/usr/bin/pihole-FTL' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
Assigning random password: kIvpEopj
[i] Installing configs from /etc/.pihole...
[i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
[✓] Installed /etc/dnsmasq.d/01-pihole.conf
[✓] Installed /etc/dnsmasq.d/06-rfc6761.conf
Existing DNS servers detected in setupVars.conf. Leaving them alone
::: Pre existing WEBPASSWORD found
DNSMasq binding to default interface: eth0
Added ENV to php:
"TZ" => "redacted",
"PIHOLE_DOCKER_TAG" => "2022.05",
"PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
"ServerIP" => "0.0.0.0",
"CORS_HOSTS" => "",
"VIRTUAL_HOST" => "0.0.0.0",
Using IPv4 and IPv6
::: setup_blocklists now setting default blocklists up:
::: TIP: Use a docker volume for /etc/pihole/adlists.list if you want to customize for first boot
::: Blocklists (/etc/pihole/adlists.list) now set to:
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
::: Testing lighttpd config: Syntax OK
::: All config checks passed, cleared for startup ...
::: Enabling Query Logging
[i] Enabling logging...
[✓] Logging has been enabled!
::: Docker start setup complete
Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
Current Pi-hole version is v5.10
Current AdminLTE version is v5.12
Current FTL version is v5.15
Container tag is: 2022.05
[cont-init.d] 20-start.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
Starting crond
Starting lighttpd
Starting pihole-FTL (no-daemon) as root
[services.d] done.
Stopping pihole-FTL
Starting pihole-FTL (no-daemon) as root
Stopping pihole-FTL
Starting pihole-FTL (no-daemon) as root
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying...
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 05-changer-uid-gid.sh: executing...
[cont-init.d] 05-changer-uid-gid.sh: exited 0.
[cont-init.d] 10-fixroutes.sh: executing...
fixing routes
done fixing routes
[cont-init.d] 10-fixroutes.sh: exited 0.
[cont-init.d] 20-start.sh: executing...
::: Starting docker specific checks & setup for docker pihole/pihole
Failed to set capabilities on file `/usr/bin/pihole-FTL' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
Assigning random password: lD6ZxqW5
[i] Installing configs from /etc/.pihole...
[i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
[✓] Installed /etc/dnsmasq.d/01-pihole.conf
[✓] Installed /etc/dnsmasq.d/06-rfc6761.conf
Existing DNS servers detected in setupVars.conf. Leaving them alone
::: Pre existing WEBPASSWORD found
DNSMasq binding to default interface: eth0
Added ENV to php:
"TZ" => "redacted",
"PIHOLE_DOCKER_TAG" => "2022.05",
"PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
"ServerIP" => "0.0.0.0",
"CORS_HOSTS" => "",
"VIRTUAL_HOST" => "0.0.0.0",
Using IPv4 and IPv6
::: Preexisting ad list /etc/pihole/adlists.list detected ((exiting setup_blocklists early))
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
::: Testing lighttpd config: Syntax OK
::: All config checks passed, cleared for startup ...
::: Enabling Query Logging
[i] Enabling logging...
[✓] Logging has been enabled!
::: Docker start setup complete
Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
Current Pi-hole version is v5.10
Current AdminLTE version is v5.12
Current FTL version is v5.15
Container tag is: 2022.05
[cont-init.d] 20-start.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
Starting crond
Starting lighttpd
Starting pihole-FTL (no-daemon) as root
[services.d] done.
Stopping pihole-FTL
Starting pihole-FTL (no-daemon) as root
That's all the outputs.
I mainly used pihole as a DHCP just because that way I'd get the names of the machines to show up in pihole. If there's a way to do that, I'm good with it being just a DNS.
Yes, I did, as part of testing if that's the cause.
cat /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'configuration'
	list network 'docker'
	list network 'lan'
	list network 'macvlan'
	list device 'eth0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WAN'
	list network 'WANtemp'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Preparation for deploy'
	option src 'wan'
	option src_dport 'port'
	option dest_ip 'lan ip'
	option dest_port 'port'

config nat
	option name 'LAN => WAN'
	list proto 'all'
	option src 'wan'
	option target 'SNAT'
	option snat_ip 'WAN-IP'

config forwarding
	option src 'docker'
	option dest 'lan'
Hope this helps. Also, I did not see where I set the DNS for OpenWrt to be the PiHole; it's been a minute since I've used OpenWrt.
Once you have pihole running, you could modify the upstream DNS servers from the pihole admin or in the setupVars.conf.
I noticed that you're running the 2022.05 version of pihole instead of the 2021.09 mentioned in the tutorial. Your pihole logs seem to say that things are working fine for the most part. Could you tell if there are any other differences in the docker-compose.yml file compared to the one in the tutorial?
Let us fix a few things in /etc/config/firewall to be similar to mine and do one more test. I've labelled with flashes >>>> <<<< the areas in your file to be modified. First create a backup of the file just in case:
cp -a /etc/config/firewall /etc/config/firewall.backup
Then apply the below changes:
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'configuration'
>>>> START: Delete the below line <<<<
	list network 'docker'
>>>> END <<<<
	list network 'lan'
	list network 'macvlan'
	list device 'eth0'

....

config nat
	option name 'LAN => WAN'
	list proto 'all'
	option src 'wan'
	option target 'SNAT'
	option snat_ip 'WAN-IP'

>>>> START: Delete the below section <<<<
config forwarding
	option src 'docker'
	option dest 'lan'
>>>> END: Delete the below section <<<<
Afterwards, run the following; it reloads the firewall and network services and also deletes the current pihole container and any docker networks so that they are re-created cleanly:
/etc/init.d/network restart
/etc/init.d/firewall restart
docker stop pihole
docker rm pihole
docker network rm lan
docker network rm root_internal
cd ~
docker-compose up -d pihole
Finally run the following and share the output:
docker exec -it pihole ip a
docker exec -it pihole ip route
docker logs pihole
docker exec -it pihole ping 8.8.8.8
Just the Timezone that has changed to my timezone.
docker exec -it pihole ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
15: eth0@if12: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default
link/ether 02:42:c0:a8:01:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.1.3/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
16: eth1@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.18.0.2/16 brd 172.18.255.255 scope global eth1
valid_lft forever preferred_lft forever
default via 172.18.0.1 dev eth1
172.18.0.0/16 dev eth1 proto kernel scope link src 172.18.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.3 linkdown
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] 01-resolver-resolv: applying...
[fix-attrs.d] 01-resolver-resolv: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 05-changer-uid-gid.sh: executing...
[cont-init.d] 05-changer-uid-gid.sh: exited 0.
[cont-init.d] 10-fixroutes.sh: executing...
fixing routes
done fixing routes
[cont-init.d] 10-fixroutes.sh: exited 0.
[cont-init.d] 20-start.sh: executing...
::: Starting docker specific checks & setup for docker pihole/pihole
Failed to set capabilities on file `/usr/bin/pihole-FTL' (Operation not supported)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
Assigning random password: TuDdo_sB
[i] Installing configs from /etc/.pihole...
[i] Existing dnsmasq.conf found... it is not a Pi-hole file, leaving alone!
[✓] Installed /etc/dnsmasq.d/01-pihole.conf
[✓] Installed /etc/dnsmasq.d/06-rfc6761.conf
Existing DNS servers detected in setupVars.conf. Leaving them alone
::: Pre existing WEBPASSWORD found
DNSMasq binding to default interface: eth0
Added ENV to php:
"TZ" => "redacted",
"PIHOLE_DOCKER_TAG" => "2022.05",
"PHP_ERROR_LOG" => "/var/log/lighttpd/error.log",
"ServerIP" => "0.0.0.0",
"CORS_HOSTS" => "",
"VIRTUAL_HOST" => "0.0.0.0",
Using IPv4 and IPv6
::: Preexisting ad list /etc/pihole/adlists.list detected ((exiting setup_blocklists early))
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
::: Testing lighttpd config: Syntax OK
::: All config checks passed, cleared for startup ...
::: Enabling Query Logging
[i] Enabling logging...
[✓] Logging has been enabled!
::: Docker start setup complete
Checking if custom gravity.db is set in /etc/pihole/pihole-FTL.conf
Current Pi-hole version is v5.10
Current AdminLTE version is v5.12
Current FTL version is v5.15
Container tag is: 2022.05
[cont-init.d] 20-start.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
Starting lighttpd
Starting crond
Starting pihole-FTL (no-daemon) as root
[services.d] done.
docker exec -it pihole ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 172.18.0.1 icmp_seq=1 Destination Port Unreachable
From 172.18.0.1 icmp_seq=2 Destination Port Unreachable
From 172.18.0.1 icmp_seq=3 Destination Port Unreachable
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2086ms
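The three outputs just posted carry the whole diagnosis once you know which fields to read. As an added example (not from the thread), the sh/awk helpers below pull those fields out: `NO-CARRIER` / `LOWERLAYERDOWN` on an interface (a macvlan child inherits its parent's carrier state), a route the kernel flags `linkdown`, the interface the default route actually uses, and, for ping, which address sent each ICMP error. That last one matters most: an error coming from the container's own gateway (172.18.0.1, the host side of the docker network) rather than from some hop beyond it means the packet was refused locally, which is exactly what an iptables `REJECT --reject-with icmp-port-unreachable` produces. The sample text is constructed after the outputs above; real output is fed on stdin the same way.

```shell
#!/bin/sh
# Added example, not part of the thread: sh/awk readers for the three
# container-side outputs (ip a, ip route, ping) that extract the facts the
# diagnosis turns on. Samples are constructed after the thread's output.

IP_A=$(cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
15: eth0@if12: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default
    inet 192.168.1.3/24 brd 192.168.1.255 scope global eth0
16: eth1@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth1
EOF
)

IP_ROUTE=$(cat <<'EOF'
default via 172.18.0.1 dev eth1
172.18.0.0/16 dev eth1 proto kernel scope link src 172.18.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.3 linkdown
EOF
)

PING=$(cat <<'EOF'
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 172.18.0.1 icmp_seq=1 Destination Port Unreachable
From 172.18.0.1 icmp_seq=2 Destination Port Unreachable
From 172.18.0.1 icmp_seq=3 Destination Port Unreachable
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2086ms
EOF
)

# down_interfaces: names of interfaces reported NO-CARRIER or LOWERLAYERDOWN.
# "eth0@if12:" is trimmed to "eth0".
down_interfaces() {
    awk '/^[0-9]+: / && (/NO-CARRIER/ || /LOWERLAYERDOWN/) {
        name = $2; sub(/@.*/, "", name); sub(/:$/, "", name); print name
    }'
}

# default_route_dev: the interface the default route leaves through.
default_route_dev() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# linkdown_routes: prefixes whose route the kernel has flagged linkdown.
linkdown_routes() {
    awk '/linkdown/ { print $1 }'
}

# icmp_error_sources: one "<sender> <count> <message>" line per distinct
# ICMP error, in first-seen order. The sender is the hop that refused the
# packet; the container's own gateway means a local firewall verdict.
icmp_error_sources() {
    awk '$1 == "From" {
        msg = ""
        for (i = 4; i <= NF; i++) msg = msg (i > 4 ? " " : "") $i
        key = $2 "|" msg
        if (!(key in count)) keys[++n] = key
        count[key]++
    }
    END { for (i = 1; i <= n; i++) { split(keys[i], p, "|"); print p[1], count[keys[i]], p[2] } }'
}

summarise() {
    echo "default route leaves via:   $(printf '%s\n' "$IP_ROUTE" | default_route_dev)"
    echo "interfaces without carrier: $(printf '%s\n' "$IP_A" | down_interfaces | tr '\n' ' ')"
    echo "routes flagged linkdown:    $(printf '%s\n' "$IP_ROUTE" | linkdown_routes | tr '\n' ' ')"
    echo "ICMP errors by sender:      $(printf '%s\n' "$PING" | icmp_error_sources)"
}

summarise
```

Against the sample this yields: default route via eth1 (the docker network, not the macvlan leg), eth0 without carrier, 192.168.1.0/24 flagged linkdown, and all three errors sent by 172.18.0.1. Run on live output, e.g. `docker exec pihole ip route | linkdown_routes`, the same functions separate "the macvlan side has no link" from "the host refused the packet" before any firewall rule is touched.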
Ok, I know you've mentioned that the devices on the LAN have internet access; I'm just wondering if OpenWrt itself has internet access. Can you run the following (more diagnostic commands):
ip a
ip route
ping 8.8.8.8
docker exec -it pihole ping 192.168.1.1
I am connecting to the SSH from the WAN side for now, so the ping goes through for sure, but here are the results of the last command:
docker exec -it pihole ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
From 192.168.1.3 icmp_seq=1 Destination Host Unreachable
From 192.168.1.3 icmp_seq=2 Destination Host Unreachable
From 192.168.1.3 icmp_seq=3 Destination Host Unreachable
From 192.168.1.3 icmp_seq=5 Destination Host Unreachable
From 192.168.1.3 icmp_seq=6 Destination Host Unreachable
^C
--- 192.168.1.1 ping statistics ---
7 packets transmitted, 0 received, +5 errors, 100% packet loss, time 6217ms
pipe 4
ip route
default via "WAN" dev eth0 src "WAN Address"
172.18.0.0/16 dev br-05b2f1342e81 scope link src 172.18.0.1
172.24.0.0/16 dev br-bbea65257fa0 scope link src 172.24.0.1
192.168.1.3 dev br-lan.20 scope link
WAN Network/24 dev eth0 scope link src WAN Address
LAN Network/24 dev br-lan scope link src LAN Address
Can't seem to tell where the problem is. From the container side it seems that the docker network is OK but the macvlan is not. On the other hand, OpenWrt shows that the docker networks are OK (though the container can't reach the internet), has a working WAN, and it seems that the macvlan is OK. Gonna need to do more digging; I'm thinking of spinning up a clean OpenWrt VM, going through a test of the tutorial, trying the updated image and so on, hopefully to get the same problem as yours. Could you share with me the output of the below:
I think I found the culprit (and also went down memory lane). A few things I discovered:
OpenWrt 22.03-rc4 uses nft instead of iptables; I'm currently running OpenWrt version 21.02, which uses iptables (docker version is 20.10.8). I'm not an expert in either of them, but it seems some things have changed with nft. I opened the firewall (under Status in luci) while running the ping from within the pihole container, and found one rule under "PREROUTING" which had the packet count increasing. It looks like the packets are getting stuck there.
I compared using iptables (though this may not be the right way of doing this), and found that some rules are different compared to my working setup, particularly the docker related ones. Most rules were there, except that they didn't have the same order (in iptables, order matters), and there was one extra rule added (shown below) which I didn't find in my working setup. So I tried removing it using iptables, but that didn't help.
-A DOCKER-USER -i eth1 -o docker0 -j REJECT --reject-with icmp-port-unreachable
Forgot to mention, the macvlan setup worked just fine with me. I accidentally asked you to test the ping to 192.168.1.1, but instead it should have been to 192.168.1.2. Try the following:
watch is a nice tool to monitor if something changes, so monitoring a CHAIN could help to understand which rule matches while doing a ping, for example.
In theory, to override this generic deny rule -A DOCKER-USER -i eth1 -o docker0 -j REJECT --reject-with icmp-port-unreachable, inserting an ACCEPT rule before it would suffice ... if this reject rule is what is blocking the traffic.
But honestly speaking, fw4 is pretty new and docker networking can be complicated on its own, so maybe you should go in another direction ... another idea is to just switch off docker's iptables support, which may interfere with nftables(?), by setting option iptables '0' in /etc/config/docker.
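The "order matters" and "insert an ACCEPT before it" points above can be seen without touching the live firewall. The script below is an added example (not from the thread): it evaluates iptables rule text offline with the same first-match semantics a chain has, for rules that match only on input and output interface, and never calls iptables. The REJECT line is the one quoted above; the ACCEPT lines and the interface pair eth1/docker0 used in the queries are constructed from it. Negated matches (`! -i`) and match modules are outside what this simulator understands.

```shell
#!/bin/sh
# Added example (not from the thread): first-match simulator for interface-
# only rules in an iptables user chain, showing why the position of the
# DOCKER-USER REJECT rule decides the verdict. Evaluates text only; it never
# runs iptables. Rule sets are constructed around the rule quoted in the thread.

# chain_verdict IN_IF OUT_IF: reads iptables command lines from stdin
# (-A appends, -I inserts at the head, like 'iptables -I CHAIN' with no rule
# number) and prints the target of the first rule whose -i/-o match. A rule
# without -i or -o matches any interface on that side. Falling off the end of
# a user chain hands the packet back to the caller, reported here as RETURN.
chain_verdict() {
    awk -v inif="$1" -v outif="$2" '
        {
            ii = ""; oo = ""; tgt = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") ii = $(i + 1)
                else if ($i == "-o") oo = $(i + 1)
                else if ($i == "-j") tgt = $(i + 1)
            }
            rule = ii "|" oo "|" tgt
            if ($1 == "-I") {
                for (k = n; k >= 1; k--) r[k + 1] = r[k]
                r[1] = rule; n++
            } else {
                r[++n] = rule
            }
        }
        END {
            for (k = 1; k <= n; k++) {
                split(r[k], p, "|")
                if ((p[1] == "" || p[1] == inif) && (p[2] == "" || p[2] == outif)) { print p[3]; exit }
            }
            print "RETURN"
        }'
}

# verdict RULES IN_IF OUT_IF: convenience wrapper around chain_verdict.
verdict() {
    printf '%s\n' "$1" | chain_verdict "$2" "$3"
}

# The rule quoted in the thread, on its own.
ORIGINAL_CHAIN='-A DOCKER-USER -i eth1 -o docker0 -j REJECT --reject-with icmp-port-unreachable'

# The suggestion above: an ACCEPT inserted ahead of the REJECT (constructed).
INSERTED_CHAIN="$ORIGINAL_CHAIN
-I DOCKER-USER -i eth1 -o docker0 -j ACCEPT"

# The same ACCEPT appended instead of inserted: it sits behind the REJECT
# and never gets to match (constructed).
APPENDED_CHAIN="$ORIGINAL_CHAIN
-A DOCKER-USER -i eth1 -o docker0 -j ACCEPT"

echo "original chain,  eth1 -> docker0: $(verdict "$ORIGINAL_CHAIN" eth1 docker0)"   # REJECT
echo "ACCEPT inserted, eth1 -> docker0: $(verdict "$INSERTED_CHAIN" eth1 docker0)"   # ACCEPT
echo "ACCEPT appended, eth1 -> docker0: $(verdict "$APPENDED_CHAIN" eth1 docker0)"   # REJECT
echo "original chain,  eth0 -> docker0: $(verdict "$ORIGINAL_CHAIN" eth0 docker0)"   # RETURN
```

To run the same comparison against a real box, feed it `iptables -S DOCKER-USER` output (each line is already in `-A CHAIN ...` form) and query the interface pair that the failing traffic actually uses; if the verdict is RETURN the blocking rule lives in another chain, not in DOCKER-USER.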