Docker cannot communicate outside its own IP range


Zeze21

Docker seems to not be able to communicate outside the Docker network, after several problems I had initially when upgrading from 6.11.5 to 6.12.3.

 

I have a bit of a special setup:

 

I have a Fritzbox 7590 as router with DHCP disabled. Its IPv4 address is 10.10.10.1 with the subnet mask 255.255.0.0.

I have a Raspberry Pi with AdGuard Home running. It acts as my DNS server and has DHCP enabled. Its IPv4 address is 10.10.10.2 and it gives out IP addresses from 10.10.100.1 to 10.10.100.255.

My smart home devices all have fixed IP addresses in the range 10.10.11.1 to 10.10.11.255.

Home Assistant runs as a VM and has the IPv4 address 10.10.11.1.

My Unraid server has 10.10.10.10.

I have a Windows 11 VM with 10.10.10.11.

 

I have several Docker containers (Nextcloud, Guacamole, Home Assistant and others) which all run in bridge mode and are accessible from their respective subdomains.

While Nextcloud, Bitwarden and others work fine, Guacamole works partially (I can load Guacamole as a service but cannot connect to my VM) and Home Assistant just gives me a 502.

 

To my understanding the common thing here is that the Docker containers seem to be unable to connect outside the Docker network itself. (At least that's how I would explain why Guacamole loads up fine but I cannot connect to a VM, and Home Assistant does not work.)

 

This is my docker config:

(two screenshots of the Docker container settings, not reproduced)

In Swag:

nextcloud.subdomain.config:

 

## Version 2023/06/24
# make sure that your nextcloud container is named nextcloud
# make sure that your dns has a cname set for nextcloud
# assuming this container is called "swag", edit your nextcloud container's config
# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
#  'trusted_proxies' => ['swag'],
#  'overwrite.cli.url' => 'https://nextcloud.example.com/',
#  'overwritehost' => 'nextcloud.example.com',
#  'overwriteprotocol' => 'https',
#
# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
#  array (
#    0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
#    1 => 'nextcloud.example.com',
#  ),

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 10.10.10.10;
        set $upstream_port 1443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        # Hide proxy response headers from Nextcloud that conflict with ssl.conf
        # Uncomment the Optional additional headers in SWAG's ssl.conf to pass Nextcloud's security scan
        proxy_hide_header Referrer-Policy;
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-XSS-Protection;

        # Disable proxy buffering
        proxy_buffering off;
    }
}

 

guacamole.subdomain.config:

 

## Version 2023/05/31
# make sure that your guacamole container is named guacamole
# make sure that your dns has a cname set for guacamole

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name remote.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;

    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;

    # enable for Authentik (requires authentik-location.conf in the location block)
    #include /config/nginx/authentik-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;

        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 10.10.10.10;
        set $upstream_port 8088;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_buffering off;
    }
}

 

homeassistant.subdomain.config:

## Version 2023/05/31
# make sure that your homeassistant container is named homeassistant
# make sure that your dns has a cname set for homeassistant

# As of homeassistant 2021.7.0, it is now required to define the network range your proxy resides in, this is done in Homeassitants configuration.yaml
# https://www.home-assistant.io/integrations/http/#trusted_proxies
# Example below uses the default dockernetwork ranges, you may need to update this if you dont use defaults.
#
# http:
#   use_x_forwarded_for: true
#   trusted_proxies:
#     - 172.16.0.0/12

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name home.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;

    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;

    # enable for Authentik (requires authentik-location.conf in the location block)
    #include /config/nginx/authentik-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;

        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 10.10.11.1;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location ~ ^/(api|local|media)/ {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 10.10.11.1;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

 

The swag logs give absolutely no error:

[migrations] started
[migrations] 01-nginx-site-confs-default: skipped
[migrations] done
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗ 
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝ 

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    99
User GID:    100
───────────────────────────────────────

using keys found in /config/keys
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=mydomain.com
SUBDOMAINS=cloud,heim,home,media,remote,robot,vaultwarden,vpn
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
CERTPROVIDER=
DNSPLUGIN=cloudflare
EMAIL=
STAGING=false

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Sub-domains processed are: cloud.mydomain.com,heim.mydomain.com,home.mydomain.com,media.mydomain.com,remote.mydomain.com,robot.mydomain.com,vaultwarden.mydomain.com,vpn.mydomain.com
No e-mail address entered or address invalid
http validation is selected
Certificate exists; parameters unchanged; starting nginx
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[custom-init] No custom files found, skipping...
[ls.io-init] done.
Server ready

So to my understanding SWAG should be configured correctly, but the Docker network seems to have a slight "hiccup".

Just to clarify: the log is with the correct domain, not mydomain.com.

Also, the VMs work fine when connecting to them within my own network or via VPN (Windows can be loaded up via RDP). Home Assistant can be accessed via 10.10.11.1:8123.

 

Can someone please help me out? Thank you all so much!

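Added diagnostic, not part of the post above and not code from the SWAG project: nginx answers 502 when it cannot open the connection to `$upstream_app:$upstream_port` (a Home Assistant `trusted_proxies` mismatch produces a 400, not a 502), so the first thing to establish is which upstreams each site conf actually needs and whether the swag container can reach them over TCP. The script below pulls the `set $upstream_*` triples out of the site confs posted above (embedded here as constructed sample text), classifies each target as Docker-bridge or LAN, and can probe it. The address plan (LAN 10.10.0.0/16, Docker default bridge 172.17.0.0/16) is an assumption taken from the post; the example assumes python3 is available inside the swag container, which the image ships for certbot.

```python
"""List the upstreams SWAG's site confs proxy to and TCP-probe them from inside the container."""
import ipaddress
import re
import socket
from typing import Dict, List, Tuple

# Constructed sample input: the location blocks from the three site confs in the post,
# reduced to the lines that decide where nginx connects.
SAMPLE_CONFS: Dict[str, str] = {
    "nextcloud.subdomain.conf": """
    location / {
        set $upstream_app 10.10.10.10;
        set $upstream_port 1443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
""",
    "guacamole.subdomain.conf": """
    location / {
        set $upstream_app 10.10.10.10;
        set $upstream_port 8088;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
""",
    "homeassistant.subdomain.conf": """
    location / {
        set $upstream_app 10.10.11.1;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
    location ~ ^/(api|local|media)/ {
        set $upstream_app 10.10.11.1;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
""",
}

# Assumed address plan (from the post's description; adjust to your own network).
LAN_NET = ipaddress.ip_network("10.10.0.0/16")
DOCKER_BRIDGE_NET = ipaddress.ip_network("172.17.0.0/16")

SET_RE = re.compile(r"set\s+\$upstream_(app|port|proto)\s+([^;\s]+)\s*;")


def parse_upstreams(conf_text: str) -> List[Tuple[str, str, int]]:
    """Return the distinct (proto, host, port) targets in a site conf.

    Each location block sets app, port and proto once; we emit one target per
    completed triple and drop duplicates (HA's two location blocks share one target).
    """
    targets: List[Tuple[str, str, int]] = []
    current: Dict[str, str] = {}
    for key, value in SET_RE.findall(conf_text):
        current[key] = value
        if {"app", "port", "proto"} <= current.keys():
            target = (current["proto"], current["app"], int(current["port"]))
            if target not in targets:
                targets.append(target)
            current = {}
    return targets


def classify(host: str) -> str:
    """Which network the target is on: 'docker-bridge', 'lan', 'other', or 'dns-name'."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "dns-name"  # a container name, resolved via resolver.conf inside Docker
    if addr in DOCKER_BRIDGE_NET:
        return "docker-bridge"
    if addr in LAN_NET:
        return "lan"
    return "other"


def probe(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """TCP-connect to host:port. Returns (reachable, detail); detail names the
    container-side source address, which is what the host NATs before the upstream sees it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return True, f"connected from {sock.getsockname()[0]}"
    except OSError as exc:
        return False, str(exc)


def report(confs: Dict[str, str], do_probe: bool = False) -> List[Dict[str, object]]:
    """One row per (conf, target); probing only when asked, so parsing works offline."""
    rows: List[Dict[str, object]] = []
    for name, text in confs.items():
        for proto, host, port in parse_upstreams(text):
            row: Dict[str, object] = {"conf": name, "proto": proto, "host": host,
                                      "port": port, "net": classify(host)}
            if do_probe:
                row["reachable"], row["detail"] = probe(host, port)
            rows.append(row)
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_CONFS, do_probe=True):
        print(row)
```

Run it inside the container (for example `docker exec -it swag python3 /config/probe.py`) so the connection attempts originate from the same network namespace nginx uses. Every target in the posted confs classifies as `lan`, i.e. none is on the Docker bridge; a `reachable: False` for 10.10.11.1:8123 or 10.10.10.10:8088 while the same ports answer from a LAN host confirms the symptom the post describes and narrows it to container egress rather than to nginx or the applications.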