wildfire305 Posted May 6 Share Posted May 6 Hi all, I have successfully set up my first domain and I'm running several services outside of my network through swag. There is one item that intrigues me and I need a little help with direction. I have successfully set up a Windows vm with a program that quite a few of my friends want to use. It is a program that doesn't require Internet and is based locally on the windows vm. I have also set up Apache guacamole and can easily connect to that vm. The next step I completed was isolation of the vm and Apache guacamole docker onto their own vlan to prevent access to my local home network. So it looks like this: home network=192.168.1.x separate vlan 222 for vm and Apache guacamole=192.168.222.x How do I connect clients using a subdomain (i.e. vms.domain.org) to Apache guacamole on a separate vlan using my existing Swag setup (set up on proxynet using spaceinvaderones instructions)? I'm missing the step or process or what I even need to do to "build a bridge" between the two containers swag on the one network and Apache guacamole on the other. I have no issue configuring swag for other dockers on the same network, and have passed through many services this way. I have a unifi router if that information helps and that is controlling the vlan. I have a filtering rule to cut the vm off from the Internet. The vlan it is on is already isolated from the main network (needed to prevent any access from the vm to home network). So in summary, I want to route all traffic from vms.domain.org to Apache guacamole serving vms on a separate vlan through an existing swag container that is already servicing the domain requests. Quote Link to comment
bmartino1 Posted May 6 Share Posted May 6 you would need to setup a reverse proxy. i would recommend installing ngin proxy manger to help rout and setup access. Then port forward the revers proxy Quote Link to comment
wildfire305 Posted May 6 Author Share Posted May 6 I have that set up already using swag container. But I don't know how to bridge the gap between swag on one docker network to Apache guacamole on a separate vlan Quote Link to comment
wildfire305 Posted May 6 Author Share Posted May 6 in the above example requests to nextcloud.mydomain.org are routed through swag into nextcloud. The swag container has access to nextcloud container. All of my domain routing hits the swag container. How do I get traffic from swag at vms.mydomain.org through apacheguacamole and into the vm (on separate vlan). I currently have apaceguacamole assigned to the other vlan and I was able to access the vm on that vlan from another computer on that vlan. from the console of the swag container I am unable to ping the apacheguacamole container (expected). I assume, but haven't tried to just put the IP address for the guac container in the swag proxy.confs file for apacheguacamole and see if it works. Will that actually work? I think I'm missing a bridge or firewall rule or something to make the connection between these two. Or is the correct answer a second swag container on the vlan answering requests to that subdomain? Quote Link to comment
bmartino1 Posted May 6 Share Posted May 6 Both the dockers need to be in the same type of bridge and be able to talk to each other. You would need to create a custom network docker to bridge the gap. I would recommend a macvlan docker netwrok. Also whats your docker advance settings? to use macvlan you will need to disable bridging in the network tab... Quote Link to comment
bmartino1 Posted May 6 Share Posted May 6 (edited) swag veth-br interface would need bridged to the Vlan eth... swags proxy net docker would be considered an untagged vlan or to be using vlan 1. swag would need another network interface added to the docker to the vlan... edit docker > advance toggle --net br0.222 ^BUT I don't think that would work... it may break swag.. So you would have to create another advance network bridge and add a extra interface traffic to the docker to connect to the bridge. Not an easy setup and configuration with unraid... 14 hours ago, bmartino1 said: There are quite a few networking commands. to make br0 or a bridge interface.... brctl addbr br0 ip link set dev <tap-iface> master br0 ^replace <tap-ifcae> with interface you want ie eth0..... to show the bridges: bridge link show we have prepackaged tools ifconfig, ip and brctl for networking in unraid... First you would need to make a new bridge. and add the vlan to the other network. Edited May 6 by bmartino1 spelling ... Quote Link to comment
bmartino1 Posted May 6 Share Posted May 6 (edited) https://forums.docker.com/t/using-a-single-container-with-multiple-vlans/133521/2 proxy net is using its own vlan network while guacomole is on vlan 222 it is not easy to trunk or bridge netwroing between the 2... you will need to make another interface for swag which can break other things and add a second interface eith to the host to bridge it or to the docker to bridge it ... https://serverfault.com/questions/1136511/isolating-docker-bridge-network-with-vlans not enough info to assist. Vlans can be tricky with unraid as we don't have access to yaml/interfaces to edit and make good changes due to its point click nature. Edited May 6 by bmartino1 Quote Link to comment
bmartino1 Posted May 6 Share Posted May 6 (edited) I don't know how to explain and give you further guidance... This is where docker compose would come in handy. and composerize to convert your current working docker into a compose file: https://www.composerize.com/ If you edit the guacamole docker and change something and change it back to apply at bottom, this way you can get your docker run command that runs. Paste that into composerize to get the docker compose file, where you can edit docker network settings... Review https://github.com/moby/moby/blob/98aa1d24a3d7274a8056e57f385945e9829bd612/docs/reference/commandline/network_connect.md I would have you edit guacamole server docker and add an extra parameter to have 2 networks, the default it currently has and to add proxy net. --net proxy net But I don't remember the docker run command for -net to add another interface, as you would also need a ip address. ?it may be auto assigned... use docker inspect commands… and bridge the gap in the guacamole container... https://docs.docker.com/compose/networking/ Good luck and have fun. Edited May 6 by bmartino1 spelling ... Quote Link to comment
wildfire305 Posted May 6 Author Share Posted May 6 1 minute ago, bmartino1 said: I would have you edit guacamole server docker and add an extra parameter to have 2 networks, the default it currently has and to add proxy net. --net proxy net I really appreciate your help. I have a lot to review. I will post my advanced network config when I have a minute. Would a cheating way be to add an additional swag container on the vlan 222 and route requests to it at the router level work? If that method even works, it probably wastes resources and isn't scalable, but on a home server...scale isn't that important. Quote Link to comment
bmartino1 Posted May 6 Share Posted May 6 (edited) In theory yes. as the second swag server is on the vlan. (has to do with ports in use and how from docker to docker). You are correct, adding a second swag docker could fix this, be sure to use different folder as not to break it. as you have already installed it, to add it again you will need to click the at the bottom and select the template in the drop-down box: BE SURE TO CHANGE THE NAME AS TO NOT BREAK THE OTHER CONTAINER! Edited May 6 by bmartino1 Quote Link to comment
wildfire305 Posted May 6 Author Share Posted May 6 Here is the docker networking settings I am currently using. I switched from the old default macvlan to ipvlan as directed a while back. Quote Link to comment
wildfire305 Posted May 6 Author Share Posted May 6 I did try the --net proxynet - it didn't seem to like that. Quote Link to comment
bmartino1 Posted May 7 Share Posted May 7 (edited) I didn't think it would after reviewing docker docs. I don't know an easy solution here. it's more trial and error at this point. I can give you the tools you would use. but networking and vlan complications have always been hard. Both dockers would have to be running and the network connect command would need to be run. but i don't know enough of that command to make you one. and even then I'm not sure if it will work as I'm thinking it does. We would need to have the docker open and run on a muti network. Review https://github.com/moby/moby/blob/98aa1d24a3d7274a8056e57f385945e9829bd612/docs/reference/commandline/network_connect.md If I were to guess the command: Docker network connect --link=???interface??? "proxy net" "guacomledocker name" Usage: docker network connect [OPTIONS] NETWORK CONTAINER Connects a container to a network --alias=[] Add network-scoped alias for the container --help Print usage --ip IPv4 Address --ip6 IPv6 Address --link=[] Add a link to another container Edited May 7 by bmartino1 Quote Link to comment
Solution wildfire305 Posted May 7 Author Solution Share Posted May 7 Okay I did it! I put apache guacamole in the proxynet I configured swag to look at that docker for the service. On the guacamole.subdomain.conf file Then I added this: at the end of the routing table in the settings -> network Now I can access guac at guac.myverysecretdomainname.org. In turn the routing table was the key to allow the guac docker to talk to the VM on the separate vlan 1 Quote Link to comment
wildfire305 Posted May 8 Author Share Posted May 8 (edited) Update: for future generations who may arrive here looking for the same solution. The custom routing table is not maintained or persistent after reboot. I used the userscripts plugin to add this command at start of array. #!/bin/bash ip route add 192.168.222.0/24 dev br0.222 Edited May 8 by wildfire305 1 Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.