bonienl (Author) Posted October 25, 2019 (edited)
4 minutes ago, Hoopster said: I must have some sort of routing issue.
Or firewall issue. Do you allow traffic between subnets (the LAN IN and LAN OUT sections)?
Edited October 25, 2019 by bonienl
Hoopster Posted October 25, 2019
8 minutes ago, bonienl said: Or firewall issue. Do you allow traffic between subnets (the LAN IN and LAN OUT sections)?
Looks good to me. LAN IN and LAN OUT are identically configured.
bonienl (Author) Posted October 25, 2019
This is my network configuration; yours should look similar, sans IPv6 (ignore the WAN - VLAN only, it serves a special case).
bonienl (Author) Posted October 25, 2019
1 hour ago, Hoopster said: I have UPnP disabled and am using manual port forwarding. Does it matter either way?
No, both methods work.
1 hour ago, Hoopster said: Issue here?
You should do a traceroute from the peer device. I expect multiple hops (3) to reach the final destination.
Hoopster Posted October 25, 2019
4 minutes ago, bonienl said: You should do a traceroute from the peer device.
Duh! Brain seizure.
Hoopster Posted October 25, 2019
17 minutes ago, bonienl said: This is my network configuration; yours should look similar, sans IPv6 (ignore the WAN - VLAN only, it serves a special case).
And mine (nothing too unusual):
bonienl (Author) Posted October 25, 2019
12 minutes ago, Hoopster said:
The second hop goes from the server (10.253.0.1) to your router (192.168.1.1). Any firewall rule set in the LAN LOCAL section which may interfere?
Hoopster Posted October 25, 2019
1 minute ago, bonienl said: Any firewall rule set in the LAN LOCAL section which may interfere?
Nope.
bonienl (Author) Posted October 25, 2019 (edited)
What does a traceroute look like from server to gateway 192.168.1.1 (so done from the Unraid server)? Can you also post the content of the /config/network.cfg file on your USB stick?
Edited October 25, 2019 by bonienl
Hoopster Posted October 25, 2019
2 minutes ago, bonienl said: What does a traceroute look like from server to gateway 192.168.1.1 (so done from the Unraid server)?
bonienl (Author) Posted October 25, 2019
I suspect a routing issue on the Unraid server itself, hence I'd like to see the network configuration file.
Hoopster Posted October 25, 2019
6 minutes ago, bonienl said: I suspect a routing issue on the Unraid server itself, hence I'd like to see the network configuration file.

# Generated settings:
IFNAME[0]="br0"
BRNAME[0]="br0"
BRSTP[0]="no"
BRFD[0]="0"
BRNICS[0]="eth0"
PROTOCOL[0]="ipv4"
USE_DHCP[0]="no"
IPADDR[0]="192.168.1.10"
NETMASK[0]="255.255.255.0"
GATEWAY[0]="192.168.1.1"
METRIC[0]="1"
DNS_SERVER1="1.1.1.1"
DNS_SERVER2="1.0.0.1"
USE_DHCP6[0]="yes"
DHCP6_KEEPRESOLV="no"
VLANID[0,1]="3"
DESCRIPTION[0,1]="Dockers"
PROTOCOL[0,1]="ipv4"
USE_DHCP[0,1]="yes"
METRIC[0,1]="2"
VLANS[0]="2"
IFNAME[1]="br1"
BRNAME[1]="br1"
BRNICS[1]="eth1"
BRSTP[1]="no"
BRFD[1]="0"
PROTOCOL[1]="ipv4"
USE_DHCP[1]="yes"
METRIC[1]="3"
SYSNICS="2"

Actual file attached as well (network.cfg).
Hoopster Posted October 25, 2019
FYI - eth1/br1 is not used by anything at the moment and I have unplugged the cable. Shouldn't matter, it's just a data point.
bonienl (Author) Posted October 25, 2019
Ok, you have to make changes for the Docker part.
First, the VLAN used for Docker should have no IPv4 (and no IPv6) assignment. Here is my config (you can use IPv4 only).
Next, you need to assign the VLAN network (br0.3) to Docker. Define subnet, gateway and DHCP pool accordingly. Here is my config for br0.5 (docker subnet).
Start Docker and retest, it should go much better now 😃
Hoopster Posted October 25, 2019 (edited)
33 minutes ago, bonienl said: Next, you need to assign the VLAN network (br0.3) to Docker. Define subnet, gateway and DHCP pool accordingly. Here is my config for br0.5 (docker subnet).
Here's what I currently have. It appears I initially made a typo and had 192.168.3.1 as both the subnet and gateway address. That was a mistake in the subnet entry; it's always the little things. Since that only shows up in Advanced view, I failed to check that when troubleshooting. Thank you, thank you for catching that. 👍
I did not assign a DHCP pool because I wanted to manually assign an IP address to each container. I did also change the Docker VLAN address assignment from 'Automatic' to 'None'.
IT WORKS NOW!!! Thank you. This traceroute looks a lot better. 😁
I hope all this helps someone else.
Edited October 25, 2019 by Hoopster
Mantene Posted October 25, 2019
This is the best thing ever! Wireguard makes my life so much easier! Thank you!
bonienl (Author) Posted October 26, 2019
6 hours ago, Hoopster said: IT WORKS NOW!!!
Great to hear. Some further explanation of your issue before.
VLAN 3 was set up with DHCP; this means your Unraid server gets an IP address in the same subnet as the Docker containers. It then wants to use VLAN 3 to communicate directly with the containers, because it is the nearest connection. Docker however doesn't allow direct communication between host and containers in the same network. So when traffic leaves the tunnel at the server side, it will get blocked by Docker and can't reach the containers (this gives your 2nd hop unreachable). This is exactly the same issue when people are using br0 as their custom container network!!
When no IP address is assigned to VLAN 3, the server doesn't learn a direct connection to the containers, but instead will send traffic to the default gateway (your router). The router in return can forward the traffic to the destined container and communication is established, with the condition that a static route on your router exists for the return path, that is, containers back to the tunnel.
Another "non-visible" issue you have solved here is asymmetric routing. The DHCP assignment of VLAN 3 caused the server to learn a second default gateway via VLAN 3. This means that traffic destined for the Internet could leave either via eth0 or via VLAN 3. Since both ended up at the same router and there are no specific firewall rules in place, this didn't cause a connection problem, but it is always better to avoid asymmetric routing.
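The two conditions bonienl describes (the host itself getting an address on the container VLAN, and more than one interface able to install a default route) can be checked mechanically from the network.cfg format shown earlier in the thread. The script below is an added example, not part of this thread or of the WireGuard plugin; the sample config is constructed, modelled on the file Hoopster posted, and it flags any VLAN sub-interface with an IPv4 assignment, which is what the advice amounts to when the VLAN is dedicated to containers.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the network.cfg posted above (Unraid's
# bash-style KEY[i]="v" for a port and KEY[i,j]="v" for VLAN j on port i).
SAMPLE_CFG = """
IFNAME[0]="br0"
USE_DHCP[0]="no"
IPADDR[0]="192.168.1.10"
GATEWAY[0]="192.168.1.1"
VLANID[0,1]="3"
DESCRIPTION[0,1]="Dockers"
PROTOCOL[0,1]="ipv4"
USE_DHCP[0,1]="yes"
IFNAME[1]="br1"
USE_DHCP[1]="yes"
"""

LINE = re.compile(r'^([A-Z0-9_]+)\[([0-9,]+)\]="([^"]*)"$')

def parse_network_cfg(text):
    """Map each index ('0' = port, '0,1' = VLAN on it) to its key/value pairs."""
    ifaces = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())  # comments and un-indexed keys are skipped
        if m:
            key, idx, val = m.groups()
            ifaces[idx][key] = val
    return dict(ifaces)

def has_ipv4(cfg):
    """True if the interface will carry an IPv4 address (DHCP or static)."""
    return cfg.get("USE_DHCP") == "yes" or bool(cfg.get("IPADDR"))

def check(ifaces):
    """Return (finding, detail) tuples for the two issues explained above."""
    findings = []
    for idx, cfg in sorted(ifaces.items()):
        if "," in idx and has_ipv4(cfg):
            # Host gets an address on the container VLAN: it routes to the
            # containers directly and Docker drops host<->container traffic.
            port = ifaces.get(idx.split(",")[0], {}).get("IFNAME", "?")
            findings.append(("docker-vlan-has-ip", f"{port}.{cfg.get('VLANID', '?')}"))
    # Every interface with a static gateway or DHCP can install a default route;
    # more than one means asymmetric routing toward the Internet.
    gw = sorted(i for i, c in ifaces.items() if c.get("GATEWAY") or c.get("USE_DHCP") == "yes")
    if len(gw) > 1:
        findings.append(("multiple-default-gateways", gw))
    return findings
```

Running check(parse_network_cfg(SAMPLE_CFG)) reports br0.3 as a VLAN the host has an address on and three interfaces that can install a default route; setting USE_DHCP[0,1]="no" clears the first finding.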
bonienl (Author) Posted October 26, 2019 (edited)
I've made another update to the WireGuard plugin; everybody is encouraged to update. Again, if your current version is prior to 2019.10.25, follow the instructions given a few posts earlier in this topic.
Edited October 26, 2019 by bonienl
NewDisplayName Posted October 26, 2019 (edited)
What is the correct route to allow the 10.* to get to the 192.168 (br0) subnet via the router, instead of internally in Unraid? My idea is, since Docker won't allow the host to reach br0, why not go the way around from the router? (Or does Docker still know it's host -> br0? I don't think so.)
Edited October 26, 2019 by nuhll
mraneri Posted October 26, 2019
So for this to work you would need a router that supports VLANs as well? It doesn't look like the stock ASUS firmware has that functionality.
Hoopster Posted October 26, 2019 (edited)
On 10/25/2019 at 11:42 PM, bonienl said: Some further explanation of your issue before.
The mistakes I made in setting up the VLAN were made over 18 months ago, but masked until I tried to use WireGuard to access containers with a custom IP on a VLAN. I followed your excellent guide for setting up VLANs as I was trying to solve the call trace issue I was having on br0. The VLAN solved that problem as well.
Even though I did not want DHCP on the VLAN and wanted to assign static addresses, the 'IPv4 address assignment' being left on 'Automatic' (instead of 'None') and the mistake in the subnet address were not evident all this time because access to those containers still worked locally. It was only over the VPN tunnel (as you explained above) that the errors became apparent.
Although it was a mistake in that I ran the traceroute from the server to the container on the VLAN, this did not look right to me and I wondered why my unRAID server was getting an IP address on the VLAN. Now I understand what was going on.
Thanks again for all your help on this.
Edited October 27, 2019 by Hoopster
bonienl (Author) Posted October 26, 2019
6 hours ago, mraneri said: So for this to work you would need a router that supports VLANs as well?
Not necessarily. An alternative is to add a second ethernet interface to your server.
Gragorg Posted October 31, 2019
Ok, so I have set up WireGuard and I can connect to Unraid using "remote access to LAN". I forwarded port 51820 in my router for WireGuard. I cannot open the web GUI for any of my Dockers, which have their own port number. What am I missing?
bonienl (Author) Posted October 31, 2019
2 hours ago, Gragorg said: any of my Dockers which have their own port number.
Do you mean "own IP address"? If yes, go through this topic; there are explanations and solutions given.
Gragorg Posted October 31, 2019
6 hours ago, bonienl said: Do you mean "own IP address"? If yes, go through this topic; there are explanations and solutions given.
No, the LAN side IP is the same as my Unraid server; they just all use a different port. For example, if my server is 192.168.0.100, the web GUI for Sonar is 192.168.0.100:8989.