Dockers in same VLAN hitting firewall rules


I was trying to decide whether this was more of a Ubiquiti, Unraid or Docker question, but I figured you all would have a more well-rounded knowledge of the situation in its entirety. So here goes:

 

The Issue

My sonarr (192.168.10.3) and radarr (192.168.10.4) dockers cannot communicate with my rtorrent (192.168.10.6) docker, but they can talk to sabnzbd (192.168.10.7). All stated dockers are assigned IP addresses via br0.10 with a gateway/mask of 192.168.10.1/24. I can see the traffic is being dropped by my firewall rules (see below), but my understanding is the packets should not hit the firewall because they're in the same VLAN/subnet (?).

 

Related Network Equipment

  • Unifi Cloud Key
  • Unifi USG
  • Unifi 16 port Switch w/ 1GB LAG to Unraid Server

 

Problem Dockers

  • linuxserver/sonarr:preview (br0.10, 192.168.10.3)
  • linuxserver/radarr:latest (br0.10, 192.168.10.4)
  • binhex-rtorrentvpn:latest (br0.10, 192.168.10.6)

 

I can connect to this one fine from sonarr/radarr on the other hand:

  • binhex-sabnzbdvpn:latest (br0.10, 192.168.10.7)

 

Network

INTERFACE  GATEWAY/MASK
br0.10     192.168.10.1/24

 

Relevant Firewall Rules (LAN IN)

RULE  DESCRIPTION                ACTION  PROTOCOLS      SOURCE           DESTINATION
2000  Allow Established/Related  Accept  All Protocols
2001  Drop Invalid               Drop    All Protocols
      (Pretty specific rules unrelated to dockers here. All are action=Allow)
2009  Disable Intervlan Routing  Drop    All Protocols  Groups: RFC1918  Groups: RFC1918

 

According to Firewall Logging (why would these hit the firewall to begin with?)

  • The packets from sonarr/radarr to rtorrent are dropped at rule 2001 when it is enabled.
  • The packets are dropped at rule 2009 when 2001 is disabled.
  • The connection is successful when both 2001 and 2009 are turned off.

 

Example Firewall Logs (I believe the connection is initiated from sonarr/radarr so I believe this is the response being dropped?)

  • With '2001 - Drop Invalid' enabled 
    [LAN_IN-2001-D]IN=eth1.10 OUT=eth1.10 MAC=78:8a:20:40:bd:e8:02:42:c0:a8:0a:06:08:00:45:00:00:3c SRC=192.168.10.6 DST=192.168.10.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=9443 DPT=51068 WINDOW=43440 RES=0x00 ACK SYN URGP=0
  • With '2009 - Disable Intervlan Routing' enabled (2001 disabled)
    [LAN_IN-2009-D]IN=eth1.10 OUT=eth1.10 MAC=78:8a:20:40:bd:e8:02:42:c0:a8:0a:06:08:00:45:00:00:3c SRC=192.168.10.6 DST=192.168.10.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=9443 DPT=52090 WINDOW=43440 RES=0x00 ACK SYN URGP=0
  • Not in logs, but connection is successful in sonarr/radarr when both rules are disabled.

 

Any thoughts, ideas are much appreciated!

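To check what the two log lines above actually say before touching any rules, here is a small parser and classifier added for this thread (not the poster's, Unraid's or Ubiquiti's code). It assumes the USG log prefix format `[CHAIN-RULE-ACTION]`, Docker's `02:42:<IPv4>` container MAC convention, and uses the two quoted entries as constructed sample input.

```python
import ipaddress
import re
# Constructed sample: the two LAN_IN entries quoted in the post above.
SAMPLE_LOGS = [
    "[LAN_IN-2001-D]IN=eth1.10 OUT=eth1.10 MAC=78:8a:20:40:bd:e8:02:42:c0:a8:0a:06:08:00:45:00:00:3c "
    "SRC=192.168.10.6 DST=192.168.10.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP "
    "SPT=9443 DPT=51068 WINDOW=43440 RES=0x00 ACK SYN URGP=0",
    "[LAN_IN-2009-D]IN=eth1.10 OUT=eth1.10 MAC=78:8a:20:40:bd:e8:02:42:c0:a8:0a:06:08:00:45:00:00:3c "
    "SRC=192.168.10.6 DST=192.168.10.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP "
    "SPT=9443 DPT=52090 WINDOW=43440 RES=0x00 ACK SYN URGP=0",
]

def parse_line(line):
    """Split a USG (iptables-style) log line into rule prefix, key=value fields and bare flags."""
    m = re.match(r"\[(?P<chain>[A-Z_]+)-(?P<rule>\d+)-(?P<action>[A-Z])\](?P<rest>.*)", line.strip())
    if not m:
        raise ValueError(f"not a USG firewall log line: {line!r}")
    entry = {"chain": m["chain"], "rule": int(m["rule"]), "action": m["action"], "flags": set()}
    for tok in m["rest"].split():
        key, eq, val = tok.partition("=")
        if eq:
            entry[key] = val
        else:
            entry["flags"].add(tok)  # DF, SYN, ACK, ... are logged as bare words
    # MAC= carries destination MAC, source MAC and EtherType back to back.
    octets = entry["MAC"].split(":")
    entry["dst_mac"], entry["src_mac"] = ":".join(octets[0:6]), ":".join(octets[6:12])
    return entry

def docker_mac_for(ip):
    """MAC Docker derives for a container: 02:42 followed by its IPv4 address (assumed convention)."""
    return "02:42:" + ":".join(f"{int(o):02x}" for o in ip.split("."))

def diagnose(entry, lan="192.168.10.0/24"):
    """List the observations that explain why a subnet-local packet ended up in a routed chain."""
    net = ipaddress.ip_network(lan)
    src, dst = ipaddress.ip_address(entry["SRC"]), ipaddress.ip_address(entry["DST"])
    findings = []
    if src in net and dst in net:
        findings.append("intra-subnet")  # peers on one /24 normally exchange frames directly
    if entry.get("IN") == entry.get("OUT"):
        findings.append("hairpin")  # the router forwards it back out the interface it came in on
    if (entry["src_mac"] == docker_mac_for(entry["SRC"])
            and entry["dst_mac"] != docker_mac_for(entry["DST"])):
        # A container built the frame but addressed it to the gateway's MAC, not the peer's.
        findings.append("container-sent-to-gateway")
    if entry.get("PROTO") == "TCP" and {"SYN", "ACK"} <= entry["flags"]:
        # conntrack never saw the SYN, and a SYN-ACK opening a new entry is classified INVALID.
        findings.append("untracked-syn-ack")
    return findings
```

Run `diagnose(parse_line(l))` over each sample line; all four findings fire for both entries, which matches the post's observation that rule 2001 (invalid) catches them first and rule 2009 only when 2001 is off.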
  • 2 years later...

TBH, I can't remember the complete context of this. What I do know:

 

1. My -arrs are now using the network of my VPN container so their traffic is routed through the same VPN tunnel.

2. I added this really odd feeling firewall rule and disabled "Drop Invalid":


 

Preface: I'm far from a network guru, hobbyist at best.

 

Looking back on it... The VPN containers probably use an internal private network. Whenever the application inside the docker container communicates to your LAN it's technically communicating from the network inside of the container and needs to be routed, thus hitting the firewall. The router has no idea about that network inside the container so it gets marked as invalid?

 

I'd still love to know the definitive answer if anyone has one.
