BrttClne22 Posted February 12, 2020

I was trying to decide whether this was more of a Ubiquiti, Unraid or Docker question, but I figured you all would have a more well-rounded knowledge of the situation in its entirety. So here goes:

The Issue

My sonarr (192.168.10.3) and radarr (192.168.10.4) dockers cannot communicate with my rtorrent (192.168.10.6) docker, but they can talk to sabnzbd (192.168.10.7). All stated dockers are assigned IP addresses via br0.10 with a gateway/mask of 192.168.10.1/24. I can see the traffic is being dropped by my firewall rules (see below), but my understanding is the packets should not hit the firewall because they're in the same VLAN/subnet (?).

Related Network Equipment

- Unifi Cloud Key
- Unifi USG
- Unifi 16 port Switch w/ 1GB LAG to Unraid Server

Problem Dockers

- linuxserver/sonarr:preview (br0.10, 192.168.10.3)
- linuxserver/radarr:latest (br0.10, 192.168.10.4)
- binhex-rtorrentvpn:latest (br0.10, 192.168.10.6)

I can connect to this one fine from sonarr/radarr on the other hand:

- binhex-sabnzbdvpn:latest (br0.10, 192.168.10.7)

Network

| INTERFACE | GATEWAY/MASK |
|---|---|
| br0.10 | 192.168.10.1/24 |

Relevant Firewall Rules (LAN IN)

| RULE | DESCRIPTION | ACTION | PROTOCOLS | SOURCE | DESTINATION |
|---|---|---|---|---|---|
| 2000 | Allow Established/Related | Accept | All Protocols | | |
| 2001 | Drop Invalid | Drop | All Protocols | | |
| | (Pretty specific rules unrelated to dockers here. All are action=Allow) | | | | |
| 2009 | Disable Intervlan Routing | Drop | All Protocols | Groups: RFC1918 | Groups: RFC1918 |

According to Firewall Logging (why would these hit the firewall to begin with?)

- The packets from sonarr/radarr to rtorrent are dropped at rule 2001 when it is enabled.
- The packets are dropped at rule 2009 when 2001 is disabled.
- The connection is successful when both 2001 and 2009 are turned off.

Example Firewall Logs (I believe the connection is initiated from sonarr/radarr so I believe this is the response being dropped?)

With '2001 - Drop Invalid' enabled

[LAN_IN-2001-D]IN=eth1.10 OUT=eth1.10 MAC=78:8a:20:40:bd:e8:02:42:c0:a8:0a:06:08:00:45:00:00:3c SRC=192.168.10.6 DST=192.168.10.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=9443 DPT=51068 WINDOW=43440 RES=0x00 ACK SYN URGP=0

With '2009 - Disable Intervlan Routing' enabled (2001 disabled)

[LAN_IN-2009-D]IN=eth1.10 OUT=eth1.10 MAC=78:8a:20:40:bd:e8:02:42:c0:a8:0a:06:08:00:45:00:00:3c SRC=192.168.10.6 DST=192.168.10.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=9443 DPT=52090 WINDOW=43440 RES=0x00 ACK SYN URGP=0

Not in logs, but connection is successful in sonarr/radarr when both rules are disabled.

Any thoughts, ideas are much appreciated!
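The two drop entries quoted above can be read field by field. This added example (not part of the thread and not code from any poster) parses them and reports that each is a SYN+ACK from 192.168.10.6, sent to the router's MAC and forwarded back out of eth1.10, which fits a reply that took the gateway path while the SYN it answers did not. The function names and result keys are choices made for this example, and the asymmetric-path reading is an inference from the logs, not something the thread confirms.

```python
import ipaddress
import re

# The two drop entries quoted in the first post, embedded so this runs offline.
SAMPLE_LOGS = [
    "[LAN_IN-2001-D]IN=eth1.10 OUT=eth1.10 MAC=78:8a:20:40:bd:e8:02:42:c0:a8:0a:06:08:00:45:00:00:3c SRC=192.168.10.6 DST=192.168.10.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=9443 DPT=51068 WINDOW=43440 RES=0x00 ACK SYN URGP=0",
    "[LAN_IN-2009-D]IN=eth1.10 OUT=eth1.10 MAC=78:8a:20:40:bd:e8:02:42:c0:a8:0a:06:08:00:45:00:00:3c SRC=192.168.10.6 DST=192.168.10.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=9443 DPT=52090 WINDOW=43440 RES=0x00 ACK SYN URGP=0",
]
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse(line):
    """Split a netfilter LOG line into KEY=VALUE fields plus the bare TCP flags."""
    rule = re.match(r"\[([^\]]+)\]", line)
    fields = {"RULE": rule.group(1) if rule else ""}
    flags = set()
    for tok in (line[rule.end():] if rule else line).split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    # MAC= is the Ethernet header as received: dst MAC, src MAC, then ethertype.
    octets = fields.get("MAC", "").split(":")
    fields["DST_MAC"] = ":".join(octets[:6])
    fields["SRC_MAC"] = ":".join(octets[6:12])
    return fields, flags


def diagnose(line, subnet="192.168.10.0/24"):
    """Flag a same-subnet packet that the router was asked to forward."""
    f, flags = parse(line)
    net = ipaddress.ip_network(subnet)
    same_subnet = all(ipaddress.ip_address(f[k]) in net for k in ("SRC", "DST"))
    # Forwarded back out of the interface it arrived on: the sender used the
    # gateway as next hop for a neighbour it could have reached directly.
    hairpin = same_subnet and f.get("IN") == f.get("OUT")
    # A SYN+ACK answers a SYN. If the router had forwarded that SYN, conntrack
    # would call this reply ESTABLISHED; with no entry for it, it is INVALID.
    return {
        "rule": f["RULE"],
        "hairpin": hairpin,
        "reply_without_tracked_syn": hairpin and flags == {"SYN", "ACK"},
        "sender_mac": f["SRC_MAC"],
        "next_hop_mac": f["DST_MAC"],
    }


if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(diagnose(entry))
```

Both entries come back with `hairpin` and `reply_without_tracked_syn` set, which is why rule 2000 (Established/Related) never matches them and they fall through to 2001 or 2009.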
Branado Posted December 31, 2022

I know it's a long shot but have you found the fix for this? I have the suite of "arr" apps trying to set it up on a custom macvlan network and the traffic is being blocked by my firewall. Why is the traffic going through my firewall if they're all on the same macvlan???
BrttClne22 (Author) Posted December 31, 2022

TBH, I can't remember the complete context of this. What I do know:

1. My -arrs are now using the network of my VPN container so their traffic is routed through the same VPN tunnel.
2. I added this really odd-feeling firewall rule and disabled "Drop Invalid":

Preface: I'm far from a network guru, hobbyist at best.

Looking back on it... The VPN containers probably use an internal private network. Whenever the application inside the docker container communicates to your LAN it's technically communicating from the network inside of the container and needs to be routed, thus hitting the firewall. The router has no idea about that network inside the container so it gets marked as invalid?

I'd still love to know the definitive answer if anyone has one.