Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Really silly question - routing
« previous
next »
Print
Pages: [
1
]
Author
Topic: Really silly question - routing (Read 1771 times)
mightyi
Newbie
Posts: 14
Karma: 0
Really silly question - routing
«
on:
August 24, 2023, 12:03:00 pm »
I think I’m having one of those weeks where nothing works right!
I am playing around with Docker at the moment to see if there is viable reason to put Plex/Emby into isolated containers. Currently experimenting with networking.
I configured a macvlan network and managed to get it almost working (didn’t enable promiscuous mode on firewall) and I’ve been playing with IPVlan v3 networking now. No matter what I do, I can’t get internet traffic routing back to the subnet and it’s driving me nuts - I’m sure it’s something simple but I can’t figure it out…I’m hoping someone can help me feel silly!
I have a route setup on the firewall to push any traffic for the docker subnet to the host Ubuntu vm (vm it set as a gateway). I have also added a lan rule on the firewall to allow all traffic from the docker subnet to the internet from the lan interface. I can see in the logs that traffic is being allowed since I added this rule, and I can ping the firewall and all other devices on the lan from the container in the v3 ipvlan network. But if I ping a web address (Google for example), it resolves the name, I see the traffic being allowed in the fw logs….but no I no response back. From the ubuntu host it works fine.
Am I missing something obvious here?
Logged
meyergru
Hero Member
Posts: 1725
Karma: 170
IT Aficionado
Re: Really silly question - routing
«
Reply #1 on:
August 24, 2023, 03:00:30 pm »
Maybe your VM host is set as a gateway, but is your OpnSense aware of additional networks on the LAN interface that the VM host is connected to? You probably have outbound NAT on your OpnSense which translates only your LAN IP range but not anything "behind" it.
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
mightyi
Newbie
Posts: 14
Karma: 0
Re: Really silly question - routing
«
Reply #2 on:
August 24, 2023, 03:24:30 pm »
Sir you are a legend! Exactly the thing I’d forgotten! Had to enable hybrid NAT rules, but as soon as I create one for TCP and one for ICMP everything worked.
Knew it would be something stupid I’d forgotten….
Logged
swimboy
Newbie
Posts: 2
Karma: 0
Re: Really silly question - routing
«
Reply #3 on:
January 10, 2024, 03:50:33 pm »
I'm having the exact same problem, except for the fact that I *did* remember to create hybrid NAT rules for the docker IPVLAN networks.
My routing is definitely working, since I can access my docker containers from other devices on my network and vice versa. But the docker containers cannot reach the internet.
Attached is my IPv4 NAT rule. I have an identical one for IPv6, and one set as static for port 500.
What else can I look at?
Logged
meyergru
Hero Member
Posts: 1725
Karma: 170
IT Aficionado
Re: Really silly question - routing
«
Reply #4 on:
January 10, 2024, 06:10:36 pm »
Besides the NAT, you also need a rule to allow outgoing traffic. For the LAN interface, there is a default rule that allows the LAN network to go outside, but nothing more. Have you created a firewall rule to allow your docker IPs to "any"? mightyi did this before so all was missing was the NAT rule in that case.
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
swimboy
Newbie
Posts: 2
Karma: 0
Re: Really silly question - routing
«
Reply #5 on:
January 10, 2024, 06:58:37 pm »
Nope, I had those rules too. After further investigation, I saw that I had configured my NAT rule on the LAN interface instead of the WAN interface. Fixed that, and everything's working.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Really silly question - routing