Docker in proxmox & outside access

Started by Andy259, January 02, 2025, 03:19:11 PM

Community,

New user here (well, newish), so a bit of background:

For the last couple of years I've been running Plesk (webserver) on a home-based server. I then discovered Proxmox and Docker (I can run Docker in Plesk, but I would much rather have a separate server), so I installed Proxmox on another machine. Then came the inevitable port clashes etc., so I got a second IP; that was a month ago. I got another machine and installed OPNsense, so here I am trying to figure out HOW to get to the Docker containers from OUTSIDE my network, i.e. point services (the ARRs, for example) to a domain name.

Here's my setup:

ROUTER OPNSENSE (PUBLIC IPs 194.###.###.37 & 194.###.###.38). The first IP is the first WAN IP and the one that was set up during the OPNsense wizard; the second has been added as a virtual IP.
------------------------------------------------------------

SERVER 1 PLESK - 194.###.###.37 >> 192.168.1.109 (via nat 1:1)

ALL WORKING WELL AND AS IT SHOULD. (Just used this as an example, as I'm sure 1:1 is set up correctly and this confirms it.)

------------------------------------------------------------
This is the confusing bit; I'll be as clear as possible.

SERVER 2 PROXMOX - 194.###.###.38 >> 192.168.1.112

WORKS CORRECTLY WITH 1:1 NAT AS LONG AS THE BELOW 1:1 NAT DOESN'T EXIST

PROXMOX CONTAINER WITH DOCKER 194.###.###.38 >> 192.168.1.115

So in essence, if I delete the Proxmox rules then Portainer is accessible through 194.###.###.38:9000 and also via a URL.
------------------------------------------------------------

Some additional info: I followed a couple of tutorials, which I have linked below.

The first is to install Docker, Portainer and Nginx Proxy Manager.

https://wiki.opensourceisawesome.co...er-docker-compose-and-more-in-under-5-minutes

This second one basically explains Nginx Proxy Manager (however, this video assumes you are either on a bare-metal server with Docker installed directly on Ubuntu OR you are using a VPS from DigitalOcean and the like), so I followed the directions for this as it matched my use case more closely(ish). Using this method I CAN get to those services on my public IP (Portainer, Nginx Proxy Manager), but ONLY if I disable the port forward for Proxmox, which is then not accessible via the public IP. I'm missing something simple, and I'm sure I saw a vid on exactly how to do this but can't find it. There's plenty on installing Docker in a Proxmox container or VM, but then they dump you and don't tell you how to reach the services from the outside world.

Video about Nginx etc. which I followed and which got me to the point of accessing the Docker containers.

https://www.youtube.com/watch?v=cjJVmAI1Do4

Please bear in mind I am new to Proxmox, OPNsense and Docker, so please be fairly specific in replies, and if you can tag tutorials that would be great.

Take a look at gluetun; it might be what you're looking for.

https://github.com/qdm12/gluetun

January 06, 2025, 12:38:15 PM #2 Last Edit: January 06, 2025, 12:40:05 PM by meyergru
I wonder why you use 1:1 NAT on your OpnSense, because that way, it does not control much. Also, you are obviously limited to just one RFC1918 IPv4 behind it.

If you use normal outbound NAT for a /24 RFC1918 subnet, you can make a management LAN available where both your docker VM and your proxmox server can reside. You can make them available from outside via port-forwarding or name-based reverse-proxying on your OpnSense (with NGinx, Caddy or HAProxy). The latter is convenient also because you can delegate all TLS termination to your firewall.

You also have the choice of using one or more VLANs to separate the VMs from proxmox and one another. Assuming that proxmox is on your LAN and inaccessible from WAN, you may want that kind of separation in case your VMs get hijacked.

Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+
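The name-based reverse proxy that meyergru describes, written out as an added example (not from any post in this thread): one Caddy instance on the firewall terminates TLS for several hostnames on the single public IP, and routes each name to the internal host from Andy259's setup. Hostnames are placeholders; the Proxmox web port 8006 and the restriction of that management UI to the LAN are my assumptions, not something the thread states.

```caddyfile
# Added example, not from the thread. Assumes Caddy (e.g. the OPNsense
# Caddy plugin) receives ports 80/443 for 194.###.###.38 and that the
# internal hosts are the ones Andy259 listed. Replace example.com names.

# Portainer in the Docker container: public, TLS terminated here,
# plain HTTP to the backend on the LAN.
portainer.example.com {
    reverse_proxy 192.168.1.115:9000
}

# Proxmox management UI: reachable by name from the LAN only, so the
# same public IP never exposes it to the WAN (meyergru's separation).
# Port 8006 is Proxmox's usual web port (assumed, not stated above).
proxmox.example.com {
    @lan remote_ip 192.168.1.0/24
    handle @lan {
        reverse_proxy https://192.168.1.112:8006 {
            transport http {
                # Proxmox ships a self-signed certificate; on a trusted
                # LAN this skips verification of that backend cert only.
                tls_insecure_skip_verify
            }
        }
    }
    # Anything that is not from the LAN gets a refusal, not the UI.
    respond 403
}
```

With this in place the two 1:1 NAT entries for 194.###.###.38 are not needed: only 80/443 are forwarded to Caddy, and the hostname, not a second mapping of the same public IP, decides which internal box answers.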