A noob VS MT container networking | OCSERV Image

Hi,

I have been working to build my own ocserv container image for the past few days.
I will post it, but before getting into that, I have to ask a question. I can’t find any documentation for it in the MT documentation, or perhaps I misunderstand it as I usually do.

How should one configure the container network in Mikrotik?

Network diagram.
diagram.jpg
What is working?
Image
I tried so many different versions and repositories. This build is not final. But before making more effort, I need to know if this will work.
image.jpg
Container
container.jpg
Radius
ras.jpg
Ocserv
debug.jpg
Connection
client.jpeg
What is not working?
As far as I can tell:
From the client side, I can ping
10.10.16.1, 172.17.0.2
I can not ping
172.17.0.1, 1.1.1.1, and 8.8.8.8
The client traceroute doesn’t pass the 10.10.16.1 IP address.
torch.jpg
Here are some parts of the config.



route.jpg
Dockerfile

~~~

entrypoint.sh

~~~

I don’t think it’s correct to have veth interfaces as parts of a bridge and to set addresses directly on those interfaces. Additionally, I don’t think you actually have to set an address from the subnet intended to be internal to the container on the veth of the same container (to make this part work, the veth should have proxy-arp enabled for the “internal” IP subnet).

I.e.

/interface veth
add address=172.17.0.3/24 gateway=172.17.0.1 name=ocserv
/interface bridge port
add bridge=containers interface=ocserv
# next part is IMO wrong. An address should not be set on an interface which is a port member of a bridge
/ip address
add address=10.10.16.1/24 interface=ocserv network=10.10.16.0

I think it should better work like this:

/interface veth
add address=172.17.0.3/24 gateway=172.17.0.1 name=ocserv
/interface bridge port
add bridge=containers interface=ocserv
/ip route
add dst-address=10.10.16.0/24 gateway=172.17.0.3

… the above relies on the containers having a correct default route set (internally, that is) … which by default they probably don’t. Or do they?

I also think that you don’t need all those SRC NAT rules for traffic passing through containers; in principle, containers should manage with their default route set to the router’s IP address from the container network. Excessive SRC NAT may make things work when routing is not done right, but it also hides real remote IP addresses from the service running behind such NAT, which most of the time is an undesirable effect.
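As an added example (not the thread’s entrypoint.sh and not MikroTik code), here is a sh pre-flight for the container side of the routed design above: it derives, from `ip route` output and the ip_forward flag, the commands the container needs before ocserv starts. The gateway 172.17.0.1 and client subnet 10.10.16.0/24 are taken from the thread; the function names and the sample routing table are assumptions.

```shell
#!/bin/sh
# Hypothetical route pre-flight for an ocserv container entrypoint (added example).
# The routed setup only works if the container's default route points at the
# router's veth gateway and the container forwards the VPN clients' packets.

VETH_GW="172.17.0.1"     # gateway= from the router's /interface veth entry
VPN_NET="10.10.16.0/24"  # ocserv client network; router routes it back via 172.17.0.3

# current_default_gw ROUTES: print the gateway of the default route, empty if none
current_default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# plan_fixes ROUTES IP_FORWARD: print the commands that bring the container into
# the expected state; prints nothing when the default route and forwarding are
# already correct, so the output can be piped straight into sh
plan_fixes() {
    gw=$(current_default_gw "$1")
    [ "$gw" = "$VETH_GW" ] || echo "ip route replace default via $VETH_GW"
    # without forwarding, packets from $VPN_NET never leave the tun interface
    [ "$2" = "1" ] || echo "sysctl -w net.ipv4.ip_forward=1"
}

# Constructed sample table: the case the thread worries about, a container that
# knows only its own veth subnet and has no default route at all
SAMPLE_NO_DEFAULT="172.17.0.0/24 dev eth0 proto kernel scope link src 172.17.0.3"

# Live use in the entrypoint (commented out so the file can be sourced offline):
# plan_fixes "$(ip route)" "$(cat /proc/sys/net/ipv4/ip_forward)" | sh
```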

@mkx

I can’t tell you how much I appreciate your help. You just made my day. <3

Could you please confirm if I set the ARP proxy correctly?



tourch-done.jpg
howis.jpg
traceroute.jpg
Again, Thank you.

Frankly, I’ve no idea. I run into positions where I need proxy ARP very seldom, so far never involving configuring that on ROS. Often enough that I somehow understand why it’s needed :wink:

I set the value to proxy-arp as it looks more right to me but I’m not certain.

local-proxy-arp - the router performs proxy ARP on the interface and sends replies to the same interface
proxy-arp - the router performs proxy ARP on the interface and sends replies to other interfaces

Thank you.

When *proxy-arp fixes something, you’re doing something wrong. Personal opinion.

@Znevna

When proxy-arp fixes something, you’re doing something wrong.

I welcome you with open arms if you have a better solution for this.

Thanks.

Hi,
good day.
Which Docker image did you use for ocserv?
I want to install ocserv on my MikroTik container.
I tested several containers, but they are not working.
I will be happy if you tell me about it.
Thanks.

Hi,
This is a custom-built Docker image that hasn’t been published publicly. That said, I’d be happy to share it; just let me know your preferred contact details.

Best regards,

Hi,
thanks for your reply.
My email is vahidp@gmail.com.
Thank you, dear.