Using NAT for a docker container

I followed these instructions to run Pihole in a container on my rb5009. Pihole works fine. I created the VETH interface for it at 192.168.5.10 and can access its web ui from my LAN, which is 192.168.4.0/24.

What I’d really like is for it to appear on my LAN segment. I couldn’t get it to work by simply setting the VETH interface to 192.168.4.2. So I was thinking of setting up a pair of DNAT and SNAT rules to make it appear like it’s at 192.168.4.2 but I can’t get them to work.

I’ve tried a few versions of rules 2 and 3 - anyone see something I’m doing wrong?

[david@RoutyMcRouterson] > /ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN 
      ipsec-policy=out,none 

 1    chain=srcnat action=src-nat to-addresses=192.168.4.2 
      src-address=192.168.5.10 out-interface=vlan-lan log=no log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=192.168.5.10 
      dst-address=192.168.4.2 in-interface=docker log=no log-prefix=""

I have also tried it without the out-interface and in-interface.

You can add the VETH to you LAN bridge (or VLAN) in /interface/bridge/ports, and in /interface/veth use the 192.168.4.2 LAN IP and Mikrotik LAN address as gateway. No NAT required.

Oh I feel so dumb. I forgot to add it in /interface/bridge/ports. But I still can’t access the Pihole. Pinging 192.168.4.2 just gives “destination host unreachable”. I have restarted the container a few times. I have also added veth1 to the correct VLAN (VID 4).

Here’s the result of /interface export (though I deleted the Wireguard peers):

# may/25/2023 14:37:08 by RouterOS 7.9.1
# software id = U9U9-RERG
#
# model = RB5009UG+S+
/interface bridge
add admin-mac=48:A9:8A:D0:92:E3 auto-mac=no comment=defconf frame-types=\
    admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface veth
add address=192.168.4.2/24 gateway=192.168.4.1 name=veth1
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface vrrp
add comment="ipv6 for LAN" interface=ether1 name=vrrp1 v3-protocol=ipv6
add comment="ipv6 for guest" interface=ether1 name=vrrp2 v3-protocol=ipv6 \
    vrid=2
/interface vlan
add interface=bridge1 name=vlan-guest vlan-id=10
add interface=bridge1 name=vlan-lan vlan-id=4
/interface ethernet switch
set 0 cpu-flow-control=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=guest
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether3 pvid=4
add bridge=bridge1 comment=defconf interface=ether4 pvid=4
add bridge=bridge1 comment=defconf interface=ether5 pvid=4
add bridge=bridge1 comment=defconf interface=ether6 pvid=4
add bridge=bridge1 comment=defconf interface=ether7 pvid=4
add bridge=bridge1 comment=defconf interface=ether8 pvid=4
add bridge=bridge1 comment=defconf interface=sfp-sfpplus1 pvid=4
add bridge=bridge1 interface=veth1 pvid=4
/interface bridge vlan
add bridge=bridge1 tagged=\
    ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1,bridge1 vlan-ids=\
    10
add bridge=bridge1 tagged=bridge1 untagged=\
    ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1,veth1 vlan-ids=4
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wireguard1 list=LAN
add interface=vlan-lan list=LAN
add interface=vlan-guest list=guest
add interface=vrrp1 list=WAN
add interface=vrrp2 list=WAN

Thanks for any ideas

Update: I just had to delete the container and re-create it, and now it works.

Good news!

I was going to say that the VETH’s ip address/gateway sometimes gets “sticky” e.g. you change the VETH ip address, but the container still uses the old one. So recreating the container would fix that.