gfunkdave
newbie
Topic Author
Posts: 45
Joined: Tue Jan 09, 2018 12:05 am

Using NAT for a docker container

Thu May 25, 2023 10:04 pm

I followed these instructions to run Pihole in a container on my RB5009. Pihole works fine. I created the VETH interface for it at 192.168.5.10 and can access its web UI from my LAN, which is 192.168.4.0/24.

What I'd really like is for it to appear on my LAN segment. I couldn't get it to work by simply setting the VETH interface to 192.168.4.2. So I was thinking of setting up a pair of DNAT and SNAT rules to make it appear like it's at 192.168.4.2 but I can't get them to work.

I've tried a few versions of rules 2 and 3 - anyone see something I'm doing wrong?
[david@RoutyMcRouterson] > /ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN 
      ipsec-policy=out,none 

 1    chain=srcnat action=src-nat to-addresses=192.168.4.2 
      src-address=192.168.5.10 out-interface=vlan-lan log=no log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=192.168.5.10 
      dst-address=192.168.4.2 in-interface=docker log=no log-prefix="" 

I have also tried it without the out-interface and in-interface.
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Using NAT for a docker container

Thu May 25, 2023 10:10 pm

You can add the VETH to your LAN bridge (or VLAN) in /interface/bridge/ports, and in /interface/veth use the 192.168.4.2 LAN IP and MikroTik LAN address as gateway. No NAT required.
 
gfunkdave
newbie
Topic Author
Posts: 45
Joined: Tue Jan 09, 2018 12:05 am

Re: Using NAT for a docker container

Thu May 25, 2023 10:46 pm

> You can add the VETH to your LAN bridge (or VLAN) in /interface/bridge/ports, and in /interface/veth use the 192.168.4.2 LAN IP and MikroTik LAN address as gateway. No NAT required.

Oh I feel so dumb. I forgot to add it in /interface/bridge/ports. But I still can't access the Pihole. Pinging 192.168.4.2 just gives "destination host unreachable". I have restarted the container a few times. I have also added veth1 to the correct VLAN (VID 4).

Here's the result of /interface export (though I deleted the Wireguard peers):
# may/25/2023 14:37:08 by RouterOS 7.9.1
# software id = U9U9-RERG
#
# model = RB5009UG+S+
/interface bridge
add admin-mac=48:A9:8A:D0:92:E3 auto-mac=no comment=defconf frame-types=\
    admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface veth
add address=192.168.4.2/24 gateway=192.168.4.1 name=veth1
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface vrrp
add comment="ipv6 for LAN" interface=ether1 name=vrrp1 v3-protocol=ipv6
add comment="ipv6 for guest" interface=ether1 name=vrrp2 v3-protocol=ipv6 \
    vrid=2
/interface vlan
add interface=bridge1 name=vlan-guest vlan-id=10
add interface=bridge1 name=vlan-lan vlan-id=4
/interface ethernet switch
set 0 cpu-flow-control=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=guest
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether3 pvid=4
add bridge=bridge1 comment=defconf interface=ether4 pvid=4
add bridge=bridge1 comment=defconf interface=ether5 pvid=4
add bridge=bridge1 comment=defconf interface=ether6 pvid=4
add bridge=bridge1 comment=defconf interface=ether7 pvid=4
add bridge=bridge1 comment=defconf interface=ether8 pvid=4
add bridge=bridge1 comment=defconf interface=sfp-sfpplus1 pvid=4
add bridge=bridge1 interface=veth1 pvid=4
/interface bridge vlan
add bridge=bridge1 tagged=\
    ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1,bridge1 vlan-ids=\
    10
add bridge=bridge1 tagged=bridge1 untagged=\
    ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1,veth1 vlan-ids=4
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wireguard1 list=LAN
add interface=vlan-lan list=LAN
add interface=vlan-guest list=guest
add interface=vrrp1 list=WAN
add interface=vrrp2 list=WAN

Thanks for any ideas
 
gfunkdave
newbie
Topic Author
Posts: 45
Joined: Tue Jan 09, 2018 12:05 am

Re: Using NAT for a docker container

Fri May 26, 2023 4:49 pm

Update: I just had to delete the container and re-create it, and now it works.
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Using NAT for a docker container

Fri May 26, 2023 5:57 pm

> Update: I just had to delete the container and re-create it, and now it works.

Good news!

I was going to say that the VETH's IP address/gateway sometimes gets "sticky", e.g. you change the VETH IP address, but the container still uses the old one. So recreating the container would fix that.
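
A check for the bridged-VETH setup this thread arrives at, added here as an example and not code from either poster or from MikroTik: it parses an `/interface export` and reports why a VETH would not sit on the LAN segment (not a bridge port, wrong pvid, address or gateway outside the LAN subnet). The embedded export is a constructed sample reusing the thread's names and addresses; `parse_export` and `check_veth` are hypothetical helper names.

```python
import ipaddress
import re
import shlex

# Constructed sample: a trimmed /interface export reusing the thread's names.
SAMPLE_EXPORT = r"""
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface veth
add address=192.168.4.2/24 gateway=192.168.4.1 name=veth1
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether3 pvid=4
add bridge=bridge1 interface=veth1 \
    pvid=4
"""

def parse_export(text):
    """Map each export menu path to the key=value dicts of its 'add' lines."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    menus, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif menu and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            menus.setdefault(menu, []).append(dict(pairs))
    return menus

def check_veth(text, veth, lan_cidr, lan_vid):
    """Return reasons the VETH would not sit on the LAN segment (empty if none)."""
    cfg, lan, problems = parse_export(text), ipaddress.ip_network(lan_cidr), []
    entry = next((v for v in cfg.get("/interface veth", []) if v.get("name") == veth), None)
    if entry is None:
        return [f"{veth}: no such VETH"]
    if ipaddress.ip_interface(entry["address"]).ip not in lan:
        problems.append(f"{veth}: address {entry['address']} is outside {lan}")
    if ipaddress.ip_address(entry["gateway"]) not in lan:
        problems.append(f"{veth}: gateway {entry['gateway']} is outside {lan}")
    port = next((p for p in cfg.get("/interface bridge port", [])
                 if p.get("interface") == veth), None)
    if port is None:
        problems.append(f"{veth}: not a bridge port")
    elif int(port.get("pvid", 1)) != lan_vid:  # RouterOS default pvid is 1
        problems.append(f"{veth}: pvid {port.get('pvid', 1)} is not LAN VLAN {lan_vid}")
    return problems

if __name__ == "__main__":
    print(check_veth(SAMPLE_EXPORT, "veth1", "192.168.4.0/24", 4) or "veth1 is bridged onto the LAN")
```

A clean result only says the export is consistent; as the thread notes, a container can keep using an old VETH address until it is re-created.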
