own3r1138
Long time Member
Topic Author
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

A noob VS MT container networking | OCSERV Image

Thu Sep 22, 2022 8:00 am

Hi,

I have been working to build my own ocserv container image for the past few days.
I will post it, but before getting into that, I have to ask a question. I can't find any documentation for it in the MT documentation, or perhaps I misunderstand it as I usually do.

How should one configure the container network in Mikrotik?

Network diagram: diagram.jpg

What is working?
Image: I tried so many different versions and repositories. This build is not final. But before making more effort, I need to know if this will work. (image.jpg)
Container: container.jpg
Radius: ras.jpg
Ocserv: debug.jpg
Connection: client.jpeg

What is not working?
As far as I can tell:
From the client side, I can ping 10.10.16.1 and 172.17.0.2.
I can not ping 172.17.0.1, 1.1.1.1, or 8.8.8.8.
The client traceroute doesn't pass the 10.10.16.1 IP address.
torch.jpg
Here are some parts of the config: interface.rsc, address.rsc, firewall.rsc, container.rsc, route.jpg

Dockerfile
FROM ubuntu:kinetic

# Keep apt non-interactive for the whole build
ENV DEBIAN_FRONTEND=noninteractive

# Generate a UTF-8 locale; update and install in the same layer so the
# package lists are not baked into the image
RUN apt-get update && apt-get install -y locales apt-utils && \
    sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
    dpkg-reconfigure locales && \
    update-locale LANG=en_US.UTF-8 && \
    rm -rf /var/lib/apt/lists/*
ENV LANG=en_US.UTF-8

# Upgrade the base first, then install ocserv and the RADIUS client library;
# nano, curl and wget are only there for debugging inside the container
RUN apt-get update && apt-get upgrade -y && \
    apt-get install -y ocserv libradcli4 iptables nano lz4 xz-utils curl wget && \
    apt-get clean && rm -rf /var/lib/apt/lists/*

WORKDIR /etc/ocserv

# ocserv config, certificates and the radcli client config
COPY ocserv/* /etc/ocserv/
COPY radcli/* /etc/radcli/

COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

# TCP for the TLS control channel, UDP for DTLS
EXPOSE 15443/tcp 15443/udp
CMD ["ocserv", "-c", "/etc/ocserv/ocserv.conf", "-f", "-d", "1"]

entrypoint.sh
#!/bin/bash
set -eu

# ocserv routes VPN client traffic between its tun device and eth0 inside the
# container's network namespace, so forwarding has to be enabled there.
# sysctl needs a writable /proc/sys; if the runtime denies that, warn instead
# of aborting so the failure is visible in the container log.
sysctl -w net.ipv4.ip_forward=1 || echo "WARNING: could not enable net.ipv4.ip_forward" >&2

# Left disabled: NAT and MSS clamping are done on the router, not in the container
#iptables-nft -t nat -A POSTROUTING -j MASQUERADE
#iptables-nft -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Hand over to the CMD (ocserv in the foreground)
exec "$@"
Last edited by own3r1138 on Thu Sep 22, 2022 8:44 am, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: A noob VS MT container networking | OCSERV Image  [SOLVED]

Thu Sep 22, 2022 8:25 am

I don't think it's correct to have veth interfaces as parts of a bridge and to set addresses directly on those interfaces. Additionally, I don't think you actually have to set an address from the subnet intended to be internal to the container on the veth of the same container (to make this part work, the veth should have proxy-arp enabled for the "internal" IP subnet).

I.e.
/interface veth
add address=172.17.0.3/24 gateway=172.17.0.1 name=ocserv
/interface bridge port
add bridge=containers interface=ocserv
# next part is IMO wrong. Address should not be set on an interface which is a port member of a bridge
/ip address
add address=10.10.16.1/24 interface=ocserv network=10.10.16.0

I think it should better work like this:
/interface veth
add address=172.17.0.3/24 gateway=172.17.0.1 name=ocserv
/interface bridge port
add bridge=containers interface=ocserv
/ip route
add dst-address=10.10.16.0/24 gateway=172.17.0.3
... the above relies on containers having a correct default route set (internally, that is) ... which by default they probably don't. Or do they?

I also think that you don't need all those SRC NAT rules for traffic passing containers; in principle, containers should manage with their default route set to the router's IP address from the container network. Excessive SRC NAT may make things work when routing is not done right, but it also hides the real remote IP addresses from the service running behind such NAT, which most of the time is an undesirable effect.
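A fuller version of the layout described in the reply above, as an added example that is not from the original thread or from either poster: the router's address for the container subnet sits on the bridge, the veth is only a bridge port, and the VPN client subnet is reached through a static route via the container rather than through SRC NAT or proxy ARP. The subnets 172.17.0.0/24 and 10.10.16.0/24 and port 15443 come from the thread; the WAN interface name ether1, the container root-dir and tag values, and a drop-by-default forward chain are assumptions.

```routeros
# Container bridge: the router's IP for the container subnet goes on the
# bridge, not on the veth (a bridge port must not carry an IP address).
/interface bridge
add name=containers
/ip address
add address=172.17.0.1/24 interface=containers

# veth for ocserv: address and gateway here become the container's eth0
# address and default route, so replies from inside the container come back
# to the router without any NAT.
/interface veth
add name=ocserv address=172.17.0.3/24 gateway=172.17.0.1
/interface bridge port
add bridge=containers interface=ocserv

# The VPN client pool 10.10.16.0/24 is handed out by ocserv inside the
# container; tell the router to reach it via the container instead of
# relying on proxy ARP on the veth.
/ip route
add dst-address=10.10.16.0/24 gateway=172.17.0.3

# Only the VPN listener is published from the WAN (ether1 is an assumption).
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=15443 \
    action=dst-nat to-addresses=172.17.0.3 to-ports=15443 comment="ocserv TLS"
add chain=dstnat in-interface=ether1 protocol=udp dst-port=15443 \
    action=dst-nat to-addresses=172.17.0.3 to-ports=15443 comment="ocserv DTLS"
# Egress NAT stays at the WAN edge; there is no per-container srcnat, so
# ocserv and the RADIUS server still see the real client addresses.
add chain=srcnat out-interface=ether1 src-address=10.10.16.0/24 \
    action=masquerade comment="VPN clients to internet"
add chain=srcnat out-interface=ether1 src-address=172.17.0.0/24 \
    action=masquerade comment="containers to internet"

# Forward chain (assumes drop-by-default): let VPN clients and the container
# out, let the DST-NATed VPN handshake in, drop everything else from WAN.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=containers src-address=10.10.16.0/24 \
    action=accept comment="VPN clients out"
add chain=forward in-interface=containers src-address=172.17.0.0/24 \
    action=accept comment="containers out"
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    action=accept comment="inbound to ocserv"
add chain=forward in-interface=ether1 action=drop

# Bind the image to the veth (root-dir and tag are assumptions).
/container
add interface=ocserv root-dir=disk1/ocserv tag=ocserv:latest start-on-boot=yes
```

With this layout a client traceroute should show 10.10.16.1 (ocserv's tun address in the container), then 172.17.0.1 (the bridge), then the WAN path; if it still stops at 10.10.16.1, check that the container really has ip_forward enabled and that the 10.10.16.0/24 route is active in /ip route.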
 
own3r1138 (Topic Author)

Re: A noob VS MT container networking | OCSERV Image

Thu Sep 22, 2022 9:15 am

@mkx

I can't tell you how much I appreciate your help. You just made my day. <3

Could you please confirm if I set the ARP proxy correctly?
arp.jpg

tourch-done.jpg
howis.jpg
traceroute.jpg

Again, Thank you.
 
mkx

Re: A noob VS MT container networking | OCSERV Image

Thu Sep 22, 2022 5:28 pm

Could you please confirm if I set the ARP proxy correctly?

Frankly, I've no idea. I run into situations where I need proxy ARP very seldom, and so far never ones that involved configuring it on ROS. Often enough, though, that I somehow understand why it's needed :wink:
 
own3r1138 (Topic Author)

Re: A noob VS MT container networking | OCSERV Image

Thu Sep 22, 2022 9:35 pm

I set the value to proxy-arp as it looks more right to me but I'm not certain.
local-proxy-arp - the router performs proxy ARP on the interface and sends replies to the same interface
proxy-arp - the router performs proxy ARP on the interface and sends replies to other interfaces

Thank you.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: A noob VS MT container networking | OCSERV Image

Thu Sep 22, 2022 9:47 pm

When *proxy-arp fixes something, you're doing something wrong. Personal opinion.
 
own3r1138 (Topic Author)

Re: A noob VS MT container networking | OCSERV Image

Thu Sep 22, 2022 10:04 pm

@Znevna
When proxy-arp fixes something, you're doing something wrong.
I welcome you with open arms if you have a better solution for this.

Thanks.
