devinganger
just joined
Topic Author
Posts: 10
Joined: Wed Jun 10, 2020 10:10 pm
Location: Monroe, WA, USA

Need help with container networking (7.4beta4)

Tue Jun 28, 2022 1:17 am

Greetings, all.
I have an RB3011 with a fairly simple setup (Internet in on WAN/ether01, bridge containing the rest of the ports for my home network.) So far all is working fine after the upgrade to 7.4beta4.
I purchased an external 1TB USB 3.0 drive, partitioned as GPT, formatted the entire drive as ext4, then attached it to my RB3011 and it is successfully mounted as disk1.
I've successfully installed the containers package and enabled it in device-mode. I followed the steps in the Containers documentation to create the environment variables and mounts, and the container will stop, start, and run.
I'm lost on the networking for this. I tried following the example but without it stating what those addresses were in relation to the rest of the router, I was making guesses and it didn't work.
My router is 172.31.0.1/21. Does anyone have any pointers on how to get the networking configured for this container?

Thanks in advance.
 
DaSnipe
just joined
Posts: 11
Joined: Mon Jan 17, 2022 5:00 am
Location: Montreal, QC, Canada

Re: Need help with container networking (7.4beta4)

Thu Jun 30, 2022 3:26 am

Hi,

Basically you need to forward ports to your internal "docker" veth interface. Not an expert but for example I forwarded my pihole to 8080 using this rule on this page (https://help.mikrotik.com/docs/display/ROS/Container)

Forward ports to internal Docker
Ports can be forwarded using dst-nat (where 192.168.88.1 is the router's IP address):

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.88.1 dst-port=8080 protocol=tcp to-addresses=172.26.0.2 to-ports=80

And I can access it on my network through this:
[screenshot attachment not available]
 
devinganger
just joined
Topic Author
Posts: 10
Joined: Wed Jun 10, 2020 10:10 pm
Location: Monroe, WA, USA

Re: Need help with container networking (7.4beta4)

Sun Jul 03, 2022 12:11 am

> Basically you need to forward ports to your internal "docker" veth interface.

Interesting. I didn't end up needing to do that, once I read further and determined that the container needs a veth and realized that the demo config creates a separate subnet for the bridge the veth is joined to so that there is a routable IP subnet. The rest was just normal address routing. I had originally given the veth and bridge IP addresses that were on my network's subnet, which of course meant that my computers didn't realize they needed to forward the packets to the default GW (my RB3011) because they thought everything was local.
 
foureight84
just joined
Posts: 10
Joined: Tue Dec 15, 2020 2:50 am

Re: Need help with container networking (7.4beta4)

Tue Sep 06, 2022 1:32 am

I'm trying to run unbound container as the upstream DNS resolver for PiHole to use locally instead of remote DNS like 1.1.1.1 or 8.8.8.8 (for example). Unbound is using port 53 by default and that conflicts with PiHole. Normally, I would do a port mapping for Unbound, for example 5053:53. I'm not seeing how to do that in the documentation for Containers in ROS. Also, how do you see which IP on VETH is assigned to which container? Would you create/use a different VETH for each container?
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Need help with container networking (7.4beta4)

Tue Sep 06, 2022 6:29 am

> I'm trying to run unbound container as the upstream DNS resolver for PiHole to use locally instead of remote DNS like 1.1.1.1.

  • I'm not seeing how to do that in the documentation for Containers in ROS
    Because that is not a part of MT. However, you could change it like any other Linux operating system. I don't have any pi-hole container to test it but it should work.
    Set the port option in
    /etc/dnsmasq.conf
  • how do you see which IP on VETH is assigned to which container?
    From the VETH interface number.
  • Would you create/use a different VETH for each container?
    Correct, you need to create a new interface for each container.
 
foureight84
just joined
Posts: 10
Joined: Tue Dec 15, 2020 2:50 am

Re: Need help with container networking (7.4beta4)

Tue Sep 06, 2022 4:14 pm

> > I'm trying to run unbound container as the upstream DNS resolver for PiHole to use locally instead of remote DNS like 1.1.1.1.
>
>   • I'm not seeing how to do that in the documentation for Containers in ROS
>     Because that is not a part of MT. However, you could change it like any other Linux operating system. I don't have any pi-hole container to test it but it should work.
>     Set the port option in
>     /etc/dnsmasq.conf
>   • how do you see which IP on VETH is assigned to which container?
>     From the VETH interface number.
>   • Would you create/use a different VETH for each container?
>     Correct, you need to create a new interface for each container.

Thank you for that clarification. I am currently using the level 1 demo license for Router OS 7 before buying the level 4 license. This is why I wasn't sure if creating another VETH for the secondary container would be one solution for conflicting ports since I am restricted to just one VETH. For now, I've just mounted a custom config for unbound to change its listening port to 5053 instead. I was just curious as there may be other containers that won't have an easy way to change published ports without having to rebuild the image. I haven't been able to get a clear answer until now.

Regarding your comment about looking at the VETH interface number: I'm a bit confused about this. The tutorial uses 172.17.0.2/16, so I assumed that the container would get assigned an IP within that large range (I think this is the wrong assumption on my part). So with multiple containers running under the same VETH interface, in my case, would they get assigned sequential IPs in the 172.17.0.2/16 block as they run (e.g. container 0 - 172.17.0.2, container 1 - 172.17.0.3)?
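
The layout devinganger describes (containers on their own routed subnet) together with own3r1138's point about one veth per container, written out as RouterOS commands for a router at 172.31.0.1/21. This is an added example, not part of any post in this thread; the 172.17.0.0/24 subnet, the names veth1, veth2 and containers, and the forwarded port are assumptions modelled on the MikroTik Container documentation.

```routeros
# Added example. Only 172.31.0.1/21 comes from the thread; every other
# address and name below is an assumption.
#
# The LAN stays 172.31.0.0/21 on the existing bridge. Containers get a
# separate subnet on a separate bridge, so LAN hosts send container traffic
# to their default gateway (the router) instead of ARPing for it locally.

# One veth per container. The address is configured on the veth itself,
# so which container has which IP follows from which veth it is bound to.
/interface/veth/add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1
/interface/veth/add name=veth2 address=172.17.0.3/24 gateway=172.17.0.1

# Dedicated bridge for containers. The router's address on this bridge is
# the gateway configured on each veth above.
/interface/bridge/add name=containers
/ip/address/add address=172.17.0.1/24 interface=containers
/interface/bridge/port/add bridge=containers interface=veth1
/interface/bridge/port/add bridge=containers interface=veth2

# Outbound access for the containers, as in the Container documentation.
/ip/firewall/nat/add chain=srcnat action=masquerade src-address=172.17.0.0/24

# LAN hosts reach 172.17.0.2 and 172.17.0.3 by ordinary routing (subject to
# the forward-chain filter rules); no dst-nat is required for that.
#
# Optional, as in DaSnipe's post: publish one container port on the router's
# LAN address. Matching dst-address=172.31.0.1 means the rule does not apply
# to connections arriving for the router's WAN address.
/ip/firewall/nat/add chain=dstnat action=dst-nat protocol=tcp \
    dst-address=172.31.0.1 dst-port=8080 \
    to-addresses=172.17.0.2 to-ports=80
```

Because each container has its own address, two services that both listen on port 53 do not collide; a rule with differing dst-port and to-ports, like the one above, is only needed when a service has to be reachable through the router's own address on another port.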
 
roswellian
just joined
Posts: 1
Joined: Mon Mar 13, 2023 1:26 am

Re: Need help with container networking (7.4beta4)

Thu Mar 16, 2023 8:51 am

> > Basically you need to forward ports to your internal "docker" veth interface.
>
> Interesting. I didn't end up needing to do that, once I read further and determined that the container needs a veth and realized that the demo config creates a separate subnet for the bridge the veth is joined to so that there is a routable IP subnet. The rest was just normal address routing. I had originally given the veth and bridge IP addresses that were on my network's subnet, which of course meant that my computers didn't realize they needed to forward the packets to the default GW (my RB3011) because they thought everything was local.

Would you please explain in a little more detail? I'm using a similar configuration. I added a veth and configured it with my LAN IP and gateway (10.10.10.3/34 and 10.10.10.1), then I added this veth into my bridge that has other LAN ports. After installing the adguard with the veth, the adguard can access the internet without any problem. However, I cannot ping from the machine (10.10.10.100) in my LAN to the veth (10.10.10.3), and vice versa. Any advice? Thanks!
