Firewalla runs on a full Linux distribution with full shell access. If you know a bit of Linux you can easily expand the Firewalla with regular Linux packages and tools.
One of the major problems of having an open system is that, over time, the system may get polluted with software which can cause issues. To solve this problem, we have included native docker container support for Firewalla Gold, Purple, and Blue Plus. Docker containers provide a sandbox in which to run your own applications while maintaining system integrity.
What is a Docker Container?
- Docker is a tool that allows developers, sys-admins, etc. to easily deploy their applications in a sandbox (called containers) to run on the host operating system i.e. Linux. The key benefit of Docker is that it allows users to package an application with all of its dependencies into a standardized unit for software development. Unlike virtual machines, containers do not have a high overhead and hence enable more efficient usage of the underlying system and resources. (https://docker-curriculum.com/)
What are the advantages of Docker?
- Isolation: you can fully contain one application inside a docker container without messing with the running operating system.
- Better Performance: containers can perform much better than virtual machines.
- Portable: many known services already have docker support, so you can easily deploy them on firewalla.
A few reminders before you start
Containers will help you bring network-based functions closer to the network. However, keep the following caveats in mind. Firewalla's primary job is to secure your network, and overtaxing it may degrade your network performance, so use some caution. Try things out and watch for sudden performance issues.
- WARNING: the Firewalla is NOT a general-purpose computer. Please be careful with what you install. Containers cost CPU and memory... and if not properly configured, may also cause security problems.
- Watch out for ports being opened by services, make sure they are never mapped to the WAN interface (unless you know what you are doing).
- Watch out for disk space. Your Firewalla may not run correctly if you create too many docker images and do not manage them correctly. Be sure to run docker image prune (or docker system prune) each time you update a container, so that superseded image layers are removed.
- The default user in firewalla has sudo access. So anything you run has root access.
- Firewalla is not responsible for the security of any containers or packages you install.
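The second caveat above (never map a container port to the WAN interface) is easy to check from the Firewalla shell: a mapping bound to 0.0.0.0 or :: listens on every interface of the box, which on a gateway includes the WAN side, while a mapping bound to the LAN address only answers inside the network. The script below is an added example and is not part of the Firewalla article or its tooling; it parses the Ports column of `sudo docker ps --format '{{.Names}}\t{{.Ports}}'` and flags mappings that listen on all interfaces. The container names, addresses and port numbers in SAMPLE_PS are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Firewalla article): audit container port mappings
# for bindings on all interfaces, which on a gateway box means the WAN side too.
# Input is the output of:  sudo docker ps --format '{{.Names}}\t{{.Ports}}'
# SAMPLE_PS is a constructed sample showing unsafe, safe and unmapped ports.

SAMPLE_PS="portainer\t0.0.0.0:9000->9000/tcp, :::9000->9000/tcp
homebridge\t192.168.0.1:8080->8080/tcp
pihole\t53/tcp, 53/udp, 192.168.0.1:80->80/tcp"

# audit_ports "<docker ps output>"
# Prints one line per host-mapped port: "<container> <host-bind> <verdict>"
# where verdict is ALL-INTERFACES (0.0.0.0 or ::) or bound (a specific address).
audit_ports() {
    printf '%b\n' "$1" | awk -F'\t' '
    {
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (m !~ /->/) continue      # no host mapping: only reachable on the docker network
            split(m, parts, "->")
            host = parts[1]
            addr = host
            sub(/:[0-9]+$/, "", addr)    # "0.0.0.0:9000" -> "0.0.0.0", ":::9000" -> "::"
            verdict = (addr == "0.0.0.0" || addr == "::") ? "ALL-INTERFACES" : "bound"
            print $1, host, verdict
        }
    }'
}

# has_wan_exposure "<docker ps output>"
# Exit status 0 if any mapping listens on all interfaces, 1 otherwise.
has_wan_exposure() {
    audit_ports "$1" | grep -q 'ALL-INTERFACES'
}

# Stand-alone run over the constructed sample:
audit_ports "$SAMPLE_PS"
if has_wan_exposure "$SAMPLE_PS"; then
    echo "WARNING: at least one container port is reachable from every interface" >&2
fi
```

On a real box, replace the sample with `audit_ports "$(sudo docker ps --format '{{.Names}}\t{{.Ports}}')"`. The fix for a flagged mapping is to re-create the container with the host side of `-p` pinned to the LAN address (for example `-p 192.168.0.1:9000:9000` instead of `-p 9000:9000`), which is what the "bound" verdict represents.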
Docker container Examples
To help you get started, we have created a few examples based on feedback from our customers. Firewalla Gold and Purple series boxes should not have issues running these examples on a production network. Please note, these are examples only, we do not endorse these brands nor do they endorse us in any way.
Homebridge via Docker
Homebridge is a server you can run on your home network that can connect many devices that aren't certified to work with Apple Homekit. It is a bridge between HomeKit and these devices which allows you to use Siri to control them.
Using docker is the best way to install Homebridge, as it keeps the service isolated from the host OS itself and makes it easy to back up and update independently.
For full details, see Install HomeBridge on Firewalla
Unifi-Controller via Docker
UniFi Controller is a small server that manages all aspects of UniFi equipment such as APs (Access Points) and switches. It allows you to create VLANs and WLANs, update your UniFi boxes, and much more. You can run the Controller in a docker container right on Firewalla Gold.
For full details, see How to run UniFi Controller on the Firewalla Gold
Pi-hole via Docker
The Pi-hole® uses DNS blocks to protect your devices from unwanted content, without installing any client-side software. Firewalla already has similar capabilities in features such as Ad Block, but some customers have experimented with Pi-hole. You may not want to use both Pi-hole and Ad Block on the same devices: when a false positive blocks content you actually want to reach, it becomes harder to determine which of the two is causing it.
How to install Pi-Hole on Gold/Purple (Beta)
Final Note
Certain modules may require special access permissions from the docker network module, and this may require special processing in the Firewalla code to open the ingress or egress firewalls. This feature was delivered in 1.971.
Known Issue
On Ubuntu 22.04 and later, when docker starts up it may load the kernel module br_netfilter, which conflicts with Ubuntu 22.04 if you are using Smart Queue. Docker containers managed by Firewalla handle this automatically, but if you create your own docker instance you may need to run:
sudo rmmod br_netfilter
after starting the docker service, or the Firewalla routing function may break.
This is due to a Linux kernel bug which we plan to work around in our 1.976 release.
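Because rmmod fails on a module that is not loaded (or that another module still references), it is worth checking lsmod before unloading. The following is an added example, not part of the Firewalla article: it parses lsmod output, reports whether br_netfilter is present and its reference count, and only then runs the rmmod command given above. SAMPLE_LSMOD is constructed output for the demonstration; on a real box the function reads the live lsmod.

```shell
#!/bin/sh
# Added example (not from the Firewalla article): make the br_netfilter
# work-around idempotent by checking lsmod before calling rmmod.
# SAMPLE_LSMOD is a constructed lsmod listing used for the stand-alone run.

SAMPLE_LSMOD="Module                  Size  Used by
br_netfilter           32768  0
bridge                307200  1 br_netfilter
nf_tables             245760  3"

# module_state "<lsmod output>" <module>
# Prints "loaded <refcount>" when the module is present, "absent" otherwise.
# Column 3 of lsmod is the "Used by" count; rmmod refuses to unload when it is non-zero.
module_state() {
    printf '%s\n' "$1" | awk -v mod="$2" '
        NR > 1 && $1 == mod { print "loaded " $3; found = 1 }
        END { if (!found) print "absent" }'
}

# fix_br_netfilter
# Unloads br_netfilter only if it is loaded and unreferenced.
# Returns 0 when the module is absent afterwards, 1 if it is held by another module.
fix_br_netfilter() {
    state=$(module_state "$(lsmod)" br_netfilter)
    case "$state" in
        absent)     return 0 ;;
        "loaded 0") sudo rmmod br_netfilter ;;
        *)          echo "br_netfilter is in use ($state); not removing" >&2; return 1 ;;
    esac
}

# Stand-alone run against the constructed listing:
echo "br_netfilter: $(module_state "$SAMPLE_LSMOD" br_netfilter)"
echo "bridge:       $(module_state "$SAMPLE_LSMOD" bridge)"
```

Run `fix_br_netfilter` after `sudo systemctl start docker` (or after a reboot) in place of the bare rmmod; it is safe to call repeatedly because the absent case exits cleanly.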
Related Articles
- https://help.firewalla.com/hc/en-us/articles/360060535553-Guide-How-to-reset-your-docker-service-Beta-
- https://help.firewalla.com/hc/en-us/articles/360007345553-Fun-Things-To-Do-with-Firewalla
- User-generated tutorials: https://help.firewalla.com/hc/en-us/community/topics/360001948014-Expanding-Firewalla-Docker-Third-Party-Apps-Scripts-
All product names, logos, and brands are the property of their respective owners. All company, product, and service names used in this website are for identification purposes only. The use of these names, logos, and brands does not imply endorsement.
Comments
Questions:
Alex, you should be able to keep docker running after reboot by running
sudo systemctl enable docker
This isn't working for me.
Homebridge is running just fine, but can't be added to my homekit. Anyone notice that the WAN address is shown in homebridge when it is running on Firewalla?
Alex, make sure you point at your firewalla. For me, initially the URL given was wrong. Instead of my gateway, which is Firewalla at 192.168.0.1, it gave me my WAN IP. Switch to your Firewalla IP and specify port "8080" and you should see homebridge on Firewalla. For me that is "http://192.168.0.1:8080/login"
By the way, some great tutorials about homebridge/docker. It would be great to have a link to that in the tutorial.
O.K. here is how to get homebridge working on firewalla Gold. After completing the steps above, you must do this:
0. Confirm the homebridge container is running using the terminal as above or, open the UI
1. You need to add
"mdns": { "interface": "LAN-IP-of-Gold" }
to your homebridge config.json file. Check this for more details https://github.com/homebridge/homebridge/issues/1957 For example,Note, the username does not have to be the MAC address of your firewalla.
2. Change the user name, PIN, and hostname in the homebridge config.json.
3. Delete “persist” and “accessories“ dirs in homebridge directory.
4. Restart the docker container.
5. Open the homebridge UI in a browser.
6. Add the homebridge accessory to Home by scanning the QR Code.
Note firewalla will show an IPv6 address in the UI even if you have disabled IPv6. Also, it will report your WAN IP as the IPv4 address, which isn’t standard for homebridge. Neither of these seems to impact things working though.
Added a tutorial on the homebridge github side.
Thanks much! Works great now.
Thanks. Wanted a place to run the Unifi controller since I got rid of the UDM.
@Matt Chesler that command doesn't seem to have any effect. Tried it on my pi-hole docker setup on FWG. I still have to manually start up the pi-hole docker. Everything else inside the pi-hole configuration persists though, which is good.
@Hans, the persist code will be in 1.971 for the Gold; we will update the document once it is ready. (as the time of this message, should be very soon)
How do I change my docker IP? I will configure pihole in there now to free my raspberry o/
Hi team,
Have you or anyone had a chance to try setting up https://nginxproxymanager.com/ under the Firewalla Docker environment? I should receive my Gold next week, but it would be great to be able to have my reverse proxy running on the Gold rather than requiring another device.
Thanks,
Shane.
I HIGHLY recommend installing Portainer to your Docker stack.
It makes management of all your containers incredibly simple. I followed this guide:
https://homenetworkguy.com/how-to/install-pihole-on-raspberry-pi-with-docker-and-portainer/
More info on portainer in Guide: How to install Pi-Hole on Gold (beta). Seek the 2nd page of comments for my Q&A and findings,
HERE:
https://help.firewalla.com/hc/en-us/articles/360051625034-Guide-How-to-install-Pi-Hole-on-Gold-Beta-?page=2#comments
Quick update: Portainer Install commands. This is assuming your firewalla is named firewalla.lan on the network which is default.
SSH to Firewalla (mac terminal):
ssh pi@firewalla.lan
Portainer docker setup location:
cd /home/pi/.firewalla/run/docker
Install:
sudo systemctl start docker
sudo docker volume create portainer_data
sudo docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data --restart always portainer/portainer
sudo docker ps
If correctly installed, portainer will show as a docker container from the docker ps command.
You should then be able to access portainer on the network at:
http://firewalla.lan:9000
If you see this, you can set up your portainer admin password and start using portainer to add your containers (homebridge/pihole/etc):
Good luck and have fun!
@brian for some reason i can’t make this work. Portainer installs and is running but doesn’t load when I go to the IP:9000 address of my Gold.
I'm not very good at docker debugging hence my desire to use portainer :-)
Simple suggestion first, you went to http instead of https right?
Next up, check the container log. When installed it's named randomly mine was trusty_trigger:
docker container ls
docker container logs trusty_trigger
That might give you a hint as to what's the matter.
How efficient are the containers on a Purple?
@Steve ... https://stackoverflow.com/questions/21889053/what-is-the-runtime-performance-cost-of-a-docker-container
@steve you may want to use an SD card for storage as Purple can run out of space with just a few containers.
@steve I moved my docker root to an SD card on my FWP.
https://help.firewalla.com/hc/en-us/community/posts/4491452568851-Moving-docker-to-SD-card-on-Firewalla-Purple