Firewalla runs on a full Linux distribution with full shell access, so ... there is virtually no limitation on what it can do. If you are good with technology, we want you to "hack" the system and make it better! And if you do have a good "hack" please let us know!
One of the major problems of having an open system is ... over time, the system will get polluted with stuff. With the Firewalla Gold, we are introducing Docker Containers.
What is a Docker Container?
- Docker is a tool that allows developers, sys-admins, etc. to easily deploy their applications in a sandbox (called containers) to run on the host operating system i.e. Linux. The key benefit of Docker is that it allows users to package an application with all of its dependencies into a standardized unit for software development. Unlike virtual machines, containers do not have high overhead and hence enable more efficient usage of the underlying system and resources. (https://docker-curriculum.com/)
What are the advantages?
- Isolation: you can fully contain one application inside a docker container without messing with the running operating system.
- Better Performance: containers can perform much better than virtual machines.
- Portable: many known services already have docker support, so you can easily deploy them on firewalla
A few reminders before you start:
Containers will help you to bring network-based functions... closer to the network.
- WARNING: the Gold is NOT a general computer. Please be careful with what you install on the Gold. Containers cost CPU and memory... and if not careful, may cause security problems.
- The Gold has a default ingress (outside to inside) Firewall, please do not turn it off.
- Watch out for ports being opened by services, make sure they are never mapped to the WAN interface (unless you know what you are doing).
- Watch out for disk space... Your Gold may not run correctly if you create too many docker images and not manage them correctly.
- The default user in firewalla has sudo access. So consider anything you are running has root access.
- Firewalla is not responsible for the security of packages you are installing or using.
Docker container examples:
To help you get started, we have created a few examples based on the feedback from our current user base. Please note, these are examples only, we do not endorse or implies these brands endorse us in any way.
Homebridge via Docker
Homebridge adds HomeKit support to your non-HomeKit smart home devices.
https://help.firewalla.com/hc/en-us/articles/360053184374
Pi-hole via Docker
https://help.firewalla.com/hc/en-us/articles/360051625034
Unifi-Controller via Docker
https://help.firewalla.com/hc/en-us/articles/360053441074
Notes
Certain modules may require special access permissions from the docker network module, and this may require special processing in the Firewalla code to open the ingress or egress firewalls. This piece of code is coming to 1.971. This is the reason pi-hole instructions are a bit late.
All product names, logos, and brands are the property of their respective owners. All company, product, and service names used in this website are for identification purposes only. The use of these names, logos, and brands does not imply endorsement.
Comments
17 comments
Questions:
Alex, you should be able to keep docker running after reboot by running
sudo systemctl enable dockerThis isn't working for me.
Homebridge is running just fine, but can't be added to my homekit. Anyone notice that the WAN address is shown in homebridge when it is running on Firewalla?
Alex, make sure you point at your firewalla. For me, initially the URL given was wrong. Instead of my gateway, which is Firewalla at 192.168.0.1 it gave me my WAN IP. Switch to your Firewalla IP and specify port "8080" and you should see homebridge on Firewalla. for me that is, "http://192.168.0.1:8080/login"
By the way, some great tutorials about homebridge/docker. It would be great to have a link to that in the tutorial.
O.K. here is how to get homebridge working on firewalla Gold. After completing the steps above, you must do this:
0. Confirm the homebridge container is running using the terminal as above or, open the UI
1.You need to add
"mdns": { "interface": "LAN-IP-of-Gold" }to your homebridge config.json file. Check this for more details https://github.com/homebridge/homebridge/issues/1957 For example,{"mdns": {
"interface": "192.168.0.1"
},
"bridge": {
"name": "Homebridge Firewalla",
"username": "1B:20:2J:1A:1C:4B",
"port": 52175,
"pin": "093-48-135"
},
Note, the username does not have to be the MAC address of your firewalla.
2. Change the user name, PIN, and hostname in the homebridge config.json.
3. Delete “persist” and “accessories“ dirs in homebridge directory.
4. Restart the docker container.
5. Open the homebridge UI in a browser,
5. Add the homebridge accessory to Home by scanning the QR Code.
Note firewalla will show an IPV6 address in the UI even if you have disabled ipv6. Also, it will report your WAN IP as the ipv4 address which isn’t standard for homebridge. Neither of these seems to impact things working though.
Added a tutorial on the homebridge github side.
Thanks much! Works great now.
thanks. wanted a place to run the Unifi controller since i got rid of the UDM
@Matt Chesler that command doesn't seem to have any effect. Tried it on my pi-hole docker setup on FWG. I still have to manually start up the pi-hole docker. Everything else inside the pi-hole configuration persists though, which is good.
@Hans, the persist code will be in 1.971 for the Gold; we will update the document once it is ready. (as the time of this message, should be very soon)
How a change my docker ip? I will configure pihole in there now to free my raspberry o/
Hi team,
Have you or anyone had a chance to try setting up https://nginxproxymanager.com/ under the Firewalla Docker environment? I should receive my Gold next week, but it would be great to be able to have my reverse proxy running on the Gold rather than requiring another device.
Thanks,
Shane.
I HIGHLY recommend installing Portainer to your Docker stack.
It makes management of all your containers incredibly simple. I followed this guide:
https://homenetworkguy.com/how-to/install-pihole-on-raspberry-pi-with-docker-and-portainer/
More info on portainer in Guide: How to install Pi-Hole on Gold (beta). Seek the 2nd page of comments for my Q&A and findings,
HERE:
https://help.firewalla.com/hc/en-us/articles/360051625034-Guide-How-to-install-Pi-Hole-on-Gold-Beta-?page=2#comments
Quick update: Portainer Install commands. This is assuming your firewalla is named firewalla.lan on the network which is default.
SSH to Firewalla (mac terminal):
ssh pi@firewalla.lan
Portainer docker setup location:
cd /home/pi/.firewalla/run/docker
Install:
sudo systemctl start docker
sudo docker volume create portainer_data
sudo docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data --restart always portainer/portainer
sudo docker ps
If correctly installed, portainer will show as a docker container from the docker ps command.
You should then be able to access portainer on the network at:
http://firewalla.lan:9000
If you see this, you can set up your portainer admin password and start using portainer to add your containers (homebridge/pihole/etc):
Good luck and have fun!
@brian for some reason i can’t make this work. Portainer installs and is running but doesn’t load when I go to the IP:9000 address of my Gold.
I'm not very good at docker debugging hence my desire to use portainer :-)
Simple suggestion first, you went to http instead of https right?
Next up, check the container log. When installed it's named randomly mine was trusty_trigger:
docker container ls
docker container logs trusty_trigger
That might give you a hint as to what's the matter.
Please sign in to leave a comment.