Products Firewalla Gold SE Firewalla Gold Pro Firewalla Gold Plus Firewalla Purple Firewalla Purple SE Firewalla Wi-Fi SD Product Comparison Product Reviews

FWG: Trouble with accessing VLANs from primary LAN (Docker Containers)

Follow
Avatar
kisonay
  • Edited

New to FWG (only had it a few days) and initial setup was easy. I have a single lan with all of my devices (same setup as I had before the FWG.)

Now that everything is all setup, I'm looking to start segmentation and am facing some challenges.

I have a NAS that is currently part of the LAN. I have intentions of setting it as it's own LAN (it is directly connected to FWG) but wanted to work with a VLAN first...

What I want to do is isolate a single docker container hosted on the NAS that I intend on exposing to the WAN (while allowing the Primary LAN access.)

I created a VLAN on the FWG Port the NAS is connected to. I created a Docker Network VLAN tied to this new FWG VLAN (id, subnet, gateway, ip range, etc. the network definition correctly appends the vlan id to the network interface.)

config:
        - subnet: "192.168.2.0/16"
          ip_range: "192.168.2.1/24"
          gateway: "192.168.2.1" 

I then apply the network via the compose file and deploy. The contain starts up and shows up in the VLAN with an appropriate IP, etc. The container has access to the internet (based on the stats from Firewalla App.)

Everything is as expected but then...

If I try to access the container from the LAN by IP or Local Domain the request times out. I look in the app and do not see any Blocked Flows identified.

If I ping the ip/local domain it times out:

% ping 192.168.2.100   
PING 192.168.2.100 (192.168.2.100): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

If I trace route, I see that the request makes it to the FWG and times out:

% traceroute 192.168.2.100
traceroute to 192.168.2.100 (192.168.2.100), 64 hops max, 52 byte packets
 1  firewalla (192.168.50.1)  12.809 ms  3.550 ms  3.423 ms
 2  * * *

Now, if I were to setup a Docker Network to join the Primary LAN the container connects and I can access it without issue. This leads me to believe it must something I am miss-configuring.

What am I missing, could it be the subnet I'm messing up in the docker network config?

0

Comments

3 comments

Sort by Date Votes
  • Avatar
    Firewalla

    On the docker network, did you add proper route? or map docker ports to the hosts ports? example here https://help.firewalla.com/hc/en-us/articles/360053441074

    (see the IP route part)

    0
    Comment actions Permalink
  • Avatar
    kisonay
    • Edited

    To clarify, I’m not trying to run docker on the FWG, it’s external to it. From FW perspective, it should be just like any other device, no? The network driver I’m using is vlan. 

    0
    Comment actions Permalink
  • Avatar
    kisonay

    I figured it out (thanks to the direction you nudged me.)

    The root problem was I was binding the docker network to the untagged interface.

    I had to create a new interface, tag it with the appropriate vlan id and then bind my Docker Network to that interface. Everything seems to be working as expected now.

    1
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post