Products Firewalla Gold SE Firewalla Gold Pro Firewalla Gold Plus Firewalla Purple Firewalla Purple SE Firewalla Wi-Fi SD Product Comparison Product Reviews

Could Firewalla Gold have impacted my Docker containers' internet access from a networked machine?

Follow
Avatar
Sheamus Burns

I recently installed the Firewalla gold and for the most part I love it. 

Immediately after installing it though, I did begin to notice that when developing on a local machine and running docker containers, my containers would (more than occasionally) error out because they were trying to contact the internet, but were not able to access the internet. It doesn't happen reliably, and I don't think there is anything specific I can do to cause the problem. 
It happens for a variety of endpoints it tries to reach, so it doesn't seem specific to a single domain or target ip. 

I'm not quite sure how docker makes internet accessible ports available to the docker container. I think its done with VPNKit but I don't really understand the plumbing of it all. 

I guess I'm tossing this out there to see if anyone else has seen issues on a firewalla network and if you've found a cause or a workaround, or if you have ideas about my configuration/setup that I should look into. 

Thanks!

0

Comments

3 comments

Sort by Date Votes
  • Avatar
    Firewalla

    Docker container access to the internet should not be related to Firewalla.  My suggestion is to check rules and disable/enable a few of them.  For example, if you have DoH, you may want to turn it off or change the endpoint to something else.   DoH for example is pretty new, we have seen it having problems. 

    See here for some debugging tips. 

    https://help.firewalla.com/hc/en-us/articles/360050255274

    0
    Comment actions Permalink
  • Avatar
    Sheamus Burns

    Thanks for the quick response and the advice. The only feature turned on for this machine is "Monitoring". I turned it off this am. after experiencing the issue a couple times and I haven't experienced it since. It could be that docker's usage of vpnkit may conflict with whatever process requests move through when monitoring is on.

    I will keep an eye on it, and see if toggling on the monitoring does consistently trigger the issue. If it seems to be consistent, can you think of a way I could replicate this in a sandbox so that I can log a potential issue to investigate? maybe a container that just pings a bunch of public ips to demonstrate it?

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    I'd look at this problem from two aspects

    1. DNS.  When problems happen, try to look and see what's the DNS part is returning.  We have seen cases, where if you have ipv6 on, and the ipv6 address returned by DNS was not reachable.  

    2. Connectivity.  try to do a ping to say 1.1.1.1 or 8.8.8.8 and see if they fail. (also above, make sure both your v6 and v4 are connected)

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post