Omada Controller Docker

Comments

3 comments

  •
    Ciordia9

    Was having trouble with the maintainer's Raspbian Docker image, so I decided to move it over to Firewalla. Worked easy. Thanks. :)

  •
    Charles W

    mbentley has patched his Docker repo for the Log4j exploit. Please pull the new files:


    cd /home/pi/.firewalla/run/docker/omada-controller
    # fetch the patched image
    sudo docker pull mbentley/omada-controller:4.4-arm64
    # stop and remove the old container; persistent data is in the bind-mounted volumes
    sudo docker container stop omada-controller
    sudo docker container rm omada-controller
    # recreate the container from the freshly pulled image
    sudo docker-compose up -d
    # confirm the new container is running
    sudo docker ps
    # drop the old, unpatched image layers
    sudo docker system prune

  •
    Charles W

    Another quick update about security: running the Docker container in host mode makes it use the gateway's IP address. This means that you won't be able to block the web UI from VLANs, since Firewalla currently does not allow blocking even specific ports of the gateway's IP address.

    Using bridge mode makes it difficult for the controller to discover and provision new devices, since it's on a different subnet.

    Use a macvlan network to allow the controller to have a separate static IP address (outside the DHCP range) on the same subnet, which can then be blocked with rules.

    Modify the startup script:

    nano  ~/.firewalla/config/post_main.d/start_omada-controller.sh 

    #!/bin/bash

    # Mount the SD card that holds the controller's data and the swap file
    sudo mkdir -p /media/sd_card
    sudo chmod 744 /media/sd_card/
    sudo mount /dev/mmcblk1p1 /media/sd_card/
    #sudo mkswap /media/sd_card/swapfile   # run once to create the swap file
    sudo swapon /media/sd_card/swapfile

    sudo systemctl start docker
    # Create a docker macvlan network with 2 IP addresses (.46 and .47)
    sudo docker network create -d macvlan --subnet 192.168.1.0/24 --gateway 192.168.1.1 --ip-range 192.168.1.46/31 -o parent=br0 omada_macvlan
    # Set promiscuous mode to allow traffic to multiple MAC addresses on one interface
    sudo ifconfig br0 promisc
    sudo systemctl start docker-compose@omada-controller


    Modify docker-compose to use a static IP address and external network.

    nano  ~/.firewalla/run/docker/omada-controller/docker-compose.yaml 

    version: "3.1"

    services:
      omada-controller:
        container_name: omada-controller
        image: mbentley/omada-controller:4.4-arm64
        environment:
          - TZ=America/Los_Angeles
          - MANAGE_HTTP_PORT=8088
          - MANAGE_HTTPS_PORT=8043
          - PORTAL_HTTP_PORT=8088
          - PORTAL_HTTPS_PORT=8043
          - SHOW_SERVER_LOGS=true
          - SHOW_MONGODB_LOGS=false
          # no quotes here: in list-form environment entries the quotes become part of the value
          - SSL_CERT_NAME=tls.crt
          - SSL_KEY_NAME=tls.key
    #    network_mode: host
        networks:
          default:
            # static IP address for omada controller (inside the macvlan --ip-range)
            ipv4_address: 192.168.1.46
        volumes:
          - '/media/sd_card/docker/omada-controller/data:/opt/tplink/EAPController/data'
          - '/media/sd_card/docker/omada-controller/work:/opt/tplink/EAPController/work'
          - '/media/sd_card/docker/omada-controller/logs:/opt/tplink/EAPController/logs'
        restart: unless-stopped

    networks:
      default:
        external:
          name: omada_macvlan


    Optionally add a DNS entry:

    echo address=/omada/192.168.1.46 > ~/.firewalla/config/dnsmasq_local/omada
    
    # Restart DNS Service
    sudo systemctl restart firerouter_dns
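A preflight check for the macvlan addressing described in the comment above, added here as an example; it is not part of the thread, of Firewalla, or of mbentley's image. It pulls the `--ip-range` out of the startup script and the `ipv4_address` out of docker-compose.yaml (constructed copies of the two fragments above, written to a temp directory), then confirms the address is inside the subnet and the macvlan `--ip-range`, outside the DHCP pool, and not the gateway. The DHCP pool bounds 192.168.1.100 to 192.168.1.199 are an assumption for illustration; substitute the pool configured on your Firewalla.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread: preflight checks for the
# static macvlan address used by the Omada controller container.
# ASSUMPTION: DHCP pool is 192.168.1.100-192.168.1.199 (illustrative only).

ip2int() {                       # 192.168.1.46 -> 3232235822
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_contains() {                # cidr_contains 192.168.1.46/31 192.168.1.47 -> true
  local net=${1%/*} bits=${1#*/} ip=$2 mask
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$ip") & mask )) ]
}

in_range() {                     # in_range LOW HIGH IP -> true when LOW <= IP <= HIGH
  local ip
  ip=$(ip2int "$3")
  [ "$ip" -ge "$(ip2int "$1")" ] && [ "$ip" -le "$(ip2int "$2")" ]
}

extract_static_ip() {            # value of "ipv4_address:" in a compose file
  sed -n 's/^[[:space:]]*ipv4_address:[[:space:]]*//p' "$1" | head -n 1
}

extract_ip_range() {             # value of "--ip-range" in the startup script
  sed -n 's/.*--ip-range[[:space:]]*\([0-9./]*\).*/\1/p' "$1" | head -n 1
}

preflight() {
  # preflight SUBNET IPRANGE GATEWAY DHCP_LOW DHCP_HIGH STATIC_IP
  # Prints every failed check; returns 0 only when all checks pass.
  local subnet=$1 iprange=$2 gw=$3 lo=$4 hi=$5 ip=$6 rc=0
  cidr_contains "$subnet" "$ip"  || { echo "FAIL: $ip is not in subnet $subnet"; rc=1; }
  cidr_contains "$iprange" "$ip" || { echo "FAIL: $ip is not in macvlan --ip-range $iprange"; rc=1; }
  if in_range "$lo" "$hi" "$ip"; then echo "FAIL: $ip is inside the DHCP pool $lo-$hi"; rc=1; fi
  [ "$ip" != "$gw" ]             || { echo "FAIL: $ip collides with the gateway $gw"; rc=1; }
  return "$rc"
}

# Constructed sample files mirroring the startup script and compose fragment above.
tmp=$(mktemp -d)
cat > "$tmp/start_omada-controller.sh" <<'EOF'
sudo docker network create -d macvlan --subnet 192.168.1.0/24 --gateway 192.168.1.1 --ip-range 192.168.1.46/31 -o parent=br0 omada_macvlan
EOF
cat > "$tmp/docker-compose.yaml" <<'EOF'
    networks:
      default:
        ipv4_address: 192.168.1.46
EOF

static_ip=$(extract_static_ip "$tmp/docker-compose.yaml")
ip_range=$(extract_ip_range "$tmp/start_omada-controller.sh")
if preflight 192.168.1.0/24 "$ip_range" 192.168.1.1 192.168.1.100 192.168.1.199 "$static_ip"; then
  echo "OK: $static_ip is usable as the controller's macvlan address"
fi
rm -rf "$tmp"
```

Run it against the real files before the first `docker-compose up`. Docker itself only rejects an `ipv4_address` outside `--subnet`; the `--ip-range` check keeps the static address inside the slice you reserved for the macvlan, and the DHCP check catches the lease collision that a fixed address is meant to avoid.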
