synology-docker: Cannot reach containers attached to user-defined bridge network

Containers attached to the default bridge network work as expected. The following command should spin up portainer correctly.

docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ce

However, attaching it to a user-defined bridge network doesn’t work correctly yet. Steps to reproduce:

docker network create my-net
docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --network my-net --restart=always -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ce

Docker provides extensive documentation about bridge networking. Especially the section "Enable forwarding from Docker containers to the outside world" seems relevant.

  1. Configure the Linux kernel to allow IP forwarding.
     sysctl net.ipv4.conf.all.forwarding=1
  2. Change the policy for the iptables FORWARD policy from DROP to ACCEPT.
     sudo iptables -P FORWARD ACCEPT

Step 2 has been addressed in version v1.2.0 of the script. The first step doesn’t work on Synology DSM yet.
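
A way to check both prerequisites from the quoted Docker section before changing anything on the host, as an added example (not part of the original issue or of the synology-docker script). The function names, the sample rules and the bridge name `br-0123456789ab` are constructed for illustration. The check treats an ACCEPT rule scoped to the bridge interface as sufficient, so the FORWARD policy does not have to be opened for all traffic.

```shell
#!/bin/sh
# Added example. Functions take captured command output so they run offline.
# On a live host (as root), a call would look like:
#   diagnose "$(cat /proc/sys/net/ipv4/conf/all/forwarding)" \
#            "$(iptables -S FORWARD)" br-<first 12 chars of the network ID>

# $1 = `iptables -S FORWARD` output; prints the chain's default policy.
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# $1 = `iptables -S FORWARD` output, $2 = bridge interface name.
# Succeeds if some rule in FORWARD itself accepts traffic entering from that
# bridge. Heuristic: rule order and jumps to other chains are not evaluated.
bridge_accept_rule() {
    printf '%s\n' "$1" | awk -v br="$2" '
        $1 == "-A" && $2 == "FORWARD" {
            in_if = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (in_if == br && target == "ACCEPT") found = 1
        }
        END { exit !found }'
}

# $1 = forwarding sysctl value, $2 = rules, $3 = bridge interface.
# Prints "ok" or the space-separated findings.
diagnose() {
    findings=""
    [ "$1" = "1" ] || findings="ip-forwarding-off"
    policy=$(forward_policy "$2")
    if [ "$policy" != "ACCEPT" ] && ! bridge_accept_rule "$2" "$3"; then
        findings="${findings:+$findings }forward-blocked(policy=$policy)"
    fi
    echo "${findings:-ok}"
}

# Constructed sample: policy DROP, only the default bridge has an ACCEPT rule.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT'

diagnose 0 "$SAMPLE_RULES" br-0123456789ab   # constructed bridge name
diagnose 1 "$SAMPLE_RULES" docker0
```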

About this issue

  • State: open
  • Created 4 years ago
  • Comments: 17 (5 by maintainers)

Most upvoted comments

Hey @markdumay, not sure if this will help but I wrote a post on the reason behind that gist and what it helps to fix: https://www.pedrolamas.com/2020/11/04/exposing-the-client-ips-to-docker-containers-on-synology-nas/

Wow. I wish I had read my mail earlier than trying to trailblaze around. I just spent about the last 4 hours trying to troubleshoot this exact issue, and JUST stumbled upon your script @pedrolamas. I’m pulling up a man iptables now to decipher for myself what the rule is actually doing in the grand scheme. If it doesn’t seem too terrible, I’ll roll with it. So thank you in advance for the script, I only wish I had found it earlier.

UPDATE: Ya I probably need to dive into the iptables rules on my syno, which my brain hurts too much for. But it does seem to be working now. Proper IPs all around on my containers. Thank you SO SO SO MUCH!

Thanks for the heads up @pedrolamas! I was indeed curious about the reason behind your script. I’m running Pi-Hole on my NAS - eager to find out if your script fixes the missing client IPs. I like the WOMM certification by the way. 😉

For those interested, I ran into this gist by @pedrolamas. I haven’t tested it myself yet, but it seems worth looking into.