Bridged docker container can only connect to LAN, not WAN

  bridge, debian, docker, nginx-reverse-proxy

I have a debian docker host that runs these docker containers:

  • swag: reverse proxy for jellyfin, and manages https certs. Connected to a user-defined bridge.
  • jellyfin: accessed behind reverse proxy via a subdomain. Connected to the same user-defined bridge as swag.

Timeline:

  1. Aug ~15 to 31: Can’t access jellyfin from WAN. Can access jellyfin from LAN via https and my subdomain as if nothing was wrong.
  2. Aug 31: stopped, rm’d and recreated swag & jellyfin containers using the same settings they were created with. Then I couldn’t access jellyfin at all from LAN via https and my subdomain.
  3. Reinstalled Debian from scratch (used bullseye instead of buster), no change from #2. I deleted the swag storage folder so none of its files are inherited from the debian buster system.

Right now from inside the swag container I can ping jellyfin and my pfsense router (outside the docker host, 192.168.1.1), but not a WAN address like 8.8.8.8. If I try to ping a WAN domain like google.com, the DNS resolves correctly but I get 100% loss. I ran packet capture on pfsense and when I ping 192.168.1.1 the ICMP packets reach pfsense, but if I ping 8.8.8.8 pfsense doesn’t see any packets, suggesting the packets don’t make it out of the container or out of the docker host. Other containers using macvlans have been working fine throughout this, and can ping 8.8.8.8.

Docker bridge creation command:

docker network create revproxynet

Swag creation command:

/usr/bin/docker run -d \
    --name=swag \
    --restart unless-stopped \
    -h swag \
    -e TZ=America/Toronto \
    --cpus 1 \
    -e PUID=1000 \
    -e PGID=1000 \
    --network=revproxynet \
    -v /z/fast/docker/swag/config:/config:rw \
    --cap-add=NET_ADMIN \
    -e SUBDOMAINS=omitted,for,stack,post \
    -e URL=duckdns.org \
    -e ONLY_SUBDOMAINS=true \
    -e VALIDATION=http \
    -p 443:443 \
    -p 80:80 \
    -e STAGING=false \
    linuxserver/swag

I tried a couple of suggestions I found online but they didn’t seem to help:

sysctl net.ipv4.conf.all.forwarding=1
iptables -P FORWARD ACCEPT

Docker was installed as per the Install using the repository method. I use namespace remapping as described here, but tried creating the swag container with --userns=host to disable namespace remapping and it didn’t seem to change anything.

What am I doing wrong?

Thank you for your time.
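Added diagnostic helper (not from the post, Docker or linuxserver/swag): a user-defined bridge reaches the WAN only if the host forwards, Docker's POSTROUTING MASQUERADE rule for the bridge subnet exists, and the FORWARD/DOCKER-USER chains pass the traffic. The function below checks the NAT rule against `iptables-save` output; the subnet 172.18.0.0/16 and bridge interface names in the samples are constructed, and `live_check` assumes it runs as root on the Docker host.

```shell
#!/bin/sh
# has_masquerade SUBNET  (stdin = output of `iptables-save -t nat`)
# Returns 0 when a POSTROUTING rule masquerades traffic sourced from SUBNET,
# which is the rule Docker installs for every bridge network it creates.
has_masquerade() {
    awk -v s="$1" '
        /^-A POSTROUTING / && index($0, "-s " s " ") && / -j MASQUERADE/ { found = 1 }
        END { exit !found }'
}

# check_sample SUBNET TEXT: prints a verdict, returns 0 if the rule is present.
check_sample() {
    if printf '%s\n' "$2" | has_masquerade "$1"; then
        echo "MASQUERADE for $1: present"; return 0
    fi
    echo "MASQUERADE for $1: MISSING (replies to the container's private address cannot return)"
    return 1
}

# Constructed sample: healthy host, docker0 and the user-defined bridge both covered.
SAMPLE_OK='*nat
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-1a2b3c4d5e6f -j MASQUERADE
COMMIT'
# Constructed sample: only the default bridge is NATed; revproxynet's rule is gone.
SAMPLE_BAD='*nat
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT'

# live_check [NETWORK]: run as root on the Docker host to inspect the real chains.
live_check() {
    net=${1:-revproxynet}
    subnet=$(docker network inspect -f '{{(index .IPAM.Config 0).Subnet}}' "$net") || return 1
    echo "net.ipv4.ip_forward = $(sysctl -n net.ipv4.ip_forward)"   # must be 1
    iptables-save -t nat | has_masquerade "$subnet" \
        && echo "MASQUERADE for $subnet: present" \
        || echo "MASQUERADE for $subnet: MISSING"
    iptables -S FORWARD | head -n 1          # chain policy (DROP blocks egress)
    iptables -S DOCKER-USER 2>/dev/null      # a DROP here silently blocks containers
}

check_sample 172.18.0.0/16 "$SAMPLE_OK"
check_sample 172.18.0.0/16 "$SAMPLE_BAD" || true
```

If the live check shows the rule missing, the usual repair is restarting the Docker daemon, which reinstalls its nat and filter rules after a firewall reset or an iptables backend change.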

Source: Docker Questions