Container port/service accessible from all host IPs with docker custom bridge linked to IPv4 alias on...























Good day all.



I have a question regarding Docker on a Synology NAS (Linux).

I have a Ubiquiti Unifi Controller container running on this NAS (jacobalberti/unifi). This image needs specific ports to be available to the network for communicating to Unifi hardware. The idea is to make this container available through a different IP-address than the one where all the NAS services run behind.



I am not a network engineer and have limited knowledge of the possibilities and pitfalls regarding networking, but I did some research and found that there are a few possibilities:



- Map ports 1:1 to a host IP-address like:

docker run -p 192.168.1.3:8443:8443 jacobalberti/unifi

- Create a docker bridge network and bind this to a specific host IP-address like:

docker network create --driver=bridge --gateway=10.0.0.1 \
  --subnet=10.0.0.0/24 --ip-range=10.0.0.2/24 \
  -o "com.docker.network.bridge.name"="br_UUC" \
  -o "com.docker.network.bridge.host_binding_ipv4"="192.168.1.3" UUC_bridge


I chose to create a bridge network, as this network shows up in the Synology Docker GUI and I can, this way, still manage the container in this GUI.



Following the creation of the new network, I can link the container to the bridge network UUC_bridge and do a 1:1 port mapping.



I expect to be able to access the container port 8443 behind IP-address 192.168.1.3, while the NAS host IP-address 192.168.1.2 has port 8443 still free, or used by another service.

Now I need a way to have the second IP address 192.169.1.3 on the host NIC. As I do not need isolated networking, I think VLANs are not the solution. I read that they would need a different docker network driver, too (macvlan).



I created an alias on the NAS' NIC by executing the following command:



ifconfig eth0:0 192.168.1.3 up netmask 255.255.252.0 name UUC


(I do this before creating the docker bridge)



I know there are other ways to do this using ip address add, but the old way still works.



The networks show up as:
eth0 and eth0:0 ifconfig
UUC_bridge ifconfig



and the bridge config is:
docker network inspect UUC_bridge



Now to the problems I am facing:



In netstat I find an entry that looks like: tcp6 0 0 :::8443 :::* LISTEN 0 6783321 -



Now it seems that, looking at the ifconfig output, the bridge is IPv6. I don't know how the IPv4 <> IPv6 linking works, but I would say it should not be a problem, because I told Docker that it should link the bridge to that one IPv4 address 192.168.1.3.



I can now access the UUC interface through 192.168.1.3:8443.
The thing is that I can also access the same UUC interface through 192.168.1.2:8443. I do not want that, and I do not see why it would do this.



Maybe the UUC container uses 0.0.0.0 internally to expose 8443 to all (container)host interfaces, but I configured the bridge to just be linked to the 192.168.1.3 IPv4-address.



Does anybody know what I might be missing here?



The other problem that I am facing is that all the Synology services seem to use 0.0.0.0 as port binding IP, so all Synology services are available behind 192.168.1.3, too. Is there any way to remove the 192.168.1.3 address from the group of host IP-addresses that the 0.0.0.0 address of the NAS link to?



Many thanks in advance!










      linux networking ip ipv6 docker






      asked Nov 16 at 11:01









      Lars Beugelaar
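
Added example, not part of the original question: a check that a published port listens only on the intended host address. The netstat entry quoted in the question (`:::8443`) is a wildcard listener; on Linux with the default `net.ipv6.bindv6only=0` such a socket also accepts IPv4 connections on every host address. The function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Audit which host addresses a TCP port listens on, from `netstat -tln` output.
# Function names are hypothetical; sample lines below are constructed.

# Print "<proto> <local-address>" for every LISTEN socket on port $1.
listeners_on_port() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, parts, ":")            # port follows the last colon
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            print $1, addr
        }'
}

# Return 0 only if every listener on port $1 is bound to address $2.
# Return 1 on a wildcard or unexpected bind, 2 if nothing listens.
check_binding() {
    port=$1 want=$2 status=0
    result=$(listeners_on_port "$port")
    [ -n "$result" ] || { echo "no listener on port $port"; return 2; }
    while read -r proto addr; do
        case "$addr" in
            "$want")
                echo "ok: $proto bound to $addr:$port" ;;
            0.0.0.0|::)
                # "::" covers IPv4 too unless net.ipv6.bindv6only=1
                echo "EXPOSED: $proto wildcard $addr, port $port answers on every host address"
                status=1 ;;
            *)
                echo "UNEXPECTED: $proto bound to $addr:$port"
                status=1 ;;
        esac
    done <<EOF
$result
EOF
    return $status
}

# Constructed sample: the netstat entry quoted in the question.
SAMPLE_WILDCARD='tcp6 0 0 :::8443 :::* LISTEN 0 6783321 -'
# Constructed sample of the intended state: bound to the alias address only.
SAMPLE_PINNED='tcp 0 0 192.168.1.3:8443 0.0.0.0:* LISTEN 0 6783400 -'

printf '%s\n' "$SAMPLE_WILDCARD" | check_binding 8443 192.168.1.3 || true
printf '%s\n' "$SAMPLE_PINNED"   | check_binding 8443 192.168.1.3

# On a live host: netstat -tln | check_binding 8443 192.168.1.3
```
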
