I'm running a Docker container on a machine on port 8090. Let's say the IP address of that machine is 192.168.0.3. I want to forward 192.168.0.4:80 to 192.168.0.3:8090. The machine is and may only be reachable from within the local network.

What I've tried:

/ip firewall nat export
add action=dst-nat chain=srcnat dst-address=192.168.0.4 dst-port=80 \
    src-address=192.168.0.0/24 to-address=192.168.0.3 to-port=8090 \
    protocol=tcp
add action=masquerade chain=srcnat dst-address=192.168.0.4 dst-port=80 \
    src-address=192.168.0.0/24 protocol=tcp

This doesn't work.

Am I forgetting something? I've got the feeling I'm overlooking something simple but haven't been able to figure out what.

Edit:

The IP address 192.168.0.4 does not resolve to anything in my network. I just want to "assign" and forward it to 192.168.0.3:8090. The reason for this is that I want to set up a local domain name that resolves to the Docker container without having to specify a port.

halfpastfour.am
  • Is `192.168.0.4` pingable? If so, does the firewall know about this IP address on one of its interfaces? If so, is the ARP entry for `192.168.0.4` the MAC address of your firewall, or is it per chance flapping? Try the last question on a system in the same subnet with `arping -I eth0 192.168.0.4` (replace eth0 with the correct interface name if necessary). – Phillip -Zyan K Lee- Stockmann Feb 17 '17 at 10:46
  • Apart from that: using port forwarding on `192.168.0.3` looks way easier and more transparent to me. – Phillip -Zyan K Lee- Stockmann Feb 17 '17 at 10:48
  • The address is not pingable. Running the `arping` command will surely result in a timeout as well. I will update my question with some additional information. – halfpastfour.am Feb 17 '17 at 12:42
  • Traffic on the same layer-3 network is delivered directly by layer 2, not layer 3, so you can't NAT (redirect) at layer 3. ARP will try to find the layer-2 address for the layer-3 address, and the resulting frames are delivered by layer 2. If ARP can't resolve the addressing, then the packet gets dropped because no frame can be built. – Ron Maupin Feb 17 '17 at 15:14

1 Answer


Your computers in the local network try to reach IP addresses within their own subnet directly. Therefore a computer ("Workstation") with the IP address 192.168.0.105 will ignore the default gateway when trying to reach 192.168.0.4 and tries to send TCP packets directly.

This will fail if no other computer is answering Workstation's call ("ARP request") for the MAC address belonging to 192.168.0.4 - and none will answer, as this IP address is not in use within your local network.

You do have various choices on how to solve it:

  1. add 192.168.0.4 to an interface on your firewall and use your firewall to re-route those packets
  2. add 192.168.0.4 to an interface on your docker-host and redirect traffic on the docker-host itself
  3. add the redirection of traffic on the docker-host and use 192.168.0.3 directly instead of 192.168.0.4

Other options may exist.
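Option 1 above, worked through as RouterOS configuration. This is an added example, not part of the question or the answer; it assumes the LAN interface on the MikroTik is called "bridge", the Docker host is 192.168.0.3:8090 as in the question, and the comment strings are arbitrary labels chosen here.

```routeros
# 1. Give the router the spare address. From now on it answers ARP for
#    192.168.0.4, so workstations' frames reach the router instead of
#    being dropped for lack of a MAC address.
/ip address add address=192.168.0.4/24 interface=bridge \
    comment="docker-web alias"

# 2. The redirect must sit in the dstnat chain (the posted export put
#    action=dst-nat in srcnat). RouterOS names the targets
#    to-addresses / to-ports.
/ip firewall nat add chain=dstnat dst-address=192.168.0.4 protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=192.168.0.3 to-ports=8090 \
    comment="docker-web dnat"

# 3. Hairpin NAT. Client and Docker host share 192.168.0.0/24, so
#    without this the host would answer the client directly, the client
#    would see a reply from .3:8090 it never talked to and reset the
#    connection. Masquerade only this flow, not all LAN traffic.
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 \
    dst-address=192.168.0.3 protocol=tcp dst-port=8090 \
    action=masquerade comment="docker-web hairpin"

# 4. Only needed if the forward chain drops LAN-to-LAN traffic by
#    default: accept exactly the translated flow, placed before the drop.
/ip firewall filter add chain=forward dst-address=192.168.0.3 \
    protocol=tcp dst-port=8090 connection-nat-state=dstnat \
    action=accept place-before=0 comment="docker-web allow"

# Checks: both NAT rule counters should increase while a workstation
# loads http://192.168.0.4/, and the connection table should show the
# translated entry. On the workstation, `arp -a` should now list the
# router's MAC for 192.168.0.4.
/ip firewall nat print stats where comment~"docker-web"
/ip firewall connection print where dst-address~"192.168.0.3:8090"
```

Because of the masquerade in step 3, the container sees every request as coming from the router's address, so its access logs lose the real client IP; options 2 and 3 (redirecting on the Docker host itself) keep it.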