I've set up hostapd on an RP3 so I could connect some IoT devices to it. Inside the RP3 I have several docker containers, one of which is running an MQTT broker.
The MQTT broker is running on a bridge network (172.16.1.0), hostapd is configured under wlan0, bridged with eth0 (br0) for internet access, and dnsmasq is assigning IPs in the range 192.168.2.150-192.168.2.250, which is the same IP range the RP3 is on (192.168.2.10).
The problem is I can't connect from an external client to the MQTT broker, but I can connect to the broker from the RP3, though it says a client from the 172.16.1.x range is trying to access it instead of the RP3 IP (192.168.2.10).
I think there is something missing, a route between the hostapd clients and the docker container bridge network, but I'm not sure how to accomplish this. Is it in iptables, in dnsmasq? I don't want to run the MQTT docker on host mode.
Some config settings:
net.ipv4.ip_forward=1 is enabled
$ nano /etc/hostapd/hostapd.conf
interface=wlan0
bridge=br0
...
$ nano /etc/dnsmasq.conf
interface=wlan0
dhcp-range=192.168.2.150,192.168.2.250,255.255.255.0,24h
$ nano /etc/dhcpcd.conf
...
denyinterfaces wlan0 eth0
interface eth0
static ip_address=192.168.2.10
static routers=192.168.2.1
# static domain_name_servers=200.30.192.14
interface wlan0
static ip_address=192.168.2.149
static routers=192.168.2.1
nohook wpa_supplicant
interface br0
static ip_address=192.168.2.10
static routers=192.168.2.1
$ ifconfig
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.10 netmask 255.255.255.0 broadcast 192.168.2.255
inet6 fe80::93db:ce25:c561:7628 prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:36:86:95 txqueuelen 1000 (Ethernet)
RX packets 1363877 bytes 557765234 (531.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1852401 bytes 209982006 (200.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
br-34828e803471: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.1.254 netmask 255.255.0.0 broadcast 172.16.255.255
inet6 fe80::f2df:bb3a:df64:d8b9 prefixlen 64 scopeid 0x20<link>
ether 02:42:1f:98:2a:39 txqueuelen 0 (Ethernet)
RX packets 29239 bytes 1416296 (1.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 862702 bytes 111847089 (106.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether b8:27:eb:36:86:95 txqueuelen 1000 (Ethernet)
RX packets 256255 bytes 15930835 (15.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 710584 bytes 104106492 (99.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether b8:27:eb:63:d3:c0 txqueuelen 1000 (Ethernet)
RX packets 2640481 bytes 1215747996 (1.1 GiB)
RX errors 0 dropped 18255 overruns 0 frame 0
TX packets 3941056 bytes 472915664 (451.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
...
$ iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i br-34828e803471 -o br-34828e803471 -j ACCEPT
-A FORWARD -o br-b66bbdf9b3a6 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-b66bbdf9b3a6 -j DOCKER
-A FORWARD -i br-b66bbdf9b3a6 ! -o br-b66bbdf9b3a6 -j ACCEPT
-A FORWARD -i br-b66bbdf9b3a6 -o br-b66bbdf9b3a6 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 ! -s 172.16.0.0/16 -o br-34828e803471 -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d 172.16.0.0/16 -i br-34828e803471 -j DROP
-A DOCKER-ISOLATION-STAGE-1 -i br-b66bbdf9b3a6 ! -o br-b66bbdf9b3a6 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-b66bbdf9b3a6 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A f2b-sshd -j RETURN
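As an added example (not from the question or any answer), a small Python evaluator for the subset of `iptables -S` syntax shown above: it walks the FORWARD chain and its Docker sub-chains for a packet described by its in/out interface and addresses and reports which rule decides it. The embedded ruleset keeps only the lines from the question that can match traffic on the broker's bridge br-34828e803471 (the docker0 and br-b66bbdf9b3a6 rules are left out because none of them match such packets); the broker address 172.16.1.2 and the Wi-Fi client address 192.168.2.160 are constructed.

```python
import ipaddress
import shlex

# Rules from the question's `iptables -S` that can match traffic on br-34828e803471.
RULESET = """\
-P FORWARD ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -i br-34828e803471 -o br-34828e803471 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 ! -s 172.16.0.0/16 -o br-34828e803471 -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d 172.16.0.0/16 -i br-34828e803471 -j DROP
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-USER -j RETURN
"""

def parse(text):
    policy, chains = {}, {}             # policy: {chain: verdict}; chains: {chain: [(matches, target)]}
    for tok in (shlex.split(l) for l in text.splitlines() if l.strip()):
        if tok[0] == "-P":
            policy[tok[1]] = tok[2]
            continue
        matches, target, neg, i = [], None, False, 2
        while i < len(tok):
            if tok[i] == "!":           # '!' negates only the match that follows it
                neg, i = True, i + 1
            elif tok[i] == "-j":
                target, i = tok[i + 1], i + 2
            else:                       # -i/-o/-s/-d <value>
                matches.append((tok[i], tok[i + 1], neg))
                neg, i = False, i + 2
        chains.setdefault(tok[1], []).append((matches, target))
    return policy, chains

def hit(key, value, pkt):               # -s/-d are CIDR matches, -i/-o exact names
    return (ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(value)
            if key in ("-s", "-d") else pkt[key] == value)

def walk(chains, chain, pkt):
    for n, (matches, target) in enumerate(chains.get(chain, []), 1):
        if any(hit(k, v, pkt) == neg for k, v, neg in matches):
            continue                    # a (possibly negated) match failed
        if target in ("ACCEPT", "DROP", "RETURN"):
            return None if target == "RETURN" else f"{target} by {chain} rule {n}"
        if verdict := walk(chains, target, pkt):   # user chain; fall through if it returns
            return verdict

def forward_verdict(pkt, ruleset=RULESET):
    """Verdict for a packet {'-i', '-o', '-s', '-d'} crossing the FORWARD chain."""
    policy, chains = parse(ruleset)
    return walk(chains, "FORWARD", pkt) or f"{policy['FORWARD']} by policy"
```

Call `forward_verdict` with the constructed Wi-Fi client packet (`-i br0`, `-o br-34828e803471`, `-s 192.168.2.160`, `-d 172.16.1.2`) to see which DOCKER-ISOLATION-STAGE-1 rule handles it, and with the reverse direction to see the matching `! -d` rule.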