Exposing the docker network to the local network



This is a problem I've been trying to solve for some time now. I've tried as many resources as I could, but nothing has worked for me yet. :/

Here's what I'm trying to tackle:
I want to be able to deploy Docker containers and access them from a machine that resides in the same local network. That means that the IP addresses Docker hands out to the containers have to be reachable from a client computer on the same LAN as the computer that hosts Docker.

Ideally, people would just have to add a route that points to the Docker host as a gateway for the Docker network, like:

client@lan$ sudo route add -net <docker-network>/<mask> gw <docker-host>

And boom, they can access the containers just by typing their IP. This route can also be set up from the router, of course.

I've seen that network bridges help with this, but I could not get one to work this way.

How do you get all of this to work?


Posted 2017-05-11T18:03:30.650

Reputation: 23

That route you show above should not reside on the clients, but in your LAN router's routing table instead. If it is not in your LAN router, traffic to this net block will go to the default route (possibly the internet). – diametralpitch – 2017-05-11T19:32:30.797

@diametralpitch I've read your link; the second answer is closer to what I'm looking for (bridging), but I can't get it to work. Do the containers linked to the bridge need to have an IP address on the same network as the LAN or not? My goal is that, without any intervention that goes further than the network setup, the containers that get created are given a unique IP address that people on my private network can access. – iiPLD – 2017-05-12T10:03:33.827



If all you want to do is make sure applications in Docker containers are reachable by other hosts on the network, it would be easiest to set the Docker network mode to host:

docker run --net=host image/toRun:1.0

This will expose the ports in the image on the host's IP address (make sure to avoid port collisions).


Posted 2017-05-11T18:03:30.650

Reputation: 11 805

Thanks for your reply, but this is not the solution I seek, because of port collisions. To give more details, I want to create a kind of "cloud" for my school, where students can create containers like they would buy a VPS or something alike. Therefore, I need every container that gets created to automatically get a unique IP on a private network (the school), so that they can do whatever they would like with the "servers" they create without minding NAT or stuff like this. – iiPLD – 2017-05-12T10:07:40.363


Adding a route on the clients to reach your containers through the host should work as long as you enable IPv4 forwarding on your Docker host using:

sysctl -w net.ipv4.ip_forward=1

Be aware of the security implications, though, because without the proper firewall this will route traffic from any interface to any interface.


Posted 2017-05-11T18:03:30.650

Reputation: 121

Docker automatically sets this up when the daemon starts. Maybe walk me through how you set up the interfaces and configure Docker in order to get the behavior I'm desperately seeking; it would be of great help. – iiPLD – 2017-05-14T22:32:14.553


This works if you configure the DOCKER-USER chain to ACCEPT traffic from "not the bridge adapter" to "the bridge adapter", optionally limited to a protocol and port like tcp port 80 (-p tcp --dport 80). This chain is called from the FORWARD chain in the filter table and it governs packets that are not destined to the (Docker) host, but routed through it.

Then the LAN router needs to be configured with a static route for the Docker network to be routed through the Docker host acting as a gateway. The router could do three things with this information:

  • Send ICMP REDIRECT packets for traffic destined to a container.

  • Hand out a static route in DHCP leases (option 121).

  • Route packets through the Docker host, but this leads to route asymmetry: client → router → host → container, whereas responses will go container → host → client.

None of these seems like a really attractive option to me.


Posted 2017-05-11T18:03:30.650

Reputation: 101
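Putting the last two answers together as one script (an added example, not code from any of the posts above): it emits the IPv4 forwarding sysctl, a DOCKER-USER rule that admits only new connections from one LAN prefix into the bridge (narrower than "everything not from the bridge adapter"), an optional per-port variant, and the static route for the router or client. The Docker network 172.17.0.0/16, the bridge name docker0, the LAN 192.168.1.0/24 on eth0 and the host address 192.168.1.10 are assumptions and can be overridden through the environment. By default the script only prints the commands; nothing is applied unless it is run on the host as root with --apply.

```shell
#!/bin/sh
# Added example, not code from the thread: emit (and optionally apply) the
# Docker-host configuration the answers describe, with the DOCKER-USER rule
# narrowed to one LAN prefix. Every address and interface name below is an
# assumption; override them through the environment for a real setup.
DOCKER_NET="${DOCKER_NET:-172.17.0.0/16}"          # assumed: default docker0 subnet
DOCKER_IF="${DOCKER_IF:-docker0}"                   # assumed: default bridge name
LAN_NET="${LAN_NET:-192.168.1.0/24}"                # assumed: the school LAN
LAN_IF="${LAN_IF:-eth0}"                            # assumed: host's LAN interface
DOCKER_HOST_IP="${DOCKER_HOST_IP:-192.168.1.10}"    # assumed: host's LAN address

# Commands to run on the Docker host.
host_commands() {
    # Let the kernel forward packets between the LAN interface and the bridge.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # FORWARD jumps to DOCKER-USER before any Docker-managed rule, so a rule
    # inserted (-I) here is evaluated first. Accept only new connections that
    # arrive on the LAN interface, from the LAN prefix, headed into the bridge.
    # Replies from containers already pass Docker's own "-i docker0 ! -o docker0" rule.
    echo "iptables -I DOCKER-USER -i $LAN_IF -o $DOCKER_IF -s $LAN_NET -d $DOCKER_NET -m conntrack --ctstate NEW -j ACCEPT"
}

# Narrower variant limited to one TCP port, as the answer mentions (e.g. 80).
host_port_rule() {
    port="$1"
    echo "iptables -I DOCKER-USER -i $LAN_IF -o $DOCKER_IF -s $LAN_NET -d $DOCKER_NET -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# The static route, for the LAN router (preferred) or for an individual client.
client_route_command() {
    echo "ip route add $DOCKER_NET via $DOCKER_HOST_IP"
}

# Returns 0 when forwarding is already enabled on this machine.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Print by default; apply on the host only when asked to and running as root.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    host_commands | sh -e
else
    echo "# run on the Docker host:"
    host_commands
    if forwarding_enabled; then
        echo "# note: ip_forward is already 1 on this machine"
    fi
    echo "# run on the LAN router (or on each client):"
    client_route_command
fi
```

Placing the route on the router gives the asymmetric path the answer describes (client → router → host → container, replies container → host → client); adding it on the clients directly, or handing it out with DHCP option 121, keeps both directions on the same path. Verify the result on the host with `iptables -L DOCKER-USER -n -v` and from a client with a plain `ping` or `curl` to a container address.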