Good day anyone that reads this I thought I would share an issue I ran into made myself, as I am not a docker expert and no amount of googling gave me an answer so here is what happened and resolved.
I installed docker on my omv nas box and created two new networks so I could isolate dockers to there needed groups.
I made a Hanetwork 172.168.100.1/16 for my home assistant and masnetwork 10.50.0.1/16 for other apps.
My issue was I could not connect my home assistant to a wifi network not even with –host or port forwards.
The issue was my wifi network was ip 172.168.50.1/24. the moment I switched my home assistant over to network masnetwork and deleted the 172.168.100.1/16 network from docker I could use it on my phone.
I am curious if someone with more knowledge could explain. I am assuming the docker was trying to talk to its subnet not the external one as they overlapped.
HA couldn’t connect out or you could not connect to HA?
Docker network is completely different and isolated from internal lan network. Do not use common ip ranges for docker and your lan to prevent problems
Also. I suggest macvlan for your HA container. mDNS and discovery works and I feel it is better than using “host”
EDIT
What does this mean?
The host connect to WiFi but containers can only
Connect to existing connection. Macvlan allows container to establish its on connection but not sure how that would work for WiFi connection
Do you own this IP range? (was it specifically assigned to you by another network provider - last I checked it belonged to one of Microsofts data centers in Iowa)
First there are reserved IP ranges for private addresses. That (172.168) is not one of them. It’s ‘similar’ to 192.168.. is that what you had intended?
If you do not own those 172.168 ranges then you may have issues routing IP at some point. But THATS not the issue.
Your first address:
172.168.100.1/16
/16 translates to the first 16 bits of an address MUST match for two nodes to be on the same network. - or the first two octets. 172.168..
In CIDR notation that also means the lowest number (all zeros in the remaining octets that don’t have to match) translates to 172.168.0.0 is the network number and the broadcast IP address is (all ones) 172.168.255.255 after binary to decimal conversion is the broadcast address.
How this works in practical terms: The sender compares its address to the network and the recipient - and if sender is in that same network it is a direct shot. - no routing required and just sends it. (this is important)
When it’s nonlocal, the ‘gateway’ address (a lot of times we pick the first real address on a network - but it doesn’t have to be - also important) indicates that the network connects to another and that is the way to connect to every non local address. This is where your router usually lives…
So you created a second network called 172.168.50.1/24
Its network address is 172.168.50.1 (.1 is an error, should be 0, but lets assume it’s zero.)
So assuming That is fixed its network address is 172.168.50.0 and it’s using a /24 so for an address to be ‘local’ to this network the first 24 digits in decimal should match (the first three octets) 172.168.50.. The broadcast address is 172.168.50.255. ANY device IN THIS network considers any address NOT in 172.168.50. as nonlocal and would send it to the gateway for routing.
Here’s where you have an issue.
Your /16 network would include all addresses in 172.168.. local but your 172.168.50.x ONLY considers addresses in the 50 network local
A client in a Non-.50 172.168.x network (would be able to direct send to the 50 network but considering your routing the 50 network may not be able to answer. Because they’re incorrectly trying to route through a router that subsequently gets very confused. You’re in that network already - (router basically says - what do you need me for drops packets)
And that’s your first problem.
The second is your using a publicly routeable address Ona private network.
Networks reserved for private use include
10.0.0.0/8 (aka class a)
everything in the 10 network.
172.16.0.0/12 (you have to match the first 12 bits - translates to
172.16.0.0 – 172.31.255.255 (note neither 100 nor. 50 are in this range?
192.168.0.0/16
Everything in 192.168.0.0 through 192.168.255.255 and most people generally use a /24 address inside this range to create multiple internal networks… (I suspect what you had intended)
This matters because even when you fix the overlap problem you’re stomping in legitimate eternal addresses and if you ever try to reach one of those services your message will never get out (your router will say no that’s local - and drop the packet.)
So to fix this you’re going to have to rethink your IP address scheme.
Your 10.x network is fine - although huge of you don’t have a reason for ~65535 addresses you’re better off with a smaller subnet.
What did you WANT to happen? That way we can unwind what it SHOULD Be.
Thank you for the replies I had should have known that, it was stated when I assigned my nics in pfsense that address was reserved that clears my mistake up completely I appreciate the information a lot.
The main reason I posted this was I tried googling the error as I understood it and got a lot of people seemingly with the same issue.
I wonder if they had confused the address as I did and so there issue persists.
I will fix my network as I have been using 172.168.1.1/24 not .0 as you say.
As it stands my network is now working great I created a mcvlan for pihole. And I now have all my dockers connected and talking.
If you don’t mind a follow up question I did not use a mcvlan on my NAS for home assistant as I thought for security it would isolate itself from the other containers.
I tried it once and could not get a connection even using the IP address.
I will lay out my network topology so you can get a clearer picture see if anything is a miss.
Note enthusiastic home user not a professional I don’t think that needed saying but bear in mind when you see my network. :0
ISP ROUTER STUCK IN ROUTER MODE NO BRIDGE
192.168.0.1/24 GATEWAY
192.168.0.110/24 DMZ
PFSENSE BOX AT 192.168.0.110 (this attaches to above)
LAN ONE FROM PFSENSE IS 192.168.1.1/24 NOW 192.168.1.0/24
ALSO
WIRELSS FROM PFSENSE 172.168.50.1/24 NOW 172.168.50.0/24
PORTAINER WITH A BRIDGE NETWORK I MADE ON MY NAS 10.0.50.1/16
BRIDGE CONTAINERS ZIGBEE2MQTT
ECLIPSE/MQTT
HOMEASSISTANT
I HAVE A MCVLAN FOR PIHOLE 192.168.1.155/24
If I try and make a mcvlan on this host for home assistant ip 192.168.1.156/24 it was my understanding this would not be able to talk to the ZIGBEE MQTT containers I tried and got nothing when typing in ip of mqtt not using the host name.
Macvlan is isolated for docker so containers cannot connect to this address and and I don’t believe macvlan can connect to containers at host_ip:port
You must create network to connect with docker containers when using macvlan. So you will have HA container on both macvlan for LAN and docker network for container connections. Using docker for containers is best since you may create and use their hostname instead of randomly generated docker ip