Cannot reach containers in bridge mode about synology-docker HOT 4 CLOSED

Docker supports several types of network drivers for running containers. The most common ones are:

• bridge - The default network driver, which allows containers on the same network to communicate with each other by hostname. Docker recommends to setup a user-defined bridge network instead of the default bridge network.
• host - The container uses the host's network directly. This is the easiest way to setup stand-alone containers.
• overlay - Overlay networks connect multiple Docker daemons together and enable swarm services to communicate with each other.
• macvlan- Available on Linux hosts, Macvlan networks allow you to assign a MAC address to a container, making it appear as a physical device on your network. It also allows to specify a specific IP address on which the container should be available.

Setting up Docker on your Synology with the synology-docker script might result in difficulty connecting with containers in bridge mode. Potential workarounds are:

1. Deploy your service in a Docker stack, for exampledocker-compose config | docker stack deploy -c - <stack-name>. The exposed ports on the services are available from your host by LOCAL_HOST_IP:PORT.
2. Setup a macvlan network and connect your containers to this network. An instruction is available here.

from synology-docker.

Do you know what is the root cause of this behavior ?

from synology-docker.

I suspect it has to do with the iptables configuration. Although the installation script sets up Docker's default routing rules, it appears Synology requires additional rules to get it working properly.

Setting up the macvlan driver in the synology-pihole gave me some clues, as I ran into a similar issue. Adding a static route did the trick for the macvlan configuration: ip route add "$PARAM_PIHOLE_IP/32" dev "$PARAM_VLAN_NAME". However, it requires some additional research to get this right.

from synology-docker.

As pointed out by @siddjellali, adding iptables -P FORWARD ACCEPT should fix the networking issues. This forum post gives some additional pointers. I'll update the script to incorporate them. Below an excerpt of the solution:

8. Enable forwarding of all traffic from docker (i.e. egress traffic) using the command sudo iptables -P FORWARD ACCEPT
9. Add the iptables command to the /var/packages/Docker/scripts/start-stop-status script after the iptables modules are installed. This will restore the default traffic forwarding behavior whenever you restart docker:

# install modules
iptablestool --insmod "${DockerServName}" ${InsertModules}
# add this line
sudo iptables -P FORWARD ACCEPT

from synology-docker.