Docker bridge network breaks local internet

On a fresh install of ubuntu-server v24.04 and docker-ce v27.4.1, if I run any docker container with bridge network it breaks the whole local internet after 2-3s. I’ve checked my docker0 bridge network is unmanaged. Everything seems fine to me, if I ping google.com from docker it shows 66% packet loss.

docker run -it --rm busybox ping -c3 google.com
PING google.com (216.58.196.110): 56 data bytes
64 bytes from 216.58.196.110: seq=0 ttl=53 time=55.065 ms

--- google.com ping statistics ---
3 packets transmitted, 1 packets received, 66% packet loss
round-trip min/avg/max = 55.065/55.065/55.065 ms

networkctl output:

IDX LINK    TYPE     OPERATIONAL SETUP     
  1 lo      loopback carrier     unmanaged
  2 enp37s0 ether    routable    configured
  3 docker0 bridge   no-carrier  unmanaged

ip route:

default via 10.12.0.1 dev enp37s0 proto dhcp src 10.12.0.10 metric 100 
1.1.1.1 via 10.12.0.1 dev enp37s0 proto dhcp src 10.12.0.10 metric 100 
10.12.0.0/24 dev enp37s0 proto kernel scope link src 10.12.0.10 metric 100 
10.12.0.1 dev enp37s0 proto dhcp scope link src 10.12.0.10 metric 100 
10.12.0.10 dev enp37s0 proto dhcp scope host src 10.12.0.10 metric 100 
172.16.0.0/24 dev docker0 proto kernel scope link src 172.16.0.1 linkdown 

iptables:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere   

Is that within a VM or a real server? Your own or a corporate network? Using DHCP?

@bluepuma77 ~ Real server, my own network(home network), yeah using dhcp.

This is not the default Docker bridge network. That would be 172.17.0.0/16. Did you have any reason to change the default?

Try traceroute or tracepath to see how far the traffic can go.

@rimelek I was trying to change the bip and adding dns in the /etc/docker/daemon.json. Still it was not working.

Here’s the traceroute to google.com:

traceroute to google.com (216.58.196.110), 30 hops max, 46 byte packets
 1  172.31.0.1 (172.31.0.1)  0.015 ms  0.008 ms  0.003 ms
 2  10.12.0.1 (10.12.0.1)  0.413 ms  0.396 ms  0.381 ms
 3  172.25.42.1 (172.25.42.1)  3.607 ms  1.143 ms  0.853 ms
 4  10.0.32.209 (10.0.32.209)  7.219 ms  7.430 ms  7.050 ms
 5  10.0.100.5 (10.0.100.5)  7.346 ms  7.621 ms  7.628 ms
 6  202.4.100.253 (202.4.100.253)  7.512 ms  7.429 ms  7.442 ms
 7  GI0-2-2-aggr01.as58656.net (103.12.177.1)  7.198 ms  7.523 ms  6.904 ms
 8  103.12.176.29 (103.12.176.29)  7.753 ms  8.062 ms  8.503 ms
 9  10.13.13.5 (10.13.13.5)  8.211 ms  8.355 ms  7.877 ms
10  103.26.244.23.summitgw.net (103.26.244.23)  8.504 ms  8.209 ms  9.222 ms
11  142.250.173.40 (142.250.173.40)  38.672 ms  42.909 ms  *
12  142.251.54.79 (142.251.54.79)  63.571 ms  *  142.251.230.177 (142.251.230.177)  80.580 ms
13  142.250.208.152 (142.250.208.152)  112.602 ms  172.253.75.14 (172.253.75.14)  87.839 ms  142.251.50.58 (142.251.50.58)  99.866 ms
14  142.250.224.156 (142.250.224.156)  79.086 ms  80.282 ms  192.178.83.214 (192.178.83.214)  41.464 ms
15  maa03s19-in-f110.1e100.net (216.58.196.110)  40.363 ms  142.251.255.55 (142.251.255.55)  36.963 ms  del11s05-in-f14.1e100.net (216.58.196.110)  41.032 ms

So you messed with the central Docker config file and now you wonder why it’s not working anymore? :wink:

@bluepuma77 not true. With the default config it was not working as well. So I made some changes to see if it works. Anyway changing bip and dns should not break my local internet. :pensive:

It could actually break your local internet if your default bridge network collides with something in your LAN network. It could be a DNS server as well. Then you would still have internet, but DNS resolutions would not work. In your case, since you say 66 percent of the packages were lost, I don’t think DNS server could be the reason, but something else in your LAN could be. I had similar issues only when I used WSL2 and installed Docker in a WSL2 distribution, but after rebooting Windows, WSL2 got a new random IP in a new subnet which was colliding with the previously created Docker networks so traffic tried to go through the gateway and it went to the docker network gateway instead (if I remember correctly).

Since your routing table does not show similar IP addresses and subnets, I don’t think that is the case either.

It looks like it managed to reach the google server this time. You should try multiple times until you get a timeout or an error.

If the internet were broken only from a container, not from the host, I would say it could be an MTU issue as well.
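The subnet-collision check discussed above, as an added example that is not part of the original thread: it tests a candidate `bip` or Docker network range against the host's `ip route` output and against the private-range hops seen in the traceroute, since any address inside the bridge range is routed to the bridge instead of the LAN. The function names and the choice of candidate ranges are assumptions; the sample input is copied from the outputs quoted in the thread.

```python
import ipaddress

# Sample input copied from the `ip route` output quoted in the thread.
IP_ROUTE = """\
default via 10.12.0.1 dev enp37s0 proto dhcp src 10.12.0.10 metric 100
1.1.1.1 via 10.12.0.1 dev enp37s0 proto dhcp src 10.12.0.10 metric 100
10.12.0.0/24 dev enp37s0 proto kernel scope link src 10.12.0.10 metric 100
10.12.0.1 dev enp37s0 proto dhcp scope link src 10.12.0.10 metric 100
10.12.0.10 dev enp37s0 proto dhcp scope host src 10.12.0.10 metric 100
172.16.0.0/24 dev docker0 proto kernel scope link src 172.16.0.1 linkdown
"""
# Private-range hops 2-5 from the traceroute quoted in the thread.
UPSTREAM_HOPS = ["10.12.0.1", "172.25.42.1", "10.0.32.209", "10.0.100.5"]


def parse_routes(text):
    """Return (network, device) for each non-default line of `ip route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "default" or "dev" not in fields:
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # route types such as "unreachable" or "blackhole"
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def find_collisions(candidate, route_text, hops=(), bridge_devs=("docker0",)):
    """List the reasons `candidate` (a CIDR) is a poor choice for a Docker bridge."""
    cand = ipaddress.ip_network(candidate, strict=False)
    problems = []
    for net, dev in parse_routes(route_text):
        # The bridge's own current route is expected, so skip it.
        if dev not in bridge_devs and cand.overlaps(net):
            problems.append(f"overlaps route {net} on {dev}")
    for hop in hops:
        if ipaddress.ip_address(hop) in cand:
            problems.append(f"contains upstream hop {hop}")
    return problems


if __name__ == "__main__":
    for cidr in ("172.17.0.0/16", "172.25.0.0/16", "10.12.0.0/16"):
        print(cidr, find_collisions(cidr, IP_ROUTE, UPSTREAM_HOPS) or "no collision")
```

On a live host, pass the output of `ip route` as `route_text` and rerun the check after any DHCP lease change, since the LAN subnet can move.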
