Docker Desktop on macOS, Container Cannot Reach LAN Devices

Goal

I want containers running under Docker Desktop on macOS to reach other devices on my LAN (e.g., 192.168.123.163).
From the host macOS machine, all LAN devices are reachable.
I want the same reachability from inside containers.

Experiments Performed

1. Connectivity Tests from Container

| Target | Result | Notes |
|---|---|---|
| google.com | ✅ ping works | General internet access OK |
| host.docker.internal (192.168.65.254) | ✅ ping + ssh works | Expected |
| LAN gateway (192.168.123.1) | ✅ ping + ssh work | Router reachable |
| Host LAN IP (192.168.123.133) | ✅ ping + ssh works | Host reachable |
| Other LAN device (192.168.123.163) | ❌ ping/ssh fail | The problematic case |

Docker inspect (NetworkSettings)

Container using the default bridge network.

"NetworkSettings": {
		"Bridge": "",
		"SandboxID": "...",
		"SandboxKey": "/var/run/docker/netns/dfbc81fd2559",
		"Ports": {},
		"HairpinMode": false,
		"LinkLocalIPv6Address": "",
		"LinkLocalIPv6PrefixLen": 0,
		"SecondaryIPAddresses": null,
		"SecondaryIPv6Addresses": null,
		"EndpointID": "",
		"Gateway": "",
		"GlobalIPv6Address": "",
		"GlobalIPv6PrefixLen": 0,
		"IPAddress": "",
		"IPPrefixLen": 0,
		"IPv6Gateway": "",
		"MacAddress": "",
		"Networks": {
			"bridge": {
				"IPAMConfig": null,
				"Links": null,
				"Aliases": null,
				"MacAddress": "72:90:a8:41:3e:a2",
				"DriverOpts": null,
				"GwPriority": 0,
				"NetworkID": "...",
				"EndpointID": "...",
				"Gateway": "172.17.0.1",
				"IPAddress": "172.17.0.4",
				"IPPrefixLen": 16,
				"IPv6Gateway": "",
				"GlobalIPv6Address": "",
				"GlobalIPv6PrefixLen": 0,
				"DNSNames": null
			}
		}
	}

2. macOS Packet Capture

  • When targeting the router (192.168.123.1), ICMP packets appear on macOS en0.
  • When targeting another LAN device (192.168.123.163), no packets appear at all in Wireshark/tcpdump on macOS.

This confirms that packets from the container never reach macOS for LAN destinations.


3. macOS Firewall and Routing Checks

  • macOS firewall (pf) is disabled.
  • net.inet.ip.forwarding = 0 (macOS not acting as router — expected).
  • macOS routing table contains correct routes and host can reach all LAN devices normally.

4. Container’s Routing Table

default via 172.17.0.1 dev eth0

Normal Docker bridge/NAT setup.


Observed Behavior

  • Only the router (192.168.123.1) and host machine are reachable from the container.
  • No packets destined for other LAN devices ever leave the Docker VM (they do not appear on macOS network interfaces).
  • This suggests the traffic is being dropped inside Docker Desktop’s internal networking layer before leaving the VM.

Solved:

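An added example, not part of the original post and not the thread's solution: a small probe to run inside the container that repeats the connectivity table over TCP and separates a silent drop (timeout) from an actively reported failure, which ping alone does not show. The function names (`classify`, `probe`, `matrix`) are hypothetical; the addresses come from the post, and port 22 is assumed from its ssh tests.

```python
import errno
import socket

# Targets taken from the post's connectivity table.
TARGETS = {
    "LAN gateway": "192.168.123.1",
    "Host LAN IP": "192.168.123.133",
    "Other LAN device": "192.168.123.163",
}

def classify(exc):
    """Say what a TCP connect outcome implies about the network path."""
    if exc is None:
        return "reachable (handshake completed)"
    if isinstance(exc, ConnectionRefusedError):
        # A RST came back, so packets crossed the path in both directions.
        return "reachable (port closed)"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # Nothing came back: consistent with packets dropped along the way.
        return "silent drop (timeout)"
    if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        # An error came back (ICMP unreachable or no route), so something answered.
        return "unreachable (error reported)"
    return "other error (errno %s)" % exc.errno

def probe(ip, port=22, timeout=2.0, connect=socket.create_connection):
    """Attempt one TCP connection and classify the result."""
    try:
        connect((ip, port), timeout=timeout).close()
        return classify(None)
    except OSError as exc:
        return classify(exc)

def matrix(targets=TARGETS, port=22, connect=socket.create_connection):
    """Probe every target; returns {name: verdict}."""
    return {name: probe(ip, port, connect=connect) for name, ip in targets.items()}

if __name__ == "__main__":
    for name, verdict in matrix().items():
        print(f"{name:18} {TARGETS[name]:16} {verdict}")
```

Running the same script on the macOS host gives a baseline to compare against the container's output.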