I have a few containers that are configured with docker compose. One container advertises a port (let’s say 1700) that is a network tunnel. Packets that arrive on port 1700 on the docker host are connected to the tunnel software running in docker. The tunnel software strips off the outer IP and UDP headers and inside there is a nested IP packet. Let’s say the inner IP packet has a src=172.19.2.130. Within the docker container that has implemented the tunnel software, I have this route:
172.19.2.128/26 via 10.0.1.1 dev mytun proto static
I have another service in my docker compose file that is a UDP echo server. Within that service, I also have a similar route defined:
172.19.2.128/26 via 10.0.1.1 dev eth0
so that if a packet comes (for example) from 172.19.2.130, it will know to send the reply via 10.0.1.1, which is the IP of my tunnel service within the docker network.
So far, this all works fine. The next part is where I’m having problems. I have another service that is not inside of the docker compose environment and isn’t even hosted on the same machine. Let’s say this service is at 10.3.40.50. The packets coming out of the tunnel are forwarded to the machine that’s hosting the other service and the other service replies to the 172.19.2.130 IP. The machine hosting the other service has a route that tells it that 172.19.2.128/26 is routed via the IP of the machine that is hosting my docker services. I can see the reply packet come back.
I do not see the packet arrive back at the tunnel service within my docker compose environment. I suspect that the problem is that my Linux machine hosting docker compose doesn’t know what to do with a packet with dst=172.19.2.130.
I tried to add a route to the Linux machine hosting the docker compose setup:
sudo ip route add 172.19.2.128/26 dev br-42e61ea59069
to try to tell it to send packets destined to the tunnel subnet into the docker network, but this doesn’t seem to be effective. When I think about it, I don’t know how the bridge device would know which container to route the packets to.
Can anyone suggest anything to try?
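As an added illustration, not part of the original post, the Python below reproduces the route lookup the Docker host performs for the returning packet, run against a constructed copy of what the host's routing table might look like. It shows the difference the poster is circling around: a route that names only the bridge device marks 172.19.2.128/26 as directly attached, so the host itself has to resolve 172.19.2.130 on the bridge and no container owns that address there, whereas a route with a "via" next hop hands the packet to that address on the bridge. The bridge name br-42e61ea59069 and the tunnel service address 10.0.1.1 are taken from the post; the 10.0.1.0/24 compose network, the host's own bridge address and the uplink addresses are assumptions made for the sample table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: what `ip route show` might print on the Docker host
# after the route from the post was added (device only, no next hop).
# Only br-42e61ea59069 and the 172.19.2.128/26 prefix come from the post.
HOST_ROUTES_DEVICE_ONLY = """
default via 192.168.1.1 dev eth0 proto dhcp
10.0.1.0/24 dev br-42e61ea59069 proto kernel scope link src 10.0.1.254
172.19.2.128/26 dev br-42e61ea59069
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""

# Same constructed table, but the tunnel prefix names a next hop: the tunnel
# service's address on the compose network (10.0.1.1 per the post).
HOST_ROUTES_WITH_NEXT_HOP = HOST_ROUTES_DEVICE_ONLY.replace(
    "172.19.2.128/26 dev br-42e61ea59069",
    "172.19.2.128/26 via 10.0.1.1 dev br-42e61ea59069",
)


@dataclass
class Route:
    prefix: ipaddress._BaseNetwork
    dev: Optional[str]
    via: Optional[ipaddress._BaseAddress]  # None means "directly attached"


def parse_ip_route(text: str) -> list[Route]:
    """Parse the one-route-per-line format of `ip route show`.

    Keywords other than `via` and `dev` (proto, scope, src, ...) are ignored
    because they do not influence which link or next hop a packet is sent to.
    """
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        prefix = ipaddress.ip_network(dst, strict=False)
        dev = via = None
        # Walk the remaining tokens as (keyword, value) pairs.
        for key, val in zip(fields[1:], fields[2:]):
            if key == "dev":
                dev = val
            elif key == "via":
                via = ipaddress.ip_address(val)
        routes.append(Route(prefix, dev, via))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the rule the kernel uses to pick a route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def classify(table_text: str, dst: str) -> str:
    """Return 'no_route', 'direct' or 'gateway' for the packet's fate."""
    route = lookup(parse_ip_route(table_text), dst)
    if route is None:
        return "no_route"
    return "direct" if route.via is None else "gateway"


def explain(table_text: str, dst: str) -> str:
    """Human-readable version of what the host will do with the packet."""
    route = lookup(parse_ip_route(table_text), dst)
    if route is None:
        return f"{dst}: no matching route, the kernel drops it as unreachable"
    if route.via is None:
        return (f"{dst}: matched {route.prefix} as directly attached to {route.dev}; "
                f"the host must resolve {dst} itself on that bridge, and no container "
                f"answers for an address outside the bridge subnet")
    return (f"{dst}: matched {route.prefix}, handed to next hop {route.via} on "
            f"{route.dev}; that host must forward it onward")


if __name__ == "__main__":
    reply_dst = "172.19.2.130"  # inner source from the post, now the reply's destination
    print(explain(HOST_ROUTES_DEVICE_ONLY, reply_dst))
    print(explain(HOST_ROUTES_WITH_NEXT_HOP, reply_dst))
```

With the next-hop form the tunnel container receives the packet for 172.19.2.130 and still has to forward it onto mytun according to its own route, which is the same forwarding the post already has working in the outbound direction; on the host, ip route get 172.19.2.130 shows which of the two cases the real table is in.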