Host cannot ping container IP

Hi! :slight_smile:

-From the HOST I can access the container using https://localhost:9501 which is pointed to port 10000 on my container (webmin).
-The host can also access my container webmin with this IP https://172.17.0.4:10000/

-But I cannot access it via the container IP 192.168.3.7:10000

I was able to do this before, but by changing a subnet I must have forgotten a parameter somewhere when rebuilding the networks.

A few notes:

  • I cannot ping 192.168.3.7 from the host either
  • My host IP is 192.168.3.50
  • Seems my container is BOTH connected in my macvlan0 (192.168.3.7) AND my bridge (172.17.0.4). Is this normal?

How can I fix this? Thanks!

Hi

How do you start this container?
When you access it via 172.17.0.4:10000, you access it directly on its internal IP, which will work.

But the -p parameter in your run command (or ports: in compose) is a map from the host's network to that internal network:port.

Therefore you should not be able to reach :10000 from the outside, but instead :9501.
If you want to use port 10000, you should then also add -p 10000:10000 to your run command.

But I'm not sure that you can map to the same port twice, but give it a go :slight_smile:

It could be. Wasn't it intentional? I don't know how this could happen accidentally. Can you tell more about your environment? Is it Linux, Windows or Mac?

I experienced some issues with Docker networks in the past. When I ran many containers without restarting the daemon, after some time Docker ran out of IP addresses in the default range (172.16.0.0/20) because it did not reuse the subnets of already deleted networks. In that case Docker continues to use IP addresses from 192.168.0.0/16. It shouldn't be a problem since Docker can see the already present networks, so it can choose an available IP range. But what if the network created by Docker was there before the network on the host appeared?

Once I installed Docker in WSL2 on Windows 10 and I noticed the WSL 2 machine got its IP address from the same range as Docker. For example WSL 2 got 172.17.0.0/24, so when Docker started to create new networks it started from 172.18.0.0/24. Then I rebooted my host and WSL 2, which knew nothing about the network inside itself, got the IP range 172.18.0.0/24. Then I didn't have internet in WSL until reboot. So the previously created Docker network could ruin the host's network. I had to create a large subnet on my Windows 10 host to cover all the IP addresses in 172.16.0.0/20 so WSL 2 could not use any subnet from this range. This way I am good until I have so many containers that Docker starts to create networks from 192.168.0.0/16.

The above story is one that can be related to your issue. Also when I last tried macvlan, it didn’t work, but the issue was probably me, not Docker.

It was my first thought as well, but the topic and the question is about “Host cannot ping container IP” :slight_smile:

Does the following help you help me?
As for the run command, can you point out where I can find this? My Docker and containers kind of run automatically on reboot and I am not sure where this run command might be running.


The network creation
root@server50:~# docker network create --driver=macvlan --subnet=192.168.3.0/24 --gateway=192.168.3.1 -o parent=eno1 macvlan0

docker network ls
NETWORK ID NAME DRIVER SCOPE
f8f6cc099607 bridge bridge local
59c3791aaef6 host host local
0b9b0e833502 macvlan0 macvlan local

The connections
root@server50:~# docker network connect --ip=192.168.3.7 macvlan0 rsnapshot
root@server50:~# docker network connect --ip=192.168.3.5 macvlan0 portainer
root@server50:~# docker network connect --ip=192.168.3.6 macvlan0 samba

docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e2ea0a70ab3 rsnapshot:latest "bash" 10 months ago Up 17 hours 0.0.0.0:9501->10000/tcp, :::9501->10000/tcp rsnapshot
70c7c5429afd portainer/portainer-ce "/portainer" 10 months ago Up 17 hours 0.0.0.0:8000->8000/tcp, :::8000->8000/tcp, 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp portainer
11a60c38d98c mysambaimage:mytag "bash" 3 years ago Up 14 hours 0.0.0.0:49154->139/tcp, :::49154->139/tcp, 0.0.0.0:49153->445/tcp, :::49153->445/tcp, 0.0.0.0:9500->10000/tcp, :::9500->10000/tcp samba

Portainer rsnapshot networks:


docker network inspect macvlan0
[
  {
    "Name": "macvlan0",
    "Id": "2641642a222ea0fcc4ced842e79a94d750331812612baa0abba380ea7eae5fbc",
    "Created": "2021-10-27T10:02:58.156449826-04:00",
    "Scope": "local",
    "Driver": "macvlan",
    "EnableIPv6": false,
    "IPAM": {
      "Driver": "default",
      "Options": {},
      "Config": [
        {
          "Subnet": "192.168.3.0/24",
          "Gateway": "192.168.3.1"
        }
      ]
    },
    "Internal": false,
    "Attachable": false,
    "Ingress": false,
    "ConfigFrom": {
      "Network": ""
    },
    "ConfigOnly": false,
    "Containers": {
      "11a60c38d98c65c17eab17e5e83f3ad0360ce74bcd55797f6e0081e2869d9d1e": {
        "Name": "samba",
        "EndpointID": "1c7e0a5be6cc732d8dc6dc01cd1a158a627482af22b763836d64ff397807734d",
        "MacAddress": "02:42:c0:a8:03:06",
        "IPv4Address": "192.168.3.6/24",
        "IPv6Address": ""
      },
      "6e2ea0a70ab36900c5ee8574a6996a98f56a319c3edaa464d37dd3a11f1b2cc7": {
        "Name": "rsnapshot",
        "EndpointID": "acb61aaccd5be26367c133ad8e38201d7fb3154cff3263a50de328c7ee20076f",
        "MacAddress": "02:42:c0:a8:03:07",
        "IPv4Address": "192.168.3.7/24",
        "IPv6Address": ""
      },
      "70c7c5429afd30cec1e8fee52e4575737c880b9d55398467d4739e4341fb274c": {
        "Name": "portainer",
        "EndpointID": "c862e83603fdfcdf79c1413f9b5851e38e65cc35dbef0b96110b06a246ddff7b",
        "MacAddress": "02:42:c0:a8:03:05",
        "IPv4Address": "192.168.3.5/24",
        "IPv6Address": ""
      }
    },
    "Options": {
      "parent": "eno1"
    },
    "Labels": {}
  }
]


docker network inspect bridge
[
  {
    "Name": "bridge",
    "Id": "e04646cd1514612aa615e7ec5452f04664f020978f5d651fa00d2e6c0e1902b3",
    "Created": "2021-10-27T10:19:46.982122419-04:00",
    "Scope": "local",
    "Driver": "bridge",
    "EnableIPv6": false,
    "IPAM": {
      "Driver": "default",
      "Options": null,
      "Config": [
        {
          "Subnet": "172.17.0.0/16",
          "Gateway": "172.17.0.1"
        }
      ]
    },
    "Internal": false,
    "Attachable": false,
    "Ingress": false,
    "ConfigFrom": {
      "Network": ""
    },
    "ConfigOnly": false,
    "Containers": {
      "11a60c38d98c65c17eab17e5e83f3ad0360ce74bcd55797f6e0081e2869d9d1e": {
        "Name": "samba",
        "EndpointID": "3340dc6f412e05165c77a78ec5d06cabba3dcb963dafb8d0b34eac5f90393e01",
        "MacAddress": "02:42:ac:11:00:03",
        "IPv4Address": "172.17.0.3/16",
        "IPv6Address": ""
      },
      "6e2ea0a70ab36900c5ee8574a6996a98f56a319c3edaa464d37dd3a11f1b2cc7": {
        "Name": "rsnapshot",
        "EndpointID": "78818c3d80c2a62abd24e0633e1d3e24096245c10a9457cde8517a8b221c33f7",
        "MacAddress": "02:42:ac:11:00:04",
        "IPv4Address": "172.17.0.4/16",
        "IPv6Address": ""
      },
      "70c7c5429afd30cec1e8fee52e4575737c880b9d55398467d4739e4341fb274c": {
        "Name": "portainer",
        "EndpointID": "41bc624ff9ef56e8d5c1ed130efd8ec75db831aea0830fe0eb2ded768ebefe66",
        "MacAddress": "02:42:ac:11:00:02",
        "IPv4Address": "172.17.0.2/16",
        "IPv6Address": ""
      }
    },
    "Options": {
      "com.docker.network.bridge.default_bridge": "true",
      "com.docker.network.bridge.enable_icc": "true",
      "com.docker.network.bridge.enable_ip_masquerade": "true",
      "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
      "com.docker.network.bridge.name": "docker0",
      "com.docker.network.driver.mtu": "1500"
    },
    "Labels": {}
  }
]

So your problem is that the macvlan host is not able to ping macvlan child interfaces attached to your containers?

Well, that's to be expected, as the kernel has security measures in place that prevent macvlan host to macvlan client interface communication. Docker has no stakes regarding the restriction.

Older versions of the Docker documentation (around 17.03) used to point out this circumstance, but it was removed from the docs since, which, in fact, could have remained as an N.B. note, as it is relevant for the user to understand the cause, but at the same time is not related to Docker at all.


The workaround is to add another macvlan child interface to your host and use it to interact with the other macvlan client interfaces. The macvlan child interfaces should be reachable by other devices in your LAN as if they were standalone machines. The forum search should find a couple of hits about the workaround.

The docker network connect commands you shared make clear why your containers are attached to the macvlan0 network and the bridge network. If you would've started the container using --network=macvlan0 --ip=... it would only have an interface in the macvlan0 network.

But normally, if I open a browser on the host, I should be able to open the Webmin located on the container, right?

Now https://192.168.3.7:10000 does NOT open the Webmin interface when I am on the host.
Although any other computer in my network can reach it.

Isn’t your browser running on the macvlan host?

N.B.: a service on a macvlan client IP must be accessed by its container port, not by "its published port". There is no port publishing on macvlan interfaces. The macvlan host CAN NOT access the macvlan client IP without the workaround I mentioned earlier.

You mean macvlan0? I guess so. Not sure. I am simply on the Ubuntu GUI with Firefox.
(Sorry if really basics here)

I used the search term “macvlan” in the forum search and had this thread as first hit:

The section "Syntax to create sub interface:" describes how to add a macvlan client interface to your host. It shows an example of the commands needed to work around the macvlan limitation I was referring to earlier.

Is 192.168.3.0/24 your local LAN?!? If so, this is a call for trouble, as you did not define the --ip-range parameter when creating the macvlan, which should be a range within your subnet that is outside a DHCP server's reach. Your whole setup just works reliably so far because you declare fixed IP addresses for your containers.

Good luck!

Yes, 192.168.3.0/24 is my local LAN.
The DHCP in my pfSense is set to the range 100-150.

You mean that when I create the macvlan0 network on Docker I need to set a range dedicated to my containers?
My containers are 192.168.3.5, 192.168.3.6 and 192.168.3.7
If so what would --ip-range contain!?

Hey, thanks again for your help. Really appreciated!

The missing --ip-range restriction is merely an observation. It is not the reason for your macvlan host<->container problem. If you should ever decide to have DHCP on your server, your network DHCP AND the Docker embedded macvlan DHCP server will fight over who is going to provide the ip-range to the interface.

That said, the fix for your original problem should be:

ip link add macvlan-shim link eno1 type macvlan mode bridge   # eno1: the parent interface used for macvlan0 above
ip addr add 192.168.3.x/24 dev macvlan-shim
ip link set macvlan-shim up

Normally people then add a route for the macvlan ip-range. Since you don't have the ip-range set, I doubt it makes any sense in your case.

ip route add 192.168.3.x/y dev macvlan-shim

x = first IP of the CIDR range
y = bits of the CIDR range

You can use a subnet calculator to identify a free(!) IP range in your subnet for the number of IP addresses you need (outside your DHCP range). You might start with a 27 bit mask (allows 32 IPs). A 26 bit mask allows twice the amount of IPs, a 28 bit subnet allows half the amount of IPs.

Please do NOT use this setting for your /24 bit mask!

Though, there is a caveat with the approach: the settings are ephemeral and need to be re-applied after every reboot. You probably want to add it to a script that is called after a boot. Since I don't use macvlan myself, I can't help you with that.
I don't believe in the necessity to use macvlan at all. Never required it during the last 7 years.
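The two points above (choosing a --ip-range outside the DHCP pool with a subnet calculator, and the macvlan-shim plus route that must be re-applied after every boot) combined into one script. This is an added example, not code from the thread or from Docker: pick_ip_range and render_commands are hypothetical helpers, and the shim address 192.168.3.60 is a constructed choice.

```python
import ipaddress
from typing import List, Optional


def pick_ip_range(lan: str, prefixlen: int, fixed_ips: List[str],
                  dhcp_first: str, dhcp_last: str, host_ip: str) -> Optional[str]:
    """First /prefixlen block inside `lan` that holds every fixed container IP
    (so one route reaches them) and overlaps neither the DHCP pool nor the host."""
    net = ipaddress.ip_network(lan)
    dhcp_lo, dhcp_hi = ipaddress.ip_address(dhcp_first), ipaddress.ip_address(dhcp_last)
    fixed = [ipaddress.ip_address(a) for a in fixed_ips]
    host = ipaddress.ip_address(host_ip)
    for block in net.subnets(new_prefix=prefixlen):
        if not all(a in block for a in fixed):
            continue
        # overlap test on the block's bounds against the DHCP pool
        if block.network_address <= dhcp_hi and block.broadcast_address >= dhcp_lo:
            continue
        if host in block:
            continue
        return str(block)
    return None  # no block of that size fits: loosen the mask or move the pool


def render_commands(lan: str, gateway: str, parent: str, ip_range: str,
                    shim_ip: str, net_name: str = "macvlan0") -> List[str]:
    """The `docker network create` line with --ip-range, then the host-side
    macvlan shim and the route for the range (shim IP must lie outside it)."""
    if ipaddress.ip_address(shim_ip) in ipaddress.ip_network(ip_range):
        raise ValueError("shim address must not be inside the container ip-range")
    prefix = ipaddress.ip_network(lan).prefixlen
    return [
        f"docker network create --driver=macvlan --subnet={lan} --gateway={gateway} "
        f"--ip-range={ip_range} -o parent={parent} {net_name}",
        f"ip link add macvlan-shim link {parent} type macvlan mode bridge",
        f"ip addr add {shim_ip}/{prefix} dev macvlan-shim",
        "ip link set macvlan-shim up",
        f"ip route add {ip_range} dev macvlan-shim",
    ]


if __name__ == "__main__":
    # Thread values: LAN 192.168.3.0/24, pfSense DHCP .100-.150, host .50,
    # containers .5/.6/.7 behind eno1; the shim address .60 is a constructed choice.
    rng = pick_ip_range("192.168.3.0/24", 27, ["192.168.3.5", "192.168.3.6", "192.168.3.7"],
                        "192.168.3.100", "192.168.3.150", "192.168.3.50")
    print("\n".join(render_commands("192.168.3.0/24", "192.168.3.1", "eno1", rng, "192.168.3.60")))
```

The printed ip commands are the ones that need re-running after each reboot; the docker network create line runs once.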


Maybe I don't need macvlan0! I don't care about it.
In fact I just want my host (3.50) and my 3 containers (3.5, 3.6 & 3.7) to be in my office network, which is in 192.168.3.0.
That simple.

You should have all the relevant details at hand now to create the solution you want.
Though, it’s not going to work without some changes.

I certainly have details, maybe too much in fact! :crazy_face:

Really my setup is supposed to be simple but it is ending up crazy.

I simply need all machines in my network, and the hosts with their containers to ALL see each other in 192.168.3.0/24 LAN. That’s it. And I don’t understand why this is complicated.

I am ready to delete all my networks and start over on a clean slate. I just don’t know where to start to ensure this is pure basic setup without complex fuss.

Thanks

Good day all,
I believe I'm in the right forum to get a solution to my Docker container and host system issue.

My issue is similar to the post by Tlav. I have gone through it but couldn't get a solution from it.

Please, can anyone help with what to do to enable communication between my system (host) IP and my container IP?

I can ping my system IP from my container, but can't ping the container IP from my system. Why? What could be wrong? Is it a Windows issue?
My colleague using an Ubuntu system can ping both ways.


Because on Windows Docker is run in a VM (regardless of whether with WSL1 or WSL2) which has a different IP than the host. The Docker bridge network is invisible to the Windows host. If you connect to the WSL1 VM or WSL2 distribution (which runs in a VM shared by all WSL2 distributions) you will be able to ping the container from there, the same way as your colleague is able to ping the container on his Ubuntu host.

Please, can you provide help on how to connect to the WSL2 distribution?
Where do I connect to it from? Because in the settings environment the WSL2 option is checked.

Sure, no problem, I googled it for you.

Run these commands in a terminal of your choice (cmd, Windows Terminal, PowerShell):

  • wsl --list to get the list of distributions
  • wsl --distribution <name of the distribution you want to exec into> to get shell access to the distribution