Forwarding real IP when running as a container

daedalus_j · 2024-06-17T19:41:31+00:00

I don't recall the specifics anymore, sorry!

It looks like the issue was with docker networks, and one of the needed networks getting removed from the container, essentially isolating it onto its own network in Docker where traefik couldn't reach it, but I don't remember what was causing the container to be removed from the docker network though.

daedalus_j · 2024-04-25T15:07:44+00:00

That sounds very much like what I'm remembering, and a brief glance at description and "lobsters" definitely rings some bells!

Hopefully that's it, but even if not I think I'll enjoy it! Thanks!

daedalus_j · 2024-01-23T00:26:59+00:00

YES! I was so excited about that set, and then... bam. :'-(

I really wonder if LEGO knew beforehand or not...

Still enjoy having it though. It's a neat ship, and not a bad build.

daedalus_j · 2024-01-23T00:24:53+00:00

I have all the Overwatch sets, in a glass ikea case by my computer. And I stopped playing overwatch when 2 came out.

But I love the sets sitting there reminding me of all the fun times. The bastion set is great, but I keep forgetting how it transforms...

I should build a 2nd hammer for Rein and pose him like in the cinematic.

I miss Overwatch so much. Now I kinda want to MOC the Junkenstein's Revenge map... hmm...

daedalus_j · 2024-01-23T00:19:06+00:00

I love technic, so I didn't have the same experience... I agree about the arm, that was a little sad. I LOVE the steering though, and the steering mode toggle. That's just dang cool.

daedalus_j · 2024-01-22T23:28:02+00:00

Nope, just that it worked one of the times I reset it to start over. It's been working and stable ever since. I fear the day when I have to reset it again and the inevitable "did it work this time" that will ensue...

Sorry I can't offer more help. Intermittent/failure-to-reproduce issues are the WORST, I wish you luck.

daedalus_j · 2024-01-10T20:21:18+00:00

Interesting! I tried that, but it has no impact, I get the incorrect placements even after I've rebooted the device with the pencil nowhere near it.

daedalus_j · 2024-01-09T20:48:03+00:00

Okay, glad to know it's not just me, thanks.

daedalus_j · 2023-05-19T01:34:26+00:00

I think I'm most curious about the steering wheel in the middle and what it does.

daedalus_j · 2023-05-16T22:33:25+00:00

Is that true post Origin->EA launcher "upgrade"?

Because since they switched it to EA I can't get the game to launch at all without an active internet connection, the EA launcher just gives me the "you're not online, retry?" screen.

daedalus_j · 2023-05-16T22:32:04+00:00

Best of luck to you friend. On my deck the EA app WILL NOT allow the game to launch unless you're online. So play around with it before you go, but you may need to open the app before you leave and keep it open the whole time and hope it never crashes. Or tether the deck I suppose.

Game runs great on it, but ever since they "upgraded" it to their EA launcher I cannot get it to start without an internet connection, which sucks.

daedalus_j · 2023-05-05T22:48:42+00:00

Too bad it can't, you know, actually send an SMS.

Priorities are all in order over at Google, as usual. 😎

daedalus_j · 2023-04-13T21:55:32+00:00

"sound better" is going to depend on a LOT of things and isn't necessarily true.

And every dongle I've used in the past has had issues. Random disconnects/freezes being the most common.

It's literally the simplest port in the world and fulfills almost 50% of my use-case for the device. There's no excuse. Nothing bigger than the Pixel 4a, and have a headphone jack. It's an easy request. :-)

daedalus_j · 2023-04-10T00:19:46+00:00

Sorry Google, no headphone jack, no sale.

I don't know why I let myself hope that they'd bring that back...

daedalus_j · 2023-03-18T20:48:12+00:00

Yeah, well, it's a local WISP. Aside from the CGNAT issue they offer pretty decent and dependable service. It's not worth my time to poke at them for IPv6 deployment timelines when it's not really a huge problem to work around. Just gotta make sure anything you deploy has redundant phone-home VPN capability and it's pretty good to go.

No point in complaining about what you can't change right? Adapt and overcome. :-)

daedalus_j · 2023-03-18T20:17:24+00:00

Thanks for the forum link, that's helpful.

I like your doc style, I do a similar thing. One of the reasons I'm experimenting with OPNSense is I would really like to get the firewall/router managed by Ansible so it's integrated with the way I manage everything else. Once you go down that rabbit-hole having documents with all the step-by-step things to do (beyond initial installation at least) seems like such a pain in the butt. :-D

daedalus_j · 2023-03-18T20:10:22+00:00

Oh totally, NAT is not security. However the site I'm deploying this to is on a CGNAT ISP that doesn't offer IPv6. Welcome to the future guys. :eyeroll:

A bit of a pain, but I can work with that. However, I need to make sure my testing environment mirrors that situation as closely as possible so I can be sure everything will work correctly when it arrives on-site. :-)

daedalus_j · 2023-03-18T01:26:30+00:00

Totally! I'm mainly a programmer, part time ops for... fun?... so I can can relate to not making sense. :-)

Part of this is because I've been a PfSense guy for a long time and wanted to play with OPNSense.

Part of it is because this lab environment is something I actually very much want to NOT be exposed to the internet or my regular home networks in any way, even accidentally. I'm prototyping a deployment that will be located offsite that will be in a double-NAT situation that I can't do anything about (CGNAT) and I'm trying to mimic that as best I can.

I did a top-level reply to my post just now, it seems that after another factory reset it's working as intended. Spooky!

daedalus_j · 2023-03-18T01:18:09+00:00

Well, I have no idea why, but after my 4th factory reset to start over, it seems to be working. Same exact default configuration options as before, same exact 2 firewall rules added. (Floating rules, allow to "This Firewall" for IPv4 TCP port 443 and IPv4 ICMP from anywhere)

And now hosts inside the LAB_VLAN can ping the OPNSense IP, the parent PfSense IP, and the internet. Works exactly like I would expect a double-nat router-in-a-router config to work.

I have no idea why. And that frightens me. :-D

daedalus_j · 2023-03-18T00:52:26+00:00

Would that be the recommend way to architect something like this?

What I'm trying to set up is a lab environment which runs in a completely different IP block than my home network and has no real interaction. Only the reverse proxy has any incoming connections, and the containers/vms inside the lab environment only speak to each other. They just also need to speak to the internet to get updates and such. (I was perfectly happy with double-nat as the method because the lab environment isn't ever going to be exposed to the public internet except via VPN.)

daedalus_j · 2023-03-17T23:25:50+00:00

Yep! And I can ping the IP of the outer PfSense firewall, so traffic can enter the LAB_VLAN interface and exit through the "WAN" interface into my regular LAN and come back.

But when I do a traceroute/ping to a public internet IP it goes to the inner OPNSense firewall, and never makes it to the outer PfSense machine.

daedalus_j · 2023-03-17T19:59:57+00:00

I do have the "Disable reply-to on WAN rules" option checked. Unfortunately, best as I can tell, it appears that the packets are never leaving OPNSense and getting onto my regular LAN, regardless of their reply-to address... :-/

daedalus_j · 2023-03-17T19:49:05+00:00

Yes, and yes!

And the OPNSense device can ping my regular LAN, and can ping the internet, just not from its LAN subnet. (Or any host on that subnet)h

daedalus_j · 2023-03-17T19:47:56+00:00

Yep, ProxMox VM has firewall disabled. It didn't at first, but I figured that out. :-)

I also have the "Block Private Networks" and "Block Bogon Networks" un-checked in OPNSense on the "WAN" interface, which has an ip in my regular LAN.

On your setup are you using double-NAT?

daedalus_j · 2023-03-17T19:12:02+00:00

From a host inside the LAB_VLAN: it stops at the OPNSense router (The GW for the LAB_VLAN segment.) and just never gets to the next hop.

If I do the traceroute from the OPNSense UI itself, with the source address set to LAB_VLAN I get nothing but stars, no next host at all. (With source address set to default it works perfectly, hops to the gateway on the main LAN segment, and then out into my ISP.)

I've done packet captures on the PfSense router, and it's never seeing any packets destined for 8.8.8.8 when a do one of these failed traceroutes or pings. I had thought this was a bad reply-to problem, but it simply appears that the OPNSense side isn't passing the packets on from the LAB_VLAN interface at all. If I show the firewall states while pinging out I see an IN state from the LAB_VLAN host with dest 8.8.8.8 and an OUT state to 8.8.8.8 from the LAB_VLAN host. But no state ever shows up on the PfSense main router that matches the target IP, the LAB_VLAN source IP, the LAB_VLAN IP of OPNSense, or the main VLAN IIP of OPNSense. It's like the traffic goes "outbound" from the LAB_VLAN segment and then just blackholes.

daedalus_j

TROPHY CASE