Docs: general OPNsense Docker routing how-to in shared.
VM 101 instance refers to shared; duplicates reduced. Co-authored-by: Cursor <cursoragent@cursor.com>
@@ -12,6 +12,7 @@ Passwörter in den Repo-Dateien sind durch `REDACTED` ersetzt. Live-Werte nur au

| Gast | Routing / OPNsense |
|------|-------------------|
| *(allgemein)* | [../shared/opnsense-docker-subnet-routing.md](../shared/opnsense-docker-subnet-routing.md) |
| [vm101-ubuntu](vm101-ubuntu/) | [docbr0-opnsense-routing.md](vm101-ubuntu/docbr0-opnsense-routing.md) |

**Sync vom Gast (Beispiel VM 101):**
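Review bot: The `*(allgemein)*` row puts a non-guest entry into the `Gast` column of a table that otherwise lists one VM per row, and an italic placeholder in the key column reads like a missing value. A one-line pointer above the table (`**Allgemein:** [../shared/opnsense-docker-subnet-routing.md](../shared/opnsense-docker-subnet-routing.md)`) keeps the table per-guest and is easier to scan. The `../shared/` path is consistent with the `vm101-ubuntu/` link in the next row, so the link target itself looks right.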
@@ -12,7 +12,7 @@

Externes Docker-Netz für Container mit **festen IPs** (`10.2.2.0/24`).

**Erreichbarkeit aus LAN/VLANs:** [docbr0-opnsense-routing.md](docbr0-opnsense-routing.md)
**Erreichbarkeit aus LAN/VLANs:** [docbr0-opnsense-routing.md](docbr0-opnsense-routing.md) (Instanz) · [How-To](../../shared/opnsense-docker-subnet-routing.md) (allgemein)

| Stack / Service | Container | IP (docbr0) |
|-----------------|-----------|-------------|
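Review bot: The link depth is correct: this README lives in `vm101-ubuntu/`, one directory below the index that reaches the how-to via `../shared/`, so `../../shared/opnsense-docker-subnet-routing.md` points at the same file as the index row. Style point: the `(Instanz)` / `(allgemein)` pair with a ` · ` separator is fine here, but the same pointer now appears on three pages of this commit; a single `Allgemeine Anleitung` line, as the docbr0 doc uses, would keep the wording uniform.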
@@ -1,126 +1,64 @@
# docbr0 (10.2.2.0/24) — Routing & OPNsense

**Zweck:** Container mit festen IPs auf VM 101 aus dem lokalen Netz (LAN/VLANs) erreichbar machen.
**Stand:** 2026-06-28
**Betrifft:** OPNsense · VM 101 `ubuntu` (192.168.10.10) · Docker-Netz `docbr0`
**Instanz:** VM 101 `ubuntu` auf pve1
**Allgemeine Anleitung:** [../../shared/opnsense-docker-subnet-routing.md](../../shared/opnsense-docker-subnet-routing.md)

---

## Kurzfassung
## Werte für diese Instanz

| Was | Wo |
|-----|-----|
| Docker-Netz | `10.2.2.0/24` (`docbr0`, extern) |
| Gateway für Container | **10.2.2.1** = VM 101 (Docker-Bridge auf dem Host) |
| VM Management-IP | **192.168.10.10** (VLAN 10 / 192.168.10.0/24) |
| OPNsense | Statische Route **10.2.2.0/24 → 192.168.10.10** + Firewall Pass |
| Variable | Wert |
|----------|------|
| `DOCKER_SUBNET` | `10.2.2.0/24` |
| `DOCKER_HOST` | `192.168.10.10` |
| Docker-Netzname | `docbr0` (extern) |
| Bridge-Gateway (Host) | `10.2.2.1` |
| OPNsense Gateway-Name | `VM101_DOCKER` |
| Firewall-Alias | `DOCKER_DOCBR0` |

`10.2.2.1` ist **kein OPNsense-Interface** — nur die Bridge auf der VM.
`10.2.2.1` ist **kein OPNsense-Interface** — nur die Docker-Bridge auf VM 101.

---

## Topologie

```
Client (z.B. 192.168.10.50 oder 192.168.40.x)
│
Client (192.168.10.x / andere VLANs)
▼
OPNsense (192.168.10.1)
│ Route: 10.2.2.0/24 via 192.168.10.10
│ Firewall: Pass (Quell-VLAN → 10.2.2.0/24)
│ Route: 10.2.2.0/24 → 192.168.10.10
▼
VM 101 (192.168.10.10 eth0 + 10.2.2.1 docbr0)
│ ip_forward=1, FORWARD ACCEPT
VM 101 (192.168.10.10 + 10.2.2.1 docbr0)
▼
Docker-Container (10.2.2.x)
Container (10.2.2.x)
├── 10.2.2.254 NPM
├── 10.2.2.253 Nextcloud
├── 10.2.2.22 Gitea (git2)
└── … siehe [README.md](README.md)
```

**Rückweg:** Container → Gateway 10.2.2.1 → VM → eth0 → OPNsense → Client.
Kein NAT nötig (intern → intern).
---

## OPNsense (Kurz)

Siehe [How-To](../../shared/opnsense-docker-subnet-routing.md) für Screenshots-Felder im Detail.

1. Gateway **VM101_DOCKER** → `192.168.10.10` auf LAN/VLAN10
2. Route **10.2.2.0/24** via VM101_DOCKER
3. Firewall Pass: Quell-VLAN → `10.2.2.0/24` (pro Interface)
4. Apply Changes

---

## OPNsense einrichten

### 1. Gateway (falls noch nicht vorhanden)

**System → Gateways → Configuration → Single → +**

| Feld | Wert |
|------|------|
| Name | `VM101_DOCKER` |
| Interface | LAN / VLAN10 (`192.168.10.0/24`) |
| IP address | **192.168.10.10** |
| Disable Gateway Monitoring | optional an (Host pingt evtl. nicht als GW) |
| Description | Docker docbr0 VM 101 |

### 2. Statische Route

**System → Routes → Configuration → +**

| Feld | Wert |
|------|------|
| Network | **10.2.2.0/24** |
| Gateway | **VM101_DOCKER** (192.168.10.10) |
| Description | Docker docbr0 VM101 |

**Apply Changes.**

### 3. Firewall-Regeln

**Firewall → Aliases → +** (optional, übersichtlicher)

| Name | Type | Content |
|------|------|---------|
| `DOCKER_DOCBR0` | Network | `10.2.2.0/24` |

**Firewall → Rules →** Interface der **Quelle** (z.B. **LAN** für 192.168.10.0/24):

| Feld | Wert |
|------|------|
| Action | Pass |
| Interface | LAN (bzw. VLAN10) |
| Protocol | any |
| Source | LAN net (oder spezifisches VLAN) |
| Destination | `DOCKER_DOCBR0` / `10.2.2.0/24` |
| Description | Allow → Docker docbr0 VM101 |

**Weitere VLANs:** dieselbe Logik auf **jedem** Interface, von dem aus Clients kommen (z.B. IoT `192.168.40.0/24`), sonst blockiert Inter-VLAN-Firewall.

Regel **oben** platzieren (vor generischen Block-Regeln).

**Apply Changes.**

---

## Was bewusst nicht auf OPNsense

| Maßnahme | Grund |
|----------|--------|
| Interface/VLAN `10.2.2.0/24` auf OPNsense | Netz existiert nur auf VM 101 |
| Outbound NAT intern → 10.2.2.x | Routing reicht |
| Port-Forward von WAN auf 10.2.2.x | Normaler Weg: DNS → NPM (10.2.2.254) |

---

## VM 101 (Docker-Host)

Bereits vorhanden / relevant:
## VM 101 — Host-Checks

| Check | Erwartung |
|-------|-----------|
| Bridge | `10.2.2.1/24` auf `docbr0` / `br-0362a13fe302` |
| Bridge | `10.2.2.1/24` auf `docbr0` |
| `ip_forward` | `1` |
| FORWARD | policy ACCEPT |
| Docker | `"iptables": false` — Fest-IPs auf docbr0 bleiben stabil |
| Container-Internet | manuelles NAT → [../../pve1/scripts/vm101-docker-nat-rules.sh](../../pve1/scripts/vm101-docker-nat-rules.sh) |
| Docker | `"iptables": false` |
| Container-Internet | [vm101-docker-nat-rules.sh](../../pve1/scripts/vm101-docker-nat-rules.sh) |

```bash
# Auf VM 101
ip route | grep 10.2.2
ping -c1 10.2.2.253
ping -c1 10.2.2.254
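Review bot: The return-path line (`**Rückweg:** Container → Gateway 10.2.2.1 → VM → eth0 → OPNsense → Client`) is only right for clients in other VLANs. A client on 192.168.10.0/24, such as the `192.168.10.50` example in the topology, reaches the container via OPNsense as its default gateway, but VM 101 sits on that same subnet and answers the client directly, so OPNsense sees one direction of every such flow only. With a stateful LAN pass rule that typically shows up as "ping works, TCP stalls", and OPNsense will usually also send ICMP redirects to those clients because the gateway `VM101_DOCKER` is on the interface the packet arrived on. The doc should say so and, for the LAN/VLAN10 rule, recommend the usual fix of setting the rule's advanced `State Type` to `sloppy` or `none`; the `Disable Gateway Monitoring` hint belongs next to that explanation. Second point on the firewall table: the rule is `Protocol any` towards the whole `DOCKER_DOCBR0` alias from every source VLAN, while the access table says direct `10.2.2.x` is the admin/debug path that bypasses NPM. For a non-admin segment like IoT `192.168.40.0/24`, a rule limited to NPM (`10.2.2.254`) and its ports exposes the published services without opening Dockge and every other container to that VLAN.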
@@ -129,44 +67,22 @@ sudo docker network inspect docbr0 --format '{{range .IPAM.Config}}{{.Subnet}}{{

---

## Tests

### Vom Client (lokal / VLAN)
## Tests (diese Instanz)

```bash
traceroute 10.2.2.253 # erwartet Hop über 192.168.10.10
ping 10.2.2.254
traceroute 10.2.2.253
curl -sI http://10.2.2.253/status.php
curl -sI http://10.2.2.254
```

### Von OPNsense (Diagnostics → Ping)

- Ziel `192.168.10.10` → OK
- Ziel `10.2.2.253` → OK (wenn Route + VM-Forward stimmen)

---

## Fehlerbilder
## Alltag vs. Admin

| Symptom | Wahrscheinliche Ursache |
|---------|-------------------------|
| Timeout, kein Hop zu .10 | Statische Route fehlt oder falscher Gateway |
| Hop zu .10, dann Timeout | VM: Forwarding / Bridge; Container down |
| Ping OK, HTTP nein | Container-Port / Dienst; nicht OPNsense |
| Nur aus einem VLAN | Firewall-Regel fehlt auf Quell-Interface |
| WAN-Zugriff gewünscht | Separat: DNS + NPM, nicht direkte 10.2.2-Route |

---

## Alltag vs. Admin-Zugriff

| Zugriff | Empfehlung |
|---------|------------|
| **Benutzer** | Hostname (`cloud.jeanavril.com`) → NPM (10.2.2.254) → Backend |
| **Admin / Debug** | Direkt `10.2.2.x` nach Route (Dockge, Container-Logs, Bypass NPM) |

Split-DNS oder lokaler DNS-Eintrag für interne Namen ist unabhängig von der statischen Route — beides kann parallel existieren.
| Zugriff | Weg |
|---------|-----|
| Benutzer | Hostname → NPM (`10.2.2.254`) → Backend |
| Admin | Direkt `10.2.2.x` (Dockge, Logs, Bypass NPM) |

---
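Review bot: The expected-result comment on the traceroute line (`traceroute 10.2.2.253 # erwartet Hop über 192.168.10.10`) does not carry over to the replacement block, where the line is a bare `traceroute 10.2.2.253`; keep it, because the hop via 192.168.10.10 is the one observation that separates "static route works" from "something else answers", and the `Fehlerbilder` table (`Timeout, kein Hop zu .10` vs `Hop zu .10, dann Timeout`) is built on exactly that distinction. If that symptom table moves to the shared how-to as part of the de-duplication, the `Tests (diese Instanz)` section should link to it rather than lose the triage path.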
@@ -174,7 +90,6 @@ Split-DNS oder lokaler DNS-Eintrag für interne Namen ist unabhängig von der st

| Dokument | Inhalt |
|----------|--------|
| [README.md](README.md) | Stack-Liste, docbr0-IP-Tabelle |
| [../../pve1/06_ubuntu-vm-nextcloud.md](../../pve1/06_ubuntu-vm-nextcloud.md) | Nextcloud, NPM, notify_push |
| [../../shared/infrastruktur-netzwerk.md](../../shared/infrastruktur-netzwerk.md) | VLANs, Proxmox-Hosts |
| [../../pve1/scripts/vm101-docker-nat-rules.sh](../../pve1/scripts/vm101-docker-nat-rules.sh) | Container-Internet (NAT) |
| [README.md](README.md) | Stack-Liste, IP-Tabelle |
| [../../pve1/06_ubuntu-vm-nextcloud.md](../../pve1/06_ubuntu-vm-nextcloud.md) | Nextcloud, notify_push |
| [../../shared/opnsense-docker-subnet-routing.md](../../shared/opnsense-docker-subnet-routing.md) | Allgemeines How-To |
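Review bot: Going by the hunk header (7 lines to 6), two rows leave this table (`infrastruktur-netzwerk.md` and `vm101-docker-nat-rules.sh`) and the shared how-to row arrives. Dropping the NAT script here is fine since the host-checks table still links it, but the firewall section of this doc refers to VLAN numbering (VLAN 10, IoT `192.168.40.0/24`) that the doc itself does not define; keep a pointer to `../../shared/infrastruktur-netzwerk.md` (VLANs, Proxmox-Hosts) somewhere, either in this table or in the `Betrifft` line.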