Running DNS server in container - source IPs

I’m trying to run AdguardHome in a container (assigned to IP 192.168.100.200 in the network assigned to containers which is 192.168.100.0/24) and advertise it as a name server to the DHCP clients. It works fine so far but all requests received by AGH seem to originate from a single IP (192.168.100.1) therefore it cannot differentiate/track the different clients which bothers me of course.

I reckon that this might be because of the rootlessport component of podman (see details here and here) and this might be solved by changing the port handler to slirp4netns.

I couldn’t find, however, any support in vyos to specify a different port handler (or at least to specify custom options to podman). I manually edited /run/systemd/system/vyos-container-adguard.service to include the --network slirp4netns:port_handler=slirp4netns option, however it did not have any effect at all (not even an error message that slirp4netns is not installed (?)). Would anyone have any clue how to do this? As per the stackoverflow comment, it might be necessary to podman create before podman run; however, that doesn’t work like that in vyos at all…

I would say you are just NAT-ing the traffic towards your container network, can this be the case?

No I don’t think so, this is all the NAT configuration I have, it should not be relevant as traffic to the container network goes neither to eth0 nor to tailscale0 (there is a pod-containers interface fwiw).

 nat {
     source {
         rule 100 {
             outbound-interface eth0
             source {
                 address 192.168.0.0/16
             }
             translation {
                 address masquerade
             }
         }
         rule 110 {
             outbound-interface tailscale0
             source {
                 address 192.168.0.0/16
             }
             translation {
                 address masquerade
             }
         }
     }
 }

Also see this comment from here:

By default, Podman uses the rootlessport proxy, which replaces the source ip of the connection with an internal ip from the container namespace. You can, however, explicitly request Podman to use slirp4netns as the port handler, which will preserve the source address at the expense of some performance.

Odd, I don’t have that issue. What is your container config like?

set container network containers prefix '192.168.100.0/24'
set container name adguard image 'docker.io/adguard/adguardhome:latest'
set container name adguard network containers address '192.168.100.200'
set container name adguard volume config destination '/opt/adguardhome/conf'
set container name adguard volume config mode 'rw'
set container name adguard volume config source '/config/containers/adguard/conf'
set container name adguard volume data destination '/opt/adguardhome/work'
set container name adguard volume data mode 'rw'
set container name adguard volume data source '/config/containers/adguard/work'

All requests appear from the gateway 192.168.100.1.

I’m on Vyos 1.3.4 btw.
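One way to confirm the symptom described above from the query log rather than from the AGH dashboard: count distinct client addresses and flag the case where every query arrives from the single gateway address. This is an added example, not code from the thread, VyOS or AdGuard Home; the JSON-lines layout with a "T", "QH" and "IP" field is an assumption about AdGuard Home’s querylog.json, and the sample entries are constructed.

```python
import json
from collections import Counter

# Constructed sample query-log entries (JSON lines). The field names "T",
# "QH", "QT" and "IP" are an assumption about AdGuard Home's querylog.json;
# adjust the key used in client_ip_counts() if your log differs.
SAMPLE_LOG_COLLAPSED = """\
{"T":"2023-05-01T10:00:00Z","QH":"example.com","QT":"A","IP":"192.168.100.1"}
{"T":"2023-05-01T10:00:01Z","QH":"example.org","QT":"A","IP":"192.168.100.1"}
{"T":"2023-05-01T10:00:02Z","QH":"example.net","QT":"AAAA","IP":"192.168.100.1"}
"""

SAMPLE_LOG_OK = """\
{"T":"2023-05-01T10:00:00Z","QH":"example.com","QT":"A","IP":"192.168.1.10"}
{"T":"2023-05-01T10:00:01Z","QH":"example.org","QT":"A","IP":"192.168.1.11"}
{"T":"2023-05-01T10:00:02Z","QH":"example.net","QT":"AAAA","IP":"192.168.1.10"}
"""


def client_ip_counts(log_text):
    """Parse JSON-lines query-log text and count queries per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the whole check
        ip = entry.get("IP")
        if ip:
            counts[ip] += 1
    return counts


def source_collapse_check(log_text, gateway_ip, min_queries=2):
    """Return a verdict dict for the log.

    'collapsed' is True when every query (at least min_queries of them) comes
    from the single gateway address, i.e. the port proxy has rewritten the
    client source addresses and per-client tracking in AGH is impossible.
    """
    counts = client_ip_counts(log_text)
    total = sum(counts.values())
    collapsed = total >= min_queries and set(counts) == {gateway_ip}
    return {
        "total_queries": total,
        "distinct_clients": len(counts),
        "collapsed": collapsed,
        "top_clients": counts.most_common(5),
    }


if __name__ == "__main__":
    for label, text in (("collapsed", SAMPLE_LOG_COLLAPSED), ("ok", SAMPLE_LOG_OK)):
        print(label, source_collapse_check(text, "192.168.100.1"))
```

Point it at the real log file (read its contents and pass the text to source_collapse_check with the container network’s gateway address, 192.168.100.1 in this thread) before and after changing the port handler; if "collapsed" flips to False and "distinct_clients" grows, the source addresses are being preserved.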

Does set container name adguard allow-host-networks help at all?

I suppose it might but that would be host networking which I don’t want and it would interfere with the DNS forwarding service on the host.

Hang on… are your clients maybe talking to the DNS forwarder which then forwards it to your adblock container?

Nope, I advertise the DNS server’s direct IP address to DHCP clients, the DNS forwarder is for other purposes.