Setting up netalertx container

Hello all, it took me a bit to figure out how to get netalertx running as a container on my VyOS system, so I figured I’d share a functional config. I’m running VyOS Stream 1.5 Q2 and I have the following networks:

  • 10.24.10.0/29 - Management network
  • 10.24.20.0/28 - Trusted device network
  • 10.24.30.0/29 - Server network
  • 10.24.40.0/26 - Untrusted device network

I wanted to monitor these networks for new devices after seeing an odd IP (192.168.something) on my OPNsense system. I saw I could run containers on VyOS, so I switched back over; I ran 1.3 a while back, so I was somewhat familiar with it already.

I’m 99% sure that device is actually a smart toothbrush that is running its own network, btw, but I need to install an app and agree to all sorts of privacy things to disable the wifi connection I think it’s trying to create.

I had a couple of issues getting my containers working. The first was just the normal problem of using a different syntax to accomplish the goal when I’m used to just running with compose files, but thankfully the documentation on the VyOS site for containers is pretty decent, so that wasn’t too bad.

The final issue I had was netalertx hanging on ‘Loading…’ after I went to the site. In the end it turned out to be because the container was internally trying to use the loopback interface to connect to port 20212, which is what it uses for its API. Creating the following rule solved this issue:

set firewall ipv4 input filter rule 999 action 'accept'
set firewall ipv4 input filter rule 999 inbound-interface name 'lo'
set firewall ipv4 input filter rule 999 source address '127.0.0.0/8'

With that out of the way here are the commands I used to set up a netalertx container.

# This is required to scan my vlans
set container name netalertx allow-host-networks
set container name netalertx capability 'net-raw'

# I set the listen address to the gateway of my servers network
set container name netalertx environment LISTEN_ADDR value '10.24.30.1'

# I added my user/group id before I discovered the loopback issue, I'm not sure
# it's necessary but I do like that my user/group own the files anyways
set container name netalertx environment PGID value '100'
set container name netalertx environment PUID value '1003'

# The rest of the environment variables are the port the web service
# is running on as well as my timezone.
set container name netalertx environment PORT value '20211'
set container name netalertx environment TZ value 'America/Los_Angeles'

# Then I set the image the container should use
set container name netalertx image 'jokobsk/netalertx:latest'

# Next the ports and protocols
set container name netalertx port 20211 destination '20211'
set container name netalertx port 20211 protocol 'tcp'
set container name netalertx port 20211 source '20211'

set container name netalertx port 20212 destination '20212'
set container name netalertx port 20212 protocol 'tcp'
set container name netalertx port 20212 source '20212'

# And finally the volumes
set container name netalertx tmpfs app_api destination '/app/api'
set container name netalertx tmpfs app_api size '500'

set container name netalertx volume app_config destination '/app/config'
set container name netalertx volume app_config source '/config/containers/netalertx/config'

set container name netalertx volume app_db destination '/app/db'
set container name netalertx volume app_db source '/config/containers/netalertx/db'

I also added my networks to the app config file. The recommended way is to do this through the GUI, but I modified the config directly because the GUI wasn’t working yet; I also found it a little clearer than the GUI.

SCAN_SUBNETS=[
              '10.24.10.0/29 --interface=eth2.10',
              '10.24.20.0/28 --interface=eth2.20',
              '10.24.30.0/29 --interface=eth2.30',
              '10.24.40.0/26 --interface=eth2.40'
]
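As an added example (not from the original post or the netalertx project), a small Python check that generates the SCAN_SUBNETS entries from the VLAN layout above and flags malformed or overlapping subnets. It assumes the VLAN id equals the third octet of each subnet (10.24.10.0/29 on eth2.10, and so on, as in the post) and that 172.16.0.0/24 is the container network, as in the firewall group further down.

```python
# Added example (not from the original post): validate the netalertx
# SCAN_SUBNETS entries against the VyOS VLAN layout and render the block.
import ipaddress
import re

# Constructed from the networks listed in the post; the VLAN id is assumed
# to equal the third octet (10.24.10.0/29 lives on eth2.10, and so on).
NETWORKS = ["10.24.10.0/29", "10.24.20.0/28", "10.24.30.0/29", "10.24.40.0/26"]
CONTAINER_NET = "172.16.0.0/24"   # assumed podman network for VyOS containers
PARENT_IFACE = "eth2"

def scan_entries(networks=NETWORKS, parent=PARENT_IFACE):
    """Return netalertx SCAN_SUBNETS strings ('cidr --interface=ethX.VLAN')."""
    entries = []
    for cidr in networks:
        net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set
        vlan = int(str(net.network_address).split(".")[2])
        entries.append(f"{cidr} --interface={parent}.{vlan}")
    return entries

def validate(entries, container_net=CONTAINER_NET):
    """Parse SCAN_SUBNETS entries; return a list of problems (empty means OK)."""
    problems, seen = [], []
    cnet = ipaddress.ip_network(container_net)
    for e in entries:
        m = re.fullmatch(r"(\S+) --interface=(\S+)", e)
        if not m:
            problems.append(f"malformed entry: {e!r}")
            continue
        try:
            net = ipaddress.ip_network(m.group(1), strict=True)
        except ValueError as exc:
            problems.append(f"bad subnet in {e!r}: {exc}")
            continue
        if net.overlaps(cnet):
            problems.append(f"{net} overlaps container network {cnet}")
        problems += [f"{net} overlaps {o}" for o in seen if net.overlaps(o)]
        seen.append(net)
    return problems

def render_config(entries):
    """Render the SCAN_SUBNETS block in the app.conf format shown above."""
    body = ",\n".join(f"              '{e}'" for e in entries)
    return f"SCAN_SUBNETS=[\n{body}\n]"

if __name__ == "__main__":
    ents = scan_entries()
    print(render_config(ents))
    print("problems:", validate(ents) or "none")
    print(validate(["10.24.10.0.29 --interface=eth2.10"]))  # malformed mask
```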

And then I created my firewall configuration, I’m not sure if I needed to do this or if it’s supposed to happen auto-magically with the container config:

# I prefer working with firewall groups so I can more easily change things in one place
# here I create the group that defines the containers network as well as the ports
# the containers are serving.
set firewall group network-group GRP-NET-CONTAINERS network '172.16.0.0/24'
set firewall group port-group GRP-PT-CONTAINERS port '20211'
set firewall group port-group GRP-PT-CONTAINERS port '20212'

# GRP-NET-PROVIDERS contains the other network groups that provide a service
set firewall group network-group GRP-NET-PROVIDERS include 'GRP-NET-CONTAINERS'

# This is my rule that allows the TRUSTED network to reach services on the SERVERS
# network
set firewall ipv4 forward filter rule 200 action 'accept'
set firewall ipv4 forward filter rule 200 description 'ALLOW TRUST-> SERVERS'
set firewall ipv4 forward filter rule 200 destination group network-group 'GRP-NET-PROVIDERS'
set firewall ipv4 forward filter rule 200 destination group port-group 'GRP-PT-SERVICES'
set firewall ipv4 forward filter rule 200 log
set firewall ipv4 forward filter rule 200 protocol 'tcp'
set firewall ipv4 forward filter rule 200 source group network-group 'GRP-NET-TRUSTED'

Hopefully that’s helpful to someone!
