Skip to content
Hetzner Server Instruction

Setup Network for Docker

Now before we create Docker and everything else, we need to make sure that our container has internet. To do this, we need to enable this in our firewall.
That’s why I first create my VLAN in OPNsense and then check whether the server really has access to the internet.

Connecting to OPNsense-WebUI

Open and Login to opnsense.yourdomain.com

Create Interface

  • Go to Interfaces > Other Types > VLAN
  • Add VLAN by clicking the plus-button
  • Enter the following values
  • Hit ‘safe’ and then ‘apply’

Interfacesetting

Device - vlan0.201 ( vlan0.<VLAN_ID> )
Parent - vtnet1
VLAN tag - 201
VLAN priority - Default
Description - 201_docker ( <VLAN_ID>_<NAME_FOR_THE_VLAN> )

Adding the new interface

  • Go to Interfaces > Assignments
  • Select your new VLAN in “Assign a new interface” you just create
  • Provide a description (Use the same description as above - Example: 201_docker)
  • Click the Add-button

Enable of the new interface

  • Go to Interfaces > [Your Interface] (example docker: 201_docker)
  • Enable the Interface
  • Select under Generic configuration the “IPv4 Configuration Type” from “none” to “Static IPv4”
  • Enter the IP address for the Proxmox Gateway under “Static IPv4 configuration” (example docker: 10.2.1.1)
  • Choose your Subnet to 24
  • Hit Safe and Apply changes

Update RFC1918-Rules

  • Go to Firewall > Aliases
  • Edit the RFC1918-rule by clicking the pen
  • Add content __opt6_network (In future all those beginning with __, but the number can be different)
  • Hit Safe and Apply

Add Rule RFC1918 to Interface

We will use RFC1918 to configure firewall rules for internet access.
If you want to give internet access to the tailscale-interface but still restrict access to all other internal IPs
you can do that with the help of a firewall rule that accepts all connections except if they target RFC1918.

  • Go to “Firewall > Rules”
  • Select the VLAN you want to grant internet access
  • Create a new rule if it doesnt already exist by hitting the plus.

We want to allow everything except if the destination is RFC1918.

  • Enable Destination / Invert.
  • Select RFC1918 as a destination
  • Select the Category (optional)
  • Safe and Apply Changes

Disable anti-lockout-rule

  • Go to “Firewall > NAT > Port Forward”
  • Edit the Anti-Lockout Rule
  • Scroll down to “Disable anti-lockout”
  • Enable this option
  • Safe changes

Add Alias for docker

  • Go to Firewall > Aliases
  • Hit the Plus-Symbol
  • Enter the name docker_201
  • Choose type as host(s)
  • Selected content 10.2.1.2
  • Hit Safe and Apply

Testing Internet-Connecting

Make sure that the firewall is enabled.

  • Go to your OPNSense Console
  • Choose Option 8 for open shell
  • Write pfctl -e

Now check the connection between the firewall and the container

  • Go to your OPNSense Console
  • Choose Option 8 for open shell
  • Write ping 10.2.1.2 > Result is send every second like “64 bytes from 10.2.1.2: icmp_seq=1 ttl=64 time=0.343 ms”

  • Go to your Docker CT Console
  • Start the CT via clicking by ‘start’-button in the top of the console
  • Wait a moment until you can log in

If these results are positive, we can now also enter the following in our Docker CT Console

  • Write ping 1.1.1.1 > Result is send every second like “64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=6.15 ms”

If everything is now correct and working, you can now continue with the installation