accessing the containers from other computers on the network

[vmiyoshi]

This works perfectly for reaching containers (or kubernetes pods) on the computer running docker or kubernetes cluster (running in docker), however I'm unable to access on other computers on the same network.
If I spin up a kubernetes instance using docker-desktops built in kubnernetes, I have no problems accessing the pods from other computers on the same network.

[gregnr]

Hey @vmiyoshi, docker-mac-net-connect works by creating entries in the macOS host's routing table to send L3 packets through the local WireGuard tunnel. Containers wouldn't be accessible to the rest of the LAN unless you set up special IP forwarding rules on your router & macOS host.

When you say Kubernetes pods are accessible to the rest of the LAN, do you mean by their individual IPs (L3), or just through your macOS IP with a port-forward or LoadBalancer service?

[vmiyoshi]

Greg;
Thank you for your response. This is something I'm starting to understand, I don't think my ISP provided router allows for forwarding (I combed over it's configuration all day yesterday). To answer your question - I can access the containers on the localhost with this setup regardless if I'm just spinning them up in docker or if I'm deploying them using something like a "KinD/Kubernetes cluster setup" which will also makes use of Docker.

or just through your macOS IP with a port-forward or LoadBalancer service? = "Yes, this is pretty much what I'm talking about"

However again I could only get to the app's running with in the pod/containers on that local computer, and not from other machines on my local network. BUT if I'm using the built in Kubernetes in Docker-Deskop, Rancher-Desktop, or even Colima this works. Meaning I can access the app from services like LoadBalancer, or NodePort. I don't know what "magic" they are using but it works, and I can't seem to duplicate it...lol What I noticed last night was when I deployed a simple nginx app/LoadBalancer svc, and did a "get svc -A -o wide," in the built in Kubernetes (Docker-Desktop). For one I didn't have to deploy a separate LoadBalancer solution like I would if I was using KinD. What I found is it worked "out-of-the-box" and instead of it being "external IP = X.X.X.X," it was "localhost" and I didn't see new routes in MacOS's routing table, and I could access the app from my iPad by just putting the IP address of the Mac (running the docker-desktop/kubernetes cluster) in the browser so again Magic...lol. Again thank you for response, I'm stuck trying to make this work as I intend it (Docker-desktop/KinD multi-node kubernetes), I may have to buy a new router...lol. You have a good weekend!

[gregnr]

Yeah many stock routers don't let you modify the routing tables - you might have better luck finding a router that you can install OpenWRT on or buy one with it pre-installed (eg. GL.iNet).

However it sounds like you might not actually care about connecting to containers by individual IP (what this tool does) and instead are okay with just connecting to your mac's IP and binding a port from your macOS host to a port on the container. If this is correct, there's nothing more you need to do. This is built into Docker:

docker run -d -p 8080:80 nginx

This is the default way to connect to containers from your host (or from other machines on the LAN, since the port is bound to your macOS host, then forwarded to the container). This is similar to what Docker Desktop Kubernetes would be doing. No routes would need to be created in your routing table.

[lrnd1]

I am trying to achieve a similar thing, but got stuck. Running pihole in docker via Orbstack. My issue was that pihole could not see the querying devices address on my network because of NAT.

Created the network and fixed the ip of the container in the docker-compose:

    networks:
      pihole-net:
        ipv4_address: 192.168.2.2

networks:
  pihole-net:
    name: pihole-net
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.2.0/24
          gateway: 192.168.2.1

Installed docker-mac-net-connect, and pihole is now reachable by the host machine.

❯ dig @192.168.2.2 example.com
; <<>> DiG 9.10.6 <<>> @192.168.2.2 example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39352
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            193     IN      A       96.7.128.198
example.com.            193     IN      A       23.192.228.80
example.com.            193     IN      A       23.192.228.84
example.com.            193     IN      A       23.215.0.136
example.com.            193     IN      A       23.215.0.138
example.com.            193     IN      A       96.7.128.175

;; Query time: 472 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Sat Mar 08 18:22:05 EET 2025
;; MSG SIZE  rcvd: 147

I'm using an Asus router, which lets me create a static route, so I added:
Network: 192.168.2.0 Netmask: 255.255.255.0 Gateway: 192.168.1.6

After adding the route, things got really weird.
I have configured a device for testing, by forcing the DNS address to 192.168.2.2
In the pihole logs, I can see my device (with the correct address) doing some queries, but sites I try to access from my device will not load, nor their entries appear in the query log.
I noticed that my qbittorrent running on the test device can make queries, but Safari and terminal cannot.
Both ping and dig gives me some weird results.

❯ ping 192.168.2.2
PING 192.168.2.2 (192.168.2.2): 56 data bytes
Request timeout for icmp_seq 0
92 bytes from router.asus.com (192.168.1.1): Redirect Host(New addr: 192.168.1.6)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 93b1   0 0000  3f  01 62eb 192.168.1.186  192.168.2.2

❯ dig @192.168.2.2 example.com
;; reply from unexpected source: 192.168.1.6#55452, expected 192.168.2.2#53
;; reply from unexpected source: 192.168.1.6#55452, expected 192.168.2.2#53
;; reply from unexpected source: 192.168.1.6#55452, expected 192.168.2.2#53

; <<>> DiG 9.10.6 <<>> @192.168.2.2 example.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

I have no clue what is going on and how to fix this.