How do I turn on IP Forwarding in BalenaOS?

I am trying to enable IP Forwarding in Balena but can’t seem to be able to.

I had hoped to do sysctl net.ipv4.ip_forward=1 from inside a container, but not even running it in the host will make it work.

The idea is to forward all IP Traffic to the network. Is there any magic way to do this in BalenaOS?

Doing it from a container would be preferred (as it would be easier to not have to redo it once you do a BalenaOS upgrade), but doing it with a configuration in the host would also be acceptable.

Hi @alethenorio,

Can you tell us a little more about what you’re trying to accomplish? For example, tunneling is possible with balenaOS, but I’m not certain that’s what you need. Of course, exposing ports in specific containers (services) in a docker-compose.yml or Dockerfile can route all container traffic to the host network. Also, there are ways to customize an image before flashing it, but we’d need a little more information in order to provide specific help.

John

The idea is to have the balena device join a separate subnet and have the balena device act as gateway for all external communication with devices behind that subnet by forwarding all traffic for that subnet to the underlying network regardless of port.

@alethenorio, do you mean for the balenaOS device to operate as an internet gateway, performing NAT? As if to work like a WiFi router, but not necessarily with a WiFi interface (it could be two ethernet interfaces, a cellular modem or any other network type). If it was an ordinary Linux box, this answer might apply: https://serverfault.com/a/431607 In that answer, they use iptables to set up NAT forwarding, so the Linux box (or balenaOS) would “replace the source address on packets going out to the internet.” But before digging any further in this direction, please confirm that you actually mean to set up a NAT internet gateway.

Also possibly relevant:

Not sure this would be considered a NAT gateway.

We set it up so that we can communicate with the device securely via a tunnel (much like Balena does with their VPN), so the balena device has its own IP, but it also has a second IP so that it belongs to a separate subnet, for example 10.1.4.56, and behind it there is some other device belonging to the same subnet, for example 10.1.4.67.

So from my machine I want to be able to address 10.1.4.67 directly, but it needs to go through the balena device. Meaning I want to be able to do something like curl https://10.1.4.67 from my machine without performing any translation.

On a normal Linux host I can just do sysctl net.ipv4.ip_forward=1 and it will forward packets incoming from the tunnel to the underlying network without the need for iptables and such.

Is there no simple way to achieve this with balenaOS?

To enable IP forwarding, I think you can do echo 1 > /proc/sys/net/ipv4/ip_forward from inside the application container, so just add this to your start script and let us know how it goes.

Here are some relevant topics on the forums so please have a look:

@nghiant2710 Is /proc/sys/net/ipv4/ip_forward mapped to the equivalent in the host?

Yes, but unprivileged containers mount /proc read-only; actually, you might need your container in privileged mode in order to set it.

Isn’t that what running sysctl net.ipv4.ip_forward=1 from the balenaOS host does? Because I tried that and it did not seem to work (though I’ll try again and verify my network setup so I didn’t miss anything).

Hey,

IP forwarding is enabled by default due to the way balenaEngine handles port mapping. It’s basically a NAT network into the docker bridge controlled by iptables. These rules are handled by balenaEngine as would be the case with Docker.

I am not sure I follow your use-case exactly, but regardless you can run a container in the host network with privileged enabled and you can manipulate the iptables rules. Whilst IP forwarding is enabled, the rules have to allow the traffic in the first instance, so I would start there and see why the traffic is blocked.
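The check suggested above, written out as an added example that is not from the thread or from balena: it confirms the kernel forwarding flag, reads the FORWARD chain policy out of iptables-save output, and prints the rules that would let tunnel traffic reach the 10.1.4.0/24 subnet. It assumes the tunnel interface is called tun0, the LAN interface eth0, and that balenaEngine keeps Docker's DOCKER-USER chain (evaluated before the engine's own FORWARD rules); adjust the variables if your setup differs.

```shell
#!/bin/sh
# Assumed names (not from the thread): tunnel and LAN interfaces, LAN subnet.
TUN_IF="${TUN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.1.4.0/24}"

# Returns 0 when IPv4 forwarding is on. Takes an optional file path so the
# check can be run against a sample file instead of /proc.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Reads iptables-save output on stdin and prints the FORWARD chain policy.
# Docker-style engines set this to DROP, so forwarding alone is not enough.
forward_policy() {
    sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# Reads iptables-save output on stdin; returns 0 if FORWARD or DOCKER-USER
# already has an ACCEPT rule from the tunnel interface to the LAN interface.
has_forward_accept() {
    grep -Eq "^-A (DOCKER-USER|FORWARD) .*-i $TUN_IF .*-o $LAN_IF .*-j ACCEPT"
}

# Prints the two rules needed: new flows from the tunnel into the subnet,
# and replies back out. Inserted into DOCKER-USER so the engine's own
# rules (which it rewrites on container start) do not shadow them.
forward_rules() {
    printf 'iptables -I DOCKER-USER -i %s -o %s -d %s -j ACCEPT\n' \
        "$TUN_IF" "$LAN_IF" "$LAN_NET"
    printf 'iptables -I DOCKER-USER -i %s -o %s -s %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' \
        "$LAN_IF" "$TUN_IF" "$LAN_NET"
}

# Diagnostic run on the live host (privileged container, host networking).
diagnose() {
    if ip_forward_enabled; then echo "ip_forward: on"; else echo "ip_forward: OFF"; fi
    dump="$(iptables-save 2>/dev/null)"
    echo "FORWARD policy: $(printf '%s\n' "$dump" | forward_policy)"
    if printf '%s\n' "$dump" | has_forward_accept; then
        echo "tunnel -> LAN already accepted"
    else
        echo "no accept rule for tunnel -> LAN; candidate rules:"
        forward_rules
    fi
}
```

Run diagnose from a privileged container on the host network; the rules it prints are only applied if you run them yourself.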