Docker containers on same subnet as host

LIGISTX

I run Docker containers inside a VM on my “homelab” subnet. I don’t allow traffic from homelab to management (pfSense, UniFi controller, Proxmox etc.) subnets, but I want one of the containers to be able to ping devices on management for uptime status using Uptime Kuma.
 

I am a relative noob with docker, but it looks like I would be looking for either macvlan or ipvlan for this use case?

 

I am somewhat confused about the mechanism behind this. I believe macvlan would give the container its own MAC but share IP of the host, where ipvlan would share MAC but provide an individual IP?

 

For firewall filtering, I believe this is all done at layer 3 if I understand correctly. As such, I should use ipvlan so I can punch through only that single IP address. Does this have security implications, such as somehow allowing other containers on that host to break the subnet barrier?

 

I am not great with networking… so trying to get better. 

Rig: i7 13700k - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Assorted SATA SSD's for Photo Work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - XT45 X-Flow 420 + UT60 280 rads - - EK XRES RGB PWM - - Fractal Define S2 - - Acer Predator X34 -- Logitech G502 - - Logitech G710+ - - Logitech Z5500 - - LTT Deskpad

 

Headphones/amp/dac: Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/ Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x4 TB WD Red RAID Z2 - - Corsair 750D - - Corsair RM650i - - Dell H310 6Gbps SAS HBA - - Intel RES2SC240 SAS Expander - - TreuNAS + many other VM’s

 

iPhone 14 Pro - 2018 MacBook Air


11 minutes ago, LIGISTX said:

I run Docker containers inside a VM on my “homelab” subnet. I don’t allow traffic from homelab to management (pfSense, UniFi controller, Proxmox etc.) subnets, but I want one of the containers to be able to ping devices on management for uptime status using Uptime Kuma.
 

I am a relative noob with docker, but it looks like I would be looking for either macvlan or ipvlan for this use case?

 

I am somewhat confused about the mechanism behind this. I believe macvlan would give the container its own MAC but share IP of the host, where ipvlan would share MAC but provide an individual IP?

 

For firewall filtering, I believe this is all done at layer 3 if I understand correctly. As such, I should use ipvlan so I can punch through only that single IP address. Does this have security implications, such as somehow allowing other containers on that host to break the subnet barrier?

 

I am not great with networking… so trying to get better. 

For macvlan vs. ipvlan:

- macvlan assigns a unique MAC address to each device, along with a unique IP address.
- ipvlan assigns a unique IP address to each device, but uses the same MAC address as the parent device for all the devices.

ipvlan can have some issues with DHCP and IPv6 addresses, since it would try to apply to all devices.
macvlan can have issues with WiFi, or even affect performance. Some NICs and switches have a limit of MAC addresses per port, so if you are putting a lot of devices through one port, performance can be affected.

I would say that macvlan is best in your case, since I doubt that you are really putting that many devices on one port. Though I'm not sure about what wireless you're using.

As for the firewall filtering, I think whatever VM software you're using should have settings for firewall filtering. Not too sure about whether it will punch through.

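An added example (not from this thread, and not Uptime Kuma's or Docker's own tooling) of the macvlan route suggested above, arranged so the firewall exception stays narrow: the Docker network's allocation range is pinned to a single /32 and only the Uptime Kuma container is attached to it, so every other container on the same Ubuntu VM keeps leaving through the host's own address and stays subject to the existing homelab-to-management block. The parent interface name, subnet, gateway and the container address are placeholders.

```shell
#!/bin/sh
# Added example: give ONE container its own address on the homelab subnet via macvlan,
# so the pfSense allow rule can be scoped to that single /32 and ICMP only.
# Placeholder values (adjust to your network): parent NIC eth0, homelab subnet
# 192.168.20.0/24, gateway 192.168.20.1, address reserved for Kuma 192.168.20.250.
PARENT_IF="${PARENT_IF:-eth0}"
SUBNET="${SUBNET:-192.168.20.0/24}"
GATEWAY="${GATEWAY:-192.168.20.1}"
KUMA_IP="${KUMA_IP:-192.168.20.250}"

# Command that creates the macvlan network. --ip-range pins Docker's allocator to one
# /32, so no other container attached later can silently receive a second "allowed" IP.
net_create_cmd() {
  printf 'docker network create -d macvlan -o parent=%s --subnet=%s --gateway=%s --ip-range=%s/32 mgmt-probe\n' \
    "$PARENT_IF" "$SUBNET" "$GATEWAY" "$KUMA_IP"
}

# Command that runs Uptime Kuma attached only to that network, with the pinned address.
# No -p mapping is needed: the container is reachable directly at $KUMA_IP:3001.
run_cmd() {
  printf 'docker run -d --name uptime-kuma --restart=unless-stopped --network=mgmt-probe --ip=%s -v uptime-kuma:/app/data louislam/uptime-kuma:1\n' \
    "$KUMA_IP"
}

# Sanity check before touching anything: the pinned address must be inside the subnet
# and must not be the gateway. Pure POSIX, assumes a /24 like the placeholder values.
ip_in_subnet() {
  ip="$1"; net="${2%/*}"
  [ "${ip%.*}" = "${net%.*}" ] && [ "$ip" != "$GATEWAY" ]
}

if ip_in_subnet "$KUMA_IP" "$SUBNET"; then
  net_create_cmd
  run_cmd
  # Only apply when explicitly asked (APPLY=1) and docker is present; otherwise just print.
  if [ "$APPLY" = "1" ] && command -v docker >/dev/null 2>&1; then
    eval "$(net_create_cmd)"
    eval "$(run_cmd)"
  fi
else
  echo "KUMA_IP $KUMA_IP is not a usable host address in $SUBNET" >&2
  exit 1
fi
```

With macvlan the Docker host itself cannot reach the container over the parent interface, so open the Kuma UI (port 3001) from another machine on the subnet; the matching pfSense rule is then source 192.168.20.250/32 (the placeholder), protocol ICMP, destination the management subnet only, and nothing else on the homelab subnet gains access. Keep the reserved address outside the DHCP pool so no other device can collide with it.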

12 minutes ago, Shooterdude34 said:

For macvlan vs. ipvlan:

- macvlan assigns a unique MAC address to each device, along with a unique IP address.
- ipvlan assigns a unique IP address to each device, but uses the same MAC address as the parent device for all the devices.

ipvlan can have some issues with DHCP and IPv6 addresses, since it would try to apply to all devices.
macvlan can have issues with WiFi, or even affect performance. Some NICs and switches have a limit of MAC addresses per port, so if you are putting a lot of devices through one port, performance can be affected.

I would say that macvlan is best in your case, since I doubt that you are really putting that many devices on one port. Though I'm not sure about what wireless you're using.

As for the firewall filtering, I think whatever VM software you're using should have settings for firewall filtering. Not too sure about whether it will punch through.

Thanks for the detailed description. 
 

I run Proxmox as my hypervisor, Ubuntu Server as the Docker host, pfSense as my firewall/router and UniFi networking gear.

 

I suppose I can give macvlan a shot and see what happens.

 

I just don’t have a fantastic grasp on networking layers, and where firewalls do their blocking, and what having multiple MACs and IPs on the same port “mean” from a routing perspective.

