![]() Docker is a frontend that manages the creation and destruction of these namespaces. ![]() The Linux kernel has a concept of namespaces for processors, memory, network et.al. Next up let’s take a short dive in to some Docker networking specifics. 1.00-2.00 sec 15.3 MBytes 128 Mbits/sec 0 488 KBytesĬongratulations, you now have two IPs on a single machine. Then let’s create a macvlan on vmbr0 using the ip command:Ĭonnecting to host 192.168.0.42, port 5201 In my case it was vmbr0 (technically a bridge interface due to some Proxmox shenanigans), yours could be named eth0 or enp3s0 or something like that. Start by determining which interface you are connected to the network with. These commands should work on most recent distros and I’ve successfully done it on Debian 10, Ubuntu 20.04 and OpenSUSE Tumbleweed 2022.01. I am doing this on the Proxmox distribution which is based on Debian. This fictitious network interface gets a different MAC address and you have to set up some iptables rules for it. To get an extra IP on your NIC you need to create a macvlan (there are other solutions, this one seemed simple). You of course still only receive one packet at a time, so all your virtual MAC addresses share the same bandwidth. If you write a different sender MAC in an ethernet packet and send it out, the switch notices this and returns packets destined for that MAC to your network card. Since you can have more than one MAC on one physical port, you can likewise also have multiple MACs on one network interface. When you send out a packet through a switch, the brainbox in the switch notes your MAC address and the physical port you are connected to. The sender’s MAC address is just 6 bytes written into an ethernet packet. Have you ever thought about how a switch knows where to route traffic? While it may seem like magic at first, it’s unfortunately not magic at all. Let’s get started! Step 1: Multiple MAC/IP addresses on one ethernet port Next we need to force the containers through the new bridge and lastly we need to make sure we can choose which bridge the containers connect through. First we need to create a network interface with a different IP running on the same ethernet port. The solution I cobbled together does not require any firewall changes but does require some additional container network configuration. Since the services were already in containers it was an easy move, but what about the firewall NAT rules? How do I assign one IP in the router to a set of containers and another IP to another, distinct set of containers? This could be achieved by adding a VLAN tag to the container network, but that would require a rewrite of all my firewall rules AND introduce yet another VLAN in my already complicated network. This does not scale well when you have small children, so I decided to pull the services out of the VM and run them in containers on the hypervisor instead. Having two VMs running is fine and dandy but they do need to be updated and kept in check. ![]() I now had two virtual machines kinda separated by concern running my backups, note-taking apps etc. I replaced the complexity that is iptables with a simple-but-not-really VPN setup in pfSense. I then separated the services destined for the LAN and web to a separate VM and kept all the VPNed stuff in it’s own virtual machine. DOCKER FOR MAC DOCKER SUBNET SERIESSome of the services were for my consumption (LAN only), some were accessible over the web and some were bridged to other peoples LANs using OpenVPN and a series of iptables rules.Ī year or two later I built a big hypervisor box that ran my old server in a VM. The server slowly evolved into a small homelab running quite a lot self-hosted stuff. Around the same time I built a small server based on an old Intel Atom running Debian. Once upon a time I bought a used pfSense box and the amount of time I spent doing network administration went from close to zero to “VLAN all the things!”. For that you will probably need to use VLANs.ĭisclamer: You should conduct your own research before using this as a means of securely isolating containers on a production network. Due to how WIFI authentication works this solution cannot be used over WIFI. Note: The solution I come up with relies on something called a macvlan bridge. We will be taking a look at Linux network bridges, iptables and Docker networks. ![]() DOCKER FOR MAC DOCKER SUBNET HOW TOThis will be a tutorial on how to direct traffic from a Docker (podman will probably work too with some modifications) container through a virtual network card on the same host, but using a separate MAC/IP address than the hosts default. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |