I have just started experimenting with Docker on my home lab. Being the security tinfoil-hat paranoid type that I am, I run two separate networks: internal and DMZ. The two networks do what they say on the tin. They exist as separate VLANs and they join at the main router/firewall, where there are appropriate rules governing traffic between the two and with the public internet. My Docker host has a trunk directly to my switch, so I can see both VLANs as interfaces eth0.I and eth0.D.
I would like to have some containers act as “DMZ” containers, in other words they should host services that I will present on my DMZ network. The host itself should instead be in the internal network, and crucially, the containers that are on the DMZ network should have no access whatsoever to the host.
A quick session of googling took me to the macvlan driver, and so far I have set up those containers with it. They run fine and the network isolation is achieved. However, from a design standpoint, this feels wrong. Is there any better solution for my scenario? For example, is it possible to set up a bridged network where my host has an IP address on eth0.D, but the host itself is completely inaccessible from that IP?
Thank you all!
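The macvlan setup the question describes, written out as an added example (not the asker's own commands): a small POSIX shell script that checks the chosen parent is a VLAN sub-interface, then prints (or, with `DRY_RUN=0`, executes) the `docker network create -d macvlan` and `docker run` commands that put a service container on the DMZ VLAN while the host keeps no address there. The subnet `192.0.2.0/24`, gateway `192.0.2.1`, IP range `192.0.2.128/25`, network name `dmz`, container name `web` and image `nginx:alpine` are constructed assumptions for the example; `eth0.D` is the interface name from the question.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the Docker commands for a
# macvlan "DMZ" network bound to the VLAN sub-interface eth0.D, so containers
# get their own DMZ addresses and the host does not hold one on that VLAN.
# All addresses below are constructed for the example; override via environment.

DMZ_PARENT="${DMZ_PARENT:-eth0.D}"            # VLAN sub-interface from the question
DMZ_SUBNET="${DMZ_SUBNET:-192.0.2.0/24}"      # assumed DMZ subnet (documentation range)
DMZ_GATEWAY="${DMZ_GATEWAY:-192.0.2.1}"       # assumed router/firewall address on the DMZ
DMZ_IP_RANGE="${DMZ_IP_RANGE:-192.0.2.128/25}" # slice Docker may allocate from automatically
DMZ_NET="${DMZ_NET:-dmz}"                     # assumed Docker network name

# The parent must be a VLAN sub-interface (name contains a dot); an untagged
# parent would drop the containers onto the host's own segment instead.
dmz_parent_is_vlan() {
  case "$1" in
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Print the command that creates the macvlan network. --ip-range keeps Docker's
# automatic allocations inside a slice that does not collide with other DMZ hosts.
dmz_network_create_cmd() {
  printf 'docker network create -d macvlan --subnet=%s --gateway=%s --ip-range=%s -o parent=%s %s\n' \
    "$DMZ_SUBNET" "$DMZ_GATEWAY" "$DMZ_IP_RANGE" "$DMZ_PARENT" "$DMZ_NET"
}

# Print the command that starts a service container on the DMZ network with a
# fixed address and no ports published on the host: the firewall sees the
# container's DMZ address, never the host's internal one.
dmz_run_cmd() {
  name="$1"; image="$2"; ip="$3"
  printf 'docker run -d --name %s --network %s --ip %s %s\n' \
    "$name" "$DMZ_NET" "$ip" "$image"
}

main() {
  if ! dmz_parent_is_vlan "$DMZ_PARENT"; then
    echo "refusing: $DMZ_PARENT is not a VLAN sub-interface" >&2
    return 1
  fi
  dmz_network_create_cmd
  dmz_run_cmd web nginx:alpine 192.0.2.10
}

# Default is a dry run that only prints the commands; DRY_RUN=0 executes them.
if [ "${DRY_RUN:-1}" = "1" ]; then main; else main | sh; fi
```

The point of the dry run is that the two printed lines are the whole configuration: one network bound to the tagged sub-interface, one container with an address on it. The kernel's macvlan driver does not deliver frames between the parent interface's own stack and its child interfaces, which is why the host stays unreachable from those containers as long as the host keeps no address on eth0.D and no extra macvlan shim interface is added on the host side.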