Can I disable MAC randomization introduced in v28?

I use compose on debian to run my stacks, and several containers use static IPs.
I updated to v28, and now every time I pull/up my containers my firewall quarantines the networks because of MAC randomization, i.e. MAC address changed, new device detected on network, placed in quarantine group.

Is there a way to revert to the previous behavior where the v4 MAC was the bridge network?
Or do I now need to specify IP and MAC for every static IP network config?

E.g. just IP set, now randomizes MAC

    networks:
      public_network:
        ipv4_address: ${FOO_IP}
      local_network:

E.g. IP and MAC set

    networks:
      public_network:
        ipv4_address: ${FOO_IP}
        mac_address: ${FOO_MAC}
      local_network:

Change notice: Engine v28 | Docker Docs
“Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses.”
IPv6 only: use random MAC addresses by robmry · Pull Request #48808 · moby/moby · GitHub


I haven’t started to use v28 yet, but I doubt that you could revert the behavior, because it would have been mentioned in the release notes probably.

Containers on bridge network have dynamic IP addresses in most cases, so I assume it was in the focus. Scaling up is not possible either when using static IPs. On the other hand, static IP is probably more common when using MacVLAN, since then you couldn’t use port mappings to make a service available on a specific port, even internally on a loopback interface.

If these are not possible for you for any reason, I think setting the MAC address looks like a good idea.

Can you tell us more about the firewall that quarantines the networks? Which firewall? Since the bridges are local, I assume it is a local firewall on the machine. I’m just curious, because I haven’t heard about quarantined networks yet, so I wonder if this new Engine behavior can be considered a kind of bug without an option for persistent MAC or not.

I create a bridge network to a physical NIC, and then a docker network on that bridge network, and then use macvlan with static IPs on that network. In the past these static IPs used to share the bridge MAC and the MAC was unchanged.

I have now switched my config to always specifying static IP and MAC (LAA) together, and the pair now stays constant during service up and down, and my problem is solved.

Firewall is Firewalla, but that is not really important; any firewall that tracks devices by MAC and assigns them to specific rules will have the same issue with random MACs, e.g. very common with iOS on WiFi. In my config all unknown devices get added to a group called “quarantine”, and that group gets internet access only, no local routing access.
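One way to produce the constant IP/MAC pair described above, as an added example that is not code from the thread or from Docker: derive a locally administered (LAA) unicast MAC deterministically from a label of your choosing (here `<service>@<ipv4_address>`, an assumption) so the value put into `mac_address` never changes between `up` and `down`, and a device-tracking firewall never sees a new device. It assumes `sha256sum` from coreutils is available.

```shell
#!/bin/sh
# Added example (not from the thread): a stable LAA MAC per compose service.
# The label is your choice; "<service>@<ipv4_address>" is just an assumption here.

stable_laa_mac() {
    label=$1
    # First 12 hex chars (6 octets) of SHA-256 over the label.
    hex=$(printf '%s' "$label" | sha256sum | cut -c1-12)
    first=$(printf '%s' "$hex" | cut -c1-2)
    rest=$(printf '%s' "$hex" | cut -c3-12)
    # First octet: set the locally-administered bit (0x02) and clear the
    # multicast bit (0x01), so the result is an LAA unicast address.
    first=$(printf '%02x' $(( (0x$first | 0x02) & 0xfe )))
    # aabbccddeeff -> aa:bb:cc:dd:ee:ff
    printf '%s' "$first$rest" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Check that a MAC is locally administered and unicast (low two bits == 10b).
is_laa_unicast() {
    o1=$(printf '%s' "$1" | cut -c1-2)
    [ $(( 0x$o1 & 0x03 )) -eq 2 ]
}

# Write the pair into a .env file that docker compose reads for ${FOO_IP}
# and ${FOO_MAC}; prints the MAC so callers can reuse it.
write_env() {
    svc=$1; ip=$2; out=$3
    mac=$(stable_laa_mac "$svc@$ip")
    printf 'FOO_IP=%s\nFOO_MAC=%s\n' "$ip" "$mac" > "$out"
    printf '%s' "$mac"
}
```

Run `write_env foo 192.0.2.10 .env` once per service and keep the label fixed; changing the label (or the IP inside it) intentionally produces a different MAC.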

It could have been important, that is why I asked, but you answered it in an unexpected way. You didn’t mention in your first post that you were using MacVLAN and none of your quoted code referred to MacVLAN either so I incorrectly assumed you were using the default docker bridge network despite the fact that the new behavior affected MacVLAN as well. MacVLAN indeed explains everything.