Cannot access container with vlan ip

curtisl98 · October 3, 2024, 3:45pm

I am on an ubuntu server host and am trying to run an nginx server. I want to connect to it at 192.168.2.3:80 from a different device.

However, I am unable to connect to it at 192.168.2.3 or ping. To test I have tried:

Removing the vlan network - I can access it using the hosts ip address
Removing the default network - Same as if i have both networks, I am unable to access the website at all

Below is my docker compose configuration.

services:
  nginx:
    image: nginx
    networks:
      default:
      vlan:
         ipv4_address: "192.168.2.3"
    container_name: nginx
    cap_add:
      - NET_ADMIN
    ports:
       - 80:80
networks:
  default:
     driver: bridge
  vlan:
    driver: macvlan
    driver_opts:
      parent: enp0s8
    ipam:
     config:
        - subnet: "192.168.0.0/17"
          gateway: "192.168.5.202"

What steps can I take to ensure my configuration is correct?

meyay · October 3, 2024, 4:06pm

Kernel security restrictions generally prevent macvlan parent and child interfaces to communicate with each other - this restriction does not come from docker, it just inherits it.

Try accessing the container ip (=macvlan child ip) from a different host than your docker host.

Note: The nginx container should not require NET_ADMIN. With kernels don’t require NET_ADMIN capabilities anymore to bind ports below 1024.

curtisl98 · October 3, 2024, 4:19pm

Thanks for your response. Using a second device, the results remain the same. I have also attempted to ping the container ip from the second device, but every request times out.

ping 192.168.2.3

Pinging 192.168.2.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.2.3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

meyay · October 3, 2024, 4:43pm

I never tried macvlan with a subnet other than /24.
And I always configured ip_range: x.x.x.x/y with a smaller cidr netmask than the subnet itself.

In my experience, as long as the router is within the specified subnet, the container should be reachable and should be able to reach other devices in the lan. [Update]: on a second thought the router is irrelevant if your client is in the same subnet. Macvlan acts pretty much like a network switch.[/update]

You might want to check if setting the parent interface to promiscuous mode, and/or disabling checksum offloading has an effect.

Personally, I stopped using macvlan years ago, as the hustle dealing with it was not worth the benefits.

Topic		Replies	Views
How do I access container from different host on same network when using macvlan driver General docker	0	1946	November 4, 2018
Cannot access container via external IP but can access via host IP with port General	1	4653	October 6, 2020
Question about docker-compose and macvlan General	0	423	January 15, 2021
MACVlan Networks - unable to connect to HOST from Container General docker	4	19292	December 22, 2018
Container with internal IP for Nginx and external IP for LAN access? General	3	4403	February 5, 2023

Cannot access container with vlan ip

Related topics