I have a server with one physical network interface that is running Docker.
This interface is configured as an 802.1Q trunk. To avoid asymmetric routing I configured routing tables for each subnet.
That's my /etc/network/interfaces:
auto enp3s0
iface enp3s0 inet dhcp
    post-up ip route add 192.168.1.0/24 dev enp3s0 table 1
    post-up ip route add default via 192.168.1.1 table 1
    post-up ip rule add from 192.168.1.0/24 table 1 priority 101
    post-up ip route flush cache
    pre-down ip rule del from 192.168.1.0/24 table 1 priority 101
    pre-down ip route flush table 1
    pre-down ip route flush cache

auto enp3s0.2
iface enp3s0.2 inet dhcp
    hwaddress ether 00:11:22:33:44:55
    post-up ip route add 192.168.2.0/24 dev enp3s0.2 table 2
    post-up ip route add default via 192.168.2.1 table 2
    post-up ip rule add from 192.168.2.0/24 table 2 priority 102
    post-up ip route flush cache
    pre-down ip rule del from 192.168.2.0/24 table 2 priority 102
    pre-down ip route flush table 2
    pre-down ip route flush cache

auto enp3s0.4
iface enp3s0.4 inet dhcp
    hwaddress ether 00:11:22:33:44:56
    post-up ip route add 192.168.4.0/24 dev enp3s0.4 table 4
    post-up ip route add default via 192.168.4.1 table 4
    post-up ip rule add from 192.168.4.0/24 table 4 priority 104
    post-up ip route flush cache
    pre-down ip rule del from 192.168.4.0/24 table 4 priority 104
    pre-down ip route flush table 4
    pre-down ip route flush cache

...
This setup works fine if I start a container with the --net=host parameter. The containers are accessible from each subnet/vlan.
I would like to have more control over the ports and the accessibility (not every docker should be reachable in every subnet).
If I use the parameter -p (e.g. -p 3777:3777) the dockers are not reachable anymore.
This guide https://hicu.be/docker-networking-macvlan-vlan-configuration addresses a similar problem, but I do not want to extend my vlans to docker and assign an IP on each docker instance. This is too much.
My server has an IP in every subnet/vlan,
192.168.1.199 (native vlan / mgmt)
I would like to start dockers with the -p parameter and choose on which interface they are accessible.
e.g. docker run -p 192.168.4.199:9000:9000 --name portainer …
and it should only be accessible through 192.168.4.199:9000
Maybe my ip route / ip rule settings are not well configured and/or I need a docker bridge for each subnet… but that's the point where I cannot get any further. Up to now, if I choose the -p parameter and the docker is connected to the default docker bridge… the docker is not accessible at all.
Do you have any idea?
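The following is an added example, not part of the original post, that parses the first three stanzas of the interfaces file quoted above (the stanzas hidden behind "..." are not included) and checks the invariants that keep source-based routing symmetric: the source prefix in each ip rule matches the subnet routed in that table, the default gateway sits inside that subnet, and no two tables share a rule priority. It also mimics the kernel's rule lookup for a given source address, returning the table that a packet sourced from that address would use, or None when none of the post-up rules match (in which case lookup continues to the remaining rules, normally the main table). The regexes assume the exact `ip route add` / `ip rule add` forms used in the post.

```python
"""Parse ifupdown post-up hooks into per-VLAN routing tables and check them.

Added example, not code from the original post. Input is the interfaces text
quoted in the question (first three stanzas, reconstructed with line breaks).
"""
import ipaddress
import re

# Constructed from the interfaces file in the post (first three stanzas only).
INTERFACES_TEXT = """\
auto enp3s0
iface enp3s0 inet dhcp
    post-up ip route add 192.168.1.0/24 dev enp3s0 table 1
    post-up ip route add default via 192.168.1.1 table 1
    post-up ip rule add from 192.168.1.0/24 table 1 priority 101
    post-up ip route flush cache

auto enp3s0.2
iface enp3s0.2 inet dhcp
    hwaddress ether 00:11:22:33:44:55
    post-up ip route add 192.168.2.0/24 dev enp3s0.2 table 2
    post-up ip route add default via 192.168.2.1 table 2
    post-up ip rule add from 192.168.2.0/24 table 2 priority 102
    post-up ip route flush cache

auto enp3s0.4
iface enp3s0.4 inet dhcp
    hwaddress ether 00:11:22:33:44:56
    post-up ip route add 192.168.4.0/24 dev enp3s0.4 table 4
    post-up ip route add default via 192.168.4.1 table 4
    post-up ip rule add from 192.168.4.0/24 table 4 priority 104
    post-up ip route flush cache
"""

# Only the exact command forms used in the post are recognised (assumption).
ROUTE_RE = re.compile(r"^post-up ip route add (\S+) dev (\S+) table (\d+)$")
GW_RE = re.compile(r"^post-up ip route add default via (\S+) table (\d+)$")
RULE_RE = re.compile(r"^post-up ip rule add from (\S+) table (\d+) priority (\d+)$")


def parse_tables(text):
    """Return {table_id: {stanza, iface, subnet, gateway, rule_from, priority}}."""
    tables = {}
    current_iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("iface "):
            current_iface = line.split()[1]  # stanza the following hooks belong to
            continue
        m = ROUTE_RE.match(line)
        if m:
            subnet, dev, tid = m.groups()
            t = tables.setdefault(int(tid), {})
            t["stanza"], t["iface"] = current_iface, dev
            t["subnet"] = ipaddress.ip_network(subnet)
            continue
        m = GW_RE.match(line)
        if m:
            gw, tid = m.groups()
            tables.setdefault(int(tid), {})["gateway"] = ipaddress.ip_address(gw)
            continue
        m = RULE_RE.match(line)
        if m:
            src, tid, prio = m.groups()
            t = tables.setdefault(int(tid), {})
            t["rule_from"] = ipaddress.ip_network(src)
            t["priority"] = int(prio)
    return tables


def check_tables(tables):
    """Return a list of problems; an empty list means the tables are consistent."""
    problems = []
    seen_prio = {}
    for tid, t in sorted(tables.items()):
        missing = [k for k in ("iface", "subnet", "gateway", "rule_from", "priority") if k not in t]
        if missing:
            problems.append(f"table {tid}: missing {', '.join(missing)}")
            continue
        if t["stanza"] != t["iface"]:
            problems.append(f"table {tid}: route uses {t['iface']} but is defined in stanza {t['stanza']}")
        if t["gateway"] not in t["subnet"]:
            problems.append(f"table {tid}: gateway {t['gateway']} not inside {t['subnet']}")
        if t["rule_from"] != t["subnet"]:
            problems.append(f"table {tid}: rule source {t['rule_from']} != subnet {t['subnet']}")
        if t["priority"] in seen_prio:
            problems.append(f"table {tid}: priority {t['priority']} already used by table {seen_prio[t['priority']]}")
        seen_prio.setdefault(t["priority"], tid)
    return problems


def table_for_source(tables, source_ip):
    """Lowest-priority matching 'from' rule wins, as in the kernel; None if no rule matches."""
    ip = ipaddress.ip_address(source_ip)
    matches = [(t["priority"], tid) for tid, t in tables.items() if ip in t["rule_from"]]
    return min(matches)[1] if matches else None


if __name__ == "__main__":
    tables = parse_tables(INTERFACES_TEXT)
    for line in check_tables(tables) or ["all tables consistent"]:
        print(line)
    print("192.168.4.199 replies via table", table_for_source(tables, "192.168.4.199"))
    print("172.17.0.2 (constructed docker bridge address) matches table", table_for_source(tables, "172.17.0.2"))
```

Running it against a copy of the real file is the quick way to spot a hook that was pasted into the wrong stanza or a gateway typo, both of which silently reintroduce asymmetric replies on one VLAN only.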