Docker Community Forums

Docker Host with multiple VLANs


#1

Background Information

I have a server with one physical network interface that is running Docker.
This interface is configured as an 802.1Q trunk. To avoid asymmetric routing I configured routing tables for each subnet.
That's my /etc/network/interfaces:

auto enp3s0
iface enp3s0 inet dhcp
    post-up ip route add 192.168.1.0/24 dev enp3s0 table 1
    post-up ip route add default via 192.168.1.1 table 1
    post-up ip rule add from 192.168.1.0/24 table 1 priority 101
    post-up ip route flush cache
    pre-down ip rule del from 192.168.1.0/24 table 1 priority 101
    pre-down ip route flush table 1
    pre-down ip route flush cache

auto enp3s0.2
iface enp3s0.2 inet dhcp
    hwaddress ether 00:11:22:33:44:55
    post-up ip route add 192.168.2.0/24 dev enp3s0.2 table 2
    post-up ip route add default via 192.168.2.1 table 2
    post-up ip rule add from 192.168.2.0/24 table 2 priority 102
    post-up ip route flush cache
    pre-down ip rule del from 192.168.2.0/24 table 2 priority 102
    pre-down ip route flush table 2
    pre-down ip route flush cache

auto enp3s0.4
iface enp3s0.4 inet dhcp
    hwaddress ether 00:11:22:33:44:56
    post-up ip route add 192.168.4.0/24 dev enp3s0.4 table 4
    post-up ip route add default via 192.168.4.1 table 4
    post-up ip rule add from 192.168.4.0/24 table 4 priority 104
    post-up ip route flush cache
    pre-down ip rule del from 192.168.4.0/24 table 4 priority 104
    pre-down ip route flush table 4
    pre-down ip route flush cache
...

This setup works fine if I start containers with the --net=host parameter. The containers are accessible from each subnet/vlan.

The Problem

I would like to have more control over the ports and the accessibility (not every docker should be reachable in every subnet).
If I use the parameter -p (e.g. -p 3777:3777), the dockers are not reachable anymore.

This guide https://hicu.be/docker-networking-macvlan-vlan-configuration
addresses a similar problem, but I do not want to extend my vlans to docker and assign an IP to each docker instance. This is too much.

Desired solution

My server has an IP in every subnet/vlan,
192.168.1.199 (native vlan / mgmt)
192.168.2.199 (vlan2)
192.168.4.199 (vlan4)

I would like to start dockers with the -p parameter and choose on which interface each one is accessible.
e.g. docker run --p 192.168.4.199:9000:9000 --name portainer …
and it should only be accessible through 192.168.4.199:9000

Maybe my ip route / ip rule settings are not well configured and/or I need a docker bridge for each subnet…but that's the point where I can not get any further. Up to now, if I choose the --p parameter and the docker is connected to the default docker bridge…the docker is not accessible at all.

Do you have any idea?

Greets,
Mark
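Whether a published port is limited to one VLAN address or bound on every host address, as the post wants to control, is visible in each container's port bindings. The script below is an added example (mine, not Mark's or Docker's): it reads the HostConfig.PortBindings part of `docker inspect` output and reports, for every published port, which of the host's VLAN addresses from the post it is bound to, so a `-p PORT:PORT` binding that is reachable from all three VLANs stands out. The inspect records and container names are constructed; the VLAN-to-IP mapping is taken from the addresses in the post.

```python
# Added example (not from the original post): audit which VLAN each published
# container port is reachable from, using the HostConfig.PortBindings part of
# `docker inspect` output. Container names and bindings below are constructed.
import json

# Host addresses from the post: one IP per VLAN on the single trunk interface.
VLAN_IPS = {
    "192.168.1.199": "native/mgmt",
    "192.168.2.199": "vlan2",
    "192.168.4.199": "vlan4",
}

# Constructed sample of the relevant fields of `docker inspect` output.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/portainer", "HostConfig": {"PortBindings": {
        "9000/tcp": [{"HostIp": "192.168.4.199", "HostPort": "9000"}]}}},
    {"Name": "/app", "HostConfig": {"PortBindings": {
        "3777/tcp": [{"HostIp": "", "HostPort": "3777"}]}}},
    {"Name": "/local", "HostConfig": {"PortBindings": {
        "8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}}},
])


def reachable_vlans(host_ip: str) -> list:
    """Map a -p HostIp to the VLANs whose clients can reach the port."""
    if host_ip in ("", "0.0.0.0", "::"):   # -p PORT:PORT, no address given:
        return sorted(VLAN_IPS.values())    # bound on every host address
    if host_ip.startswith("127."):          # loopback only, no VLAN at all
        return []
    return [VLAN_IPS.get(host_ip, "unknown:" + host_ip)]


def audit(inspect_json: str) -> list:
    """Return (container, container_port, host_ip:host_port, vlans) tuples."""
    rows = []
    for c in json.loads(inspect_json):
        for cport, targets in (c["HostConfig"].get("PortBindings") or {}).items():
            for t in targets or []:
                ip = t.get("HostIp", "")
                rows.append((c["Name"].lstrip("/"), cport,
                             f"{ip or '0.0.0.0'}:{t['HostPort']}", reachable_vlans(ip)))
    return rows


if __name__ == "__main__":
    for name, cport, bind, vlans in audit(SAMPLE_INSPECT):
        scope = "ALL VLANS" if len(vlans) == len(VLAN_IPS) else (", ".join(vlans) or "loopback")
        print(f"{name:10} {cport:9} {bind:21} -> {scope}")
```

On a real host, feed it `docker inspect $(docker ps -q)` instead of the constructed sample and adjust VLAN_IPS to the host's own addresses.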