Help with the macvlan configuration on dnsmasq

I would like to configure a simple working dnsmasq container using a macvlan network interface, in order to give the container a separate IP address from the host. I am working in openmediavault with the docker-compose plugin.
Here is the network interface I configured:

[
  {
    "Name": "vlan",
    "Id": "6a06e53dde616aa0075631dab00501f9ee6d6e4a4707920617942f53bd664de0",
    "Created": "2025-02-24T12:02:34.77146941+01:00",
    "Scope": "local",
    "Driver": "macvlan",
    "EnableIPv4": true,
    "EnableIPv6": false,
    "IPAM": {
      "Driver": "default",
      "Options": {},
      "Config": [
        {
          "Subnet": "192.168.178.0/24",
          "IPRange": "192.168.178.200/29",
          "Gateway": "192.168.178.1",
          "AuxiliaryAddresses": {
            "nas": "192.168.178.208"
          }
        }
      ]
    },
    "Internal": false,
    "Attachable": false,
    "Ingress": false,
    "ConfigFrom": {
      "Network": ""
    },
    "ConfigOnly": false,
    "Containers": {},
    "Options": {
      "parent": "enp0s3"
    },
    "Labels": {}
  }
]

while the compose file is:

name: dnsmasq-vlan
services:
  dns:
    cap_add:
      - NET_ADMIN
    environment:
      PGID: "100"
      PUID: "1001"
    image: strm/dnsmasq
    networks:
      vlan:
        ipv4_address: 192.168.178.201
    ports:
      - mode: ingress
        target: 53
        published: "53"
        protocol: udp
      - mode: ingress
        target: 53
        published: "53"
        protocol: tcp
    restart: always
    volumes:
      - type: bind
        source: /srv/dev-disk-by-uuid-f5057fec-517b-4050-8826-545e85f6bb4b/appdata/dnsmasq/dnsmasq.conf
        target: /etc/dnsmasq.conf
        bind:
          create_host_path: true
networks:
  vlan:
    name: vlan
    external: true

The container starts with no errors, but I cannot reach the internet from it (e.g. ping google.com). Also, docker doesn't display any ports used by the container.
I am new to docker, and the reason why I wanted to configure the macvlan interface is because both dnsmasq and openmediavault use port 53. For completeness, if I start dnsmasq with the default network, but only with port 53 udp, it gives no error and the internet connection is fine, but I am afraid about the conflicts with the host (and also dnsmasq might need port 53 tcp for some reason).
Is there anything I can do to properly configure the macvlan driver?

This doesn’t make sense. Macvlan, ipvlan and host mode directly expose container ports on the ip. There is no port publishing involved.

Please keep in mind that every network device in the subnet will be able to reach the macvlan container ip, except the host itself and the other way around. Please google for macvlan-shim to see how people workaround(!) the limitation.

You are right, although removing those lines won’t solve the problem :frowning:.

I am aware of this. Apparently the parameter “Auxiliary address” should do the trick. Anyway, this isn’t my priority now, I should still be able to ping google.com from the container.

Removing it takes care of this:

Afaik. Those are only removed from the pool of ip addresses the macvlan network's internal dhcp server hands out. The specified aux-address is not even within the ip_range you configured.

Your macvlan network looks properly configured: you specify the subnet, an ip-range within the subnet to use, and the gateway. Your compose file looks good as well. Your setup looks good to me, except the AuxiliaryAddresses setting, that is without an effect.

As long as the upstream dns for dnsmasq is not running on the omv host itself, it should work.

Did you try disabling any local firewalls on omv, to see whether it makes a difference?
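A small checker, added here and not part of anyone's post in the thread, that applies the two points raised above to the network definition and compose service the original poster shared: it flags an AuxiliaryAddress that falls outside the configured IPRange (so it reserves nothing from the pool) and a `ports:` section on a service attached to a macvlan network (where no port publishing happens). The network JSON and service dict are constructed from the values posted above; the function name `check_macvlan` is my own.

```python
import ipaddress
import json

# Constructed from the "docker network inspect" output posted in the thread (trimmed).
NETWORK_JSON = """[{"Name": "vlan", "Driver": "macvlan",
  "IPAM": {"Config": [{"Subnet": "192.168.178.0/24",
                        "IPRange": "192.168.178.200/29",
                        "Gateway": "192.168.178.1",
                        "AuxiliaryAddresses": {"nas": "192.168.178.208"}}]},
  "Options": {"parent": "enp0s3"}}]"""

# The "dns" service from the posted compose file, as a plain dict (constructed).
SERVICE = {
    "networks": {"vlan": {"ipv4_address": "192.168.178.201"}},
    "ports": [{"target": 53, "published": "53", "protocol": "udp"},
              {"target": 53, "published": "53", "protocol": "tcp"}],
}


def check_macvlan(network_json: str, service: dict) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    net = json.loads(network_json)[0]
    if net.get("Driver") != "macvlan":
        return findings                      # checks below only apply to macvlan
    for cfg in net["IPAM"]["Config"]:
        subnet = ipaddress.ip_network(cfg["Subnet"])
        ip_range = ipaddress.ip_network(cfg.get("IPRange", cfg["Subnet"]))
        gateway = ipaddress.ip_address(cfg["Gateway"])
        if not ip_range.subnet_of(subnet):
            findings.append(f"IPRange {ip_range} is not inside Subnet {subnet}")
        if gateway not in subnet:
            findings.append(f"Gateway {gateway} is outside Subnet {subnet}")
        # aux-addresses only remove entries from the dynamic pool (the IPRange)
        for name, addr in cfg.get("AuxiliaryAddresses", {}).items():
            if ipaddress.ip_address(addr) not in ip_range:
                findings.append(f"AuxiliaryAddress {name}={addr} is outside "
                                f"IPRange {ip_range}; it reserves nothing")
        # a static ipv4_address must at least lie inside the subnet
        static = service.get("networks", {}).get(net["Name"], {}).get("ipv4_address")
        if static and ipaddress.ip_address(static) not in subnet:
            findings.append(f"ipv4_address {static} is outside Subnet {subnet}")
    # on macvlan the container IP exposes its listeners directly; no publishing
    if service.get("ports"):
        findings.append("ports: has no effect on a macvlan network; "
                        "services are reachable on the container IP directly")
    return findings


if __name__ == "__main__":
    for line in check_macvlan(NETWORK_JSON, SERVICE):
        print("-", line)
```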

The internet or domain name resolution? Have you tried to ping an IP address instead of a domain? Did you have error messages or just a hanging ping command?

Thank you all for your replies.

Disabling the firewall makes no difference unfortunately :frowning:

The internet in general. Trying to ping an ip address produces the same outcome, that is a hanging ping command. From my understanding my router should show the ip address of the docker, but it just shows it as "disconnected".

Please try following command:

docker run -it --rm --net service:dns nicolaka/netshoot nslookup www.google.de

If you get an error message, please use --net container:<container id> of the dns container instead. Please share the output.


I ran the command with the --net container: option. Here is the output.

Server: 127.0.0.11

Address: 127.0.0.11#53

Non-authoritative answer:

Name: www.google.de

Address: 142.251.36.163

Name: www.google.de

Address: 2a00:1450:4016:80b::2003