How: Docker host in other subnets / zones than docker services?

Hello Community!

I am more or less new to Docker. I used lxc before, but recently I switched to Docker for some applications.

Prerequisite: I run Docker on a fresh new Debian 11 VM, only Docker CE (20.10.18) and only with the requirements that are listed in the official Docker manual, as you would expect; for the installation I also went step by step through the manual (+ Swarm mode activation, but for now I have no nodes connected).

Environment: My network is divided into several zones (different in subnet and VLAN ID), i.a. one for configuration and one as a DMZ. All managed by an OPNsense.

Problem: Currently the ‘Docker VM’ is fully embedded in the DMZ. While I become more and more familiar with Docker, and more and more services run productively on the Docker VM, I dislike that I become depressive and sad, because I realized that my nice and clean network concept is becoming corrupted.

What I want to do / where I need help: I want to bring the Docker VM into the config zone. Containers that are used for configuration (Portainer) and monitoring should be accessible only through this zone. Selected services (for example an nginx) should be accessible only through the DMZ.

How can I realize this? And is there a way to manage this in a firewall-friendly way, i.e. is there a way to create my own network device with its own MAC address (the firewall is configured to work MAC-based)? Or is there a totally different solution?

Thanks for your ideas! Regards, Fabian
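One way the zone split described in the post can be expressed is with Docker's macvlan driver, which gives every attached container its own MAC address on a chosen VLAN sub-interface of the host; that is what makes a MAC-based firewall policy on the OPNsense possible. The Compose file below is an added illustration, not code from the original post or from the Docker project: the interface names eth0.10 / eth0.20, VLAN IDs, subnets, gateways, addresses and image tags are assumed placeholders and must be replaced with the real values of the environment.

```yaml
# Added example, not part of the original post.
# Assumptions (all placeholders): the Docker VM has two 802.1Q sub-interfaces,
#   eth0.10 -> config zone 10.10.0.0/24 (gateway 10.10.0.1)
#   eth0.20 -> DMZ         10.20.0.0/24 (gateway 10.20.0.1)
# Each container gets a fixed IP and MAC so the firewall can match on them.

services:
  portainer:
    image: portainer/portainer-ce:latest
    mac_address: "02:42:0a:0a:00:32"   # fixed, locally administered MAC
    networks:
      config_zone:
        ipv4_address: 10.10.0.50       # reachable only from the config zone
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    restart: unless-stopped

  nginx:
    image: nginx:stable
    mac_address: "02:42:0a:14:00:50"   # fixed MAC for the DMZ firewall rule
    networks:
      dmz:
        ipv4_address: 10.20.0.80       # reachable only from the DMZ
    restart: unless-stopped

networks:
  # One macvlan network per zone, each bound to the VLAN sub-interface of that zone.
  config_zone:
    driver: macvlan
    driver_opts:
      parent: eth0.10
    ipam:
      config:
        - subnet: 10.10.0.0/24
          gateway: 10.10.0.1
          ip_range: 10.10.0.192/26     # keep container IPs out of DHCP/static ranges
  dmz:
    driver: macvlan
    driver_opts:
      parent: eth0.20
    ipam:
      config:
        - subnet: 10.20.0.0/24
          gateway: 10.20.0.1
          ip_range: 10.20.0.192/26

volumes:
  portainer_data:
```

Two caveats a practitioner should check before relying on this: the Docker host itself cannot reach its own macvlan containers through the parent interface (traffic between host and container on the same macvlan parent is dropped by the kernel), so host-side monitoring of these containers needs another path, and the hypervisor's virtual switch must permit the VM to send frames with additional MAC addresses (promiscuous mode / forged transmits), otherwise the containers are silently unreachable. The example targets a single Docker host; macvlan networks for Swarm services are created differently (a config-only network per node) and are not covered here.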