Docker Community Forums

IPVLAN L3 Network with static route

Before I start with my problem, here is what I intend:
Due to some demands I separate my LAN into VLANs (admin, private, public, dmz, …), and my docker host (ASRock N3700 with a Realtek NIC) is affected too. libvirt also runs on this host, using a network bridge. Furthermore, this host is on a trunk port on the switch; in front of it, towards the WAN, is pfSense/OPNsense. The docker host is moving to the DMZ.
I successfully tried macvlan and ipvlan L2 - fire and forget.
Now HTTP services (also email, …) shall be behind a reverse proxy with a fixed IP in the DMZ. I set up a small docker compose file as a proof of concept:

version: '3'
services:
  vlan20:
    image: alpine
    container_name: container-vlan20
    command: ['tail', '-f', '/dev/null']
    networks:
      vlan20:
        ipv4_address: 192.168.20.201
    environment:
      VLAN: 20
  vlan30:
    image: alpine
    container_name: container-vlan30
    command: ['tail', '-f', '/dev/null']
    networks:
      vlan30:
        ipv4_address: 192.168.30.201
    environment:
      VLAN: 30
  http-echo:
    image: mendhak/http-https-echo
    restart:
      unless-stopped
    ports:
      - "80:80"
      - "8443:443"
    networks:
      vlan20:
        ipv4_address: 192.168.20.11
networks:
  vlan20:
    driver: ipvlan
    driver_opts:
      parent: br0.20
      ipvlan_mode: l3
    ipam:
      config:
        - subnet: 192.168.20.0/24
  vlan30:
    driver: ipvlan
    driver_opts:
      parent: br0.30
      ipvlan_mode: l3
    ipam:
      config:
        - subnet: 192.168.30.0/24

ping on vlan20 works inside the container, but I wasn't able to add a static route as the docs state.
Here are my network settings:

/etc/systemd/network/br0.netdev 
[NetDev]
Name=br0
Kind=bridge
MACAddress=D0:50:99:XX:XX:XX

/etc/systemd/network/br0.network 
[Match]
Name=br0
[Network]
Address=192.168.1.11/24
Gateway=192.168.1.1
DNS=192.168.1.1
DNS=8.8.8.8
DNS=8.8.4.4

/etc/systemd/network/10-lan.network 
[Match]
Name=enp3s0
[Network]
Bridge=br0

I did try, e.g. this one here on Red Hat, but failed.

As far as I understood, no gateway is required since the settings from the parent device are used. The route inside the docker container uses the container's eth0 device by default. On IPVLAN L3 the physical device's MAC address is used, which doesn't seem to be relevant in my use case since I want to use static IPs for services in the DMZ. L3 has no broadcast and multicast; this seems to me to be the reason for the static route requirement, isn't it?

So my idea was to set up br0.20 on the docker host as the parent device for the route (which didn't work). So, what am I missing here, and how do I get e.g. 192.168.20.11 reachable from my clients?

How can I externalize the vlan networks, creating the devices using systemd?
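Added example, not part of the original post: one way to create br0.20 and br0.30 as 802.1Q sub-interfaces of br0 with systemd-networkd, so that Docker can use them as ipvlan parents instead of creating the VLAN devices itself. The host addresses 192.168.20.10/24 and 192.168.30.10/24, the file names, and the VLAN IDs 20 and 30 (chosen to match the subnets in the compose file) are assumptions. The comments also record where the static route belongs: in ipvlan L3 mode the containers' packets are routed with the host's own routing table and the host does not answer ARP for the container addresses, so the route for the container addresses has to live on the upstream router (pfSense/OPNsense) and point at the host's VLAN address; adding it on the docker host itself does nothing for inbound traffic.

```ini
# /etc/systemd/network/br0.network  (existing file; the two VLAN= lines are new)
[Match]
Name=br0

[Network]
Address=192.168.1.11/24
Gateway=192.168.1.1
DNS=192.168.1.1
# Stack 802.1Q sub-interfaces on the bridge. The switch port for enp3s0
# must be a trunk carrying VLAN 20 and 30, otherwise br0.20/br0.30 never
# see a frame.
VLAN=br0.20
VLAN=br0.30

# /etc/systemd/network/20-vlan20.netdev  (assumed file name)
[NetDev]
Name=br0.20
Kind=vlan

[VLAN]
Id=20

# /etc/systemd/network/20-vlan20.network  (assumed file name)
[Match]
Name=br0.20

[Network]
# Assumed host address in VLAN 20. With ipvlan_mode=l3 the parent's
# stack does the routing for the containers, so the host needs a
# connected route to the container subnet on this interface; Docker's
# default net.ipv4.ip_forward=1 provides the forwarding itself.
# No Gateway= here: the default route stays on br0 (192.168.1.1).
Address=192.168.20.10/24

# /etc/systemd/network/30-vlan30.netdev  (assumed file name)
[NetDev]
Name=br0.30
Kind=vlan

[VLAN]
Id=30

# /etc/systemd/network/30-vlan30.network  (assumed file name)
[Match]
Name=br0.30

[Network]
# Assumed host address in VLAN 30, same reasoning as for br0.20.
Address=192.168.30.10/24

# Not a file: the static route that L3 mode requires goes on the router,
# not on the docker host. In pfSense/OPNsense terms (assumed addresses):
#   destination 192.168.20.11/32  via gateway 192.168.20.10 (the host)
# A /32 (or a dedicated container subnet) is needed because the router is
# itself connected to 192.168.20.0/24 and would otherwise ARP for
# 192.168.20.11 on VLAN 20, where nothing answers in L3 mode.
```

After writing the files, apply them with `networkctl reload` (or restart systemd-networkd) and check `networkctl status br0.20` and `ip -4 route` on the host: 192.168.20.0/24 should show as a connected route on br0.20 before the compose stack is started, and `docker network inspect` should then list br0.20 as the parent. The check on the router side is whether it has a route to the container address that points at the host's VLAN address; without it, pinging 192.168.20.11 from a client in another VLAN fails even though ping from inside the container works, which is exactly the symptom described above. The cleaner variant of this layout, as in the Docker ipvlan L3 documentation, is to give the containers a subnet that is not connected to the router at all and add one static route for that whole subnet via the host.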