Before I start with my problem, here is what I intend:
Due to some demands I separate my LAN into VLANs (admin, private, public, dmz, …) and my docker host (AsRock N3700 with Realtek NIC) is affected too. On this host there is also libvirt, using a network bridge. Moreover, this host is on a trunk port on the switch; in front of it toward the WAN is pfSense/OPNsense. The docker host is moving to the DMZ.
I did successfully try macvlan and ipvlan l2 - fire & forget.
Now HTTP services shall be behind a reverse proxy with a fixed IP (also email, …) in the DMZ. I set up a small docker compose file as a proof of concept:
```yaml
version: '3'
services:
  vlan20:
    image: alpine
    container_name: container-vlan20
    command: ['tail', '-f', '/dev/null']
    networks:
      vlan20:
        ipv4_address: 192.168.20.201
    environment:
      VLAN: 20
  vlan30:
    image: alpine
    container_name: container-vlan30
    command: ['tail', '-f', '/dev/null']
    networks:
      vlan30:
        ipv4_address: 192.168.30.201
    environment:
      VLAN: 30
  http-echo:
    image: mendhak/http-https-echo
    restart: unless-stopped
    ports:
      - "80:80"
      - "8443:443"
    networks:
      vlan20:
        ipv4_address: 192.168.20.11

networks:
  vlan20:
    driver: ipvlan
    driver_opts:
      parent: br0.20
      ipvlan_mode: l3
    ipam:
      config:
        - subnet: 192.168.20.0/24
  vlan30:
    driver: ipvlan
    driver_opts:
      parent: br0.30
      ipvlan_mode: l3
    ipam:
      config:
        - subnet: 192.168.30.0/24
```
ping works inside the container on vlan20, but I wasn't able to add a static route, as the docs state.
Here are my network settings:
```ini
# /etc/systemd/network/br0.netdev
[NetDev]
Name=br0
Kind=bridge
MACAddress=D0:50:99:XX:XX:XX

# /etc/systemd/network/br0.network
[Match]
Name=br0

[Network]
Address=192.168.1.11/24
Gateway=192.168.1.1
DNS=192.168.1.1
DNS=126.96.36.199
DNS=188.8.131.52

# /etc/systemd/network/10-lan.network
[Match]
Name=enp3s0

[Network]
Bridge=br0
```
I did try (e.g. here on redhat), but failed.
As far as I understood, no gateway is required since the settings from the parent device are used. The route inside the docker container uses the container's eth0 device by default. With IPVLAN l3 the physical device's MAC address is used, which doesn't seem relevant in my use case since I want to use static IPs for services in the DMZ. L3 has no broadcast or multicast; this seems to me to be the reason for the static route requirement, isn't it?
So my idea was to set up br0.20 on the docker host as the parent device for the route (which didn't work). So, what am I missing here, and how do I get e.g. 192.168.20.11 reachable for my clients?
How can I externalize the VLAN networks, creating the device using systemd?
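An added example, not from the original post, of how the VLAN sub-interfaces could be created with systemd-networkd so that `br0.20` and `br0.30` exist before docker-compose references them as `parent`; the VLAN ids 20 and 30 and the bridge name `br0` come from the post, while the file names and the choice to give the host no address on the sub-interfaces are assumptions.

```ini
# /etc/systemd/network/20-vlan20.netdev   (file name assumed)
[NetDev]
Name=br0.20
Kind=vlan

[VLAN]
Id=20

# /etc/systemd/network/20-vlan20.network   (file name assumed)
[Match]
Name=br0.20

[Network]
# The host itself gets no address on the tagged link (assumption); it only has
# to be up so that docker's ipvlan driver can use it as "parent: br0.20".
LinkLocalAddressing=no

# /etc/systemd/network/30-vlan30.netdev   (file name assumed)
[NetDev]
Name=br0.30
Kind=vlan

[VLAN]
Id=30

# /etc/systemd/network/30-vlan30.network   (file name assumed)
[Match]
Name=br0.30

[Network]
LinkLocalAddressing=no

# Add to the [Network] section of the existing /etc/systemd/network/br0.network:
# this is what attaches the two VLAN netdevs to the bridge, so tagged frames
# arriving on the trunk port (enp3s0 -> br0) are delivered to br0.20 / br0.30.
VLAN=br0.20
VLAN=br0.30
```

With `ipvlan_mode: l3` the upstream router (pfSense/OPNsense here) must additionally carry a route for each container subnet pointing at the docker host, which is the static route the Docker docs refer to; in `l2` mode the parent answers ARP for the containers on the VLAN itself and no such route is needed.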