I have a single home server with a single NIC. I intend to run numerous services – some will be internet exposed, some will not.
For the sake of simplicity, let's say I have:

- a host called `server` with one `eth0`
- a `dmz` container that'll accept traffic from the internet (using a port forward on my router)
- a `trust` container that'll just accept traffic from other devices on my home network

The way I see it, I have two options:

- have both containers running on two different bridged networks (so the two containers can't talk to each other) and use port-mapping/publish to route traffic from my host to the docker container and:
  - open `:1234` and `:6789` of `eth0` of `server`
  - my router port forwards `WAN:443` (from internet) to `server:1234` and docker forwards `:1234` to `:2345` of the `dmz` container
  - docker forwards `:6789` to `:7890` of the `trust` container
- use `macvlan`:
  - create an 802.1Q trunk on `eth0` of `server`, then
  - create `macvlan` networks with IP ranges that match my router such that containers created in these networks have IPs from those VLANs that my router can see:
    - `eth0.10` for `network_dmz`
    - `eth0.20` for `network_trust`
  - open ports on the individual VLANs:
    - `:1234` on `eth0.10`
    - `:6789` on `eth0.20`
  - port forward `WAN:443` to the IP of `dmz` that is in the `eth0.10` VLAN

I am having a hard time determining if it is worth it to go through all the effort to use macvlan?
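Added example (not from the original post): a `docker-compose.yml` that lays the two options out side by side. It assumes the 802.1Q subinterfaces `eth0.10` and `eth0.20` already exist on the host, that the router's VLAN 10 and VLAN 20 subnets are 192.168.10.0/24 and 192.168.20.0/24 with `.1` as gateway, and that the host's LAN address is 192.168.1.5; the image and all addresses are placeholders.

```yaml
# Added example; eth0.10 / eth0.20 must be created on the host beforehand.
# Subnets, gateways and the host address 192.168.1.5 are assumed values.
services:
  # Option 1: isolated bridge networks, ports published on the host's eth0.
  dmz_bridge:
    image: nginx:alpine
    networks: [bridge_dmz]
    ports:
      - "1234:2345"               # router forwards WAN:443 -> server:1234
  trust_bridge:
    image: nginx:alpine
    networks: [bridge_trust]
    ports:
      - "192.168.1.5:6789:7890"   # bind to the LAN address only, not 0.0.0.0

  # Option 2: macvlan on the VLAN subinterfaces; each container gets its own
  # IP in the router's VLAN, so the router forwards WAN:443 straight to it.
  dmz_macvlan:
    image: nginx:alpine
    networks:
      macvlan_dmz:
        ipv4_address: 192.168.10.50
  trust_macvlan:
    image: nginx:alpine
    networks:
      macvlan_trust:
        ipv4_address: 192.168.20.50

networks:
  bridge_dmz:
    driver: bridge
  bridge_trust:
    driver: bridge
  macvlan_dmz:
    driver: macvlan
    driver_opts:
      parent: eth0.10
    ipam:
      config:
        - subnet: 192.168.10.0/24
          gateway: 192.168.10.1
          ip_range: 192.168.10.48/28   # keep container IPs out of the DHCP pool
  macvlan_trust:
    driver: macvlan
    driver_opts:
      parent: eth0.20
    ipam:
      config:
        - subnet: 192.168.20.0/24
          gateway: 192.168.20.1
          ip_range: 192.168.20.48/28
```

With macvlan there is no port publishing: every port the container listens on is reachable at its VLAN address, and the host's iptables/nftables rules do not sit in that path, so filtering has to happen at the router or in the container. Traffic between the host and its own macvlan containers is also blocked by the kernel unless you add a separate macvlan interface on the host for that purpose.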