Is there any value in using VLANs to segment dmz vs non DMZ containers?

I have a single home server with a single NIC. I intend to run numerous services – some will be internet exposed, some will not.

For the sake of simplicity, let’s say I have a:

  • a host called server with one eth0
  • dmz container that’ll accept traffic from the internet (using a port forward on my router)
  • trust container that’ll just accept traffic from other devices on my home network

The way I see it, I have two options:

  1. have both containers running on two different bridged networks (so the two containers can’t talk to each other) and use port-mapping/publish to route traffic from my host to the docker container and:
    1. open :1234 and :6789 of eth0 of server
    2. my router port forwards WAN:443 (from internet) to server:1234 and docker forwards :1234 to :2345 of the dmz container
    3. docker forwards :6789 to :7890 of the trust container
  2. use macvlan:
    1. create a 802.1Q trunk on eth0 of server then
    2. create macvlan networks with IP ranges that match my router such that containers created in these networks have IPs from those VLANs that my router can see:
      1. eth0.10 for network_dmz
      2. eth0.20 for network_trust
    3. open ports on the individual VLANs:
      1. :1234 on eth0.10
      2. :6789 on eth0.20
    4. port forward WAN:443 to the IP of dmz that is in eth0.10 VLAN

I am having a hard time determining whether it is worth going through all the effort to use macvlan.
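As an added example (not from the original post), here are the docker CLI commands option 2 boils down to. Docker's macvlan driver creates the 802.1Q sub-interface itself when the parent is given as `eth0.10`, and there is no `-p` publish step: the router forwards WAN:443 straight to the container's VLAN IP, so inter-VLAN rules on the router now cover the containers too. VLAN IDs, subnets, gateways, `--ip-range` and container IPs below are assumed lab values.

```shell
#!/bin/sh
# Added example: macvlan networks on 802.1Q sub-interfaces of eth0, one per zone.
# Prints the commands by default; run with APPLY=1 to execute them on the host.
# All addresses and VLAN IDs are assumptions; match them to your router's VLANs.
set -eu

PARENT="${PARENT:-eth0}"
DMZ_VLAN="${DMZ_VLAN:-10}"
DMZ_SUBNET="${DMZ_SUBNET:-192.168.10.0/24}"; DMZ_GW="${DMZ_GW:-192.168.10.1}"
TRUST_VLAN="${TRUST_VLAN:-20}"
TRUST_SUBNET="${TRUST_SUBNET:-192.168.20.0/24}"; TRUST_GW="${TRUST_GW:-192.168.20.1}"

# One macvlan network per zone. --ip-range carves out a slice of the subnet so
# Docker-assigned addresses never collide with the router's DHCP pool; the
# dotted parent (eth0.10) makes Docker create the VLAN sub-interface for us.
zone_cmd() {
  zone="$1"; vlan="$2"; subnet="$3"; gw="$4"; iprange="$5"
  printf 'docker network create -d macvlan --subnet=%s --gateway=%s --ip-range=%s -o parent=%s.%s network_%s\n' \
    "$subnet" "$gw" "$iprange" "$PARENT" "$vlan" "$zone"
}

# A container pinned to a fixed VLAN IP so the router's port forward (and its
# inter-VLAN firewall rules) have a stable target. No -p: the container's own
# listening port is what WAN:443 gets forwarded to.
container_cmd() {
  zone="$1"; name="$2"; ip="$3"; image="$4"
  printf 'docker run -d --name %s --network network_%s --ip %s %s\n' \
    "$name" "$zone" "$ip" "$image"
}

all_cmds() {
  zone_cmd dmz   "$DMZ_VLAN"   "$DMZ_SUBNET"   "$DMZ_GW"   192.168.10.192/26
  zone_cmd trust "$TRUST_VLAN" "$TRUST_SUBNET" "$TRUST_GW" 192.168.20.192/26
  container_cmd dmz   dmz   192.168.10.200 nginx:alpine
  container_cmd trust trust 192.168.20.200 nginx:alpine
}

# Caveat worth knowing before applying: with macvlan the host's own eth0 cannot
# reach its macvlan containers, so manage them from another device on the VLAN.
run_or_print() {
  if [ "${APPLY:-0}" = 1 ]; then all_cmds | sh -e; else all_cmds; fi
}

run_or_print
```

Both containers stay unable to reach each other unless the router explicitly permits VLAN 10 to VLAN 20 traffic, which is the segmentation gain over option 1's two bridges.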

In my homelab, I still have a good old swarm cluster, which runs several swarm stacks (one per application stack, each with one or more overlay networks - though overlay networks are only required on multi node clusters). I also run traefik as reverse proxy and leverage subdomain based reverse proxying. Additionally I have a failover-ip that points to either one of the swarm cluster nodes and is the target ip for the WAN ports I forward to my cluster. Everything reachable from the internet either is integrated with keycloak using oidc or has a keycloak gatekeeper (a simple oidc reverse proxy) in front of the service. Having sso for my lab services is one advantage, the other being that I delegate the user authentication to keycloak, which is specifically designed for this purpose.

Probably my setup would look different if I had a router with VLAN support. Though, I'd still be using different VMs for different zones.