Macvlan can't connect to other hosts in the subnet

Firstly, hello to everyone, as it’s my first post here :slight_smile:
It’s actually a cross-post from the OpenMediaVault forum, but I think it’s better suited here.

I have an OMV7 on Debian running nicely in my private 192.168.1.x network (with Proxmox kernel for ZFS support if that matters), connected directly to the Asus WiFi router with an Ethernet cable. I also have a separate wireless network 192.168.107.x configured for my IoT devices - I use one guest net on the router set up with YazFi for that purpose. I want to set up Home Assistant in a container in OMV, but I want to expose it to the IoT network. I have a simple diagram attached to the thread in the OMV forum, I’d attach it here, too, if I only knew how :slight_smile:

I bought a TP-Link Archer T3U Plus wifi card and after connecting it to the server I set up an interface in OMV called wlxa86e84472f22 (same as in the system). I tried assigning the IP from 192.168.107.x subnet (and I could easily ping other devices in that subnet), I also tried with both IPv4 and IPv6 disabled:

7: wlxa86e84472f22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether a8:6e:84:47:2f:22 brd ff:ff:ff:ff:ff:ff

Then I created a macvlan in range 192.168.107.200/29 (on the router I limited the DHCP to addresses up to 192.168.107.196):

[
  {
    "Name": "macvlan_107",
    "Id": "fafe4d76ba86269a2d4ed7b80c3b8622a263a2c0010134a37fe0a667d5d1e1e5",
    "Created": "2024-10-12T22:32:12.550467542+02:00",
    "Scope": "local",
    "Driver": "macvlan",
    "EnableIPv6": false,
    "IPAM": {
      "Driver": "default",
      "Options": {},
      "Config": [
        {
          "Subnet": "192.168.107.0/24",
          "IPRange": "192.168.107.200/29",
          "Gateway": "192.168.107.1"
        }
      ]
    },
    "Internal": false,
    "Attachable": false,
    "Ingress": false,
    "ConfigFrom": {
      "Network": ""
    },
    "ConfigOnly": false,
    "Containers": {
      "107fbd365b68484a6cf7b27fd7dea40de6a45f8f52a2f9fa3ed5ef6e118a7225": {
        "Name": "homeassistant",
        "EndpointID": "b878ca12061d1532a7de461da197f4f299832891bd8062175ca8437e199f76eb",
        "MacAddress": "02:42:c0:a8:6b:c9",
        "IPv4Address": "192.168.107.201/24",
        "IPv6Address": ""
      }
    },
    "Options": {
      "parent": "wlxa86e84472f22"
    },
    "Labels": {}
  }
]

Finally, I modified the compose file to use that macvlan_107 net and gave it static IP 192.168.107.201 from that range I defined for the macvlan_107:

---
# https://hub.docker.com/r/linuxserver/homeassistant
services:
  homeassistant:
    image: lscr.io/linuxserver/homeassistant:latest
    container_name: homeassistant
    hostname: homeassistant
    environment:
      - PUID=${HOMEASSISTANT_PUID}
      - PGID=${HOMEASSISTANT_PGID}
      - TZ=${TIME_ZONE_VALUE}
    volumes:
      - ${PATH_TO_APPDATA}/homeassistant:/config
    ports:
      - 8123:8123 #optional
    restart: unless-stopped
    networks:
      macvlan_107:
        ipv4_address: 192.168.107.201

networks:
  macvlan_107:
    name: macvlan_107
    external: true

Unfortunately, it can’t ping anything, not even the router/gateway on 192.168.107.1:

$ sudo docker exec -it 107fbd365b68 ip route show
default via 192.168.107.1 dev eth0
192.168.107.0/24 dev eth0 scope link  src 192.168.107.201

$ sudo docker exec -it 107fbd365b68 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
15: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:c0:a8:6b:c9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.107.201/24 brd 192.168.107.255 scope global eth0
       valid_lft forever preferred_lft forever

$ sudo docker exec -it 107fbd365b68 ping 192.168.107.1
PING 192.168.107.1 (192.168.107.1) 56(84) bytes of data.
From 192.168.107.201 icmp_seq=1 Destination Host Unreachable
From 192.168.107.201 icmp_seq=2 Destination Host Unreachable
From 192.168.107.201 icmp_seq=3 Destination Host Unreachable
From 192.168.107.201 icmp_seq=5 Destination Host Unreachable
From 192.168.107.201 icmp_seq=6 Destination Host Unreachable
^C
--- 192.168.107.1 ping statistics ---
8 packets transmitted, 0 received, +5 errors, 100% packet loss, time 7200ms
pipe 4

I checked up the subnet config itself, connecting any random device to that net works perfectly fine, I can ping both the gateway as well as any other devices in that subnet, so it’s just the macvlan which doesn’t work.
I did check if the WiFi card is in the promiscuous mode, I even tried forcing it, which ended up with promisc 2 when checked with sudo ip -d link.
I also tried using different CIDR for the macvlan_107, namely 192.168.107.232/29 and container IP set to 192.168.107.232, also no luck.

What am I doing wrong? What and how to check?

Thanks in advance!

I tried asking ChatGPT :slight_smile: for potential issues, providing it with the network inspect output, and one of the suggestions was:

5. Potential Issues with Parent Interface (wlxa86e84472f22)
The network is using the physical network interface wlxa86e84472f22 as the parent. This appears to be a wireless interface, and macvlan networks often have issues with wireless interfaces due to how they handle MAC addresses.
Wireless interfaces may reject packets from containers because they come with different MAC addresses than the host, which may cause network connectivity problems.
Fix: It's generally recommended to use a wired interface (e.g., eth0) as the parent interface for macvlan networks. If possible, switch to a wired network interface.

Has anybody experienced it before? Is it the TP-Link Archer T3U Plus wifi card which is a problem? Can it be somehow forced to work in that setup?
I really would like to use it as-is now, switching to the ethernet would be a real hassle for me - firstly, I’d need to buy a USB-eth interface, then to force one port on the router to use that subnet, and I don’t actually have any free ports even, so I’d probably need a switch, too :frowning:

FYI. ChatGPT was right. I gave up with macvlan and simply switched to ipvlan. All works fine now.

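A preflight check for the situation resolved above, as an added example that is not part of the original posts: it inspects sysfs to see whether the parent interface is an 802.11 device and prints a `docker network create` command using ipvlan (whose sub-interfaces share the parent's MAC address) for Wi-Fi parents and macvlan for wired ones. The `SYSFS_NET` override, the wired interface name used when testing, and the `<driver>_107` network name are assumptions of this example; the subnet, range, gateway and parent come from the thread.

```shell
#!/bin/sh
# Added example: pick a Docker network driver from the parent NIC type.
# SYSFS_NET can be overridden to run the check against a constructed tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Succeeds if the interface is an 802.11 device. The kernel exposes a
# "wireless" directory and/or a "phy80211" link under sysfs for these.
is_wireless() {
  [ -d "$SYSFS_NET/$1/wireless" ] || [ -e "$SYSFS_NET/$1/phy80211" ]
}

# Prints "ipvlan" for a wireless parent and "macvlan" for a wired one.
# Returns 1 if the interface does not exist.
pick_driver() {
  if [ ! -d "$SYSFS_NET/$1" ]; then
    echo "no such interface: $1" >&2
    return 1
  fi
  if is_wireless "$1"; then
    echo ipvlan
  else
    echo macvlan
  fi
}

# Prints the network-create command; args: parent subnet ip-range gateway.
# The network name "<driver>_107" is a naming choice made for this example.
network_create_cmd() {
  driver="$(pick_driver "$1")" || return 1
  opts="-o parent=$1"
  if [ "$driver" = ipvlan ]; then
    # L2 mode keeps containers on the parent's subnet, like macvlan would.
    opts="$opts -o ipvlan_mode=l2"
  fi
  echo "docker network create -d $driver --subnet $2 --ip-range $3 --gateway $4 $opts ${driver}_107"
}

# Values from the thread; the first argument overrides the parent interface.
network_create_cmd "${1:-wlxa86e84472f22}" \
  192.168.107.0/24 192.168.107.200/29 192.168.107.1 \
  || echo "run this on the Docker host that owns the interface" >&2
```

The compose file then only needs its `networks:` entries pointed at the new network name; the static `ipv4_address` stays the same.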