Trouble understanding network routing using macvlan

I’ve set up OpenVPN on 10.8.0.0 on an RP3 at 192.168.2.10. At the same time, I have Docker running on the same device with several containers; basically I have 2 macvlans:

  • macvlan20 at 192.168.20.0 (eth0.20)
  • macvlan10 at 192.168.10.0 (eth0.10)

The problem is, I can’t reach either of the macvlans from the OpenVPN client. At first I thought it was because OpenVPN is running on the same device; it should have the same behaviour as trying to access the macvlan container from the host machine, which is not possible by default.

So I tried using a macvlan interface to connect the host to macvlan20:

ip link add mac0 link eth0 type macvlan mode bridge
ip addr add 192.168.20.50/32 dev mac0
ip link set mac0 up
ip route add 192.168.20.10/24 dev mac0   # one of the containers is here

After this, I was able to ping the container at 192.168.20.10, but I still can’t access it (no curl access), neither from the host nor from the OpenVPN client. So, to be honest, I have no idea what’s going on here: is it an OpenVPN config problem, a macvlan access problem, or maybe an iptables thing?

My physical network setup is:

  • Unifi Security Gateway:
    • LAN1:
      • Managed Switch
        • devices
    • LAN2: Here is the RP3

LAN1 has vlan30
LAN2 has vlan20 and vlan10

The weird thing is I can access vlan30 from the OpenVPN client, so I don’t think it’s an OpenVPN configuration thing.

$ iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i br-34828e803471 -o br-34828e803471 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 ! -s 172.16.0.0/16 -o br-34828e803471 -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d 172.16.0.0/16 -i br-34828e803471 -j DROP
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A f2b-sshd -j RETURN

Docker version 18.09.0, build 4d60db4
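Before touching the macvlan setup it is worth ruling the firewall in or out, and the posted `iptables -S` dump is enough to do that on paper. The following is an added example, not code from the original post: a small Python walker that parses the dump above and traces what the FORWARD chain does to a packet. The packet details are constructed assumptions (VPN tunnel interface `tun0`, host macvlan interface `mac0`, VPN client 10.8.0.2, a bridge container at 172.16.0.5); only the rules themselves come from the post. It supports only the filter-table options that actually appear in the dump (`-i`, `-o`, `-p`, `-s`, `-d`, `!`, `-m conntrack --ctstate`, `-m multiport --dports`, `-j`) and raises on anything else rather than guessing.

```python
import ipaddress
import shlex

# The `iptables -S` output exactly as posted in the question.
IPTABLES_DUMP = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i br-34828e803471 -o br-34828e803471 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 ! -s 172.16.0.0/16 -o br-34828e803471 -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d 172.16.0.0/16 -i br-34828e803471 -j DROP
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A f2b-sshd -j RETURN
"""

# Constructed packets (assumed interface names and addresses, not from the post).
VPN_TO_CONTAINER = dict(iif="tun0", oif="mac0", proto="tcp", src="10.8.0.2",
                        dst="192.168.20.10", dport=80, state="NEW")
BRIDGE_TO_INTERNET = dict(iif="br-34828e803471", oif="eth0", proto="tcp",
                          src="172.16.0.5", dst="1.1.1.1", dport=443, state="NEW")


def parse_rule(tokens):
    """Tokens after '-A <chain>' -> (list of (option, value, negated), target)."""
    matches, target, i = [], None, 0
    while i < len(tokens):
        negate = tokens[i] == "!"
        if negate:
            i += 1
        opt = tokens[i]
        if opt == "-j":
            target = tokens[i + 1]
        elif opt == "-m":
            pass  # match module name; its own option (--ctstate/--dports) follows
        elif opt in ("-i", "-o", "-p", "-s", "-d", "--ctstate", "--dports"):
            matches.append((opt, tokens[i + 1], negate))
        else:
            raise ValueError(f"unsupported iptables option: {opt}")
        i += 2
    return matches, target


def parse_dump(text):
    """Return ({builtin chain: policy}, {chain: [rules]}) from `iptables -S` text."""
    policies, chains = {}, {}
    for tokens in (shlex.split(line) for line in text.splitlines()):
        if not tokens:
            continue
        if tokens[0] == "-P":
            policies[tokens[1]] = tokens[2]
            chains.setdefault(tokens[1], [])
        elif tokens[0] == "-N":
            chains.setdefault(tokens[1], [])
        elif tokens[0] == "-A":
            chains.setdefault(tokens[1], []).append(parse_rule(tokens[2:]))
    return policies, chains


def rule_matches(matches, pkt):
    """Every match must hit (or, if negated, must not hit) for the rule to apply."""
    for opt, value, negate in matches:
        if opt == "-i":
            hit = pkt["iif"] == value
        elif opt == "-o":
            hit = pkt["oif"] == value
        elif opt == "-p":
            hit = pkt["proto"] == value
        elif opt in ("-s", "-d"):
            addr = pkt["src" if opt == "-s" else "dst"]
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(value, strict=False)
        elif opt == "--ctstate":
            hit = pkt["state"] in value.split(",")
        else:  # --dports
            hit = str(pkt["dport"]) in value.split(",")
        if hit == negate:
            return False
    return True


def _walk(chain, pkt, chains, trace):
    """Walk one chain; return a terminal verdict, or None if the chain falls through."""
    for n, (matches, target) in enumerate(chains[chain], 1):
        if not rule_matches(matches, pkt):
            continue
        trace.append(f"{chain}#{n} -> {target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        if target in chains:  # jump into a user-defined chain
            verdict = _walk(target, pkt, chains, trace)
            if verdict is not None:
                return verdict
    return None


def forward_verdict(pkt, dump=IPTABLES_DUMP):
    """Verdict for a forwarded packet plus the rule trace that produced it."""
    policies, chains = parse_dump(dump)
    trace = []
    verdict = _walk("FORWARD", pkt, chains, trace)
    if verdict is None:  # nothing terminal matched: the built-in chain policy decides
        verdict = policies["FORWARD"]
        trace.append(f"FORWARD policy -> {verdict}")
    return verdict, trace


if __name__ == "__main__":
    for name, pkt in (("vpn -> macvlan container", VPN_TO_CONTAINER),
                      ("bridge container -> internet", BRIDGE_TO_INTERNET)):
        verdict, trace = forward_verdict(pkt)
        print(f"{name}: {verdict}  via  {' | '.join(trace)}")
```

For the VPN-to-container packet nothing in the dump matches beyond the two RETURN-only detours, so the FORWARD policy of ACCEPT applies: the filter table is not what stops the curl. The second packet shows the posted isolation rules doing real work (a bridge container sending to a non-172.16.0.0/16 address is dropped by DOCKER-ISOLATION-STAGE-1 rule 3). The walker only sees the filter table and a NEW connection; the nat table, conntrack state of replies, and the kernel-level macvlan host isolation that the post is really fighting are all outside its view, so an ACCEPT here narrows the search rather than finishing it.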