VLAN: No connection if no vlan used

Hi

On my Ubuntu 24 I have the following netplan

network:
  version: 2
  ethernets:
    eno1:
      addresses:
      - "192.168.0.246/24"
      nameservers:
        addresses:
        - 192.168.0.1
      routes:
      - to: "default"
        via: "192.168.0.1"
  vlans:
    eno1.4:
      id: 4
      link: eno1
      addresses:
      - "192.168.4.246/24"
      nameservers:
        addresses:
        - 192.168.4.1
    eno1.9:
      id: 9
      link: eno1
      addresses:
      - "192.168.9.246/24"
      nameservers:
        addresses:
        - 192.168.9.1

These are my docker networks

$ sudo docker network ls
NETWORK ID     NAME             DRIVER    SCOPE
52106e3400d4   VLAN100          macvlan   local   ---> eno1
bad4e56d1640   VLAN4            macvlan   local   ---> eno1.4
893b6671b731   VLAN9            macvlan   local   ---> eno1.9
7a9169bca532   bridge           bridge    local
82d4c58f9b1f   gotify_default   bridge    local
934bd0a4f0e4   host             host      local
eea0531b2fb6   none             null      local

I have three stacks in my Portainer
nginx Proxy Manager:

services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    .......
    networks:
      VLAN4:
        ipv4_address: 192.168.4.254

networks:
  VLAN4:
    external: true

Gotify

services:
  gotify:
    image: gotify/server
    .......
    ports:
      - 8080:80

unifi controller

services:
  unifi:
    image: jacobalberty/unifi:latest
    .......
    networks:
      VLAN100:
        ipv4_address: 192.168.0.2

networks:
  VLAN100:
    external: true

My proxy manager can call up pages that are in VLAN4 and 9 with their own IP address. However, if I add my Portainer or Gotify, the page cannot be accessed, as if Docker or Ubuntu prevents access to all services under eno1 with the exception of the VLANs.

What have I configured incorrectly?
On my physical firewall, access from VLAN4/9 to VLAN100 is allowed and according to the logs, the traffic also goes through.

Due to a Linux Kernel security feature, macvlan parent and child interfaces are not allowed to directly communicate with each other. Containers using macvlan child interfaces inherit the behavior.

Thank you. Is there any way I can get it to work so I don’t have to install the nginx proxy manager on a separate system like a Raspberry?

I am only aware of a workaround: add a macvlan child interface to the parent interface and use it from containers attached to VLAN100, to access the host.

Create the interface/bridge and assign an ip to it:

PARENT_INTERFACE=eno1
CHILD_INTERFACE=vlan100-shim
CHILD_IP=192.168.0.247
# IPs used by containers on the VLAN100 macvlan network (the unifi container above);
# widen this to the network's ip-range if you have more containers there.
CONTAINER_RANGE=192.168.0.2/32

# macvlan child in bridge mode: it may talk to the other macvlan children (the containers),
# which the parent interface itself is not allowed to do.
ip link add ${CHILD_INTERFACE} link ${PARENT_INTERFACE} type macvlan mode bridge
ip addr add "${CHILD_IP}/32" dev ${CHILD_INTERFACE}
ip link set ${CHILD_INTERFACE} up
# without this route the host's replies to the containers would leave via the parent
# interface (connected /24 route) and be dropped by the macvlan isolation
ip route add ${CONTAINER_RANGE} dev ${CHILD_INTERFACE}

Modify the variables as needed. Since those commands are not persisted, they need to be executed after each reboot (hint: add a cronjob with an @reboot trigger).

This allows the containers to reach services on the host using the ip from $CHILD_IP.
The host can reach macvlan containers using the new macvlan child interface directly.
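The workaround above as one idempotent script that can be dropped into an @reboot cronjob or a systemd oneshot unit. This is an added example, not the code from the reply above or from Docker; the interface names, the shim address 192.168.0.247 and the container range 192.168.0.2/32 are assumptions taken from this thread and should be changed to match your network. The script prints the planned commands instead of running them when DRY_RUN=1, so the plan can be reviewed on a machine without root or without the interfaces present.

```shell
#!/bin/sh
# macvlan-shim.sh: create a macvlan "shim" on the host so that containers on a
# macvlan network using the same parent interface can reach the host and the
# host can reach them. Added example for this thread; names and addresses below
# are assumptions, adjust them to your setup.
set -eu

PARENT_INTERFACE="${PARENT_INTERFACE:-eno1}"          # macvlan parent (assumed)
CHILD_INTERFACE="${CHILD_INTERFACE:-vlan100-shim}"    # shim name (assumed)
CHILD_IP="${CHILD_IP:-192.168.0.247}"                 # host address on the shim (assumed)
# Addresses handed out on the macvlan network; 192.168.0.2/32 is the unifi
# container from the thread. Use the network's --ip-range for more containers.
CONTAINER_RANGE="${CONTAINER_RANGE:-192.168.0.2/32}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# shim_up PARENT CHILD ADDR RANGE: the command sequence that builds the shim.
shim_up() {
  parent=$1; child=$2; addr=$3; range=$4
  # 1. A macvlan child in bridge mode may talk to the other macvlan children
  #    (the containers); the parent interface itself may not.
  run ip link add "$child" link "$parent" type macvlan mode bridge
  # 2. /32 so the shim does not become a second connected route for the LAN;
  #    that route stays on the parent.
  run ip addr add "${addr}/32" dev "$child"
  run ip link set "$child" up
  # 3. Return route: without it, replies to container addresses would leave
  #    via the parent's connected /24 route and be dropped by the isolation.
  run ip route add "$range" dev "$child"
}

# shim_down CHILD: remove the shim (its address and route go with it).
shim_down() {
  run ip link del "$1"
}

# Idempotent entry point: creating the link twice would fail, so skip if present.
main() {
  if [ "$DRY_RUN" != "1" ] && ip link show "$CHILD_INTERFACE" >/dev/null 2>&1; then
    echo "$CHILD_INTERFACE already exists, nothing to do"
    return 0
  fi
  shim_up "$PARENT_INTERFACE" "$CHILD_INTERFACE" "$CHILD_IP" "$CONTAINER_RANGE"
}

# Only act when invoked as the script itself, so the functions can be sourced.
if [ "${0##*/}" = "macvlan-shim.sh" ]; then
  main "$@"
fi
```

Save it as /usr/local/sbin/macvlan-shim.sh, preview with `DRY_RUN=1 sh /usr/local/sbin/macvlan-shim.sh`, then add `@reboot /usr/local/sbin/macvlan-shim.sh` to root's crontab. Afterwards `ip route get 192.168.0.2` on the host should show the route via the shim rather than via the parent interface.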

Thank you.
My Portainer is now reachable under 192.168.0.246 and 192.168.0.247. But my nginx proxy manager in VLAN4 still can't access 192.168.0.247, for example to access Portainer or other containers via a domain, no matter if I use 0.246 or 0.247.
In my firewall I see that the traffic is allowed through on both 0.246 and 0.247.

If a container is only attached to VLAN4, then traffic will leave the host through the VLAN interface of the host, hit the router, take whichever route is configured for the target network, then hit the host IP. Of course the host needs to have a valid return route to deliver the response as well.