container ip address, not reachable
I don't have a VLAN in my current setup. Everything is under 192.168.10.x, with 192.168.10.1 being the Firewalla.
I have stood up a Portainer docker container with a macvlan static IP of 192.168.10.196 and a static MAC address. I am able to see the website in Chrome on my laptop, and Portainer is also showing up in the Firewalla app as a device. However, I am not able to reach it from the Firewalla command line using curl with the port. I did some investigation and found out that the ARP entry is incomplete.
> arp -a | grep 196
? (192.168.10.196) at <incomplete> on br0
To troubleshoot the problem, I added the ARP entry manually.
> arp -s 192.168.10.196 02:42:ac:00:01:06 -i br0
> arp -a | grep 196
? (192.168.10.196) at 02:42:ac:00:01:06 [ether] PERM on br0
I think what I did above solved one of the problems. I am not sure what else to look at. Any ideas, guys?
-
I did the above commands on my Firewalla. The Firewalla is the node on which I host the macvlan and the Portainer container. Eventually I want to switch out Portainer for ntfy. I started with Portainer because it is something I am most familiar with.
So here is my setup:
- 192.168.10.1 is the Firewalla, hosting the docker macvlan
- The Portainer container is running on the Firewalla with IP 192.168.10.196. I also assigned the container a MAC address, so it shows up as a device on the Firewalla. In the future, I will enable some control/restrictions on 192.168.10.196 because it is virtually just one of the devices on the LAN and it has its own IP address.
docker command to create the macvlan:
docker network create -d macvlan \
--subnet=192.168.10.0/24 \
--gateway=192.168.10.1 \
-o parent=br0 \
macvlan
macvlan is created:
docker network ls
NETWORK ID NAME DRIVER SCOPE
cce0f6f0aaa5 bridge bridge local
b488484d4b22 host host local
a926f7417b1a macvlan macvlan local
25dd16dacf68 none null local
docker-compose.yaml:
version: "3.8"
services:
  portainer:
    image: portainer/portainer-ce:alpine
    container_name: portainer
    hostname: portainer
    mac_address: 02:42:ac:00:01:06
    restart: unless-stopped
    environment:
      - TZ=America/Chicago
    healthcheck:
      test: "wget --no-verbose --tries=3 --spider http://localhost:9000/api/system/status || exit 1"
      interval: 30s
      timeout: 10s
      retries: 3
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /mnt/sdcard/docker/portainer_data:/data
    networks:
      macvlan:
        ipv4_address: 192.168.10.196
    deploy:
      resources:
        limits:
          cpus: 0.5
          memory: 50m
networks:
  macvlan:
    external: true
Now the problem is that I am not able to hit the container IP from my Firewalla (192.168.10.1) box. I can't even ping the IP. Are there any settings that are blocking traffic from the Firewalla to the container? My laptop is 192.168.10.34 and I can ping and hit the container just fine.
-
This is a common issue with macvlan setups and stems from how the Linux kernel handles traffic originating from the same interface as the macvlan interface. Macvlan creates virtual network interfaces that are directly attached to a physical interface. Each macvlan interface gets its own MAC address and IP address, making it appear as a separate physical device on the network. By default, the Linux kernel prevents traffic from being routed back out the same physical interface it came in on. This is a security measure to prevent loops and other network issues. When you try to ping the macvlan-connected Docker container from the host, the kernel sees the traffic originating from the same physical interface as the macvlan interface. It then blocks the response from the container, preventing the ping from succeeding. Devices on the same subnet don't have this restriction because they're sending and receiving traffic through different physical interfaces on their respective machines.
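The usual workaround for this situation, as an added example that is not part of the thread: give the host its own macvlan sub-interface in bridge mode on br0 and route the container's /32 through it, since a macvlan parent interface and its child interfaces do not exchange frames directly. The shim name `macvlan-shim` and its spare address 192.168.10.250 are assumptions; pick an address that neither DHCP nor Docker's IPAM will hand out.

```shell
#!/bin/sh
# Added example (not from the thread): host-side macvlan "shim" so the
# Firewalla host (192.168.10.1 on br0) can reach the macvlan container
# at 192.168.10.196. Shim name and shim IP are assumed values.
set -eu

PARENT="${PARENT:-br0}"
SHIM="${SHIM:-macvlan-shim}"
SHIM_IP="${SHIM_IP:-192.168.10.250}"        # assumption: unused on the LAN
CONTAINER_IP="${CONTAINER_IP:-192.168.10.196}"

# Emit the commands without running them, so the plan can be reviewed first.
macvlan_shim_cmds() {
  printf '%s\n' \
    "ip link add $SHIM link $PARENT type macvlan mode bridge" \
    "ip addr add $SHIM_IP/32 dev $SHIM" \
    "ip link set $SHIM up" \
    "ip route add $CONTAINER_IP/32 dev $SHIM"
}

# Apply them (root required). The /32 route is more specific than the
# connected 192.168.10.0/24 on br0, so only traffic to the container is
# diverted through the shim; the rest of the LAN is untouched.
macvlan_shim_apply() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  macvlan_shim_cmds | while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd"
  done
}

# Verify afterwards: the host should now route the container IP via the shim.
macvlan_shim_check() {
  ip route get "$CONTAINER_IP" 2>/dev/null | grep -q "dev $SHIM"
}

case "${1:-}" in
  apply) macvlan_shim_apply ;;
  check) macvlan_shim_check && echo "route to $CONTAINER_IP via $SHIM ok" ;;
  *)     macvlan_shim_cmds ;;
esac
```

Run it with no arguments to print the commands, `apply` as root to create the shim, and `check` to confirm the new route; the shim does not survive a reboot, so it has to be re-created at boot.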