Score:0

MACVLAN Docker containers on Synology NAS with 2 VLANs cannot reach the host


I have 2 VLANs on ETH1 port on Synology DSM 7.2. I use the MACVLAN driver, so my containers look like "separate computers" on the network. I can reach the container from the network and I can reach the network from the container. I can even reach the container from the host, but I cannot reach the host from inside the container.

#!/bin/bash:

docker network create -d macvlan --subnet=10.1.40.0/24 --gateway=10.1.40.1 --ip-range=10.1.40.160/29 --aux-address 'host=10.1.40.166' -o parent=eth1.10 macvlan10
ip link add macvlan10brdg link eth1.10 type macvlan mode bridge
ip addr add 10.1.40.166/32 dev macvlan10brdg
ip link set dev macvlan10brdg up
ip route add 10.1.40.160/29 dev macvlan10brdg
docker run --net=macvlan10 -it --name macvlaneth10 --ip 10.1.40.165 --privileged --cap-add=ALL --rm alpine /bin/sh

ip a:

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:11:32:cd:8b:34 brd ff:ff:ff:ff:ff:ff
7: eth1.10@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:11:32:cd:8b:34 brd ff:ff:ff:ff:ff:ff
    inet 10.1.40.16/24 brd 10.1.40.255 scope global eth1.10
       valid_lft forever preferred_lft forever
8: eth1.5@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:11:32:cd:8b:34 brd ff:ff:ff:ff:ff:ff
    inet 10.2.40.16/24 brd 10.2.40.255 scope global eth1.5
       valid_lft forever preferred_lft forever
14: macvlan10brdg@eth1.10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1
    link/ether 8e:3d:a4:01:5d:42 brd ff:ff:ff:ff:ff:ff
    inet 10.1.40.166/32 scope global macvlan10brdg
       valid_lft forever preferred_lft forever
    inet6 fe80::8c3d:a4ff:fe01:5d42/64 scope link
       valid_lft forever preferred_lft forever

ip rule:

0:      from all lookup local
2:      from all lookup static-table
10:     from 10.2.40.16 lookup eth1.5-table
12:     from 10.1.40.16 lookup eth1.10-table
32766:  from all lookup main
32767:  from all lookup default

ip route:

default via 10.1.40.1 dev eth1.10  src 10.1.40.16
10.1.40.0/24 dev eth1.10  proto kernel  scope link  src 10.1.40.16
10.1.40.160/29 dev macvlan10brdg  scope link
10.2.40.0/24 dev eth1.5  proto kernel  scope link  src 10.2.40.16

iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DEFAULT_FORWARD  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DEFAULT_FORWARD (1 references)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere

Chain DOCKER (0 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere         ****** after "iptables -I DOCKER-USER -j ACCEPT"
RETURN     all  --  anywhere             anywhere

cat /proc/sys/net/ipv4/ip_forward:

1

I even tried BRIDGE driver with a similar result. I can reach the container from the network and the host, I can reach the network from the container. When I try to ping the host from the container, this is what I get on the router.

invalid forward: in:vlan10 out:vlan10, connection-state:invalid src-mac 00:11:32:cd:8b:34, proto ICMP (type 0, code 0), 10.1.40.16->10.1.52.2, len 84

This is how I run the bridged container:

docker network create -d bridge --subnet 10.1.52.0/24 --gateway 10.1.52.1 -o parent=eth1.10 testbrgeth110
docker run --net=testbrgeth110 -it --name bridgeeth110 --privileged --cap-add=ALL --rm alpine /bin/sh

I spent 2 full days reading through the Internet, debugging, etc. I really have no idea what's wrong. Bridged network on DSM 6.2 with no VLAN in the network worked like a charm.
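The `ip rule` output above shows that DSM uses policy routing: a packet sourced from the host's own address 10.1.40.16 is matched by rule 12 and looked up in `eth1.10-table` before the `main` table, where the `10.1.40.160/29 dev macvlan10brdg` route was added, is ever consulted. The following script is an added example, not part of the question or of DSM, that models the kernel's rule-then-longest-prefix lookup over the rule list and `main` table shown above. The contents of `local`, `static-table` and `eth1.10-table` are not on the page and are assumed here (a per-interface table that knows only its own /24 and a default route); `ip route show table eth1.10-table` on the NAS would show the real entries. It shows how a more specific route in `main` is shadowed by a higher-priority table, and why a ping sourced from the shim address 10.1.40.166 takes a different path.

```python
import ipaddress

# Rule list in the priority order printed by `ip rule` on the page.
# (priority, source selector or None for "from all", table name)
RULES = [
    (0, None, "local"),
    (2, None, "static-table"),
    (10, "10.2.40.16", "eth1.5-table"),
    (12, "10.1.40.16", "eth1.10-table"),
    (32766, None, "main"),
    (32767, None, "default"),
]

# Route tables as (prefix, outgoing device). `main` is copied from the page's
# `ip route` output; every other table is ASSUMED, since the question does not
# show them. A per-interface table is modelled as "own subnet + default route".
TABLES = {
    "local": [
        ("10.1.40.16/32", "lo"),
        ("10.2.40.16/32", "lo"),
        ("10.1.40.166/32", "lo"),
    ],
    "static-table": [],
    "eth1.5-table": [("10.2.40.0/24", "eth1.5"), ("0.0.0.0/0", "eth1.5")],
    "eth1.10-table": [("10.1.40.0/24", "eth1.10"), ("0.0.0.0/0", "eth1.10")],
    "main": [
        ("0.0.0.0/0", "eth1.10"),
        ("10.1.40.0/24", "eth1.10"),
        ("10.1.40.160/29", "macvlan10brdg"),
        ("10.2.40.0/24", "eth1.5"),
    ],
    "default": [],
}


def lookup(src, dst, tables):
    """Simplified policy-routing lookup: walk the rules by priority, and in the
    first table that has a route covering dst return (table, device).
    A table with no matching route falls through to the next rule, as the
    kernel does for ordinary tables."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for _prio, selector, table in RULES:
        if selector is not None and ipaddress.ip_address(selector) != src_ip:
            continue
        best = None
        for prefix, dev in tables.get(table, []):
            net = ipaddress.ip_network(prefix)
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        if best is not None:
            return table, best[1]
    return None


def route_host_to_container(shim_route_in_iface_table):
    """Path the host takes to the container 10.1.40.165 when replying from its
    primary address 10.1.40.16. With shim_route_in_iface_table=True the /29
    route is also present in eth1.10-table (assumed fix under test)."""
    tables = {name: list(routes) for name, routes in TABLES.items()}
    if shim_route_in_iface_table:
        tables["eth1.10-table"].append(("10.1.40.160/29", "macvlan10brdg"))
    return lookup("10.1.40.16", "10.1.40.165", tables)


if __name__ == "__main__":
    print("from 10.1.40.16, /29 only in main :", route_host_to_container(False))
    print("from 10.1.40.16, /29 in iface table:", route_host_to_container(True))
    # Sourcing from the shim address matches no per-interface rule, so `main`
    # is used and the /29 wins by longest prefix, e.g. `ping -I 10.1.40.166`.
    print("from 10.1.40.166                  :", lookup("10.1.40.166", "10.1.40.165", TABLES))
```

Under the assumed table contents, a reply sourced from 10.1.40.16 leaves via `eth1.10` (the parent, which macvlan children never see) unless the /29 is also present in `eth1.10-table`, while a packet sourced from the shim's 10.1.40.166 already goes out `macvlan10brdg`. Comparing `ping 10.1.40.165` with `ping -I 10.1.40.166 10.1.40.165` on the host is the quick way to tell these two paths apart.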
