• 0 Posts
  • 15 Comments
Joined 1 year ago
cake
Cake day: October 5th, 2023

help-circle


  • Mine is a bit exotic I guess. I use Terraform to manage my home lab. I tried all of the docker update solutions out there and they’d always make my Terraform out of sync. So I built my own solution that interacts with an orchestrator, a backend and a front-end.

    I use Terraform to create flows for each service. Then the flows interact with the backend to manage the actual updates. The frontend is there to let me see the latest change log of each project before I update.

    For my next project I want to set up an oil tank monitor for our heating. Then I can use Prometheus and Grafana to monitor usage. From there I can start making predictions and so on





  • Why did you use 192.168.2.200/29 for your route? This is the last part I dont quite understand. How does it play into the settings you chose above?

    I made a typo here and it should be --ip-range 192.168.2.200/29

    As I mentioned above you are creating a virtual LAN and as such you need to carve out your own subnet.

    My setup is ip range 192.168.87.96/30 which is ip range 192.168.87.96 to 192.168.87.99 . I chose 192.168.87.99 as my auxillary and my Nginx was automatically given IP 192.168.87.96 . Now my question is how do I go about knowing what to use for route?

    What do you mean what to use for route? Given what you said your command should look like:

    docker network create -d macvlan \
    -o parent=eth0 \
    --subnet=192.168.87.0/24 \
    --gateway=192.168.87.1 \ #this is your router's address
    --ip-range 192.168.87.96/30 \
    --aux-address="host=192.168.87.99" \
    dockervlan
    

    So that command is saying: I have an entire LAN that lives on the subnet 192.168.87.0/24. My router (i.e. gateway) has the IP address 192.168.87.1. I have a virtual network (macvlan) that has its own subnet that has the range 192.168.87.96/30.

    So now you need to create the virtual subnet (macvlan) using the command

    sudo ip route add 192.168.87.96/30 dev macvlan0
    

    If you use any other subnet it wouldn’t make any sense. How else would you get the same address space you described in the ip-range option?



  • I think I am about 99% of the way there. Seems like I got it mostly figured out, but I do have a couple questions for you. And thanks again for your time, you have no idea how much I appreciate you and your assistance in this.

    1. After completing the steps, I can access my NAS as usual, the Nginx proxy manager is accessible via it’s macvlan IP, but I can also connect to the NAS and all it’s services including the Nginx container from the auxillary host IP. What’s the deal with that?

    Yes, the auxiliary host IP is basically a new virtual IP that sits on your LAN. So basically when you connect your synology to your home network, it gets assigned an IP (with its own MAC address included). With the MACVLAN network, you’ve basically created a new virtual network on your NAS with its on device (MAC) address. It is in essence a virtual copy of your NAS host that your router sees it as a new device on your network.

    1. Once all is said and done. Should my Nginx be connected to both the default bridge network and the new macvlan or just the macvlan? It’s always connected to the default bridge when installing any new container, but when I add the container to the new macvlan, am I supposed to disconnect it from the default bridge at the same time?

    This is up to you how you want your network architecture to look like, but when you spin up a new container that you want available accessible by your ngnix, you have to:

    1. Specify your docker’s macvlan network as your container’s network (and remove it from the default bridge) OR

    2. Connect your ngnix container to your application’s docker network (basically isolate all containers in their own network)

    Up to you. Personally I do #2.

    1. Your fourth command for adding routing. How do I know what to use? My IP range for example is 192.168.87.96/30 with an auxiliary IP of 192.168.87.99. How do I decide the routing CIDR notation? I tried to look at yours and wasn’t sure how you decided on yours. I just went with 192.168.87.96/30 which is the same as my IP range, but I’m not exactly sure what that is doing or not doing and if I should’ve chosen a different Ip for that. My CIDR notation for IP range is just 4 IPs, as you can probably tell by now. I notice this one is very important and if not configured properly can make or break the connection. At first, I selected 192.168.87.98, but that didn’t work. When I chose by IP range for routing, it worked. I blindly did this, so I have no idea why one is working over the other and how to decide this part.

    I presume you’re talking about this one ? sudo ip addr add 192.168.2.201/32 dev macvlan0 I guess I didn’t explain properly but that is your auxiliary host’s IP. If you look at command 2 you’ll see --aux-address="host=192.168.2.201". Basically the CIDR notation /32 is the same as the subnet mask 255.255.255.255, only one IP address can be served in macvlan0.

    1. Your final command, which you say is optional for communication between the macvlan and the NAS. I’m not sure if I need to be using this? My entire reason for doing all this is to use NPM for accessing my FQDN on my LAN with SSL certs only on my LAN and nothing exposed to outside internet. I just want all the DNS rewrites from Adguard Home to point to the Nginx macvlan IP so that Nginx can proxy it to the correct NAS service and also SSL it at the same time. Adguard home cannot use port numbers in the DNS rewrites and only can use IP, which is why I am doing all this in the first place. I had to give Nginx its own IP, or Adguard home DNS rewrites couldn’t communicate with it.

    Yea its optional. For my purposes it was nice to have because I have gitea and wanted to use GIT on the Synology locally. You don’t have to.

    Overall, I am able to execute all you’ve described with just these concerns I’ve listed above. Again, thanks a ton, brother. I learned a lot in this experience.

    Yea it’s not straightforward and I spent a ton of time researching it. Glad to help.




  • So basically all you did was create a docker network with no macvlan on your synology. The docker network you created will simply look for a macvlan and communicate with it. There needs to be an actual macvlan there to communicate with. You really should read through my responses again.

    Here are some pointers:

    • Your step 2 needs an auxiliary address for your host. –aux-address=“host=192.168.2.201”

    • Look at my step 3. You have to run those commands to setup the macvlan on your synology. You have to use your auxiliary host address in the series of commands I showed you. When you run them properly you will see the host show up in your router.



  • You shouldn’t have conflicts with the DSM ngnix after setting up a macvlan on a Synology.

    Saying that, there are a few more steps you have to do to get it working. I’ve done it successfully on my Synology. Here is a guide I wrote for traefik in my notes. Also see the references for additional explanations.

    I apologize for the formatting. I am on my phone.

    Introduction

    Long story short, Traefik uses ports 80 and 440. On the Synology NAS (from DSM 7 and upwards), those ports are occupied by the OS. There are two options to solve this issue:

    Reroute all traffic on 80 and 443 on the router to a new port

    Pros: no need for a VLAN (see 2.). Cons: need to expose all services on the Synology via Traefik Create a MAC VLAN + bridge, attach the docker container to it and assign an IP

    Pros: Cleaner approach as the docker container gets assigned a new IP Cons: More complicated

    This guide will discuss option 2.

    Preparation

    IP Reservation

    Before we begin, some ip configuration is necessary. First you must configure any DHCP service on your network such that it will not assign addresses in a given range. This guide assumes you already have your raspberry pi set up as your DHCP service (and turned DHCP off in your router). Go to your pi-hole admin page and go to settings→DHCP.

    Figure: DHCP Settings on the Pi-Hole

    Here an IP range of 192.168.2.50-192.168.2.199 has been reserved by the pi-hole to be assigned. This leaves addresses 192.168.2.2-192.168.2.49 and 192.168.2.200-192.168.2.254 to us to use. I shall use the tail end of the range 192.168.2.200-192.168.2.254.

    MACVLANs

    The following is specifically for those that have a Synology NAS with a single ethernet port. This port should be designated eth0. To be sure, check using the following command:

    ip link show

    Figure 2: List of IP links available

    Note: If you have multiple ethernet ports and have already set up a bond, follow this guide: https://blog.alexis.lc/docker-macvlan-network-synology

    We will link our macvlan to this physical port so that information and be routed from outside the NAS to the docker container.

    Docker and MACVLANs

    Warning! This is the danger zone. If you mess up and/or want to get your network settings back to normal follow these steps. TL;DR: find and press the reset button on the back of your NAS for 4 seconds until you hear a beep, then release.

    Now that we have our address range reserved and we know which device we can link our macvlan to, it is time to create our docker network and a macvlan network!

    Step 1: Create the necessary docker network:

     docker network create -d macvlan \
      -o parent=eth0 \
      --subnet=192.168.2.0/24 \
     	--gateway=192.168.2.1 \
      --ip-range 192.168.2.200/27 \
     	--aux-address="host=192.168.2.201" \
       dockervlan
    

    –aux-address reserves the address from our subnet (this is the new ip my NAS host will be accessed from on the macvlan network)

    –ip-range is the range of IPs that can be assigned by docker

    –gateway the gateway docker will use to communicate with the world (this is my router address)

    –subnet the macvlan’s subnet we will be creating

    -o parent specifies the interface through which we want to comminicate

    Synology NAS MACVLAN

    The next step is to create a MACVLAN that will act as a new host and network and provide new IP addresses to the containers we attach to it.

    First create a MACVLAN and add a fictitious MAC address to it. This is so that if you need to start over, you don’t have multiple virtual nodes popping up in your router

    sudo ip link add link eth0 name macvlan0 address 02:42:C0:A8:02:C9 type macvlan mode bridge

    Then assign the reserved host address (aux-address from above) to the MACVLAN

    sudo ip addr add 192.168.2.201/32 dev macvlan0

    Spin up the MACVLAN

    sudo ip link set macvlan0 up

    Allow routing to the subnet

    sudo ip route add 192.168.2.200/29 dev macvlan0

    Now you should see a new host on your network with ip 192.168.2.201 and MAC address 02:42:C0:A8:02:C9

    Make sure the synology can get packets to the macvlan subnet

    sudo iptables -A INPUT -s 192.168.2.200/29 -j ACCEPT &&
    sudo iptables -A OUTPUT -d 192.168.2.200/29 -j ACCEPT &&
    sudo iptables -A FORWARD -s 192.168.2.200/29 -j ACCEPT &&
    sudo iptables -A FORWARD -d 192.168.2.200/29 -j ACCEPT

    Traefik with a new IP

    To assign Traefik it’s own IP so that the NAS does not interfere with traefik (by taking up ports 80 and 443) add the following to your docker compose:

    service: . . networks: default: #eth0 linked network traefik-net: #traefik’s network proxy: #proxy network mac_address: “02:42:C0:A8:02:C9” . . . #define networks networks: traefik-net: external: true proxy: external: true default: external: name: “dockervlan”

    Note the 3 networks:

    default/dockervlan this docker network is the subnet that exists in the router and is linked to eth0. This manages all external communication

    proxy socket-proxy docker network (never to be exposed)

    traefik-net the network any container will use in order to communicate with traefik

    Sources:

    https://blog.oddbit.com/post/2018-03-12-using-docker-macvlan-networks/

    https://community.synology.com/enu/forum/1/post/133969?page=2&sort=oldest

    https://www.reddit.com/r/synology/comments/s5j9d8/howto_vlan_configuration_with_docker/