[6.9.0-beta25] "Host access to custom networks" option in Docker changes MAC address of Unraid Server

Just to add, I ended up breaking down and building out another VLAN for dockers in the meantime. However, I think this is a bug as the MAC of unraid should not be changing. Way too much of a pain in the butt though, when the check box should have avoided this all together 🙂

Edited August 10, 2020 by cybrnook

When you enable "Host access to custom networks" it will create a shim network interface, e.g. shim-br0.

This shim interface has the same IP address as the main interface (br0), but it is using a different MAC address (because it is a different interface/network).

 

This shim interface is used to make Docker think it is accessing a different system, in other words it makes access possible between docker and the host system.

 

Your pfsense firewall gets confused by this, it sees the same IP address with two different MAC addresses (and two different networks).

I am not using pfsense and don't know how to tell it to understand "this situation". In worst case when pfsense can not cope with this, you need to disable the host access function, which is rarely needed anyway.

 

This is not a bug but an implementation by design.

On 8/8/2020 at 3:05 AM, bonienl said:

In worst case when pfsense can not cope with this, you need to disable the host access function, which is rarely needed anyway.

Thanks for the response @bonienl that helps paint of picture of what's going on.

 

To your line I quoted above. I would say this option is needed for those who want to assign a static IP to your docker containers, but also don't want to have to go through the trouble of setting up a separate VLAN for those docker containers because either it's too hard, or their equipment does not support it.

 

What I found in the past was that when you assign static IP's to your docker containers, Unraid by default blocks those containers from talking to one another. So if you have a setup like mine (and I assume others run something similar for automation) Sonarr and Radarr need to be able to talk to Jackett, they also need to be able to talk to your torrent client to pass information back and forth. Without this option enabled, this won't work. Or, creating a separate network for these dockers, hence the need for a VLAN.

Edited August 10, 2020 by cybrnook

18 hours ago, cybrnook said:

Without this option enabled, this won't work.

Docker containers which are in the "same" network can always communicate with each other.

So either your containers are ALL bridge/host network or are ALL custom network.

 

5 hours ago, bonienl said:

So either your containers are ALL bridge/host network or are ALL custom network.

This may explain it then. Is this a hard requirement that in order to use some docker containers with static IP's, then ALL my docker need to be set to use a static IP? I can't have one using host, a few using bridge, then a handful using custom br0, they would all need to be custom br0?

You can mix as much as you want with different network types.

Changed Status to Closed

I guess I will set this to closed as everything I pointed out so far seems to be either specific to me or expected. Thanks @bonienl for explaining in detail my concerns.

 

Perhaps it was timing, or something else on my side, but without having Host Access enabled, my custom br0 dockers were not able to talk to one another, at least at the time. Which is what led me down this path anyways.

 

regardless, so far using a VLAN has removed the call traces I was seeing, and with the rules in the firewall , everyone can talk to everyone, so I guess that's good enough 🙂

 

Edited August 15, 2020 by cybrnook