Get Docker Container to Use Specific Ethernet Interface


I'm a bit of a noob at Unraid and Docker, but starting to get the idea.

 

I'm segmenting my LAN into several VLANs.  I have my more secure LAN at 192.168.1.0/24 using vlan=1.  I have my IoT LAN at 192.168.2.0/24 using vlan=2.  I'm using a Ubiquiti Dream Machine Pro.

 

The PC I'm using for Unraid has one 1gbit interface, and I have installed a card with two 10gbit interfaces.  I want to use the 10gbit for the secure lan, and the 1gbit for the iot lan.  I configured br0 to be the two 10gbit interfaces on eth0 and eth1 and have them set at vlan1.  I configured the eth2 which is 1gbit.  The network settings from my unraid network settings page are in the attached pdf.

 

I then created a couple custom networks by entering at the terminal:

docker network create nnnnnnnlan  (The n's are placeholders for the name I use for my internal network.)

docker network create nnnnnnniot

I then found this on how to assign the network to a specific ethernet port:

docker network inspect nnnnnnnlan | grep "IPAM.Config" | awk '{print $2}' | tr -d '"' | xargs -I {} sudo ip addr add {} dev eth0

docker network inspect nnnnnnniot | grep "IPAM.Config" | awk '{print $2}' | tr -d '"' | xargs -I {} sudo ip addr add {} dev eth2

 

When I do a docker network inspect, I can see the networks.  I tried setting plex to use the iot network by altering the container for plex to use the custom: nnnnnnniot network.  Then restarted the plex container.  When I do so, I'm unable to access plex through the user interface in Unraid, by choosing WebUI.  When I look under client devices in my UDM Pro router, I don't see an IP address assigned for the eth2 interface.  So, I'm guessing I've done something wrong.

 

If I just edit the Plex container to use br0, I'm able to access from the WebUI, and then note the IP address it is getting assigned.  I can then access plex from other machines on the network at that IP.  So, it seems the plex container is working ok.

 

Right now I have not yet added rules to block access between VLANs on my Ubiquiti network.  I'm in the process of getting items on the right VLAN and working, then I'll put in place rules on the UDM Pro router.

 

What is the best way to choose which Docker containers get put on each VLAN, and still allow for access from the WebUI for Unraid as well?

 

Thanks!

screencap NetworkSettings.pdf

Link to comment
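Added example, not part of the original thread: `docker network create NAME` with no driver creates a bridge network internal to the host, so it is not bound to eth0 or eth2; Docker's macvlan and ipvlan drivers are the ones that record a `parent` interface. The Python sketch below audits `docker network inspect` JSON against the interface-to-subnet placement described in the post; the sample JSON, the `iot_macvlan` network and its gateway are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample of `docker network inspect` output, trimmed to the fields
# used below. "iot_macvlan" and every address are hypothetical, for contrast.
SAMPLE = json.loads("""
[
 {"Name": "nnnnnnnlan", "Driver": "bridge", "Options": {},
  "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]}},
 {"Name": "nnnnnnniot", "Driver": "bridge", "Options": {},
  "IPAM": {"Config": [{"Subnet": "172.19.0.0/16", "Gateway": "172.19.0.1"}]}},
 {"Name": "iot_macvlan", "Driver": "macvlan", "Options": {"parent": "eth2"},
  "IPAM": {"Config": [{"Subnet": "192.168.2.0/24", "Gateway": "192.168.2.1"}]}}
]
""")

# Intended placement from the post: physical interface -> VLAN subnet.
EXPECTED = {"eth0": "192.168.1.0/24", "eth2": "192.168.2.0/24"}


def audit(networks, expected=EXPECTED):
    """Return {network name: finding} for each inspected Docker network."""
    findings = {}
    for net in networks:
        name, driver = net["Name"], net.get("Driver", "")
        parent = (net.get("Options") or {}).get("parent")
        configs = net.get("IPAM", {}).get("Config") or []
        subnets = [ipaddress.ip_network(c["Subnet"]) for c in configs if c.get("Subnet")]
        if driver == "bridge":
            # Containers sit on a private subnet and are NATed behind the host,
            # so router rules between VLANs only ever see the host's address.
            findings[name] = "bridge: host-internal, not bound to a NIC or VLAN"
        elif driver not in ("macvlan", "ipvlan"):
            findings[name] = f"{driver}: not checked"
        elif parent not in expected:
            findings[name] = f"{driver}: parent {parent} has no expected subnet"
        elif ipaddress.ip_network(expected[parent]) not in subnets:
            findings[name] = f"{driver}: on {parent} but subnet is not {expected[parent]}"
        else:
            findings[name] = f"ok: {parent} {expected[parent]}"
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(f"{name:12} {finding}")
```

To run it against a live host, replace `SAMPLE` with the parsed output of `docker network inspect` for the networks in question.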

To make it easy on myself I always just force the tag on the switch port I am connecting to. That way anything connected to said port will only see the VLAN ID I assigned and won't do stupid stuff.  I have had issues with unRAID and VLANs in the past. I truly hate the way VLANs work inside of unRAID. It'd be great if you just had a basic router from a box store and wanted to secure stuff that your server runs, but the second you are using business-grade equipment, that is where I have to say no to unRAID in handling it.

 

I personally am currently trying to figure out why NICs that are configured for Dockers only, out of nowhere, just started using whatever NIC they decide to use even though I set them manually. Not sure if it is Docker itself or the installed images; it can make you go nuts at times.


From what I can tell your NIC on the 10G is not getting anything from the DHCP server on VLAN 2. IPv4 assignment is set to "none", meaning it didn't pick up an address.  I understand trying to segment your network out but you might find it a headache. My server in question was running great for 2 years with reboots and power downs, and just 3 days ago decided to start using random NIC ports, making my life a hell for the moment. I haven't rebooted or upgraded in 90 days either; it just started doing weird stuff.

 

Do you have a valid DHCP server set for VLAN 2? If you plug in a different computer, like Windows, Apple or Linux, with the adapter configured for VLAN 2, does it get a valid IP address from DHCP on VLAN 2?

 

 

Link to comment
