November 27, 2024

Hello all. I have been wrestling with this issue for a while now and can't seem to figure out where I am going wrong. I am trying to isolate some docker containers using VLANs. I have my VLAN set up in my settings and the containers that I want to isolate all have IP addresses on that VLAN. The issue that I am having is that I can access all of my containers (not just the ones on the VLAN) from my phone that is connected to my VLAN by going to 192.168.10.2:XXXX. I find it strange that I can access all my Docker containers through my Unraid instance's VLAN IP Address. I thought the whole point of enabling VLANs in Unraid was to keep the containers separate? Any help would be appreciated. Thanks.
November 28, 2024 (Community Expert)

You don't; this should be handled on the physical hardware, via VLAN trunking and VLAN bridging, normally at least. You make a separate Docker network and assign Docker to that network. The Docker network's parent interface is the interface.Vlan, and this data is then handled at layer 3/2 on your network.

SO, it sounds like you've made good progress setting up VLANs, but there's an issue with how the VLAN traffic is routed or isolated. Let's break this down and troubleshoot:

Key Points to Check:

1. Docker Networking in Unraid: By default, Docker containers use the Unraid host's networking unless explicitly configured otherwise. When you assign a container to a VLAN, ensure it is not inadvertently falling back to the Unraid host network (bridge or host mode). Containers should use a dedicated macvlan network with the VLAN explicitly configured.

2. Unraid Network Settings: Verify the VLAN configuration in Unraid's network settings (Settings > Network Settings). Check the following:
   - The VLAN interface is correctly set up with the intended subnet (e.g., br0.10 for VLAN ID 10 with IP range 192.168.10.x).
   - Ensure the "Enable Bridging" and "Enable VLANs" options are configured correctly.

3. Routing and Access Control: If your phone can access all Docker containers through 192.168.10.2:XXXX, it suggests that Unraid is acting as a gateway between VLANs and allowing traffic to its Docker bridge network. This could be due to:
   - Lack of firewall rules between VLANs.
   - Incorrect routing setup on your Unraid server or upstream router/switch.

4. Docker Macvlan Misconfiguration: When creating a macvlan network, ensure:
   - The parent interface points to the VLAN interface (e.g., br0.10).
   - Containers are explicitly assigned to the macvlan network. This prevents them from using Unraid's default network and leaking into the host namespace.

5. Firewall Rules: Unraid does not natively enforce VLAN isolation; you need to configure your router or a firewall to restrict traffic between VLANs. Set rules to block traffic from the VLAN (192.168.10.x) to the Unraid main IP or other VLANs.

Some steps to check and self-resolve:

1. Validate Docker Configuration: Check each container's network settings. Assign containers to a macvlan network specific to the VLAN (br0.10). *I prefer macvlan; see the Docker docs:
   https://docs.docker.com/reference/cli/docker/network/create/
   https://docs.docker.com/engine/network/
   Example of creating a macvlan network via command line:

       docker network create \
         --driver=macvlan \
         --subnet=192.168.10.0/24 \
         --gateway=192.168.10.1 \
         -o parent=br0.10 vlan10_net

   Then, assign containers to vlan10_net.

2. Check VLAN Isolation: Test if VLAN isolation is working as expected: from a device in the VLAN, try pinging the main Unraid IP (192.168.x.x) and other VLANs. If you can access Unraid or other VLANs, enforce isolation via your router/firewall.

3. Router/Firewall Rules: Block inter-VLAN communication unless explicitly allowed. Example rules:
   - Deny traffic from VLAN 192.168.10.0/24 to 192.168.1.0/24 (or Unraid's management IP).
   - Allow only specific traffic (e.g., DNS or HTTP/HTTPS) if needed.

4. Testing and Monitoring: After making changes, test from devices on the VLAN and confirm they can only access intended containers. Use tools like tcpdump or wireshark to inspect traffic flows if issues persist.

Possible Issues with VLAN in Unraid:
   - Unraid Networking Bug: There have been reports of macvlan misconfigurations causing unexpected behavior. Updating to the latest Unraid version might help if you're not already on it.
   - Docker Bridge Overlap: Ensure that Docker's bridge network (172.x.x.x) does not overlap with your VLAN subnet, as this can cause unexpected routing behavior. From my test...

Final Notes: By default, Unraid doesn't automatically enforce VLAN isolation. VLANs primarily work as a tagging mechanism, and it's up to your network configuration (router, switch, and Unraid) to ensure proper isolation. If you still face issues, feel free to share more specifics about your setup, like your VLAN and network configurations!
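An added check for the "Validate Docker Configuration" and "Docker Bridge Overlap" steps in the answer above (example code written here, not from the post or from Unraid): it reads the JSON that `docker inspect $(docker ps -q)` prints on the Unraid host and flags every container that is still attached to a network other than the VLAN macvlan, or whose VLAN address lies outside the VLAN subnet, plus a CIDR overlap test between Docker's bridge range and the VLAN. The network name `vlan10_net`, the subnets and the container names are assumptions matching the thread.

```python
"""Audit container placement against an Unraid VLAN macvlan (added example;
input is the JSON from `docker inspect $(docker ps -q)`, names are assumed)."""
import ipaddress
import json

VLAN_NET = "vlan10_net"          # macvlan created with parent br0.10
VLAN_SUBNET = "192.168.10.0/24"
DOCKER_BRIDGE = "172.17.0.0/16"  # Docker's default bridge range

# Constructed sample resembling trimmed `docker inspect` output.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/isolated_app", "NetworkSettings": {"Networks": {
        "vlan10_net": {"IPAddress": "192.168.10.20"}}}},
    {"Name": "/leaky_app", "NetworkSettings": {"Networks": {
        "bridge": {"IPAddress": "172.17.0.3"}}}},
    {"Name": "/dual_homed", "NetworkSettings": {"Networks": {
        "vlan10_net": {"IPAddress": "192.168.10.21"},
        "bridge": {"IPAddress": "172.17.0.4"}}}},
])


def subnets_overlap(a: str, b: str) -> bool:
    """True if two CIDR ranges share addresses (bridge vs. VLAN subnet check)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def audit(inspect_json: str, vlan_net: str = VLAN_NET,
          vlan_subnet: str = VLAN_SUBNET) -> dict:
    """Map container name -> problems. A container is clean only when its sole
    network is the VLAN macvlan and its IP lies inside the VLAN subnet; anything
    else stays reachable through the Unraid host's own addresses."""
    net = ipaddress.ip_network(vlan_subnet)
    findings = {}
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        nets = c["NetworkSettings"]["Networks"]
        problems = [f"attached to {n}" for n in nets if n != vlan_net]
        if vlan_net not in nets:
            problems.append(f"not on {vlan_net}")
        elif ipaddress.ip_address(nets[vlan_net]["IPAddress"]) not in net:
            problems.append("VLAN IP outside subnet")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INSPECT), indent=2))
    print("bridge overlaps VLAN:", subnets_overlap(DOCKER_BRIDGE, VLAN_SUBNET))
```

On a real host, pipe `docker inspect $(docker ps -q)` into `audit()`; any container it lists is one the VLAN alone does not isolate.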