Network isolation in unRAID 6.4


bonienl


20 hours ago, adminmat said:

I tried this tonight but lost WebUI access (and all access) to my Plex container. I've been running Plex just fine. From my secure LAN (VLAN10) desktop I can't ping Plex (192.168.50.3) or Docker (192.168.50.2) but I can ping the unRAID server (192.168.10.69).

This is by design with macvlan. Anything on a bridged VLAN (br0.50 in your case) is isolated from the server subnet. You cannot ping from the .10 subnet (where your unRAID server resides) to an IP address on the .50 VLAN subnet (and vice versa) because of the network isolation of macvlan. Of course, docker containers on the same VLAN/subnet can ping each other.

It is possible to set up static routes to overcome this and it may be discussed/documented somewhere in this or another thread, but I personally have no experience with doing that.

I just run Plex in host networking mode on the unRAID IP and appropriate ports. I run some other docker containers on my docker VLAN (br0.3) that do not need direct access to the unRAID server.


13 hours ago, Hoopster said:

This is by design with macvlan. Anything on a bridged VLAN (br0.50 in your case) is isolated from the server subnet. You cannot ping from the .10 subnet (where your unRAID server resides) to an IP address on the .50 VLAN subnet (and vice versa) because of the network isolation of macvlan. Of course, docker containers on the same VLAN/subnet can ping each other.

 

So how I understand your post: in order to access the Plex server locally from your PC, both Plex and the PC would have to be in the same subnet/VLAN. And any IoT device accessing Plex would have to be on the same subnet/VLAN.

For example, I'd have to put my Roku, PC, phone, laptop (for viewing) and Plex all on the same subnet/VLAN.

I must understand you incorrectly, for this seems quite limited and a security issue.


Update! Got it working. I forgot to add the VLAN number to the "vid" field on the EdgeRouter's switch0 for the switch's trunk port. As soon as I added 50 the Plex WebUI lit up. 🤘 Victory!

 

[screenshot: vid.PNG]

 

I can also confirm that I CAN ping from my PC on VLAN10 to the Plex container on VLAN50.
8 hours ago, adminmat said:

So how I understand your post: in order to access the Plex server locally from your PC, both Plex and the PC would have to be in the same subnet/VLAN. And any IoT device accessing Plex would have to be on the same subnet/VLAN.

For example, I'd have to put my Roku, PC, phone, laptop (for viewing) and Plex all on the same subnet/VLAN.

I must understand you incorrectly, for this seems quite limited and a security issue.

No, you don't have to have everything on the same subnet. I don't have everything that accesses Plex/unRAID on the same subnet. I was just addressing your specific issue of not being able to ping or access the Plex GUI between your .50 network and your unRAID (.10) network based on your configuration. That is normal unless, on the router/switch side, you do some additional configuration (as you, apparently, discovered, although yours was an easy fix). My router/switches automatically route all traffic between what they call "corporate" LANs unless firewall rules are created to prevent it.

In my case, I do have Plex configured in host mode and in direct communication with unRAID, but there are other docker containers not on that subnet that can communicate with devices on the unRAID server subnet. Sorry for the confusion.

I did misstate one thing in my first post. The VLAN/host separation is a Docker restriction, not a macvlan restriction, although, at the end of the day, it is just semantics and there are ways around this with router/switch configuration.

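The host-to-container restriction the two posts above are circling, as an added example that is not part of the thread and not unRAID's own code: the Linux macvlan driver will not pass traffic between a parent interface's own IP stack and the macvlan children hanging off it. So when the unRAID host itself holds an address on br0.50, it cannot reach a Docker container attached to br0.50, even though every other device on that VLAN can. Traffic that goes through the router (host on VLAN 10, router, container on VLAN 50, the path adminmat's trunk fix repaired) is unaffected. The usual workaround is a second macvlan interface on the same parent (a "shim") that the host uses instead of the parent, plus a route for the container subnet pointing at it. br0.50 and 192.168.50.0/24 come from the thread; the shim name, the shim address 192.168.50.254 and running this from the unRAID go file are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from unRAID. Builds a macvlan "shim"
# so the unRAID host can talk to Docker macvlan containers on the same VLAN
# sub-interface. The kernel drops frames between a macvlan parent's own stack
# and its macvlan children, but it does forward between two macvlan children
# in bridge mode; the shim is simply a second child that belongs to the host.
set -eu

PARENT=${PARENT:-br0.50}            # VLAN sub-interface Docker uses as macvlan parent (thread)
SUBNET=${SUBNET:-192.168.50.0/24}   # container subnet on that VLAN (thread)
SHIM_IP=${SHIM_IP:-192.168.50.254}  # ASSUMED free address on the VLAN for the host-side shim
SHIM=${SHIM:-shim-$PARENT}          # ASSUMED interface name for the shim

# Emit the commands that create the shim; kept separate from execution so the
# plan can be reviewed (and tested) without root.
#   $1 parent interface   $2 shim name   $3 shim address   $4 container subnet
# The /32 address keeps the shim from claiming the whole subnet; the explicit
# route is what steers container-bound traffic through it instead of the parent.
shim_commands() {
  cat <<EOF
ip link add $2 link $1 type macvlan mode bridge
ip addr add $3/32 dev $2
ip link set $2 up
ip route add $4 dev $2
EOF
}

# Emit the teardown; deleting the link also removes the route attached to it.
shim_teardown_commands() {
  printf 'ip link del %s\n' "$1"
}

case ${1:-show} in
  show)
    shim_commands "$PARENT" "$SHIM" "$SHIM_IP" "$SUBNET"
    ;;
  apply)
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
    shim_commands "$PARENT" "$SHIM" "$SHIM_IP" "$SUBNET" | sh -e
    # The container subnet should now be listed against the shim, not the parent.
    ip route show dev "$SHIM"
    ;;
  remove)
    shim_teardown_commands "$SHIM" | sh -e
    ;;
  *)
    echo "usage: $0 [show|apply|remove]" >&2
    exit 1
    ;;
esac
```

Run it with no argument to see the commands, `apply` as root to create the shim, `remove` to undo it. Nothing here survives a reboot on unRAID, so it would have to be re-run from /boot/config/go or a startup script (assumed). Treat the shim as a deliberate hole in the separation Hoopster describes: once it exists, a compromised container on br0.50 can reach whatever the host listens on at the shim address, so only add it when host-to-container traffic is actually needed, and firewall the host accordingly. Later unRAID releases expose the same mechanism as a "Host access to custom networks" option in the Docker settings.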
  • 5 weeks later...

I have another question about VLAN config. I have many docker containers running, and I don't want each container to have a different IP address. If I add VLAN 10 for unRAID itself and give it the IP 192.168.6.10, is it possible to let containers bind/listen on the bridge at 192.168.6.10? If I select the default setting (bridge, not custom: br0.10), will it work?

  • 1 month later...

Having trouble getting br0.5 showing up in the Docker 'Network Type' dropdown. I only see br0.

 

Network Settings
Enable VLANs: Yes
VLAN number: 5
Interface description: Docker VLAN
Network protocol: IPv4 only
IPv4 address assignment: Static
IPv4 address: 192.168.5.0
IPv4 default gateway: 192.168.5.1

Routing Table (protocol, route, gateway/interface, metric)
IPv4  default          192.168.1.1 via br0    1
IPv4  default          192.168.5.1 via br0.5  2
IPv4  172.17.0.0/16    docker0                1
IPv4  192.168.1.0/24   br0                    1
IPv4  192.168.5.0/24   br0.5                  1
IPv6  ::1              lo                     256
IPv6  fd00:0:0:1::/64  br0                    256

Docker Settings
Docker version: 18.09.6
Docker vDisk location: /mnt/cache/docker.img
Default appdata storage location: /mnt/user/appdata/
Docker LOG rotation: Enabled
Preserve user defined networks: No
IPv4 custom network on interface br0:
Subnet: 192.168.1.0/24  Gateway: 192.168.1.1  DHCP pool: 192.168.1.128/26 (64 hosts)
IPv4 custom network on interface br0.5:
Subnet: 192.168.5.0/24  Gateway: 192.168.5.1  DHCP pool: 192.168.5.128/26 (64 hosts)

docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
92afbb695547        br0                 macvlan             local
37e5ee6e805d        bridge              bridge              local
ea7a550c1b45        host                host                local
bd960ef7eb26        none                null                local

Any ideas why I can't see br0.5 in docker network ls or the dropdown? I've tried running 'rm /var/lib/docker/network/files/local-kv.db; /etc/rc.d/rc.docker restart' but that didn't help. Any ideas?

23 minutes ago, Weavus said:

Having trouble getting br0.5 showing up in the Docker 'Network Type' dropdown. I only see br0.

 


[quoted network settings, routing table, Docker settings and docker network ls output as in the post above]

I have set up my VLAN in network settings (without a static IP for unraid server)

 

Then stop Docker, go to Settings / Docker, advanced view, and there you should be able to choose VLANs for Docker. After that, you will see them in every container.

 

 

35 minutes ago, jowe said:

I have set up my VLAN in network settings (without a static IP for unraid server)

Then stop Docker, go to Settings / Docker, advanced view, and there you should be able to choose VLANs for Docker. After that, you will see them in every container.

I have the VLAN listed in my Docker settings as shown above and br0.5 is listed on the Docker settings page. However Docker network ls or the 'Network Type' dropdown on container templates is not showing it.

38 minutes ago, Weavus said:

I have the VLAN listed in my Docker settings as shown above and br0.5 is listed on the Docker settings page. However Docker network ls or the 'Network Type' dropdown on container templates is not showing it.

That's strange.

I just tried to enable/disable br0, and if I mark the checkbox and start Docker, it instantly shows up as a choice in any container, or disappears if I disable the checkbox. br0 is not a VLAN; all the others are.

 

[screenshot]

On 1/3/2020 at 3:51 PM, Weavus said:

Having trouble getting br0.5 showing up in the Docker 'Network Type' dropdown. I only see br0.

Can you post a screenshot of your network settings and a screenshot of your Docker settings (docker service stopped and advanced view)

  • 2 months later...
On 1/4/2020 at 2:37 AM, Weavus said:

I have the VLAN listed in my Docker settings as shown above and br0.5 is listed on the Docker settings page. However Docker network ls or the 'Network Type' dropdown on container templates is not showing it.

I have the same problem. Did you find a solution?

  • 2 weeks later...
33 minutes ago, ken-ji said:

@noski @NKnusperer Did you add the network to the Docker settings? Make sure to have the array stopped and to toggle the Advanced view in the upper right corner.

[screenshot]

RESOLVED !

 

The problem was that I entered the wrong Gateway IP in the Docker settings.

This is correct:


Subnet: 192.168.50.0/24
Gateway: 192.168.50.1

However I used 192.168.1.1 as Gateway.

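What the Docker settings page in Weavus's post configures underneath, as an added example that is not part of the thread and not unRAID's own code: each "IPv4 custom network on interface br0.N" entry is a Docker macvlan network named after the interface (which is why br0 appears in docker network ls with the macvlan driver), with the subnet, gateway and "DHCP pool" corresponding to docker's --subnet, --gateway and --ip-range. The script below emits that docker network create command for Weavus's VLAN 5 settings and first checks the two things that quietly break it: a gateway outside the subnet (NKnusperer's mistake above, which Docker's IPAM refuses) and a pool outside the subnet. The subnet arithmetic is plain shell so the checks run without Docker; network_present parses docker network ls output and is exercised with the listing Weavus posted.

```shell
#!/bin/sh
# Added example, not from the thread or from unRAID. Reproduces the Docker
# macvlan network behind unRAID's "IPv4 custom network on interface br0.5"
# setting and validates gateway and pool against the subnet before emitting it.
set -eu

# Dotted quad -> unsigned 32-bit integer (shell arithmetic is 64-bit, so no overflow).
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeeds when address $1 lies inside CIDR $2 (e.g. 192.168.5.1 192.168.5.0/24).
in_subnet() {
  net=${2%/*}
  prefix=${2#*/}
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Print the docker command matching one unRAID custom network:
#   $1 parent interface (unRAID also uses it as the network name)
#   $2 subnet   $3 gateway   $4 "DHCP pool" (docker's --ip-range)
# Fails with a diagnosis instead of emitting a command docker would reject.
macvlan_network_cmd() {
  if ! in_subnet "$3" "$2"; then
    echo "gateway $3 is not inside $2 (docker IPAM rejects this)" >&2
    return 1
  fi
  if ! in_subnet "${4%/*}" "$2"; then
    echo "ip-range $4 is not inside $2" >&2
    return 1
  fi
  printf 'docker network create -d macvlan --subnet %s --gateway %s --ip-range %s -o parent=%s %s\n' \
    "$2" "$3" "$4" "$1" "$1"
}

# Read `docker network ls` output on stdin; succeed if $1 exists as a macvlan network.
network_present() {
  awk -v n="$1" '$2 == n && $3 == "macvlan" { found = 1 } END { exit found ? 0 : 1 }'
}

# Weavus's VLAN 5 settings from the thread, then NKnusperer's bad gateway for contrast
# (the second call prints the diagnosis on stderr and emits no command).
macvlan_network_cmd br0.5 192.168.5.0/24 192.168.5.1 192.168.5.128/26
macvlan_network_cmd br0.50 192.168.50.0/24 192.168.1.1 192.168.50.128/26 || true

# To create the network on the unRAID host (Docker service running, as root):
#   macvlan_network_cmd br0.5 192.168.5.0/24 192.168.5.1 192.168.5.128/26 | sh -e
#   docker network ls | network_present br0.5 && echo "br0.5 is now a macvlan network"
```

On unRAID the Docker settings page issues the equivalent of this command for you when the service starts; creating the network by hand is mainly useful for seeing exactly what Docker is asked to build and why it refused. A parent that the Docker service cannot see (a VLAN sub-interface that does not exist yet, or a network that was added while the service was already running) is the other common reason the interface never shows up in docker network ls, which is why the replies above insist on stopping Docker before editing the settings.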
  • 2 months later...

Is it possible to leave the unRAID GUI and UniFi docker container on VLAN 1 untagged, have all the other docker containers on another VLAN, and have those other docker containers share the same IP address?

 

I want to avoid having to update the IP address of each docker to docker connection with a unique IP address and would like to reduce the noise when viewing my Router's DHCP lease table (and not see a client for each docker container). 

  • 1 year later...

I know this thread is very old but I haven’t found any other discussions along these topics. I have read through it and am left with a couple of questions I’m hoping someone can answer.

 

1. In @bonienl’s original post he mentions that it’s also possible to use spare ethernet ports on the unRAID server to accomplish this but doesn’t give any details on that procedure. I don’t have any current plans to do this but would like to know how just in case?

 

2. Is it possible to add dockers and VMs to the same VLAN? I have created a security camera VLAN and added my Frigate docker to it but would also like to add my Home Assistant VM to the same VLAN. Maybe 2 bridges both assigned to the same VLAN?

 

3. Is the number of VLAN and bridge assignments limited? I can see that it might be useful to have several different VLANs for dockers to be grouped.

23 hours ago, wgstarks said:

2. Is it possible to add dockers and VMs to the same VLAN? I have created a security camera VLAN and added my Frigate docker to it but would also like to add my Home Assistant VM to the same VLAN. Maybe 2 bridges both assigned to the same VLAN?

 

3. Is the number of VLAN and bridge assignments limited? I can see that it might be useful to have several different VLANs for dockers to be grouped.

 

2. Yeah, no reason that should be a problem. The original post is very old, I see the UI is different now, do you see how you can add them to the same?

 

3. The 802.1Q standard allows for 4096 VLANs, I assume the limit in unraid isn't lower than that. I don't know anything about bridge assignments, that doesn't apply to VLANs on my machine (again, five year old post).

2 hours ago, Ademar said:

2. Yeah, no reason that should be a problem. The original post is very old, I see the UI is different now, do you see how you can add them to the same?

I haven’t had a chance to give this a try. Maybe it’s possible to just assign the VM to the same bridge as the dockers are using?

 

2 hours ago, Ademar said:

3. The 802.1Q standard allows for 4096 VLANs, I assume the limit in unraid isn't lower than that. I don't know anything about bridge assignments, that doesn't apply to VLANs on my machine (again, five year old post).

Doubt I’ll ever need more than 5 or 6. 😁


1. This is possible.

As long as the spare interfaces are configured without IP addresses, network isolation on those interfaces is enforced, though on the IP level only.

[screenshot]

 

2. I rarely do it since my config uses br1.3 for my docker containers, and my VMs on br0.3, but nothing is preventing the VM and docker container from sharing the same bridge interface.

My Docker container:

[screenshot]

My VM:

[screenshot]

From the VM:

[screenshot]

3 hours ago, ken-ji said:

2. I rarely do it since my config uses br1.3 for my docker containers, and my VMs on br0.3, but nothing is preventing the VM and docker container from sharing the same bridge interface.

Thanks. I have a camera VLAN setup so that I can isolate them. Running Home Assistant in a VM that I want to add to the same VLAN just to minimize router traffic. I’ll just have to setup some special pass rules in pfsense for it since it will need internet access.

  • 1 year later...
On 2/6/2022 at 12:29 PM, wgstarks said:

Thanks. I have a camera VLAN setup so that I can isolate them. Running Home Assistant in a VM that I want to add to the same VLAN just to minimize router traffic. I’ll just have to setup some special pass rules in pfsense for it since it will need internet access.

Hi, I am new to networking and pfSense. I have pfSense installed on an HP T620 with a 4 gig NIC (1 spare for cameras) and unRAID on its own PC. I see that you have a camera VLAN set up. I have the Frigate NVR docker with 4 cameras. Are you able to share how you connected the camera VLAN to pfSense, or give guidance on where to look? Does pfSense have to be installed in unRAID for this to work?

1 hour ago, mikey6283 said:

Are you able to share how you connected the camera VLAN to pfSense, or give guidance on where to look? Does pfSense have to be installed in unRAID for this to work?

I created a VLAN in pfsense and configured my ethernet switch to allow both LAN and VLAN traffic to the unRAID server with port tagging. You’ll have to have a switch that supports this.

2 hours ago, wgstarks said:

I created a VLAN in pfsense and configured my ethernet switch to allow both LAN and VLAN traffic to the unRAID server with port tagging. You’ll have to have a switch that supports this.

Sir, thank you for your reply. I have a TL-SG108E switch to which unRAID is connected, so I can create VLANs on pfSense. Would you be able to give me some pointers or an image of your pfSense/switch setup? This would be helpful.
