Hi
Stock nginx built into Synology DSM won’t cut it, so I decided to install Nginx Proxy Manager. Before doing so, I created a macvlan and assigned the NPM container to use the assigned IP. Once install is finished, and I try to launch NPM, it fails to load. I tried the same install without macvlan, and it works and loads just fine. I have installed many other containers on macvlan, so I know what I am doing and have the knowledge and experience, but I have never run into this before where there seems to be a conflict I am not aware of.
Help? Anyone?
Not really related to your post, but you’ve marked your own account as a bot, I recommend you to remove that flag in settings.
You shouldn’t have conflicts with the DSM ngnix after setting up a macvlan on a Synology.
Saying that, there are a few more steps you have to do to get it working. I’ve done it successfully on my Synology. Here is a guide I wrote for traefik in my notes. Also see the references for additional explanations.
I apologize for the formatting. I am on my phone.
Introduction
Long story short, Traefik uses ports 80 and 440. On the Synology NAS (from DSM 7 and upwards), those ports are occupied by the OS. There are two options to solve this issue:
Reroute all traffic on 80 and 443 on the router to a new port
Pros: no need for a VLAN (see 2.). Cons: need to expose all services on the Synology via Traefik Create a MAC VLAN + bridge, attach the docker container to it and assign an IP
Pros: Cleaner approach as the docker container gets assigned a new IP Cons: More complicated
This guide will discuss option 2.
Preparation
IP Reservation
Before we begin, some ip configuration is necessary. First you must configure any DHCP service on your network such that it will not assign addresses in a given range. This guide assumes you already have your raspberry pi set up as your DHCP service (and turned DHCP off in your router). Go to your pi-hole admin page and go to settings→DHCP.
Figure: DHCP Settings on the Pi-Hole
Here an IP range of 192.168.2.50-192.168.2.199 has been reserved by the pi-hole to be assigned. This leaves addresses 192.168.2.2-192.168.2.49 and 192.168.2.200-192.168.2.254 to us to use. I shall use the tail end of the range 192.168.2.200-192.168.2.254.
MACVLANs
The following is specifically for those that have a Synology NAS with a single ethernet port. This port should be designated eth0. To be sure, check using the following command:
ip link show
Figure 2: List of IP links available
Note: If you have multiple ethernet ports and have already set up a bond, follow this guide: https://blog.alexis.lc/docker-macvlan-network-synology
We will link our macvlan to this physical port so that information and be routed from outside the NAS to the docker container.
Docker and MACVLANs
Warning! This is the danger zone. If you mess up and/or want to get your network settings back to normal follow these steps. TL;DR: find and press the reset button on the back of your NAS for 4 seconds until you hear a beep, then release.
Now that we have our address range reserved and we know which device we can link our macvlan to, it is time to create our docker network and a macvlan network!
Step 1: Create the necessary docker network:
docker network create -d macvlan \ -o parent=eth0 \ --subnet=192.168.2.0/24 \ --gateway=192.168.2.1 \ --ip-range 192.168.2.200/27 \ --aux-address="host=192.168.2.201" \ dockervlan
–aux-address reserves the address from our subnet (this is the new ip my NAS host will be accessed from on the macvlan network)
–ip-range is the range of IPs that can be assigned by docker
–gateway the gateway docker will use to communicate with the world (this is my router address)
–subnet the macvlan’s subnet we will be creating
-o parent specifies the interface through which we want to comminicate
Synology NAS MACVLAN
The next step is to create a MACVLAN that will act as a new host and network and provide new IP addresses to the containers we attach to it.
First create a MACVLAN and add a fictitious MAC address to it. This is so that if you need to start over, you don’t have multiple virtual nodes popping up in your router
sudo ip link add link eth0 name macvlan0 address 02:42:C0:A8:02:C9 type macvlan mode bridge
Then assign the reserved host address (aux-address from above) to the MACVLAN
sudo ip addr add 192.168.2.201/32 dev macvlan0
Spin up the MACVLAN
sudo ip link set macvlan0 up
Allow routing to the subnet
sudo ip route add 192.168.2.200/29 dev macvlan0
Now you should see a new host on your network with ip 192.168.2.201 and MAC address 02:42:C0:A8:02:C9
Make sure the synology can get packets to the macvlan subnet
sudo iptables -A INPUT -s 192.168.2.200/29 -j ACCEPT &&
sudo iptables -A OUTPUT -d 192.168.2.200/29 -j ACCEPT &&
sudo iptables -A FORWARD -s 192.168.2.200/29 -j ACCEPT &&
sudo iptables -A FORWARD -d 192.168.2.200/29 -j ACCEPTTraefik with a new IP
To assign Traefik it’s own IP so that the NAS does not interfere with traefik (by taking up ports 80 and 443) add the following to your docker compose:
service: . . networks: default: #eth0 linked network traefik-net: #traefik’s network proxy: #proxy network mac_address: “02:42:C0:A8:02:C9” . . . #define networks networks: traefik-net: external: true proxy: external: true default: external: name: “dockervlan”
Note the 3 networks:
default/dockervlan this docker network is the subnet that exists in the router and is linked to eth0. This manages all external communication
proxy socket-proxy docker network (never to be exposed)
traefik-net the network any container will use in order to communicate with traefik
Sources:
https://blog.oddbit.com/post/2018-03-12-using-docker-macvlan-networks/
https://community.synology.com/enu/forum/1/post/133969?page=2&sort=oldest
https://www.reddit.com/r/synology/comments/s5j9d8/howto_vlan_configuration_with_docker/
What’s the main kicker here? Reading this over, it sounds like you’re saying to create two macvlans, but I only see an execution of one? I am confused brother
Sorry. I wrote it for my notes and wasn’t necessarily polished for external use.
The basic gist of it is:
-
Reserve your IP range
-
Create the docker network (compatible with MACVLANs)
-
Create the macvlan on your Synology
-
Set up your container with the new network
-
I appreciate the heck out of you for trying, but my god this confuses the crap out of me even more lol. I’ve read it over several times, and I am just not connecting the dots ☹️
- conflicting ports? Do you already use the mapped ports?
- Macvlan prevents communication from the docker host to the macvlan IP and vice versa. Depending on how and from where you access the macvlan IP, it might not work natively.
- Is NPM starting correctly? No errors in the container logs?
Looks like you’ve marked your own account as a bot, I recommend you to remove that flag in settings.
I’m not sure, but there certainly must be a conflict with the built-in DSM Nginx.
There are zero error logs.
Usually, when using macvlan, the ports should not conflict as the container obtains a new, separate IP address. What happens if you use bridge networt and manually map the port 80 and 443 port to a random one on your synology like 8888 and 9999?
What happens if you use bridge networt and manually map the port 80 and 443 port to a random one on your synology like 8888 and 9999? Can you then access these ports?
Not exactly sure how to do that. Yes, you’re right, I created a whole new container and for some reason it doesn’t load. Without macvlan IP it loads fine, with the macvlan it just refuses to load.