Hi

Stock nginx built into Synology DSM won’t cut it, so I decided to install Nginx Proxy Manager. Before doing so, I created a macvlan and assigned the NPM container to use the assigned IP. Once the install is finished and I try to launch NPM, it fails to load. I tried the same install without macvlan, and it works and loads just fine. I have installed many other containers on macvlan, so I know what I am doing and have the knowledge and experience, but I have never run into this before where there seems to be a conflict I am not aware of.

Help? Anyone?

  • Rikudou_Sage@lemmings.world · 1 year ago

    Not really related to your post, but you’ve marked your own account as a bot, I recommend you to remove that flag in settings.

  • isleepbad@alien.topB · 1 year ago

    You shouldn’t have conflicts with the DSM nginx after setting up a macvlan on a Synology.

    Saying that, there are a few more steps you have to do to get it working. I’ve done it successfully on my Synology. Here is a guide I wrote for traefik in my notes. Also see the references for additional explanations.

    I apologize for the formatting. I am on my phone.

    Introduction

    Long story short, Traefik uses ports 80 and 440. On the Synology NAS (from DSM 7 and upwards), those ports are occupied by the OS. There are two options to solve this issue:

    1. Reroute all traffic on 80 and 443 on the router to a new port

       Pros: no need for a VLAN (see 2.). Cons: need to expose all services on the Synology via Traefik

    2. Create a MAC VLAN + bridge, attach the docker container to it and assign an IP

       Pros: Cleaner approach as the docker container gets assigned a new IP. Cons: More complicated

    This guide will discuss option 2.

    Preparation

    IP Reservation

    Before we begin, some IP configuration is necessary. First you must configure any DHCP service on your network such that it will not assign addresses in a given range. This guide assumes you already have your Raspberry Pi set up as your DHCP service (and turned DHCP off in your router). Go to your Pi-hole admin page and go to Settings → DHCP.

    Figure: DHCP Settings on the Pi-Hole

    Here an IP range of 192.168.2.50-192.168.2.199 has been reserved by the pi-hole to be assigned. This leaves addresses 192.168.2.2-192.168.2.49 and 192.168.2.200-192.168.2.254 to us to use. I shall use the tail end of the range 192.168.2.200-192.168.2.254.

    MACVLANs

    The following is specifically for those that have a Synology NAS with a single ethernet port. This port should be designated eth0. To be sure, check using the following command:

    ip link show

    Figure 2: List of IP links available

    Note: If you have multiple ethernet ports and have already set up a bond, follow this guide: https://blog.alexis.lc/docker-macvlan-network-synology

    We will link our macvlan to this physical port so that information can be routed from outside the NAS to the docker container.

    Docker and MACVLANs

    Warning! This is the danger zone. If you mess up and/or want to get your network settings back to normal follow these steps. TL;DR: find and press the reset button on the back of your NAS for 4 seconds until you hear a beep, then release.

    Now that we have our address range reserved and we know which device we can link our macvlan to, it is time to create our docker network and a macvlan network!

    Step 1: Create the necessary docker network:

     docker network create -d macvlan \
       -o parent=eth0 \
       --subnet=192.168.2.0/24 \
       --gateway=192.168.2.1 \
       --ip-range 192.168.2.200/27 \
       --aux-address="host=192.168.2.201" \
       dockervlan


    --aux-address reserves the address from our subnet (this is the new IP my NAS host will be accessed from on the macvlan network)

    --ip-range is the range of IPs that can be assigned by docker

    --gateway the gateway docker will use to communicate with the world (this is my router address)

    --subnet the macvlan’s subnet we will be creating

    -o parent specifies the interface through which we want to communicate

    Synology NAS MACVLAN

    The next step is to create a MACVLAN that will act as a new host and network and provide new IP addresses to the containers we attach to it.

    First create a MACVLAN and add a fictitious MAC address to it. This is so that if you need to start over, you don’t have multiple virtual nodes popping up in your router.

    sudo ip link add link eth0 name macvlan0 address 02:42:C0:A8:02:C9 type macvlan mode bridge

    Then assign the reserved host address (aux-address from above) to the MACVLAN

    sudo ip addr add 192.168.2.201/32 dev macvlan0

    Spin up the MACVLAN

    sudo ip link set macvlan0 up

    Allow routing to the subnet

    sudo ip route add 192.168.2.200/29 dev macvlan0

    Now you should see a new host on your network with ip 192.168.2.201 and MAC address 02:42:C0:A8:02:C9

    Make sure the Synology can get packets to the macvlan subnet

    sudo iptables -A INPUT -s 192.168.2.200/29 -j ACCEPT &&
    sudo iptables -A OUTPUT -d 192.168.2.200/29 -j ACCEPT &&
    sudo iptables -A FORWARD -s 192.168.2.200/29 -j ACCEPT &&
    sudo iptables -A FORWARD -d 192.168.2.200/29 -j ACCEPT

    Traefik with a new IP

    To assign Traefik its own IP so that the NAS does not interfere with traefik (by taking up ports 80 and 443) add the following to your docker compose:

    services:
      ...
        networks:
          default:       # eth0 linked network
          traefik-net:   # traefik's network
          proxy:         # proxy network
        mac_address: "02:42:C0:A8:02:C9"
        ...

    # define networks
    networks:
      traefik-net:
        external: true
      proxy:
        external: true
      default:
        external:
          name: "dockervlan"

    Note the 3 networks:

    default/dockervlan: this docker network is the subnet that exists in the router and is linked to eth0. This manages all external communication

    proxy: socket-proxy docker network (never to be exposed)

    traefik-net: the network any container will use in order to communicate with traefik

    Sources:

    https://blog.oddbit.com/post/2018-03-12-using-docker-macvlan-networks/

    https://community.synology.com/enu/forum/1/post/133969?page=2&sort=oldest

    https://www.reddit.com/r/synology/comments/s5j9d8/howto_vlan_configuration_with_docker/
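    The notes above build the address plan by hand: a DHCP exclusion, then --subnet, --ip-range and --aux-address for the docker network, then a macvlan0 shim on the NAS (which is what lets the Synology itself reach container addresses, since macvlan otherwise isolates host and containers). The script below is an added example and is not from the thread or from these notes. It checks such a plan for consistency before anything is created (ip-range inside the subnet, aux-address inside the ip-range, gateway outside it, ip-range inside the DHCP-free block) and prints the resulting commands in dry-run form. It also reports what a prefix such as 192.168.2.200/27 really covers once aligned to its prefix length, which is worth comparing against the DHCP exclusion. The values eth0, 192.168.2.0/24, gateway 192.168.2.1, DHCP-free block 192.168.2.200-192.168.2.254 and the network name dockervlan are assumed from the notes; the fixed MAC address on macvlan0 is left out.

```shell
#!/bin/sh
# Added example, not part of the thread. Sanity-checks a Docker macvlan address
# plan before any ip/docker/iptables command is run, then prints the commands
# from the guide for that plan. Assumed values (taken from the notes above):
# parent eth0, LAN 192.168.2.0/24, gateway 192.168.2.1, DHCP-free block
# 192.168.2.200-192.168.2.254. Pure POSIX sh; nothing here touches the network.

ip_to_int() {                       # a.b.c.d -> 32-bit integer
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {                       # 32-bit integer -> a.b.c.d
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix_mask() {                     # prefix length -> integer netmask
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

cidr_network() {                    # a.b.c.d/n -> first address the kernel/docker use
  addr=${1%/*}; plen=${1#*/}
  int_to_ip $(( $(ip_to_int "$addr") & $(prefix_mask "$plen") ))
}

cidr_last() {                       # a.b.c.d/n -> last address of that prefix
  addr=${1%/*}; plen=${1#*/}; m=$(prefix_mask "$plen")
  int_to_ip $(( ($(ip_to_int "$addr") & m) | (~m & 0xFFFFFFFF) ))
}

range_for() {                       # a.b.c.d/n -> "first-last" as actually covered
  echo "$(cidr_network "$1")-$(cidr_last "$1")"
}

bounds() {                          # address, prefix or FIRST-LAST -> "first last" ints
  case $1 in
    *-*) echo "$(ip_to_int "${1%-*}") $(ip_to_int "${1#*-}")" ;;
    */*) echo "$(ip_to_int "$(cidr_network "$1")") $(ip_to_int "$(cidr_last "$1")")" ;;
    *)   b=$(ip_to_int "$1"); echo "$b $b" ;;
  esac
}

contains() {                        # contains OUTER INNER: 0 when INNER lies fully inside OUTER
  set -- $(bounds "$1") $(bounds "$2")
  [ "$3" -ge "$1" ] && [ "$4" -le "$2" ]
}

check_plan() {
  # check_plan SUBNET IP_RANGE AUX GATEWAY DHCP_FREE(first-last)
  # Returns 0 when every piece of the plan is consistent, 1 with a reason otherwise.
  subnet=$1; iprange=$2; aux=$3; gw=$4; free=$5
  contains "$subnet" "$iprange" || { echo "ip-range $iprange is outside $subnet" >&2; return 1; }
  contains "$iprange" "$aux"    || { echo "aux-address $aux is outside ip-range $(range_for "$iprange")" >&2; return 1; }
  contains "$subnet" "$gw"      || { echo "gateway $gw is outside $subnet" >&2; return 1; }
  if contains "$iprange" "$gw"; then echo "gateway $gw collides with ip-range" >&2; return 1; fi
  contains "$free" "$iprange"   || { echo "ip-range really covers $(range_for "$iprange"), not inside DHCP-free block $free" >&2; return 1; }
  return 0
}

plan_commands() {
  # plan_commands PARENT SUBNET IP_RANGE AUX GATEWAY NETNAME
  # Prints (never runs) the guide's commands, with the ip-range aligned to its prefix.
  parent=$1; subnet=$2; iprange=$3; aux=$4; gw=$5; name=$6
  aligned="$(cidr_network "$iprange")/${iprange#*/}"
  cat <<EOF
docker network create -d macvlan -o parent=$parent --subnet=$subnet --gateway=$gw --ip-range=$aligned --aux-address="host=$aux" $name
sudo ip link add link $parent name macvlan0 type macvlan mode bridge
sudo ip addr add $aux/32 dev macvlan0
sudo ip link set macvlan0 up
sudo ip route add $aligned dev macvlan0
sudo iptables -A INPUT -s $aligned -j ACCEPT
sudo iptables -A OUTPUT -d $aligned -j ACCEPT
sudo iptables -A FORWARD -s $aligned -j ACCEPT
sudo iptables -A FORWARD -d $aligned -j ACCEPT
EOF
}

# Demo with the plan from the notes: a /29 at .200 passes; first show what a /27 would cover.
echo "192.168.2.200/27 really covers $(range_for 192.168.2.200/27)"
if check_plan 192.168.2.0/24 192.168.2.200/29 192.168.2.201 192.168.2.1 192.168.2.200-192.168.2.254; then
  plan_commands eth0 192.168.2.0/24 192.168.2.200/29 192.168.2.201 192.168.2.1 dockervlan
fi
```

    Run it on any machine with a POSIX shell; it only prints. Once check_plan is silent, the printed lines are the ones to paste into the NAS shell, in that order. Changing the ip-range argument to 192.168.2.200/27 makes check_plan refuse the plan, because that prefix aligns to 192.168.2.192-192.168.2.223 and overlaps the DHCP pool.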

    • Illuminated_Humanoid@alien.topOPB · 1 year ago

      What’s the main kicker here? Reading this over, it sounds like you’re saying to create two macvlans, but I only see an execution of one? I am confused brother

      • isleepbad@alien.topB · 1 year ago

        Sorry. I wrote it for my notes and wasn’t necessarily polished for external use.

        The basic gist of it is:

        1. Reserve your IP range

        2. Create the docker network (compatible with MACVLANs)

        3. Create the macvlan on your Synology

        4. Set up your container with the new network

    • Illuminated_Humanoid@alien.topOPB · 1 year ago

      I appreciate the heck out of you for trying, but my god this confuses the crap out of me even more lol. I’ve read it over several times, and I am just not connecting the dots ☹️

  • sk1nT7@alien.topB · 1 year ago

    • conflicting ports? Do you already use the mapped ports?
    • Macvlan prevents communication from the docker host to the macvlan IP and vice versa. Depending on how and from where you access the macvlan IP, it might not work natively.
    • Is NPM starting correctly? No errors in the container logs?

      • sk1nT7@alien.topB · 1 year ago

        Usually, when using macvlan, the ports should not conflict as the container obtains a new, separate IP address. What happens if you use bridge network and manually map the port 80 and 443 port to a random one on your synology like 8888 and 9999?

        • Illuminated_Humanoid@alien.topOPB · 1 year ago

          What happens if you use bridge network and manually map the port 80 and 443 port to a random one on your synology like 8888 and 9999? Can you then access these ports?

          Not exactly sure how to do that. Yes, you’re right, I created a whole new container and for some reason it doesn’t load. Without macvlan IP it loads fine, with the macvlan it just refuses to load.