Firewall blocking WAN traffic to macvlan networked container

I am running a traefik docker container on a macvlan network so that I can use it as a reverse proxy for services in my local network without monopolizing ports 80,443 on my NAS. So the container has its own IP on my LAN, and is exposing ports 80 and 443. I have created both the traefik container and the macvlan network using docker-compose. I am forwarding a port from my router to port 443 on traefik's IP. However, WAN traffic is unable to reach traefik via the forwarded port from the router when the Synology firewall is enabled.

To be clear, this is not yet another question about host/macvlan networking, this is about traffic coming from the internet.

Diagnostics:
  • Outgoing traffic from traefik is fine
  • From my LAN, I am able to reach services behind traefik on 443 using its IP, so I know traefik is working properly and accepting traffic.
  • From WAN, if firewall is disabled, I am able to reach services behind traefik using the port I've forwarded from the router, so I know the router is not the issue.
  • From WAN, if firewall is enabled, I am unable to connect to traefik. Running nmap on my external IP shows that the previously open port is now filtered, further confirming that the firewall is indeed the issue here.
Now the question: What to allow in firewall to open this port on the traefik container to WAN traffic? As far as I understood, traffic to the macvlan IP should bypass the Synology firewall entirely but that's obviously not happening here.

Minimal docker-compose:
```yaml
services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    networks:
      macvlan:
        ipv4_address: 192.168.1.10
networks:
  macvlan:
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: 192.168.1.0/24
          gateway: 192.168.1.1
          ip_range: 192.168.1.10/31
          aux_addresses:
            host: 192.168.1.11
```

ETA: My firewall profile allows all traffic to 80,443 on all interfaces, so I expected this to include the macvlan services.
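As an added example (not code from the thread or from Synology/Docker), a small Python sanity check over the ipam block above: it verifies that the static container address sits inside `ip_range`, that `ip_range` sits inside `subnet`, that the gateway is in the subnet but outside `ip_range`, and that the host's `aux_addresses` entry does not collide with a container address. The values are constructed from the compose file in the post.

```python
import ipaddress
from typing import Dict, List

# Constructed from the compose file above (assumed to match the post).
MACVLAN_IPAM = {
    "subnet": "192.168.1.0/24",
    "gateway": "192.168.1.1",
    "ip_range": "192.168.1.10/31",
    "aux_addresses": {"host": "192.168.1.11"},
}
CONTAINER_ADDRESSES = {"traefik": "192.168.1.10"}


def check_macvlan_ipam(ipam: Dict, containers: Dict[str, str]) -> List[str]:
    """Return a list of problems found in a macvlan ipam block (empty = OK)."""
    problems: List[str] = []
    subnet = ipaddress.ip_network(ipam["subnet"])
    ip_range = ipaddress.ip_network(ipam["ip_range"])
    gateway = ipaddress.ip_address(ipam["gateway"])

    # The range Docker hands out (or that static addresses come from) must be
    # part of the LAN subnet the parent interface is attached to.
    if not ip_range.subnet_of(subnet):
        problems.append(f"ip_range {ip_range} is not inside subnet {subnet}")

    # The gateway is the LAN router; it must be reachable in the subnet and
    # must never be handed to a container.
    if gateway not in subnet:
        problems.append(f"gateway {gateway} is outside subnet {subnet}")
    elif gateway in ip_range:
        problems.append(f"gateway {gateway} lies inside ip_range {ip_range}")

    # Every statically assigned container address must lie in ip_range.
    used: Dict[ipaddress.IPv4Address, str] = {}
    for name, addr in containers.items():
        ip = ipaddress.ip_address(addr)
        if ip not in ip_range:
            problems.append(f"{name}: {ip} is outside ip_range {ip_range}")
        used[ip] = name

    # aux_addresses reserve IPs (e.g. the host-side macvlan shim); they must
    # be in the subnet and must not duplicate a container or the gateway.
    for label, addr in ipam.get("aux_addresses", {}).items():
        ip = ipaddress.ip_address(addr)
        if ip not in subnet:
            problems.append(f"aux {label}: {ip} is outside subnet {subnet}")
        if ip in used:
            problems.append(f"aux {label}: {ip} collides with container {used[ip]}")
        if ip == gateway:
            problems.append(f"aux {label}: {ip} is the gateway address")
    return problems
```

With the thread's values the check returns no problems; moving traefik to 192.168.1.11 would report a collision with the reserved host address.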
 
Yes and no. The parent interface is still responsible to connect the "virtual macvlan switch" with the real network. I would be surprised if a macvlan child interface would completely bypass a host(!) firewall. After all a container is just a jailed process on the host, unlike a vm which acts as a standalone computer.

Since your router forwards the traffic from its wan port to the port of the macvlan child interface, you would need to allow all source ips that should be able to access the container. Unless you know the ip-ranges for the geo locations you want to allow, you can only go with 0.0.0.0/0, which ultimately allows the whole internet to connect to your traefik container.
 
Thanks for the reply. Indeed it makes sense that the host still ultimately controls traffic to the container even if it’s connected to a macvlan. I’m happy to allow access to the whole internet for now, but I haven’t been able to allow access to any of the internet! The synology firewall UI is very simple, basically just select which ports to open, but the issue is that I don’t know which ports to choose in this case because they are not (obviously) ports on the host.

Or does this need to be solved at a deeper level than that?
 
I am not using macvlan, so I can't really tell you whether the macvlan interface pops up when you edit firewall rules.

If it's in the list, then you would need to configure:

Ports: Type "destination port", Protocol "TCP", Ports: "443"
Source IP: would be either all or the locations of your choice.

If it's not in the list: no idea.
 
I can confirm it's not in the list. All I've got are the following:
[attached screenshot: list of interfaces offered in the Synology firewall rule editor]

Worth noting that I'm already allowing all traffic to 80,443 under All interfaces, so I would have expected that to cover it, but apparently not.

It's also not really clear to me how these interfaces map to interfaces output by ifconfig for example
 