macvlan not passing back bridged traffic #2587
Comments
I noticed the same issue. Good to know that further tests are useless. I hope that this issue will be solved soon.
I can't tell if this is an intentional design or actually a bug.
I'd like to run a docker container that operates a layer 2 bridge to its host's wired LAN. This will let me encapsulate the VPN setup into a nice composable docker image. However, I can't figure out how to persuade macvlan to actually pass over traffic from a bridge running in the container. This is my setup:

```shell
sudo docker network create -d macvlan --subnet=10.0.0.0/24 --gateway=10.0.0.1 -o parent=eth0 macnet32
```
Start image here:
```shell
sudo docker run -it --rm --net=macnet32 --privileged --cap-add=NET_ADMIN --cap-add=SYS_ADMIN --device=/dev/net/tun balenalib/rpi-raspbian:stretch
```
Install tools we might need:
At this point, I have a virtualized MAC address.
I can also see broadcast traffic on the docker host's LAN if I snoop using tcpdump on eth0. So far so good.
Next, I reconfigure eth0 onto a bridge:
Now I can tcpdump on br0, see the hosts network traffic, etc. Good so far.
The problem comes when I add a virtual NIC from ZeroTier into br0:
Once I do this, the docker container can see traffic and IP addresses both locally and on the VPN and can freely ping and TCP connect to services both on the LAN and within the virtual network. Nodes on the VPN network are able to see broadcast traffic originating from the docker host's physical network. So packets are flowing from the docker host's LAN to the br0 device inside the docker container and then getting pushed out to the VPN. But this appears to be one way only -- traffic on the VPN network is not getting mirrored back to the docker host's local LAN. For instance, if I ping a client on the VPN network from the local host network, I can see the ARP requests for that IP address appear at that remote client as it should. However, traffic does not pass back from the VPN to the local host network. Thus I can't ping or connect between the networks.
Is this a limitation of macvlan?
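The one-way behaviour reported above follows from how the macvlan driver demultiplexes received frames: a frame arriving on the parent interface is handed to a child only if it is broadcast/multicast or its destination MAC is that child's own MAC. A bridge port, by contrast, is promiscuous and forwards by its learned forwarding table. So LAN broadcasts (ARP requests) do reach br0 and the VPN, as observed, but a unicast frame addressed to a MAC that lives behind br0 is dropped before the bridge inside the container ever sees it. The model below is an added example written for this page, not code from the issue reporter, Docker or ZeroTier; all MAC addresses and frames in it are constructed.

```python
"""Why a macvlan endpoint cannot act as a transparent bridge port.

Added example (not from the issue, Docker or ZeroTier). It models the
macvlan receive path: frames arriving on the parent interface are
demultiplexed by destination MAC, so a child interface only ever sees
broadcast/multicast frames and unicast frames addressed to its own MAC.
A real bridge port is promiscuous and forwards by its learned FDB.
All MAC addresses and frames below are constructed.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed addresses for the scenario in the issue.
MACVLAN_MAC = "02:42:0a:00:00:05"   # the container's macvlan child interface
LAN_HOST_MAC = "aa:bb:cc:00:00:01"  # a host on the wired LAN
VPN_NODE_MAC = "de:ad:be:ef:00:02"  # a node reachable only through br0 / ZeroTier


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    desc: str


def is_group_address(mac: str) -> bool:
    """Broadcast or multicast: the I/G bit is bit 0 of the first octet."""
    return int(mac.split(":")[0], 16) & 1 == 1


def macvlan_child_receives(frame: Frame, child_mac: str) -> bool:
    """Receive-path decision of the macvlan driver for one child interface.

    Broadcast and multicast are delivered to every child; a unicast frame
    is delivered only to the child whose MAC equals the destination.
    Unicast to any other MAC (e.g. a host behind a bridge inside the
    container) is not delivered, whatever that bridge has learned.
    """
    if is_group_address(frame.dst):
        return True
    return frame.dst.lower() == child_mac.lower()


def bridge_port_receives(frame: Frame) -> bool:
    """A bridge port is promiscuous: every frame on the wire reaches the
    bridge, which then forwards it according to its learned FDB."""
    return True


def compare(frames, child_mac=MACVLAN_MAC):
    """Per frame: (description, delivered by macvlan?, delivered by bridge port?)."""
    return [
        (f.desc, macvlan_child_receives(f, child_mac), bridge_port_receives(f))
        for f in frames
    ]


def blocked_by_macvlan(frames, child_mac=MACVLAN_MAC):
    """Descriptions of frames a bridge port would forward but macvlan drops."""
    return [d for d, mv, br in compare(frames, child_mac) if br and not mv]


# Constructed traffic for the round trip described in the issue: a LAN host
# tries to reach a VPN node through the bridge inside the container.
SAMPLE_FRAMES = [
    Frame(LAN_HOST_MAC, BROADCAST, "ARP request from LAN host for the VPN node"),
    Frame(LAN_HOST_MAC, VPN_NODE_MAC, "ICMP echo from LAN host to VPN node"),
    Frame(LAN_HOST_MAC, MACVLAN_MAC, "TCP SYN from LAN host to the container itself"),
]

if __name__ == "__main__":
    for desc, mv, br in compare(SAMPLE_FRAMES):
        print(f"{desc:48s} macvlan={'deliver' if mv else 'DROP':7s} "
              f"bridge-port={'deliver' if br else 'DROP'}")
    print("blocked by macvlan:", blocked_by_macvlan(SAMPLE_FRAMES))
```

Running it shows the ARP request (broadcast) and the SYN addressed to the container's own MAC being delivered, while the unicast echo addressed to the VPN node's MAC is dropped by macvlan even though a bridge port would have forwarded it. That is the half of the round trip that macvlan's demux alone is guaranteed to block, which is why a macvlan endpoint cannot stand in for a bridge port on the host's LAN.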