
Currently my home network is logically segmented into 2 separate VLANs.

  • LAN (untagged native LAN, 10.20.0.0/16): where all the trusted devices will operate
  • IOT_LAN (tag 30, 10.30.0.0/16): where all the IOT/home entertainment untrusted devices will operate.

At firewall level LAN can access IOT_LAN but not vice versa.

I'm running Docker on a Raspberry Pi 4 connected via an Ethernet cable to a trunk port of my switch. At Raspi level, the native LAN is bound to the eth0 interface while IOT_LAN is bound to eth0.30.

The question here is: is it possible to have 2 different containers running at the same time, one bound to the eth0 interface and the other bound to eth0.30?

For the sake of example, we can say container 1 is an application which needs to be able to access the main LAN network and container 2 is an IOT-specific app which I want to be restricted to the IOT_LAN network.

Thank you

gabric
  • Yes; the `docker run -p` and Docker Compose `ports:` option let you specify a host IP address to bind to. – David Maze Apr 18 '20 at 15:30
  • Thanks @DavidMaze, I've tried that option without any luck. The container is still able to ping devices on `LAN` network – gabric Apr 21 '20 at 09:32

1 Answer


This is how I solved the issue:

I've created a network in the docker-compose.yml file:

# IOT_LAN: a macvlan network whose parent is the tagged sub-interface,
# so attached containers get their own MAC/IP directly on VLAN 30.
networks:
  vlan30:
    driver: macvlan
    driver_opts:
      parent: eth0.30        # VLAN 30 sub-interface on the Raspberry Pi
    ipam:
      config:
        - subnet: 10.30.0.0/16

Each container that needs to stay in the 10.30 network is then attached to the network above using the following syntax:

# Under the service definition: attach only to vlan30 with a fixed address.
networks:
  vlan30:
    ipv4_address: "10.30.0.15"

The IP address gets defined in the docker-compose file and should belong to a reserved range previously created on the router to avoid collisions with DHCP-assigned addresses.

This worked for me. All the containers now belong only to the 10.30 network.

gabric
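The two containers from the question in one docker-compose.yml, as an added example that is not the poster's file: one service sits on a macvlan over the untagged eth0 (LAN), the other on the vlan30 macvlan over eth0.30, so neither container is on Docker's default bridge. The service names, images, `ip_range` values and gateway addresses are assumptions; the subnets and parent interfaces are those stated in the question.

```yaml
services:
  lan_app:                     # container 1: trusted, lives on the native LAN
    image: nginx:alpine        # placeholder image
    networks:
      vlan_lan:
        ipv4_address: "10.20.0.15"

  iot_app:                     # container 2: untrusted, lives only on IOT_LAN
    image: nginx:alpine        # placeholder image
    networks:
      vlan30:
        ipv4_address: "10.30.0.15"

networks:
  vlan_lan:                    # native LAN via the untagged interface
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: 10.20.0.0/16
          ip_range: 10.20.0.0/28   # assumed range excluded from the router's DHCP pool
          gateway: 10.20.0.1       # assumed router address on the LAN

  vlan30:                      # IOT_LAN via the tagged sub-interface
    driver: macvlan
    driver_opts:
      parent: eth0.30
    ipam:
      config:
        - subnet: 10.30.0.0/16
          ip_range: 10.30.0.0/28   # assumed range excluded from the router's DHCP pool
          gateway: 10.30.0.1       # assumed router address on IOT_LAN
```

Because the containers now look like ordinary hosts on their VLANs, the router's firewall rule (LAN to IOT_LAN allowed, the reverse blocked) is what enforces the segmentation, so verify it from inside `iot_app` against a LAN address rather than trusting the Compose file alone. Note that a macvlan container cannot reach its own host's IP on the same parent interface, which is a known macvlan limitation rather than a firewall effect.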