Recent updates in DSM7 have complicated the process of freeing up ports 80 and 443 for use by Traefik. By employing a mix of advanced methods in Docker networking, we can effectively overcome this challenge using the Macvlan driver once and for all.
Overview
The Macvlan driver assigns each container on your system a "real" IP address on your local network. This functionality is particularly beneficial as we require Traefik, our reverse proxy, to bind to ports 80 and 443; however, DSM utilizes these ports with the standard Docker bridge setup. Since only one service can bind to a port on a specific IP address at any given time, using Macvlan allows us to provide Traefik with its own IP. This enables Traefik to bind to ports 80 and 443 without interfering with DSM, eliminating the need to modify DSM with each update and enhancing stability moving forward.
NetworkChuck offers a fantastic introduction to Docker networking.
However, placing Traefik in its own Macvlan network presents another challenge: how can other containers, likely using the default bridge driver, direct traffic between the Synology host and the "real" IP assigned to Traefik?
The solution is relatively straightforward, though it can be conceptually challenging. We create a new Docker bridge network—referred to as "frontend" in the example code—and connect Traefik to both the Macvlan network and the frontend network. The final step involves setting up a route, ensuring packets from the Synology host reach their intended destination, like using the command ip route add 192.168.44.204/30 dev macvlan0.
As a result, Traefik can effectively handle traffic on its own IP address within the LAN and route requests to containers operating on the Synology itself.
Configuration
This post was written and tested again DSM 7.1-42661 Update 4 in September 2022.
The first step is to identify the network adapter to create the macvlan interface against. If you've been using Virtual Machine manager your interfaces will start ovs_ethX or if you have a bonded network you'll see something bond0. In my case, ovs_eth0 was the interface. Use ip link to find yours.
alexktz@elrond:~$ ip link
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: sit0@NONE: mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1
link/sit 0.0.0.0 brd 0.0.0.0
3: eth0: mtu 1500 qdisc pfifo_fast master ovs-system state UP mode DEFAULT group default qlen 1000
link/ether 00:11:32:e4:58:23 brd ff:ff:ff:ff:ff:ff
...
8: ovs_eth0: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1
link/ether 00:11:32:e4:58:23 brd ff:ff:ff:ff:ff:ff