Creating macvlan in Synology NAS
I use a Synology NAS to host some of my internal home websites. For a while I had been using the reverse proxy from the Synology NAS, but I was soon hitting limitations. I wanted a dedicated IP with full control so I could use Traefik and Tailscale to their full potential.
Overview
Router IP | 192.168.1.1 |
Router DHCP IP Range | 192.168.1.11-192.168.1.119 |
Macvlan reserved IP | 192.168.1.200-192.168.1.207 |
Macvlan subnet | 192.168.1.200/29 |
Synology NAS IP assigned by router | 192.168.1.10 |
Synology NAS IP when accessing from docker using macvlan network | 192.168.1.206 |
Update DHCP server allocation and reserve IP address
First you need to decide on a subnet to reserve for Docker such that it doesn't conflict with other devices. I updated my router configuration to only allocate DHCP from 192.168.1.11-192.168.1.199. This allows me to reserve 192.168.1.200-192.168.1.207 (192.168.1.200/29 in CIDR notation) for Docker containers. You can use this tool to calculate the subnet.
Create macvlan docker network
I then use the above configuration to create a macvlan docker network named macvlan0.
Because macvlan isolates containers from the host, containers on the macvlan network reach the NAS at 192.168.1.206 instead of the NAS's original IP.
To find the parent network interface, use sudo ip link show.
sudo docker network create -d macvlan \
--subnet=192.168.1.0/24 \
--gateway=192.168.1.1 \
--ip-range=192.168.1.200/29 \
--aux-address 'host=192.168.1.206' \
-o parent=ovs_eth0 macvlan0
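The address plan behind this command can be checked before changing the router or Docker, since an overlap between the DHCP pool and the reserved range leads to duplicate addresses on the LAN. The following Python check is an added example, not part of the original post; the function name check_plan and its parameters are assumptions for illustration, and the values come from the overview table and the command above.

```python
import ipaddress as ipa

def check_plan(lan, gateway, dhcp_first, dhcp_last, ip_range, host_ip, containers):
    """Return a list of problems in a macvlan address plan (empty list = OK)."""
    lan, gw, host = ipa.ip_network(lan), ipa.ip_address(gateway), ipa.ip_address(host_ip)
    try:
        rng = ipa.ip_network(ip_range)  # strict parse rejects e.g. 192.168.1.201/29
    except ValueError as exc:
        return [f"--ip-range is not a CIDR block: {exc}"]
    problems = []
    if not rng.subnet_of(lan):
        problems.append(f"{rng} is not inside the LAN subnet {lan}")
    # The router's pool is a first-last range; expand it to CIDR blocks to test overlap.
    pool = ipa.summarize_address_range(ipa.ip_address(dhcp_first), ipa.ip_address(dhcp_last))
    for block in pool:
        if block.overlaps(rng):
            problems.append(f"DHCP pool block {block} overlaps {rng}")
    if gw in rng:
        problems.append(f"gateway {gw} is inside {rng}")
    if host not in rng:
        problems.append(f"host address {host} is outside {rng}")
    used = {host: "the NAS host address"}
    for name, addr in containers.items():
        ip = ipa.ip_address(addr)
        if ip not in rng:
            problems.append(f"{name}: {ip} is outside {rng}")
        if ip in used:
            problems.append(f"{name}: {ip} is already used by {used[ip]}")
        used[ip] = name
    return problems

if __name__ == "__main__":
    # Values from the overview table and the nginx test container on this page.
    plan = dict(lan="192.168.1.0/24", gateway="192.168.1.1",
                dhcp_first="192.168.1.11", dhcp_last="192.168.1.199",
                ip_range="192.168.1.200/29", host_ip="192.168.1.206",
                containers={"nginx-test-01": "192.168.1.201"})
    print(check_plan(**plan) or "plan OK")
    # Constructed counter-example: pool left at .2-.254, container placed on the host address.
    bad = dict(plan, dhcp_first="192.168.1.2", dhcp_last="192.168.1.254",
               containers={"nginx-test-01": "192.168.1.206"})
    print("\n".join(check_plan(**bad)))
```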
Create macvlan network
Create a macvlan link named macvlan0 on the NAS.
sudo ip link add macvlan0 link ovs_eth0 type macvlan mode bridge
Assign the NAS's macvlan IP address to the link.
sudo ip addr add 192.168.1.206/32 dev macvlan0
Bring up the macvlan link.
sudo ip link set macvlan0 up
Route traffic for the reserved IP range through the new link.
sudo ip route add 192.168.1.200/29 dev macvlan0
Testing Macvlan IP
Now that we have set up the macvlan network, we will create a sample nginx docker container to test the IP. We will manually assign 192.168.1.201 to this docker container. Navigating to the IP should show the nginx page.
sudo docker run --net=macvlan0 -dit --name nginx-test-01 --ip=192.168.1.201 nginx:alpine nginx-debug -g 'daemon off;'
Configuring macvlan on every reboot
Once you have verified the setup, you can add a startup task via Control Panel > Task Scheduler so it persists across every reboot.
ip link add macvlan0 link ovs_eth0 type macvlan mode bridge
ip addr add 192.168.1.206/32 dev macvlan0
ip link set macvlan0 up
ip route add 192.168.1.200/29 dev macvlan0
Configuring OPNsense Router to access macvlan network in tailnet
Due to limitations in the Synology NAS, I wasn't able to get the tailnet working on the macvlan IP. I installed Tailscale on my OPNsense router and then ran the following commands to expose the macvlan IPs so I can access them via Tailscale. You can then use the 192.168.1.201 IP to access the nginx container above from the tailnet instead of using a Tailscale IP.
sudo service tailscaled enable
sudo service tailscaled start
sudo tailscale up --advertise-routes=192.168.1.200/29 --advertise-exit-node --accept-routes=true