Creating macvlan in Synology NAS

I use a Synology NAS to host some of my internal home websites. For a while I had been using the reverse proxy built into the Synology NAS, but I soon hit its limitations. I wanted a dedicated IP address with full control so I could use Traefik and Tailscale to their full potential.

Overview

Router IP: 192.168.1.1
Router DHCP IP range: 192.168.1.11-192.168.1.199
Macvlan reserved IPs: 192.168.1.200-192.168.1.207
Macvlan subnet: 192.168.1.200/29
Synology NAS IP assigned by router: 192.168.1.10
Synology NAS IP when accessed from Docker over the macvlan network: 192.168.1.206

Update DHCP server allocation and reserve IP address

First you need to choose a subnet to reserve for Docker so that it doesn't conflict with addresses the router hands out. I updated my router configuration to only allocate DHCP leases from 192.168.1.11-192.168.1.199. This leaves 192.168.1.200-192.168.1.207 (192.168.1.200/29 in CIDR notation) reserved for Docker containers. You can use a subnet calculator to work out the range.
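Before changing the router or Docker it is worth checking the address plan on paper. The script below is an added example, not part of the original post: it computes the bounds of the macvlan reservation, confirms the reservation does not overlap the DHCP pool, and confirms that the addresses used later in the procedure (the host's aux address and the test container's IP) fall inside the reservation. It is pure POSIX sh arithmetic, so it runs on the NAS, the router or a laptop, and the values fed to it at the bottom are the ones from this post.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the macvlan
# address plan. Works in any POSIX sh; no external tools needed.

# Dotted quad -> 32-bit integer.
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# a.b.c.d/n -> "first last" as integers (network and broadcast address).
cidr_bounds() {
    _addr=${1%/*}; _bits=${1#*/}
    _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    _first=$(( $(ip2int "$_addr") & _mask ))
    echo "$_first $(( _first | (~_mask & 0xFFFFFFFF) ))"
}

# Human-readable range, e.g. 192.168.1.200/29 -> 192.168.1.200-192.168.1.207
cidr_print() {
    set -- $(cidr_bounds "$1")
    echo "$(int2ip "$1")-$(int2ip "$2")"
}

# True when IP ($2) lies inside CIDR ($1).
cidr_contains() {
    set -- $(cidr_bounds "$1") "$(ip2int "$2")"
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# True when CIDR ($1) shares any address with the dotted range $2-$3.
cidr_overlaps_range() {
    set -- $(cidr_bounds "$1") "$(ip2int "$2")" "$(ip2int "$3")"
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_plan DHCP_FIRST DHCP_LAST RESERVED_CIDR IP...
# Returns 0 when the reservation is clear of the DHCP pool and every
# listed IP is inside the reservation; prints the reason otherwise.
check_plan() {
    _dfirst=$1; _dlast=$2; _cidr=$3; shift 3
    if cidr_overlaps_range "$_cidr" "$_dfirst" "$_dlast"; then
        echo "CONFLICT: $_cidr ($(cidr_print "$_cidr")) overlaps the DHCP pool $_dfirst-$_dlast"
        return 1
    fi
    for _ip in "$@"; do
        if ! cidr_contains "$_cidr" "$_ip"; then
            echo "OUTSIDE: $_ip is not inside $_cidr ($(cidr_print "$_cidr"))"
            return 1
        fi
    done
    echo "OK: $_cidr ($(cidr_print "$_cidr")) is outside the DHCP pool and contains: $*"
}

# The post's values: DHCP pool, reservation, host aux address, test container IP.
check_plan 192.168.1.11 192.168.1.199 192.168.1.200/29 192.168.1.206 192.168.1.201
```

If you later grow the reservation (say to a /28) or move the DHCP pool, re-run the check with the new values; an overlap means the router could lease an address that a container is already using, which shows up as intermittent connectivity to both.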

Create macvlan docker network

I then use the above configuration to create a macvlan Docker network named macvlan.

Because macvlan isolates containers from the host, containers on this network cannot reach the NAS on its usual address; when talking from a container to the NAS over macvlan we use 192.168.1.206 as the NAS IP instead.

To find the parent interface, run sudo ip link show.

sudo docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  --ip-range=192.168.1.200/29 \
  --aux-address 'host=192.168.1.206' \
  -o parent=ovs_eth0 macvlan

Create macvlan interface on the NAS

Create a macvlan interface named macvlan0 on the same parent interface, so the NAS itself has a foothold on the macvlan segment.

sudo ip link add macvlan0 link ovs_eth0 type macvlan mode bridge

Assign the reserved host address to the link.

sudo ip addr add 192.168.1.206/32 dev macvlan0

Bring the link up.

sudo ip link set macvlan0 up

Route traffic for the reserved range through the new link.

sudo ip route add 192.168.1.200/29 dev macvlan0

Testing Macvlan IP

Now that the macvlan network is set up, we create a sample nginx container to test it. We manually assign 192.168.1.201 to this container. Browsing to that IP should show the nginx welcome page.

sudo docker run --net=macvlan -dit --name nginx-test-01 --ip=192.168.1.201 nginx:alpine nginx-debug -g 'daemon off;'

Configuring macvlan on every reboot

Once you have verified it works, add a startup task via Control Panel > Task Scheduler so the interface persists across reboots.

ip link add macvlan0 link ovs_eth0 type macvlan mode bridge
ip addr add 192.168.1.206/32 dev macvlan0
ip link set macvlan0 up
ip route add 192.168.1.200/29 dev macvlan0
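The four commands above are not idempotent: if the task fires a second time, or the first run stopped halfway, `ip link add` fails because macvlan0 already exists and the remaining steps never run. The script below is an added example, not the post's own task, that applies each step only when it is missing. The defaults are the values from this post (ovs_eth0, macvlan0, 192.168.1.206/32, 192.168.1.200/29); override PARENT if your `ip link show` names the NIC differently. Run it with --apply as root from the Task Scheduler; with no argument it only prints what it would change.

```shell
#!/bin/sh
# Added example, not the post's scheduled task: idempotent macvlan setup.
# Defaults are the post's values; assumed to match your NAS, adjust as needed.

PARENT=${PARENT:-ovs_eth0}
LINK=${LINK:-macvlan0}
HOST_ADDR=${HOST_ADDR:-192.168.1.206/32}
RANGE=${RANGE:-192.168.1.200/29}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Each probe returns 0 when that piece of state is already in place.
link_exists()   { ip link show "$LINK" >/dev/null 2>&1; }
addr_present()  { ip -o addr show dev "$LINK" 2>/dev/null | grep -q "inet ${HOST_ADDR%/*}/"; }
link_is_up()    { ip link show "$LINK" 2>/dev/null | grep -Eq '<([^>]*,)?UP[,>]'; }
route_present() { ip route show "$RANGE" dev "$LINK" 2>/dev/null | grep -q .; }

# Bring the host-side macvlan interface to the desired state, skipping
# anything that is already done so a re-run never aborts on "File exists".
setup_macvlan() {
    link_exists   || run ip link add "$LINK" link "$PARENT" type macvlan mode bridge
    addr_present  || run ip addr add "$HOST_ADDR" dev "$LINK"
    link_is_up    || run ip link set "$LINK" up
    route_present || run ip route add "$RANGE" dev "$LINK"
}

case "${1:-}" in
    --apply) setup_macvlan ;;
    *)       DRY_RUN=1; setup_macvlan ;;
esac
```

Because every probe simply reads the current state with `ip`, the same script also doubles as a quick check after a reboot: a dry run that prints nothing means all four pieces are in place.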

Configuring the OPNsense router to reach the macvlan network from the tailnet

Due to limitations in the Synology NAS I wasn't able to get the tailnet working on the macvlan IP. I installed Tailscale on my OPNsense router and ran the following commands to advertise the macvlan range so I can reach it via Tailscale. From the tailnet you can then use the 192.168.1.201 IP to reach the nginx container above instead of a Tailscale IP. The advertised route also has to be approved in the Tailscale admin console before other tailnet devices can use it.

sudo service tailscaled enable
sudo service tailscaled start
sudo tailscale up --advertise-routes=192.168.1.200/29 --advertise-exit-node --accept-routes=true