Firewall breaks macvlan enabled docker containers in LXC

mrwonka

Feb 1, 2024
I have docker installed in a debian LXC container on my Proxmox host. I want to utilise Proxmox's firewall on that container to improve the security of my setup.
  • Proxmox - 10.5.0.64
    • Unprivileged LXC - 10.5.0.66
      • Docker
        • Container - 10.5.0.57 (macvlan bound to eth0)
I have a container that's running in docker that is using a macvlan to host the container on a VLAN from my home network. This all works fine, until I turn on the Proxmox firewall. When I turn it on the assigned macvlan IP stops being resolvable. I have set up (as best I can tell) all appropriate firewall rules to allow access, the most important being: INPUT allow proto tcp dst 10.5.0.57 port 32400

I appreciate this is a fairly complex setup that maybe isn't going to work, but maybe it's just a bug in Proxmox? The fact it's all perfectly functional until I enable the firewall tells me it's probably the latter.

Where do I start to look to debug this? For now, and to keep things running, I've stopped using the macvlan and have instead mounted an additional interface to the LXC. Because docker doesn't allow you to bind its bridges to particular interfaces I've had to instead use a port mapping of "10.5.0.67:32400:32400". This is working (with the firewall on) but is not what I really want as the container (Plex) has a whole bunch of other ports that probably need exposing and I don't want to do each of those by hand.
 
Do you have MAC Filtering enabled in the Firewall settings for the Container?
 
iirc MACVLAN causes the sub-interfaces to have different MAC-addresses, so MAC filtering will block all those packets automatically.

Generally said, we do recommend not running Docker inside a Container at all and using a VM instead. Docker in LXC is known to cause issues and incompatibilities.
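As an added illustration of the point above (example script written for this page, not code from the thread or from Proxmox): the Proxmox firewall's MAC filter only passes frames whose source MAC is the `hwaddr` configured on the container's `netN` line, so every macvlan sub-interface Docker creates inside the CT, each with its own MAC, is dropped. The script below parses constructed samples of `pct config <vmid>` (host side) and `ip -o link` (inside the CT), compares the MACs, and reports which interfaces would trip the filter. The interface names, MAC addresses and the VMID are made-up sample values; the output formats are those of the real tools.

```bash
#!/usr/bin/env bash
# Added example for this thread, not part of the original post.
# Shows which source MACs the Proxmox MAC filter (macfilter, on by default)
# would drop for a CT that runs Docker macvlan networks.

# Constructed sample of `pct config 100` as seen on the Proxmox host.
SAMPLE_PCT_CONFIG='arch: amd64
cores: 2
hostname: docker-ct
memory: 2048
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=BC:24:11:AA:BB:CC,ip=10.5.0.66/24,gw=10.5.0.1,type=veth
ostype: debian
unprivileged: 1'

# Constructed sample of `ip -o link` run inside the CT. The macvlan0 interface
# is the kind Docker creates for a macvlan-networked container; its MAC differs
# from the hwaddr Proxmox configured for eth0.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether bc:24:11:aa:bb:cc brd ff:ff:ff:ff:ff:ff link-netnsid 0
3: macvlan0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 02:42:0a:05:00:39 brd ff:ff:ff:ff:ff:ff'

# ct_hwaddr <pct-config-text>: print the hwaddr from the net<N> line, lower-cased.
ct_hwaddr() {
  printf '%s\n' "$1" \
    | sed -n 's/^net[0-9]*:.*hwaddr=\([0-9A-Fa-f:]*\).*/\1/p' \
    | tr 'A-Z' 'a-z'
}

# link_macs <ip-o-link-text>: print "ifname mac" for every link/ether interface.
# `ip -o` joins each record on one line with a backslash, so a plain awk split works.
link_macs() {
  printf '%s\n' "$1" | awk '/link\/ether/ {
      name = $2; sub(/@.*/, "", name); sub(/:$/, "", name)
      for (i = 1; i <= NF; i++) if ($i == "link/ether") print name, $(i + 1)
  }'
}

# macfilter_verdicts <pct-config-text> <ip-o-link-text>:
# one line per interface, PASS if its MAC equals the configured hwaddr
# (what the Proxmox MAC filter permits), DROP otherwise.
macfilter_verdicts() {
  allowed=$(ct_hwaddr "$1")
  link_macs "$2" | while read -r name mac; do
    if [ "$mac" = "$allowed" ]; then
      echo "$name $mac PASS"
    else
      echo "$name $mac DROP (source MAC differs from configured hwaddr $allowed)"
    fi
  done
}

# Config fragment for /etc/pve/firewall/<vmid>.fw that turns the MAC filter off
# for this CT, which is the change that made the thread's setup work.
macfilter_off_snippet() {
  printf '[OPTIONS]\nmacfilter: 0\n'
}

macfilter_verdicts "$SAMPLE_PCT_CONFIG" "$SAMPLE_IP_LINK"
echo "--- /etc/pve/firewall/<vmid>.fw fragment to disable the filter ---"
macfilter_off_snippet
```

On a real host you would feed it `pct config <vmid>` and `pct exec <vmid> -- ip -o link`; any DROP line is a MAC the firewall will silently discard while the INPUT rules still show the traffic as allowed, which matches the "allowed but times out" logging seen later in this thread. Turning `macfilter` off widens what the CT may send (any source MAC), so it is a trade-off rather than a free fix, and the thread itself reports it did not survive a host reboot.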
 
> Generally said, we do recommend not running Docker inside a Container at all and using a VM instead. Docker in LXC is known to cause issues and incompatibilities.
Yeah, I understand, but I've only got the one integrated GPU and figuring out IOV functions to share it with multiple containers/vms seems the harder option.

Thanks for the pointer. I'll try that now.

EDIT.
> iirc MACVLAN causes the sub-interfaces to have different MAC-addresses, so MAC filtering will block all those packets automatically.
That was the one. I disabled MAC filtering on the LXC firewalls and it's all working fine. Thanks :)
 
Ah well, rebooted the host after updates and the issue has returned. No amount of toggling mac filtering appears to reinstate a working service.
 
It is, but I just turned it off using `bridge-disable-mac-learning 1` and that didn't make a difference. Though it did stop ping from working to the .57 IP consistently.

I've got all the firewall logging turned up and I can see requests for the ip/port are being allowed but they just time out. There is definitely something odd going on with how docker routes traffic to macvlan'd containers and how that's interacting with the LXC/Host firewall.
 
I'm having the exact same issue... Turning off the "MAC filter" firewall rule in Proxmox for the LXC allows services to communicate out of the LXC/docker/macvlan, but only "for a while", as eventually it stops working. I didn't check, but it probably stops working after reloading the host as well, like mrwonka experienced.

Any solution out there?