Exposed Network for Docker Containers

How to configure a Docker Portainer Container to use its own IP-Address.

Sometimes you need or want a Docker Container to be exposed directly on the Host's Network with its own IP-Address. This may also become necessary if you have to publish the same Port on two or more Containers on the same host.

This Tutorial covers the Assignment of 1 separate IP-Address for 1 Container. We will use the “macvlan” Driver to do this. You can also extend the IP-Range if you want to assign IP-Addresses to multiple Containers.

The Tutorial was created for Raspberry Pi OS, but should also work for other Linux Distributions running Portainer.

Requirements

Please note – A wired network Connection will be essential – The “macvlan” Driver will not work on your wifi interface.

Configuration

Login to your Portainer Installation and go to Menu “Networks”. We will create two “Networks” in Portainer with Driver “macvlan”:

  • #Network1: Our Network Configuration
  • #Network2: Our (Creation) Container Network – The Container will use it.

Click on “Add network” to start with the first Network Configuration

“Configuration Network”

Choose a Name for the Network – I recommend adding “_conf” to the Name, so you can tell it apart from the second “Container Network” later on. In this example, we will create a separate Network for “Pi-hole” with only 1 IP-Address. The Name will be “pihole_conf” with Driver “macvlan”.

At Section “Macvlan configuration”, the Setting needs to be “Configuration – I want to configure a network before deploying it”. The Raspberry Pi Ethernet Card is usually named “eth0”.

You can look up your Network Device name, e.g. with

ip link show

This will list all Devices. To look up your IP-Address and Interface name, use e.g.

ip a

At stage “IPV4 Network configuration”, set your Subnet and Gateway. To define only 1 IP, add “/32” to the IP range.

Example:

  • Our Network is “192.168.1.0” with Subnet “255.255.255.0” – so the Subnet would be “192.168.1.0/24”.
  • Our Router is “192.168.1.1” – so the Gateway would be “192.168.1.1”
  • Network will contain only 1 Container and should get the IP “192.168.1.70” so the IP range would be “192.168.1.70/32”

Finally click on “Create the network” at Stage “Actions”.

Note: You can set up a bigger Network and place multiple Containers into it, if you need to. You’ll find various Subnet Calculators on the Internet, if you need help to get started with Subnetting.

“(Creation) Container Network”

From Menu “Network” click on “Add network” to create the Container Network based on our “Configuration Network”:

Name your Network – I recommend adding “_net” to the Name, to make the Identification of the Network within a Container Configuration easier. Once again, select “macvlan” as Driver.

Example: “Pi-hole” Container Network

At Section “Macvlan configuration”, select “Creation – I want to create a network from a configuration”. From the Dropdown List below, select the “Configuration Network” we created before (in our Example “pihole_conf”):

Finally click on “Create the network” at the Actions Stage
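
The two Portainer networks above correspond to a config-only network and a macvlan network created from it on the Docker CLI. The following script is an added example, not part of the original tutorial: it checks the values of the Pi-hole example (wired parent, IP range inside the Subnet, Gateway outside the IP range) and prints the two commands instead of running them. The function names and the SYSFS override are assumptions made for this example.

```sh
#!/bin/sh
# Added example: validate a macvlan address plan, then print (not run)
# the Docker CLI commands for the config-only and the container network.

# Dotted IPv4 address -> integer (runs in a subshell so IFS stays local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# CIDR block -> "first last" addresses as integers.
cidr_bounds() (
    base=$(ip2int "${1%/*}")
    size=$(( 1 << (32 - ${1#*/}) ))
    first=$(( base / size * size ))
    echo "$first $(( first + size - 1 ))"
)

# True if CIDR $2 lies completely inside CIDR $1.
cidr_contains() (
    set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
    [ "$3" -ge "$1" ] && [ "$4" -le "$2" ]
)

# Wireless interfaces expose a "wireless" directory in sysfs.
# SYSFS is a hypothetical override used only for testing.
is_wireless() { [ -d "${SYSFS:-/sys}/class/net/$1/wireless" ]; }

# Args: name parent subnet gateway ip_range
macvlan_plan() {
    if is_wireless "$2"; then
        echo "error: $2 is wireless, macvlan needs a wired parent" >&2; return 1
    fi
    if ! cidr_contains "$3" "$5"; then
        echo "error: IP range $5 is outside subnet $3" >&2; return 1
    fi
    if cidr_contains "$5" "$4/32"; then
        echo "error: gateway $4 is inside IP range $5" >&2; return 1
    fi
    echo "docker network create --config-only --subnet $3 --gateway $4" \
         "--ip-range $5 -o parent=$2 ${1}_conf"
    echo "docker network create -d macvlan --config-from ${1}_conf ${1}_net"
}

# Values from the tutorial's Pi-hole example.
macvlan_plan pihole eth0 192.168.1.0/24 192.168.1.1 192.168.1.70/32
```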

Container Configuration

Go to the Container list Menu to edit / change a Container's Network Configuration, or create a new Container which should get your Network Configuration.

Within the Container “Advanced container settings” Section, select Tab “Network”. Now change the Network to your created Network – in our Example “pihole_net”


Deploy the Container – It should get the IP-Address we defined before.

Hint: The Container will only be reachable while your Device is connected by wire (eth0).

Optional / Important for ESXi Configuration

If your Portainer Host is running on ESXi, you’ll need to change the Port Group Configuration to allow “Promiscuous Mode” and “Forged transmits” for your Docker Host (usually “VM Network”), because each macvlan Container sends and receives with its own MAC address. Please note that this Configuration is not recommended in large production Environments. If your ESXi has an additional Ethernet Interface, you can add a second vSwitch with its own Port Group to optimize Performance.

Promiscuous mode

Depending on your Docker Host OS (e.g. Ubuntu), you’ll need to allow Promiscuous mode on the Network Interface, e.g. for Interface eth0:

ip link set eth0 promisc on

An ESXi VM with vmxnet3 Network Adapter will probably have Interface “ens192”. A VMware Fusion 13 VM might have “ens162”. You can identify your Interface Name by typing “ip a”.

To enable Promiscuous mode automatically after a reboot, I recommend creating a Service (Source: askubuntu.com – Thanks to “longer”):

sudo nano -w /etc/systemd/system/bridge-promisc.service

Add the following Content, change the Interface-Name to your needs:

[Unit]
Description=Makes interfaces run in promiscuous mode at boot
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev eth0 promisc on
TimeoutStartSec=0
RemainAfterExit=yes

[Install]
WantedBy=default.target