
I am trying to get a macvlan network to work on Docker. It has been deployed properly, but I cannot get it to be accessible. See my related thread on Server Fault.

I have tried deploying it on my laptop, desktop and on an Oracle VM. I have tried activating promiscuous mode everywhere with sudo ip link set promisc on and also in my VM's settings, and also turning it on simultaneously for the host, the VM and the docker adapter.

An unexpected behaviour I have noticed reading the output of docker network ls is that the containers won't get a mac address unless I manually assign them one.

Nothing has worked. Also, sometimes, I inspect the network with ip -d link and promiscuous mode has a "2" instead of a "1" next to it. I don't know why that would be the case.

I have tried looking up whether my wireless card on my laptop is able to do promiscuous mode at all, but I cannot find relevant information online. Is there a reliable way to find out whether my network cards are capable of using it or not?

I should also mention that the same behaviour happens when I tried through a wired connection.

  • I think you may want to clarify what you actually mean by "do promiscuous mode". Are you trying to capture/sniff some VM/container traffic on the host or what? Commented Sep 3, 2023 at 17:41
  • I want to have a docker macvlan network set up with containers running on the host machine that each have their own MAC address on the host network. Commented Sep 3, 2023 at 17:52
  • Well, then it sounds like you are kinda asking the wrong question. Have you been trying to access the containers from the host itself or from another host in the host's/physical network? For the former to work, you need to use a macvlan on the host (instead of its "link"/the interface of the physical NIC). Commented Sep 3, 2023 at 17:59
  • Normally you don't even have to run set promisc on to get macvlans to work. Their "link" will implicitly/automatically enter promiscuous mode when a macvlan is up. (You can check the kernel message for that.) Commented Sep 3, 2023 at 18:04
  • Maybe I am asking the wrong question. They cannot be reached via the network serverfault.com/questions/1142939/… here is my related question to the issue on Server Fault. I will edit the question so it also points at it. The network I create is on Docker on the host. Commented Sep 3, 2023 at 18:05

1 Answer

Should maybe the router also be configured to accept promiscuous mode? I haven't found any setting that indicates so.

The actual setting you're looking for is a bit different and specific to Wi-Fi.

There's no "promiscuous mode" setting in your router because promiscuous mode is by its nature a receiver-side thing – it only tells your network interface to accept frames that it is already receiving (but which have the wrong destination MAC address); it does not communicate with the rest of the network about the mode being enabled.

So, for example, promiscuous mode on an old-style "shared medium" Ethernet network would've allowed you to receive packets meant for other hosts because they were already arriving, and were only discarded at your end based on destination MAC address being unknown. On the other hand, the same mode is nearly ineffective on a switched Ethernet network because the switches only send packets through specific links – packets not meant for you never arrive on your interface. And although Wi-Fi is a "shared medium" network, the entire wireless side is still behind a bridge (the AP) and will never see stray packets from the wired side.

But promiscuous mode is only about receiving misaddressed frames – not sending. A much bigger issue with Wi-Fi is that unlike Ethernet, a Wi-Fi connection is not symmetric – only the access point gets to send packets with any source MAC address; Wi-Fi client devices cannot do that. The MAC address that your device "associated" from is the only MAC address that you can send packets from. (This is completely unlike Ethernet, which has no separate "association" and where any connected device can use any MAC address it wants.)

Behind the scenes, Wi-Fi packets have three or four MAC addresses instead of the usual two; in addition to "source" and "destination" you also have "transmitting radio" and "receiving radio". Normally only three are used, as for packets sent by clients, "transmitter" and "source" MAC addresses are always the same (and vice versa, for packets that you receive from the AP, "destination" is the same as "receiver"). This means that it is impossible for you to send packets that have the macvlan interface's MAC address on them; there's no "source MAC" field in the packets (and putting it in the "transmitter" field would cause them to be rejected by the AP as "packets from unassociated station").

So in order for a Wi-Fi client to send "spoofed" MAC addresses (i.e. to act as a bridge), it needs to be switched to the "4-address" mode also known as "WDS bridge" mode. This can be done on Linux using the iw command – although not all Wi-Fi interfaces support it properly – and the router (Wi-Fi access point) must be configured to accept 4addr/WDS packets from your device; how to do it varies greatly and is usually not even supported by most access points.

  • Thank you for the tip and the explanation. The wifi settings of my router have a WDS section. I tried all permutations for ap-only/wds-only/hybrid and connect-to-ap's-in-the-list (yes/no), where I provided the mac addresses of my computer and some containers. I did this after running iw dev wlp0s20f4 set 4addr on. Nothing worked. Unfortunately, I don't know where to see whether my adapter has 4addr set to active. ip -d link doesn't mention the setting by name. By the way, promiscuous mode still has a 2 next to it, which baffles me. Commented Sep 3, 2023 at 17:11
  • My router also has a Wireless MAC filter section which I set to Filter-mode (Accept) and where I provided the relevant MAC addresses, but it didn't work either. I also configured it while making sure promiscuous mode on my adapter is on. Commented Sep 3, 2023 at 17:14
  • I should also mention that the same behaviour happens when I tried through a wired connection. I have edited my question to include this. Commented Sep 3, 2023 at 17:21
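The thread never settles how to read the interface state it keeps referring to: whether promiscuous mode is actually active, and what the "2" after promiscuity in ip -d link means. The script below is an added example, not code from the question, the answer or any of the commenters. It decodes the flag word the kernel exposes in /sys/class/net/<iface>/flags using the IFF_* bit values from the kernel's include/uapi/linux/if.h (IFF_PROMISC is 0x100), and it extracts the promiscuity counter from ip -d link output. That counter is a reference count, not a boolean: every user that requested promiscuous mode on the link (a macvlan child interface, a running packet capture, an explicit ip link set promisc on) adds one, so 2 means two such users currently hold it and 0 means the interface is not promiscuous. The sample ip -d link line is constructed for the offline check; the interface name wlp0s20f4 in it is only reused from the comment above, and the live helper takes whatever interface name you pass.

```shell
#!/bin/sh
# Added example, not from the original post. Two pure helpers work on text so
# they can be exercised offline; the last helper queries a live interface
# through /sys and ip(8).

# Decode the hex flag word from /sys/class/net/<iface>/flags into names.
# Bit values are the IFF_* constants from include/uapi/linux/if.h.
decode_if_flags() {
    flags=$(( $1 ))
    out=""
    if [ $(( flags & 0x1 ))    -ne 0 ]; then out="$out UP";        fi
    if [ $(( flags & 0x2 ))    -ne 0 ]; then out="$out BROADCAST"; fi
    if [ $(( flags & 0x40 ))   -ne 0 ]; then out="$out RUNNING";   fi
    if [ $(( flags & 0x100 ))  -ne 0 ]; then out="$out PROMISC";   fi
    if [ $(( flags & 0x1000 )) -ne 0 ]; then out="$out MULTICAST"; fi
    printf '%s\n' "${out# }"
}

# Read `ip -d link show <iface>` output on stdin and print the value after
# the "promiscuity" keyword. It is a reference count of users that asked
# for promiscuous mode (macvlan children, packet captures, an explicit
# `ip link set promisc on`); 0 means not promiscuous. Prints "unknown" if
# the keyword is absent (e.g. output taken without -d).
promisc_refcount() {
    awk '
        { for (i = 1; i < NF; i++) if ($i == "promiscuity") { print $(i + 1); found = 1; exit } }
        END { if (!found) print "unknown" }
    '
}

# Constructed sample of `ip -d link show` output for the offline check;
# this is not real output from the poster's machine.
SAMPLE_IP_D_LINK='3: wlp0s20f4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 2 minmtu 256 maxmtu 2304 addrgenmode none numtxqueues 1 numrxqueues 1'

# Live report for a real interface, e.g. `iface_promisc_report wlp0s20f4`.
# Prints the decoded flags and the promiscuity refcount for that interface.
iface_promisc_report() {
    iface=$1
    if [ ! -r "/sys/class/net/$iface/flags" ]; then
        echo "no such interface: $iface" >&2
        return 1
    fi
    printf 'flags: %s\n' "$(decode_if_flags "$(cat "/sys/class/net/$iface/flags")")"
    printf 'promiscuity refcount: %s\n' "$(ip -d link show dev "$iface" | promisc_refcount)"
}
```

A PROMISC entry in the decoded flags (or a nonzero promiscuity count) confirms that the link is accepting frames for foreign destination MACs, which is exactly what a macvlan parent needs on the receive side; as the answer explains, it says nothing about whether the link can transmit with a different source MAC, which on Wi-Fi is the 4-address/WDS question. Running iface_promisc_report before and after creating the macvlan network shows whether the count moves, and a count that stays above zero after tearing the network down points at another user still holding the mode, such as a capture tool.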
