Does Traefik work with Docker macvlan?

I have this docker-compose already working in my homeLab for quite a while and now I'm trying to migrate most of my docker containers to Synology.

After adding a macvlan network to my previous compose file, I just can't make it work. I'm coming to the conclusion that it's impossible to use Traefik on Synology with macvlan.

version: '3.5'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      macvlan:
        ipv4_address: 192.168.xx.xx
      proxy:
    ports:
      - 80:80
      - 443:443
    environment:
      - PIHOLE_UID=111
      - PIHOLE_GID=111
      - TZ=Europe/Warsaw
      - CF_API_EMAIL=xxx.com
      - CF_API_KEY=xxx
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /volume1/docker/traefik/data/traefik.yml:/traefik.yml:ro
      - /volume1/docker/traefik/data/acme.json:/acme.json
      - /volume1/docker/traefik/data/config.yml:/config.yml:ro      
      - /volume1/docker/traefik/logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`proxy.local.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=xxx:xxx"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`proxy.local.domain.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.domain.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.domain.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik.service=api@internal"

networks:
  macvlan:
    external: true    
  proxy:
    external: true

What does that mean? Any errors?

If Synology and Docker enable the IP, then Traefik should be able to listen to it inside a container.

Meaning I keep getting "404 page not found" when accessing the dashboard and any other A/CNAME it is supposed to proxy.

Yes, I already updated the DNS entry to point to the new IP, which apparently is working because my HTTP call gets redirected to HTTPS.

You still have an issue? Is the 404 coming from Traefik? Or the target service? Enable Traefik access log in JSON format (doc).

You didn't share the Traefik static config (traefik.yml) and the config of your target service, if it’s not the Traefik dashboard itself.

Yes, the issue persists.

Like I said, it's strange because the same config works on a regular unix/docker instance. But it fails with Synology+macvlan.

traefik.yaml

api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
    watch: true
certificatesResolvers:
  cloudflare:
    acme:
      email: xxx@xxx.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

access.log

192.168.xxx.xxx - - [05/Nov/2024:08:06:05 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 5 "-" "-" 0ms
192.168.xxx.xxx - - [05/Nov/2024:08:06:35 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 6 "-" "-" 0ms
192.168.xxx.xxx - - [05/Nov/2024:08:06:35 +0000] "GET /favicon.ico HTTP/2.0" 404 19 "-" "-" 7 "-" "-" 0ms
192.168.xxx.xxx - - [05/Nov/2024:08:06:54 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 8 "-" "-" 0ms
192.168.xxx.xxx - - [05/Nov/2024:08:06:54 +0000] "GET /favicon.ico HTTP/2.0" 404 19 "-" "-" 9 "-" "-" 0ms
192.168.xxx.xxx - - [05/Nov/2024:08:09:34 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 10 "-" "-" 0ms
192.168.xxx.xxx - - [05/Nov/2024:08:09:34 +0000] "GET /favicon.ico HTTP/2.0" 404 19 "-" "-" 11 "-" "-" 0ms
192.168.xxx.xxx - - [05/Nov/2024:08:09:45 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 12 "-" "-" 0ms
192.168.xxx.xxx - - [05/Nov/2024:08:09:45 +0000] "GET /favicon.ico HTTP/2.0" 404 19 "-" "-" 13 "-" "-" 0ms
192.168.xxx.xxx - - [05/Nov/2024:08:09:51 +0000] "GET /items HTTP/2.0" 404 19 "-" "-" 14 "-" "-" 0ms
192.168.xxx.xxx - - [05/Nov/2024:08:09:54 +0000] "GET /items HTTP/2.0" 404 19 "-" "-" 15 "-" "-" 0ms

Enable Traefik access log in JSON format (doc).

Sorry, there you go:

{
    "ClientAddr": "192.168.xx.xx:60125",
    "ClientHost": "192.168.xx.xx",
    "ClientPort": "60125",
    "ClientUsername": "-",
    "DownstreamContentSize": 19,
    "DownstreamStatus": 404,
    "Duration": 29337,
    "GzipRatio": 0,
    "OriginContentSize": 0,
    "OriginDuration": 0,
    "OriginStatus": 0,
    "Overhead": 29337,
    "RequestAddr": "192.168.xx.xx",
    "RequestContentSize": 0,
    "RequestCount": 1,
    "RequestHost": "192.168.xx.xx",
    "RequestMethod": "GET",
    "RequestPath": "/",
    "RequestPort": "-",
    "RequestProtocol": "HTTP/2.0",
    "RequestScheme": "https",
    "RetryAttempts": 0,
    "StartLocal": "2024-11-05T15:06:10.793341647+01:00",
    "StartUTC": "2024-11-05T14:06:10.793341647Z",
    "TLSCipher": "TLS_AES_128_GCM_SHA256",
    "TLSVersion": "1.3",
    "entryPointName": "websecure",
    "level": "info",
    "msg": "",
    "time": "2024-11-05T15:06:10+01:00"
  },
  {
    "ClientAddr": "192.168.xx.xx:60138",
    "ClientHost": "192.168.xx.xx",
    "ClientPort": "60138",
    "ClientUsername": "-",
    "DownstreamContentSize": 19,
    "DownstreamStatus": 404,
    "Duration": 48908,
    "GzipRatio": 0,
    "OriginContentSize": 0,
    "OriginDuration": 0,
    "OriginStatus": 0,
    "Overhead": 48908,
    "RequestAddr": "proxy.local.domain.com",
    "RequestContentSize": 0,
    "RequestCount": 2,
    "RequestHost": "proxy.local.domain.com",
    "RequestMethod": "GET",
    "RequestPath": "/",
    "RequestPort": "-",
    "RequestProtocol": "HTTP/2.0",
    "RequestScheme": "https",
    "RetryAttempts": 0,
    "StartLocal": "2024-11-05T15:06:49.748311655+01:00",
    "StartUTC": "2024-11-05T14:06:49.748311655Z",
    "TLSCipher": "TLS_AES_128_GCM_SHA256",
    "TLSVersion": "1.3",
    "entryPointName": "websecure",
    "level": "info",
    "msg": "",
    "time": "2024-11-05T15:06:49+01:00"
  },
  {
    "ClientAddr": "192.168.xx.xx:60138",
    "ClientHost": "192.168.xx.xx",
    "ClientPort": "60138",
    "ClientUsername": "-",
    "DownstreamContentSize": 19,
    "DownstreamStatus": 404,
    "Duration": 44284,
    "GzipRatio": 0,
    "OriginContentSize": 0,
    "OriginDuration": 0,
    "OriginStatus": 0,
    "Overhead": 44284,
    "RequestAddr": "proxy.local.domain.com",
    "RequestContentSize": 0,
    "RequestCount": 3,
    "RequestHost": "proxy.local.domain.com",
    "RequestMethod": "GET",
    "RequestPath": "/dashboard/",
    "RequestPort": "-",
    "RequestProtocol": "HTTP/2.0",
    "RequestScheme": "https",
    "RetryAttempts": 0,
    "StartLocal": "2024-11-05T15:08:43.126278024+01:00",
    "StartUTC": "2024-11-05T14:08:43.126278024Z",
    "TLSCipher": "TLS_AES_128_GCM_SHA256",
    "TLSVersion": "1.3",
    "entryPointName": "websecure",
    "level": "info",
    "msg": "",
    "time": "2024-11-05T15:08:43+01:00"
  },
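Added example (not part of the thread and not Traefik's own code): a small triage script for the question asked above, whether a 404 comes from Traefik or from the target service, using the JSON access log fields shown in the thread. It assumes one JSON object per line, as Traefik writes the log, and that `RouterName` is present only when a router matched; the function names and the second sample entry are constructed for illustration.

```python
import json

# Entry point names declared in the traefik.yml posted in the thread.
DECLARED_ENTRYPOINTS = {"http", "https"}

# Constructed sample: line 1 is trimmed from the JSON log in the thread,
# line 2 is a hypothetical 404 returned by a backend, line 3 is a
# common-format line that must be skipped.
SAMPLE_LOG = """\
{"DownstreamStatus": 404, "OriginStatus": 0, "RequestHost": "proxy.local.domain.com", "RequestPath": "/dashboard/", "entryPointName": "websecure"}
{"DownstreamStatus": 404, "OriginStatus": 404, "RequestHost": "app.local.domain.com", "RequestPath": "/items", "entryPointName": "https", "RouterName": "app@docker"}
192.168.xxx.xxx - - [05/Nov/2024:08:06:05 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 5 "-" "-" 0ms
"""

def classify(entry, declared=DECLARED_ENTRYPOINTS):
    """Return a list of findings for one access log entry."""
    findings = []
    origin = entry.get("OriginStatus", 0)
    if entry.get("DownstreamStatus") == 404:
        if not entry.get("RouterName") and origin == 0:
            # Nothing was forwarded: Traefik itself answered, no rule matched.
            findings.append("no-router-matched")
        elif origin == 404:
            # A router matched and the target service returned the 404.
            findings.append("backend-404")
    entry_point = entry.get("entryPointName")
    if entry_point and entry_point not in declared:
        # The running instance uses an entry point the posted file lacks.
        findings.append(f"undeclared-entrypoint:{entry_point}")
    return findings

def analyze(log_text, declared=DECLARED_ENTRYPOINTS):
    """Parse a JSON-lines access log; return (host+path, findings) pairs."""
    results = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON line
        if not isinstance(entry, dict):
            continue
        target = f'{entry.get("RequestHost", "-")}{entry.get("RequestPath", "")}'
        results.append((target, classify(entry, declared)))
    return results

if __name__ == "__main__":
    for target, findings in analyze(SAMPLE_LOG):
        print(target, findings)
```

Every entry posted above has `OriginStatus` 0, no `RouterName`, and `entryPointName` `websecure`, so each one yields both `no-router-matched` and `undeclared-entrypoint:websecure`. The labels in the compose file bind the routers to `http` and `https`, the names in the posted traefik.yml, which the logged entry point does not match.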