Setup on Synology with macvlan not working

Hi,

I've searched the whole internet for a solution to my issue but I can't make it work.

I've a Synology NAS running with some reverse proxies enabled and I was looking to switch to traefik for exposed containers.

I wanted to still have access to the 80 and 443 ports on Synology so I've created a macvlan using

ip link add macvlan0 link eth0 type macvlan mode bridge
ip addr add 192.168.0.103/32 dev macvlan0
ip link set macvlan0 up
ip route add 192.168.0.102/31 dev macvlan0

It seems to work as I can see the route

and from SSH Synology I can ping traefik (192.168.0.102)

Here is my docker-compose for traefik

version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    networks:
      macvlan:
      traefik:
    volumes:
      - /volume1/docker/traefik/config:/etc/traefik
      - /volume1/docker/traefik/config/dyn_traefik/:/dyn_traefik/
      - /volume1/docker/traefik/config/acme.json:/acme.json
      - /etc/localtime:/etc/localtime:ro

    depends_on:
      - socket-proxy

    environment:
        OVH_ENDPOINT: ovh-eu
        OVH_APPLICATION_KEY: xxxxx
        OVH_APPLICATION_SECRET: xxxxx
        OVH_CONSUMER_KEY: xxxxx

  
  socket-proxy:
    image: tecnativa/docker-socket-proxy
    container_name: traefik_docker_socket-proxy
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      CONTAINERS: 1
    networks:
      - traefik

networks:
  macvlan:
    name: macvlan
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: 192.168.0.0/24
          ip_range: 192.168.0.102/32
          gateway: 192.168.0.1

  traefik:
    name: traefik

and ./traefik/config/traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false

entrypoints:
  web:
    address: :80
  websecure:
    address: :443
  traefik:
    address: :8080

ping : {}

log:
  level: debug

accessLog:
  filePath: "/etc/traefik/access.log"

serversTransport:
  insecureSkipVerify: true

api:
  dashboard: true
  insecure: true
  debug: true


providers:
  docker:
    endpoint: tcp://socket-proxy:2375
    exposedByDefault: false
  file:
    filename: /etc/traefik/rules.yaml

certificatesResolvers:
  staging:
    acme:
      email: xxxx@xxxx.com
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: ovh
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
  production:
    acme:
      email: xxxx@xxxx.com
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      dnsChallenge:
        provider: ovh
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

Let's pick one container I am trying to deploy: code-server

version: "2.1"
services:
  code-server:
    image: lscr.io/linuxserver/code-server:latest
    container_name: code-server
    environment:
      - PUID=XXXX
      - PGID=XXX
    volumes:
      - /volume1/docker/codeserver/config:/config
    restart: unless-stopped
    networks:
      traefik:
    labels:
      traefik.enable: true
      traefik.http.routers.code-server.rule: Host(`vs.my-domain.com`)
      traefik.http.routers.code-server.entrypoints: web, websecure
      traefik.http.routers.code-server.tls: true
      traefik.http.routers.code-server.tls.certresolver: staging

networks:
  traefik:
    external: true

Now the issue :
Traefik is running fine, it can see code-server container with the Docker IP (not NAS IP) and port

But when I do vs.my-domain.com there are 2 cases :

I am lost on what to try next as I would like to keep the 80 and 443 port of Synology (for not exposed containers for example)

Additional info :

  • On portainer, when accessing traefik with console as /bin/sh, I can't ping my NAS
  • I am running a DNS server on Synology
    • When accessing from outside without local DNS, I am still redirected to port 5001 and the page loads and reloads and reloads forever

Thank you for your help

If you want to have Traefik listen only on one of the available IPs on the NAS, then define it in docker-compose.yml:

    ports:
      - 192.168.0.103:80:80

FYI the NAS is running on 192.168.0.48 over local network and 192.168.0.103 is created for macvlan only
I mean I do not know if I have to do

ip addr add 192.168.0.103/32 dev macvlan0

or

ip addr add 192.168.0.48/32 dev macvlan0

I've tried both in docker-compose with

    ports:
      - 192.168.0.103:80:80
      - 8080:8080

and

    ports:
      - 192.168.0.48:80:80
      - 8080:8080

but I have the same issue + infinite loop even on local and it still shows me a docker IP

  1. Do I have to turn ON or OFF Web Station ? As the result is not the same

  2. I've added redirect http to https in entrypoints

entrypoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
  traefik:
    address: :8080

On Synology reverse proxy, I have those and it works fine
(it's vscode and not vs as it was how it worked before trying to switch to traefik)

When I check the page with infinite loop, I can see this javascript

<body>
        <input type="hidden" id="http" name="http" value="5000">
        <input type="hidden" id="https" name="https" value="5001">
        <input type="hidden" id="prefer_https" name="prefer_https" value="false">
    </body>
    <script type="text/javascript">
        var protocol=location.protocol;
        var port=location.protocol === "https:" ? 5001 : 5000;
        var URL=protocol+"//"+location.hostname+":"+port+location.pathname+location.search;
        location.replace(URL);
    </script>

Thank you

Ok I FINALLY got it.

As I said, I run a DNS Server on the Synology. When I tried to access vs.my-domain.com, DNS Server was sending back the IP of my Synology instead of the IP of Traefik. I had to change ns.my-domain.com type A from 192.168.0.48 to 192.168.0.102 (Traefik IP). On my router I have to do the same thing to redirect external access to Traefik.

And yes, reverse proxies set in Synology DSM still work as Traefik is part of Synology

WebStation HAS to be ON to avoid infinite redirect.

If others have the issue, I'll post the final route and docker-compose that work

route

ip link add macvlan0 link eth0 type macvlan mode bridge
ip addr add 192.168.0.103/32 dev macvlan0
ip link set macvlan0 up
ip route add 192.168.0.102/31 dev macvlan0

docker-compose

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    ports: #Removed other ports otherwise it tries to link to the Synology
      - 8080:8080
    networks:
      macvlan:
      traefik:
[...]

traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: false

entrypoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
    http:
      tls:
        certresolver: staging
  traefik:
    address: :8080

ping : {}

log:
  level: debug

accessLog:
  filePath: "/etc/traefik/access.log"

serversTransport:
  insecureSkipVerify: true

api:
  dashboard: true
  insecure: true
  debug: true


providers:
  docker:
    endpoint: tcp://socket-proxy:2375
    exposedByDefault: false
  file:
    filename: /etc/traefik/rules.yaml

certificatesResolvers:
  staging:
    acme:
[...]

Now I'll have to deal with certificates
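
The root cause found above (local DNS answering with the NAS address instead of Traefik's macvlan address) and the shim route can be checked together. This is an added example, not part of the original posts: the function name and the DNS answers are constructed for illustration, and the addresses are the ones quoted in the thread.

```python
import ipaddress as ipa

def check_layout(subnet, ip_range, shim_addr, shim_route, nas_ip, dns_answers):
    """Return findings for a macvlan + host-shim layout; an empty list means consistent."""
    subnet, ip_range, shim_route = (
        ipa.ip_network(n) for n in (subnet, ip_range, shim_route))
    shim, nas = ipa.ip_address(shim_addr), ipa.ip_address(nas_ip)
    findings = []

    if not ip_range.subnet_of(subnet):
        findings.append(f"ip_range {ip_range} is outside subnet {subnet}")
    # The host cannot talk to its own macvlan children through eth0, so the
    # route on macvlan0 must cover every address Docker may hand out.
    if not ip_range.subnet_of(shim_route):
        findings.append(f"route {shim_route} does not cover ip_range {ip_range}")
    # Neither host-side address may fall inside the container range.
    for label, addr in (("shim", shim), ("NAS", nas)):
        if addr in ip_range:
            findings.append(f"{label} address {addr} collides with ip_range {ip_range}")
    # Names served by Traefik must resolve to a container address, not the NAS.
    for name, answer in dns_answers.items():
        addr = ipa.ip_address(answer)
        if addr == nas:
            findings.append(
                f"{name} resolves to the NAS ({addr}): DSM answers and "
                "redirects to 5000/5001")
        elif addr not in ip_range:
            findings.append(f"{name} resolves to {addr}, outside {ip_range}")
    return findings

# Addresses as quoted in the thread.
PAGE = dict(subnet="192.168.0.0/24", ip_range="192.168.0.102/32",
            shim_addr="192.168.0.103", shim_route="192.168.0.102/31",
            nas_ip="192.168.0.48")
# Constructed DNS answers: before and after the A record change.
BEFORE = {"vs.my-domain.com": "192.168.0.48"}
AFTER = {"vs.my-domain.com": "192.168.0.102"}

if __name__ == "__main__":
    for label, answers in (("before", BEFORE), ("after", AFTER)):
        print(label, check_layout(**PAGE, dns_answers=answers) or "consistent")
```

On the NAS itself, the value to feed in as the DNS answer is whatever the local DNS server currently returns for the hostname.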
