Letsencrypt docker-compose macvlan / ipvlan

Hello all, new user here. I’m in the process of transitioning as much of what I host as I can to linuxserver images, so I’m working on one huge docker-compose file to do it with. (At this point, bitwarden_rs is the only thing I host that you don’t have an image for, but that’s neither here nor there).

I’ve seen the reverse proxy config samples for the letsencrypt container, (which fortunately has a bitwarden sample even if there’s no bitwarden image). I know that all my services need to be on the same network, which is fine, and right now I just have it setup to use the default bridged network.

I am on a Synology NAS though, so unfortunately ports 80 / 443 are in use. At the moment I am getting around this by having my router forward 80 / 443 to the ports I have nginx running on. But this means even requests from inside my home go out over the internet, which isn’t really ideal. Ideally, the requests would be handled by a private DNS server from within the house, and go out over the internet if I was outside of the house. But DNS doesn’t have a concept of ports as far as I know, so I think I need ports 80 / 443 for that.

I’m considering trying to run all my services on a macvlan network so I can give the letsencrypt container a static IP which should have 80 / 443. That way I can later set up a private DNS so that if I’m on my LAN my requests for self-hosted services shouldn’t go out over the internet.

It’s just hard to find macvlan examples, particularly using docker compose, and I wanted to ask if anyone had done anything of this nature using the linuxserver.io images, would the letsencrypt reverse proxy examples work on a macvlan network (I would assume so if all the services are attached to the same network), and maybe if whoever has done it has an example?

If there’s a better way altogether to achieve what I am after I am all ears as well. I am by no means a networking guru, I’ve only been running my own server for 2 or 3 months as it is.

Thanks

I believe if you do macvlan, you’ll run into a couple of annoyances.

  1. Each container will have its own IP, so you’ll have to modify all the preset proxy confs and use IPs instead of container names as DNS hostnames.

  2. macvlan blocks connections between the container and the host (security feature).

I think your best course of action is to change the Synology web GUI port and put letsencrypt on port 443. Your router should do NAT reflection or split DNS so internally the requests go to the syno directly rather than out and then back in.
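The layout discussed above, written out as an added example (mine, not from the posters or from linuxserver.io). Only the proxy sits on the macvlan network; the backend stays on an ordinary bridge, so the proxy still reaches it by container name (sidestepping annoyance 1) and nothing on the LAN can bypass the proxy to hit it directly. The parent interface, subnet, addresses, DNS plugin and domain are all assumptions.

```yaml
# Added example, not from the thread or linuxserver.io. Only the proxy is on the
# macvlan network (its own LAN address owns 80/443); the backend stays on a bridge
# where the proxy reaches it by name and LAN hosts cannot bypass the proxy.
# ASSUMED: parent NIC eth0, LAN 192.168.1.0/24, gateway .1, 192.168.1.240/28
# kept out of the router's DHCP pool, domain example.com.
version: "2.4"                 # 2.x ipam keeps gateway/ip_range (3.x drops them)
networks:
  lan_macvlan:
    driver: macvlan
    driver_opts:
      parent: eth0             # ASSUMED: the NAS interface facing the LAN
    ipam:
      config:
        - subnet: 192.168.1.0/24
          gateway: 192.168.1.1
          ip_range: 192.168.1.240/28   # the only addresses Docker may hand out
  backend:
    driver: bridge             # private: reachable only through the proxy
services:
  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: letsencrypt
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - URL=example.com        # ASSUMED domain
      - SUBDOMAINS=wildcard    # a wildcard cert can only be issued via DNS-01...
      - VALIDATION=dns         # ...so validate over DNS, not HTTP on port 80
      - DNSPLUGIN=cloudflare   # ASSUMED provider; API creds live in /config/dns-conf/
      - EMAIL=admin@example.com
    volumes:
      - ./letsencrypt:/config
    networks:
      lan_macvlan:
        ipv4_address: 192.168.1.241   # no ports: entry; the container is this host
      backend: {}
    restart: unless-stopped
  bitwarden:
    image: bitwardenrs/server  # bitwarden_rs; proxy conf upstream is the name "bitwarden"
    container_name: bitwarden
    volumes:
      - ./bitwarden:/data
    networks:
      - backend                # no macvlan address and no published ports
    restart: unless-stopped
```

Annoyance 2 still applies: the NAS itself cannot reach 192.168.1.241, so test the proxy from another LAN device rather than from the Synology shell.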

Thanks. I finally broke down and edited the three pertinent .mustache files to open up 80 / 443 (not that I’ll be using port 80, I think, but if I do I want it to use my own nginx rather than Synology’s).

I will look into NAT reflection / split DNS for the router. It’s a Netgear Nighthawk X8 (R8500 IIRC). I recently had DD-WRT on it which would certainly be able to do that as I think it has dnsmasq built in, but I reverted to the stock firmware so I could turn the LEDs off through the UI because I got tired of my cron-scheduled shell script to turn them off at night not always running. I may have to go back to DD-WRT, or maybe find a docker hosted DNS to point at.

Hi, I don’t know if my answer is still relevant but I think you’re doing the wrong thing by going through the mustache files to adjust ports to achieve your goal. I think you’d better use Synology’s built-in reverse proxy. This is the easiest way to securely reach your NAS from the outside.
For example, if you have your own domain name, the use of reverse proxy will only make it more user friendly.

I also own a Synology NAS and have been running several containers successfully for a few years without any problems. And not all the containers I have in use are from here.

The only container I use in combination with macvlan is Pi-hole, because I set it up in combination with a VPN to protect my entire LAN network.

For example, I run these containers:

  • baikal
  • bitwarden_rs-mysql
  • bookstack
  • fireflyiii
  • mariadb
  • mongo
  • nextcloud
  • portainer
  • rocket-chat
  • phpmyadmin
  • pi-hole
  • and a few others

Everything is set up to be accessed via reverse proxy and I also have a wildcard SSL certificate for https.

I didn’t want to use Synology’s Reverse Proxy for several reasons:

  1. It’s nowhere near as configurable in the GUI as nginx configuration files are.
  2. Its GUI is not capable of doing what I need to reverse proxy bitwarden_rs; there’s even a thread about it on their GitHub or something somewhere.
  3. I wanted to use DNS-01 challenges for a wildcard certificate, and Synology’s certificate manager isn’t capable of that.
  4. I don’t really like the idea of Synology setting up nginx for me in the first place. I didn’t buy a Synology because their UI is good, I bought it because it was cheaper than building a Linux server (and I couldn’t afford any more than four 12 TB WD Red drives). It was just a convenient method to set up a server.

So I basically had a couple of choices. One would be using a mixture of Reverse Proxy GUI and nginx configuration files to suit my needs, which is inconsistent, and besides it’s more painful to edit Synology’s nginx config anyway as most of it is controlled by the mustache files so even if you change it it will get reset the next time you change something in the Reverse Proxy GUI.

The second is just changing the mustache files to have Synology’s nginx run on different ports and pretty much ignoring it. I kept backups of the original mustache files just in case, but I don’t really see that I’m losing anything. I am already reverse proxying DiskStation Manager on my docker nginx (just to see if I could, I probably won’t continue to do this when I switch to linuxserver.io’s letsencrypt), and if I wanted to use their Photo server I could do the same there, but I don’t really have any desire to use Synology’s anything besides the box itself and basic administration tools like creating users / groups / etc.

I’d much rather have absolutely every service I host (besides basic ones like SAMBA and SSH) be in docker containers on trusted services like nginx, nextcloud, bitwarden, mariadb etc.
