How to expose containers / apps to a vlan !!???

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
I am new to apps and containers and struggling with them.

One of the issues is that apps / containers should communicate to the outside world via a couple of VLANs. For that, I think that I, depending on the situation, need ingress functionality or a reverse proxy like nginx or traefik (probably nginx).

There is a small video about Traefik setup (https://truecharts.org/charts/enterprise/traefik/how-to), but that one is far too simple. It assumes that:
- you use the truenas IP as reverse proxy IP and
- are going to replace the truenas GUI port numbers
Both are not OK, imho.

My requirements are different:
- the reverse proxy should use its own IP
- that IP is on another VLAN than the truenas GUI
- I will probably use multiple proxies, in order to send data to different VLANs (but let's start with one)
- IPv6 should be supported

Big question is how to do this?

I played around a bit with settings in the app setup like 'load balancer IP' (in two ways, a.b.c.d and a.b.c.d/24, no idea what is correct), but that does not seem to work.

So the big question is "what does work !!??" to expose the apps/containers to the outside world, given the requirements as described above.


sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Kubernetes networking is hard and even if you can work out what you want to do, SCALE/TrueCharts will likely not have provided the controls for the bits you need to touch.

There are some hacks that generate the impression that a container is on a different IP than the host, but routing can then be problematic, so forget that.

I suggest what you will need to do to get what you're asking for and avoid insanity is:

Create a Bridge and attach to that VLAN.

Create a small VM and connect it to that bridge.

Run your reverse proxy of choice in that VM, pointing it at your Traefik instance.
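As an added illustration of that last step (example configuration written for this thread, not taken from sretalla's post, TrueNAS or TrueCharts), here is a minimal nginx configuration for the reverse proxy running inside the VM. It assumes the VM has its own IPv4 and IPv6 addresses on the VLAN bridge, that Traefik on the TrueNAS host is reachable from the VM at 192.0.2.2:9443, and that a certificate for media.example.net is already present; every address, port, hostname and path below is a placeholder taken from the documentation ranges, to be replaced with your own.

```nginx
# Added example, not from the thread: nginx inside the VM on the VLAN bridge.
# It listens only on the VM's own IPv4 and IPv6 addresses and forwards to the
# Traefik instance on the TrueNAS host. All addresses, hostnames and paths are
# placeholders (RFC 5737 / RFC 3849 documentation ranges).

upstream traefik_backend {
    # Assumed: Traefik on the TrueNAS host, reachable from the VM on this IP:port.
    server 192.0.2.2:9443;
}

server {
    # Bind explicitly to the VM's VLAN addresses rather than 0.0.0.0 / [::],
    # so the proxy is reachable only on the intended VLAN (IPv4 and IPv6).
    listen 192.0.2.10:443 ssl;
    listen [2001:db8:10::10]:443 ssl;
    server_name media.example.net;

    # Placeholder certificate paths; the VM terminates TLS on its own name.
    ssl_certificate     /etc/nginx/certs/media.example.net.pem;
    ssl_certificate_key /etc/nginx/certs/media.example.net.key;

    location / {
        proxy_pass https://traefik_backend;
        # Pass the original host and client address on to Traefik so its
        # routing rules and access logs still see the real request.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Plain HTTP on the same two addresses is only used to redirect to HTTPS.
server {
    listen 192.0.2.10:80;
    listen [2001:db8:10::10]:80;
    server_name media.example.net;
    return 301 https://$host$request_uri;
}
```

Because the VM, not the TrueNAS host, owns the two listen addresses, the proxy's IP sits on the chosen VLAN while the TrueNAS GUI ports are left untouched, which covers the "own IP", "other VLAN" and IPv6 points from the opening post; a second VM with the same layout on another bridge would give a second proxy for another VLAN.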

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
In the past I put a lot of effort into trying to turn TrueNAS / FreeNAS into a generic NAS & VM system supporting VLANs and IPv6. That was never successful. My actual feeling is that it will work now, if I use VMs (NOT Apps / docker).

However, before I definitively decide which way to take, I have to understand better what is possible with apps / docker, since they also have (maintenance) advantages. For example I am considering implementing locally used functionality (e.g. a media server) via containers and global functionality, e.g. a web or sftp server, via VMs.

However, the more time I spend digging into apps / containers, the more I think I am going to use VMs for nearly everything. For a private environment like mine, important Kubernetes functionality like cluster management and automatic pod reallocation etc. is ... not relevant.

PackElend

Explorer
Joined
Sep 23, 2020
Messages
60
I don't know if my use case is the same, but it goes in the same direction.
I have two hardware interfaces, one for system, one for home use.

I want my personal apps such as file sharing to be connected to ether1 only, and system apps such as syslog via ether2.

By the way, this thread talks about the same: https://www.truenas.com/community/threads/how-to-use-different-vlans-for-different-apps.107777

This could be helpful too https://www.truenas.com/community/threads/question-about-using-vlans-with-containers.93457/

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
Small update.

To start, my goal is to build one machine to be used as NAS and for a couple of other purposes running in VMs and maybe containers / Kubernetes. Since those apps have different purposes and need different security, I have them in different VLANs. To give a few examples: my NAS should be highly securely separated, so the NAS is in the GreenZone. I do not trust IoT equipment at all, so I have a separate IoT VLAN. The web server is exposed to the internet and is in the RedZone.

Since the very latest SCALE releases, this setup seems to be possible. At this moment I manage to come close to that goal using SCALE itself as NAS and using its VMs for the applications, where I logically connect the NAS functionality and the VMs all to the different / intended VLANs. It is not 100% yet, but better than ever.

Related to containers / apps / Kubernetes, it is complicated. I am not yet convinced. I started playing a bit with it for home internal apps like a media player or a graylog server, but at this moment .... I prefer VMs.

Trevor68

Contributor
Joined
Oct 15, 2021
Messages
130
I run a Windows 11 VM. I have just moved ALL my services onto it, so maybe that's what you want?
It runs Caddy as a service for reverse proxy, and Docker Desktop for most of the apps.

So far it's running Media Centre Master, uTorrent, Calibre, Caddy and xTeVe directly, and Calibre-Web, PhotoPrism, Syncthing, Bitwarden, Ofelia, MariaDB, Watchtower and Jellyseerr all in Docker.
The whole thing accesses the host via a bridge and SMB shares; works like a charm.

PackElend

Explorer
Joined
Sep 23, 2020
Messages
60
"Related to containers / apps / Kubernetes, it is complicated. I am not yet convinced. I start playing a bit with it for home internal apps like a media player or a graylog server, but at this moment"

Have you made any progress here?
What about using "Apps" -> "Launch Docker Image", as you can select VLAN interfaces there?