
I am trying to get a macvlan network to work on Docker. It has been deployed properly, but I cannot get it to be accessible. See related thread by me on Server Fault.

I have tried deploying it on my laptop, desktop and on an Oracle VM. I have tried activating promiscuous mode everywhere with sudo ip link set promisc on and also in my VM's settings. Also turning it on simultaneously for the host, the VM and the docker adapter.

An unexpected behaviour I have noticed reading the output of docker network ls is that the containers won't get a mac address unless I manually assign them one.

Nothing has worked. Also, sometimes, I inspect the network with ip -d link and promiscuous mode has a "2" instead of a "1" next to it. I don't know why that would be the case.

I have tried looking up whether my wireless card on my laptop is able to do promiscuous mode at all, but I cannot find relevant information online. Is there a reliable way to find out whether my network cards are capable of using it or not?

I should also mention that the same behaviour happens when I try through a wired connection.

Centaro

1 Answer


Should maybe the router also be configured to accept promiscuous mode? I haven't found any setting that indicates so.

The actual setting you're looking for is a bit different and specific to Wi-Fi.

There's no "promiscuous mode" setting in your router because promiscuous mode is by its nature a receiver-side thing – it only tells your network interface to accept frames that it is already receiving (but which have the wrong destination MAC address); it does not communicate with the rest of the network about the mode being enabled.

So, for example, promiscuous mode on an old-style "shared medium" Ethernet network would've allowed you to receive packets meant for other hosts because they were already arriving, and were only discarded at your end based on destination MAC address being unknown. On the other hand, the same mode is nearly ineffective on a switched Ethernet network because the switches only send packets through specific links – packets not meant for you never arrive on your interface. And although Wi-Fi is a "shared medium" network, the entire wireless side is still behind a bridge (the AP) and will never see stray packets from the wired side.

But promiscuous mode is only about receiving misaddressed frames – not sending. A much bigger issue with Wi-Fi is that unlike Ethernet, a Wi-Fi connection is not symmetric – only the access point gets to send packets with any source MAC address; Wi-Fi client devices cannot do that. The MAC address that your device "associated" from is the only MAC address that you can send packets from. (This is completely unlike Ethernet, which has no separate "association" and where any connected device can use any MAC address it wants.)

Behind the scenes, Wi-Fi packets have three or four MAC addresses instead of the usual two; in addition to "source" and "destination" you also have "transmitting radio" and "receiving radio". Normally only three are used, as for packets sent by clients, "transmitter" and "source" MAC addresses are always the same (and vice versa, for packets that you receive from the AP, "destination" is the same as "receiver"). This means that it is impossible for you to send packets that have the macvlan interface's MAC address on them; there's no "source MAC" field in the packets (and putting it in the "transmitter" field would cause them to be rejected by the AP as "packets from unassociated station").

So in order for a Wi-Fi client to send "spoofed" MAC addresses (i.e. to act as a bridge), it needs to be switched to the "4-address" mode also known as "WDS bridge" mode. This can be done on Linux using the iw command – although not all Wi-Fi interfaces support it properly – and the router (Wi-Fi access point) must be configured to accept 4addr/WDS packets from your device; how to do it varies greatly and is usually not even supported by most access points.

grawity
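Added illustration, not part of grawity's answer or of any Docker/Linux code: a small decoder for the 802.11 data-frame MAC header that maps the address slots to their roles (receiver, transmitter, destination, source, BSSID) from the To-DS/From-DS bits, which is exactly the three-address versus four-address distinction the answer describes. All MAC addresses are constructed, locally administered values, and the frames are assembled in memory purely as sample input; nothing touches a radio. It shows why a client in normal (3-address) mode cannot carry a macvlan MAC as the source: for a station-to-AP frame the "source" and "transmitter" roles are the same field, and only the 4-address (WDS) form has a separate source slot.

```python
import struct

# Constructed, locally administered MAC addresses (not from any real network).
STA_MAC = "02:00:00:00:00:01"      # the Wi-Fi client's associated MAC
MACVLAN_MAC = "02:00:00:00:00:02"  # the MAC a macvlan container would want to send from
AP_BSSID = "02:00:00:00:00:aa"     # the access point (BSSID)
WIRED_HOST = "02:00:00:00:00:33"   # a host on the wired side of the AP's bridge

FC_TYPE_DATA = 2    # frame-control "type" value for data frames
FLAG_TO_DS = 0x01   # frame-control flags byte, bit 0
FLAG_FROM_DS = 0x02 # frame-control flags byte, bit 1


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_data_header(to_ds, from_ds, a1, a2, a3, a4=None):
    """Assemble the MAC header of an 802.11 data frame (subtype 0) as sample
    input for the parser below. Address 4 is present only when both DS bits are set."""
    fc0 = FC_TYPE_DATA << 2  # protocol version 0, type data, subtype 0
    fc1 = (FLAG_TO_DS if to_ds else 0) | (FLAG_FROM_DS if from_ds else 0)
    hdr = struct.pack("<BBH", fc0, fc1, 0)  # frame control + duration/ID
    hdr += mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3)
    hdr += struct.pack("<H", 0)  # sequence control
    if to_ds and from_ds:
        if a4 is None:
            raise ValueError("4-address frame needs an Address 4")
        hdr += mac_bytes(a4)
    return hdr


def parse_80211_data_header(frame):
    """Return the address roles of an 802.11 data frame, keyed by role name."""
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]  # little-endian frame control
    if (fc >> 2) & 0x3 != FC_TYPE_DATA:
        raise ValueError("not a data frame")
    to_ds = bool(fc & (FLAG_TO_DS << 8))
    from_ds = bool(fc & (FLAG_FROM_DS << 8))
    a1, a2, a3 = (mac_str(frame[o:o + 6]) for o in (4, 10, 16))
    if to_ds and from_ds:
        # WDS / 4-address: transmitter and source are separate fields.
        if len(frame) < 30:
            raise ValueError("4-address frame truncated")
        a4 = mac_str(frame[24:30])
        roles = dict(mode="4-address", receiver=a1, transmitter=a2,
                     destination=a3, source=a4)
    elif to_ds:
        # Station -> AP: Address 2 is both the transmitting radio and the source.
        roles = dict(mode="3-address", receiver=a1, bssid=a1,
                     transmitter=a2, source=a2, destination=a3)
    elif from_ds:
        # AP -> station: Address 1 is both the receiving radio and the destination.
        roles = dict(mode="3-address", receiver=a1, destination=a1,
                     transmitter=a2, bssid=a2, source=a3)
    else:
        # Ad-hoc / IBSS: no distribution system involved.
        roles = dict(mode="3-address", receiver=a1, destination=a1,
                     transmitter=a2, source=a2, bssid=a3)
    roles["to_ds"], roles["from_ds"] = to_ds, from_ds
    return roles


def source_bound_to_transmitter(roles):
    """True when the frame format gives the source no slot of its own."""
    return roles["source"] == roles["transmitter"]


# Constructed sample frames (headers only).
STA_TO_AP = build_data_header(True, False, AP_BSSID, STA_MAC, WIRED_HOST)
AP_TO_STA = build_data_header(False, True, STA_MAC, AP_BSSID, WIRED_HOST)
WDS_FROM_STA = build_data_header(True, True, AP_BSSID, STA_MAC, WIRED_HOST, MACVLAN_MAC)

if __name__ == "__main__":
    for name, frame in [("station->AP", STA_TO_AP), ("AP->station", AP_TO_STA),
                        ("4addr station->AP", WDS_FROM_STA)]:
        roles = parse_80211_data_header(frame)
        print(name, roles["mode"], "source==transmitter:",
              source_bound_to_transmitter(roles), roles)
```

Running it shows that in the ordinary station-to-AP frame the source address is necessarily the station's own associated MAC, while only the 4-address frame carries the macvlan MAC in a distinct source slot; that is the frame the AP must be willing to accept before macvlan over Wi-Fi can work at all.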