Network isolation for a container: do I need to use a software-defined switch?

googleg · Post by **googleg** » Wed Nov 20, 2024 3:28 am

Hi all,
I have a TS-251+ on which I need to spin up a container that must be completely isolated from my LAN.

The two NICs of the NAS are connected to two different ports on a switch which are tagged as VLAN1 (for the LAN) and VLAN10 is my DMZ.

I want to be 100% certain that the container cannot reach any hosts on the LAN, including the NAS itself, and vice versa (e.g. cannot ping the container from the NAS console).

If I understood correctly the various opions for creating a virtual switch, what I need is a software-defined virtual switch, attached to my interface on VLAN10 - am I correct?

Thank you for the confirmation.

dolbyman · Post by **dolbyman** » Wed Nov 20, 2024 3:47 am

No, a software defined switch would be to bridge traffic between both ports, but you want to have each port in it's own (V)LAN

googleg · Post by **googleg** » Wed Nov 20, 2024 4:31 am

Thanks for your answer.

I am still struggling to have the complete isolation. If I add VLAN10 on my interface Adapter1, I give it an IP say 10.0.0.14, and I do NOT attach it any virtual switch, I can still ping it from the NAS IP:

sudo ping 10.0.0.14 -I 192.168.1.14
Password:
PING 10.0.0.14 (10.19.10.14) from 192.168.1.14: 56 data bytes
64 bytes from 10.0.0.14: seq=0 ttl=64 time=0.164 ms
64 bytes from 10.0.0.14: seq=1 ttl=64 time=0.133 ms
64 bytes from 10.0.0.14: seq=2 ttl=64 time=0.134 ms
64 bytes from 10.0.0.14: seq=3 ttl=64 time=0.144 ms
^C

That should not be the case.

Obviously I am missing something so any help will be more than welcome

dolbyman · Post by **dolbyman** » Wed Nov 20, 2024 4:40 am

Where is that ping coming from ?

googleg · Post by **googleg** » Wed Nov 20, 2024 4:41 am

From the NAS cli (ssh)...

dolbyman · Post by **dolbyman** » Wed Nov 20, 2024 4:48 am

Check if the NAS added a static route between both networks

Network&Virtual switch > Network/Route

googleg · Post by **googleg** » Wed Nov 20, 2024 4:59 am

I do not have a static route but indeed I have a connected route in my routing table.

I guess this is normal and to achieve through isolation I need to add some firewall rules.

googleg · Post by **googleg** » Wed Nov 20, 2024 9:09 pm

...currently looking at network namespaces to achieve this isolation, will report on my findings here.

googleg · Post by **googleg** » Thu Nov 21, 2024 6:09 am

So afer quite a lot of trial and error I finally came to the conclusion that the network isolation works but the fact that I can ping the interface attached to my DMZ VLAN using the source address of the interface connected to the LAN still seems very odd to me.

QNAP NAS Community Forum

Network isolation for a container: do I need to use a software-defined switch?

Network isolation for a container: do I need to use a software-defined switch?

Re: Network isolation for a container: do I need to use a software-defined switch?

Re: Network isolation for a container: do I need to use a software-defined switch?

Re: Network isolation for a container: do I need to use a software-defined switch?

Re: Network isolation for a container: do I need to use a software-defined switch?

Re: Network isolation for a container: do I need to use a software-defined switch?

Re: Network isolation for a container: do I need to use a software-defined switch?

Re: Network isolation for a container: do I need to use a software-defined switch?

Re: Network isolation for a container: do I need to use a software-defined switch?