@ironicbadger
Last active December 6, 2024 14:17
## Host-side macvlan "shim": a macvlan parent interface cannot talk to its own child
## interfaces, so the host needs its own macvlan leg to reach the containers.
## Get the parent interface name (ovs_eth0 below) via `ip link`.
ip link add macvlan0 link ovs_eth0 type macvlan mode bridge
## Address for the host shim; 192.168.4.204/30 covers .204-.207.
## Note: the compose file below hands Docker 192.168.44.204/30 on subnet 192.168.44.0/24, so the
## shim address should sit on that same subnet and must not collide with an address Docker
## assigns there (traefik gets 192.168.44.204).
ip addr add 192.168.4.204/30 dev macvlan0
ip link set macvlan0 up
## Send traffic for the container range out of the shim rather than the parent interface.
ip route add 192.168.44.204/30 dev macvlan0
## Bridge network shared by traefik and the services it fronts; referenced as external below.
docker network create frontend
---
version: "2"
services:
  traefik:
    image: traefik
    container_name: tr
    volumes:
      - /volume2/appdata/traefik/config:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
    # These are the Cloudflare global API key variables; Traefik's cloudflare provider also
    # accepts a DNS-scoped token via CF_DNS_API_TOKEN, which limits what a leaked value can do.
    environment:
      - CLOUDFLARE_EMAIL=example@email.com
      - CLOUDFLARE_API_KEY=123
    # The docker provider (--providers.docker=true, ideally with exposedbydefault=false) is not
    # set here, so it must come from the static configuration in /etc/traefik for the labels
    # below to take effect.
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.email=example@email.com
    networks:
      # traefik is the only service with a LAN-facing (macvlan) address; the others are
      # reachable only through it over the frontend bridge
      macvlan:
        ipv4_address: 192.168.44.204
      frontend:
    restart: unless-stopped
  nginxtest:
    image: nginx
    container_name: nginxtest
    labels:
      - traefik.enable=true
      - traefik.http.routers.nginxtest.rule=Host(`test.domain.com`)
      - traefik.http.routers.nginxtest.entrypoints=websecure
      - traefik.http.routers.nginxtest.tls.certresolver=cloudflare
    networks:
      - frontend
    restart: unless-stopped
  minio:
    image: minio/minio
    container_name: minio
    volumes:
      - /volume1/minio:/data
    labels:
      - traefik.enable=true
      # console
      - traefik.http.routers.minio-console.rule=Host(`console.minio.domain.com`)
      - traefik.http.routers.minio-console.entrypoints=websecure
      - traefik.http.routers.minio-console.tls.certresolver=cloudflare
      - traefik.http.routers.minio-console.service=minio-console
      - traefik.http.services.minio-console.loadbalancer.server.port=9001
      # api
      - traefik.http.routers.minio.rule=Host(`minio.domain.com`)
      - traefik.http.routers.minio.entrypoints=websecure
      - traefik.http.routers.minio.tls.certresolver=cloudflare
      - traefik.http.routers.minio.service=minio
      - traefik.http.services.minio.loadbalancer.server.port=9000
    networks:
      - frontend
    environment:
      # placeholder credentials; replace before use
      - MINIO_ROOT_USER=123
      - MINIO_ROOT_PASSWORD=123
      - MINIO_BROWSER_REDIRECT_URL=https://console.minio.domain.com
    command: server --console-address :9001 /data
    restart: unless-stopped
networks:
  frontend:
    external: true
  macvlan:
    name: macvlan
    driver: macvlan
    driver_opts:
      parent: ovs_eth0
    ipam:
      config:
        - subnet: 192.168.44.0/24
          # Docker only assigns addresses from this /30; it must not overlap the host shim
          ip_range: 192.168.44.204/30
          gateway: 192.168.44.254
@tmerse

tmerse commented Dec 6, 2024

Thank you for sharing this!

One question that came up: Wouldn't multiple containers/stacks residing e.g. in different compose files suddenly be able to see each other/be exposed to each other where they weren't before and where there is strictly speaking no need?

If they are all under the same "frontend" network this would be the case, wouldn't it?
Is there any way to mitigate this (only expose them to traefik but not to each other where there is no need)?

Creating several "frontend" networks feels tiresome, as I like the elegance of only using a macvlan for traefik and leaving the rest mostly untouched.
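One way to address the concern above, as an added example that is not part of the gist: give each service its own network and attach Traefik to all of them, so services reach Traefik but not each other, and tell Traefik which network to use per container with the `traefik.docker.network` label. The network names `web-nginxtest` and `web-minio` are illustrative, and the gist's ACME and HTTP-redirect settings are omitted here for brevity.

```yaml
services:
  traefik:
    image: traefik
    container_name: tr
    volumes:
      - /volume2/appdata/traefik/config:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false  # route only containers that opt in
      - --entrypoints.websecure.address=:443
    networks:
      macvlan:
        ipv4_address: 192.168.44.204
      web-nginxtest:   # Traefik joins every per-service network...
      web-minio:
    restart: unless-stopped

  nginxtest:
    image: nginx
    labels:
      - traefik.enable=true
      - traefik.http.routers.nginxtest.rule=Host(`test.domain.com`)
      - traefik.http.routers.nginxtest.entrypoints=websecure
      - traefik.docker.network=web-nginxtest  # network Traefik must use to reach this container
    networks:
      - web-nginxtest  # ...but each service joins only its own, so nginxtest cannot reach minio

  minio:
    image: minio/minio
    command: server --console-address :9001 /data
    labels:
      - traefik.enable=true
      - traefik.http.routers.minio.rule=Host(`minio.domain.com`)
      - traefik.http.routers.minio.entrypoints=websecure
      - traefik.http.services.minio.loadbalancer.server.port=9000
      - traefik.docker.network=web-minio
    networks:
      - web-minio

networks:
  macvlan:
    external: true   # the macvlan network defined in the gist
  web-nginxtest:
    name: web-nginxtest  # fixed names so a stack in another compose file can join with external: true
  web-minio:
    name: web-minio
```

A service in a separate compose file opts in the same way: declare its network here, reference it there as `external: true`, and attach only that service and Traefik to it.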
