# Docker and Networking-related Questions


languid snow

On my home network, most of my IoT devices are on a dedicated VLAN, however I also have my security cameras on their own VLAN, and Sonos speakers separated as well. In my docker-compose file, I am presenting multiple network interfaces (using macvlan networking type) to the HA docker container, and I am able to see all the different networks and check each one in HA's settings UI. In fact, I am able to Discover devices on multiple networks and it all just seems to work. The "default" network is my home LAN (yet another separate VLAN) and Apps on mobile devices and client PCs work fine.

However, my question basically is... is this really the "cleanest" way to run it? Would I be better off (and future-proof for Matter, so I'm told?) to run the HA docker container in host mode (forwarding ports at layer 3, etc)?

How does that then work for communicating directly on multiple networks? If a server that is running Docker is multi-homed at the OS-level (w/IP addresses configured on each interface), will the HA docker container and daemon just listen and communicate on all interfaces, but more at the OS-level?

I'd really like to avoid running all the communications to HA through my router if possible, as the camera feeds are fairly high bandwidth.
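A docker-compose fragment of the kind the post describes, added here as an illustration and not the poster's own file: one macvlan network per VLAN, each bound to an 802.1Q subinterface already present on the host, with the container given a static address on each. The interface names (eth0.10/20/30), VLAN layout, subnets and addresses are all assumed.

```yaml
# Added example, not the poster's compose file. Assumes the host already has
# 802.1Q subinterfaces eth0.10 (home LAN), eth0.20 (IoT) and eth0.30 (cameras);
# every VLAN, subnet and address below is made up for illustration.
services:
  homeassistant:
    image: ghcr.io/home-assistant/home-assistant:stable
    container_name: homeassistant
    restart: unless-stopped
    volumes:
      - ./config:/config
    networks:
      lan:
        ipv4_address: 192.168.10.50   # address the mobile apps and client PCs talk to
        priority: 100                 # connected first; intended to carry the default route
                                      # (which interface wins is engine-version dependent)
      iot_vlan:
        ipv4_address: 192.168.20.50   # direct presence on the IoT VLAN for discovery
      cam_vlan:
        ipv4_address: 192.168.30.50   # camera streams arrive here without crossing the router

networks:
  lan:
    driver: macvlan
    driver_opts:
      parent: eth0.10                 # host subinterface for the home LAN VLAN
    ipam:
      config:
        - subnet: 192.168.10.0/24
          gateway: 192.168.10.1
          ip_range: 192.168.10.48/28  # keep outside the VLAN's DHCP pool to avoid collisions
  iot_vlan:
    driver: macvlan
    driver_opts:
      parent: eth0.20
    ipam:
      config:
        - subnet: 192.168.20.0/24
          gateway: 192.168.20.1
          ip_range: 192.168.20.48/28
  cam_vlan:
    driver: macvlan
    driver_opts:
      parent: eth0.30
    ipam:
      config:
        - subnet: 192.168.30.0/24
          gateway: 192.168.30.1
          ip_range: 192.168.30.48/28
```

One known limitation of the macvlan driver to keep in mind: the Docker host itself cannot reach the container over the parent interface, so anything running on the host that needs HA must go through another path.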

sharp eagle
> languid snow: On my home network, most of my IoT devices are on a dedicated VLAN, however I al...

if you want to avoid all data going through the router then your solution is probably the correct way to go about it.

you MIGHT be able to overcome this with a layer 3 switch, probably worth looking at

you could also maybe have a 2nd router on the network to handle vlan traffic coming into the HA setup and have iot devices use that as their gateway. but this makes for a pretty complicated network

rare hound

you really want to avoid having any network routing involved for stuff like sonos and matter/thread, which all rely on various discovery and communication methods that either can't be routed or need special handling.

so having multiple interfaces, one per network, probably is the best solution. it should be more or less equivalent for that to use several macvlan interfaces or to run with host networking where it can see multiple host network interfaces.

(fwiw, i ran into issues with having sonos devices on a separate subnet before, since even though i set up multicast routing between subnets, some applications set the TTL on the multicast service discovery packets to just '1' so the router dropped them... iirc nowadays their discovery also uses other methods like mdns, which is a whole other issue with multiple subnets...)

having a system with multiple interfaces on different subnets and an mdns repeater to make things discoverable across subnets is not a combination that works well.

languid snow

yeah I am actually using an mDNS repeater on my router for SONOS already, just to make it so the Desktop and Mobile apps can access the speakers. I have not really set up any Plex or Sonos integrations yet on HA, but I'll test it with adding the SONOS VLAN as a direct interface within the container.

good to know macvlan is somewhat of an accepted setup, last time I brought it up on forums (a couple years ago) it was generally scoffed at and the insinuation was that I was doing it wrong if I wasn't running in Host mode.

rare hound

yeah, macvlan should be (assuming you don't hit any weird limitations in the network hardware) equivalent to essentially installing a second network card in the machine connected to the same network, and passing that network card through to the container.

there's a bit of overhead from the kernel effectively having to run an ethernet bridge in software, and on some cheap network cards (which don't support multiple mac addresses in hardware) it might require switching the card into "promiscuous" mode, making the kernel handle traffic in software that normally would have been dropped/ignored by the hardware.

an example of problems with multi-homed devices and mdns repeaters is that if a device makes an mdns query on one network, the repeater can forward to the other network, and then the device receives the query it just made and answers it, which gets forwarded back by the repeater, so it receives its own answer. This can cause issues with allocation of ".local" hostnames, since devices need to periodically check if there's any other conflicting devices so they can change their hostname. This can trigger a loop of the device seeing itself, then changing its hostname to avoid the conflict, repeating forever.

i think home assistant is set up to at least partially avoid that problem by sending mdns queries it makes only on the interface configured with the "default" route, see https://www.home-assistant.io/integrations/network/ - but that does mean it's still relying on the mdns repeater even if it's connected directly to a second network with mdns discoverable devices.