Fixing Docker Macvlan Isolation on Proxmox with systemd

When running Docker on a Proxmox host, many administrators run into a frustrating and often misunderstood networking issue: the Proxmox host cannot ping or connect to Docker containers that use a macvlan network — even though other machines on the LAN can. This behavior isn’t a bug — it’s by design. But with a few well-placed systemd scripts, you can fix it cleanly and persistently. Here’s how.

The Problem: Macvlan Isolation by Design

Docker’s macvlan network driver gives containers direct access to the LAN. Each container gets its own MAC and IP address, and behaves like a first-class network citizen. ...

May 31, 2025 · 3 min · 586 words

Setting Up a Secure Ghost Blog with Docker Compose and Caddy Reverse Proxy

In this post, we’ll demonstrate how to securely set up a Ghost blog using Docker Compose with a focus on network isolation. The stack will consist of three containers: Ghost, MySQL (version 8), and Caddy (as a reverse proxy with automatic SSL certificates provided by Let’s Encrypt). We’ll ensure that only ports 80 and 443 are exposed by Caddy, while MySQL remains isolated on an internal network.

Network Design

web network: This public network will host Caddy, allowing external access only through Caddy.
internal network: This private network will be used exclusively for communication between the Ghost and MySQL containers, with no external exposure.

Docker Compose Configuration

We’ll define everything in a docker-compose.yml file. This file will configure the services, networks, and volumes required for the setup. ...

October 12, 2024 · 3 min · 575 words