Understanding Recent Changes to TrueNAS Scale Apps & Viability of MACVLANs

Hi everyone,

I’m looking to better understand the recent changes to Apps in TrueNAS Scale and determine whether my desired setup is feasible. Currently, the apps can be assigned their IP, but due to a bug, ports aren’t allowed to overlap despite being on separate IPs, e.g. 80/443.

Goal: I’d like to have apps function similarly to jails in TrueNAS Core. I want all my apps to host their web interface on 80/443. Furthermore, I’d like to VPN traffic of that specific IP regardless of port at the router level.

Current Understanding: After researching, it seems that achieving this behaviour may require the use of MACVLANs. However, I’d appreciate further insights from the community regarding:

  • How MACVLANs work in the context of TrueNAS Scale. Will it be added to Scale in the future?
  • Whether they would provide the level of isolation and network control that jails offer in Core.

I’d really appreciate it if those who know better could explain things to me. Also, curiously, am I the only one who had this misconception about the new IPs for apps?

If anyone has experience with this approach or alternative solutions, I’d love to hear your thoughts. Thanks in advance!

1 Like

There’s a Feature Request you can vote for.

2 Likes

Recently I tried a little something regarding MACVLAN, could be interesting for you or someone, so I post it here. Most of the time I use Portainer and write my docker compose files myself to have full control over everything. And with that one can get around the TN GUI limitations/bugs.

  1. Create a macvlan interface:

docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  -o parent=enp8s0 \
  macvlan_enp8s0

  2. docker compose file example:

services:
  pihole:
    image: pihole/pihole
    restart: unless-stopped
    networks:
      macvlan_enp8s0:
        ipv4_address: 192.168.1.9

networks:
  macvlan_enp8s0:
    external: true

And so the “pihole” container has its LAN IP. Port mapping in the compose file is inherently irrelevant, because the container has its own IP. In this case, the pihole web GUI will be on 192.168.1.9:80

4 Likes

Yes, this is similar to what stux and others posted in the previously linked Feature Request thread.

It works, but the hope is that iXsystems adds actual support for the infrastructure.

3 Likes

I need to use macvlan for my TrueNAS Docker network, mainly because of Unbound and AdGuard. I’d like TrueNAS to “see” my apps.

I’ll have to use the command line for now.

Is there any estimated time for when this feature will be available in the user interface?

It may never be implemented. TrueNAS is looking into it. You can look at version 26 nightly to see if it is mentioned there but, otherwise, who knows at this time.

1 Like

I believed this until recently, but my need to have port 443 accessible repeatedly (in TrueNAS itself, PiHole, Reverse Proxy etc.) drove me to once again try to add a MACVLAN through Portainer. The network was saved, but the driver was marked as none. So, I tried to create the network on the command line and it worked on TrueNAS Scale 25.10.3 and 3.1.

MACVLAN solved the port conflict issue: each container has its own MAC address and LAN IP, so there are no port conflicts.

Maybe a little off-topic, but does anyone have an idea why the Portainer UI fails to add the macvlan driver where the command line succeeds? Could that bring any hidden problems that I didn’t see until now?
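As an added example (not code from this thread, from iXsystems or from the Docker project), here is a small POSIX sh helper that ties together the points raised above: the `docker network create` / compose setup for giving each container its own LAN IP and MAC, the wish for the TrueNAS host itself to “see” the containers (Linux macvlan blocks traffic between the parent interface and its children, so a host-side macvlan shim is needed), and keeping the pinned container addresses out of the router’s DHCP pool so the port-conflict fix does not turn into an address-conflict problem. It reuses the thread’s interface, subnet and gateway values and adds hypothetical ones of its own: a reserved container range `192.168.1.8/29`, a shim interface `macvlan-shim` and a shim address `192.168.1.250`.

```shell
#!/bin/sh
# Added example, not code from the thread: plan and sanity-check a Docker
# macvlan network on a TrueNAS SCALE host, plus the host-side macvlan "shim"
# interface that lets the host reach containers on the macvlan (by default
# Linux macvlan drops traffic between the parent interface and its children).
# Interface/subnet/gateway values are copied from the thread's example; the
# container range, shim name and shim address are assumptions.
PARENT=enp8s0
SUBNET=192.168.1.0/24
GATEWAY=192.168.1.1
NET_NAME=macvlan_enp8s0
# Assumed: the router's DHCP pool lies above .100, so containers are confined
# to a reserved slice (.8-.15) and the host shim gets an address outside both.
CONTAINER_RANGE=192.168.1.8/29
SHIM_IF=macvlan-shim
SHIM_IP=192.168.1.250

# ip4_to_int DOTTED -> prints the IPv4 address as an integer (POSIX sh only)
ip4_to_int() {
  _ifs=$IFS; IFS=.
  set -- $1
  IFS=$_ifs
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_subnet IP CIDR -> exit status 0 when IP lies inside CIDR
in_subnet() {
  _ip=$(ip4_to_int "$1")
  _net=$(ip4_to_int "${2%/*}")
  _hostbits=$(( 32 - ${2#*/} ))
  _block=1
  while [ "$_hostbits" -gt 0 ]; do
    _block=$(( _block * 2 )); _hostbits=$(( _hostbits - 1 ))
  done
  # same network prefix <=> same quotient when the host bits are divided away
  [ $(( _ip / _block )) -eq $(( _net / _block )) ]
}

# check_static_ip IP -> 0 if IP is safe to pin as ipv4_address in a compose file
check_static_ip() {
  if ! in_subnet "$1" "$SUBNET"; then
    echo "ERROR: $1 is outside $SUBNET" >&2; return 1
  fi
  if [ "$1" = "$GATEWAY" ] || [ "$1" = "$SHIM_IP" ]; then
    echo "ERROR: $1 collides with the gateway or the host shim" >&2; return 1
  fi
  if ! in_subnet "$1" "$CONTAINER_RANGE"; then
    echo "ERROR: $1 is outside the reserved range $CONTAINER_RANGE (DHCP collision risk)" >&2
    return 1
  fi
  return 0
}

# plan -> prints the commands to run as root on the host; executes nothing
plan() {
  cat <<EOF
docker network create -d macvlan --subnet=$SUBNET --gateway=$GATEWAY \\
  --ip-range=$CONTAINER_RANGE --aux-address=host=$SHIM_IP \\
  -o parent=$PARENT $NET_NAME
ip link add $SHIM_IF link $PARENT type macvlan mode bridge
ip addr add $SHIM_IP/32 dev $SHIM_IF
ip link set $SHIM_IF up
ip route add $CONTAINER_RANGE dev $SHIM_IF
EOF
}

case "${1:-}" in
  check) shift; for _a in "$@"; do check_static_ip "$_a" || exit 1; done ;;
  plan)  plan ;;
  apply) plan | sh -e ;;   # run as root on the TrueNAS host
esac
```

Run `sh macvlan-plan.sh check 192.168.1.9` before pinning an address in a compose file, `sh macvlan-plan.sh plan` to review the commands, and `apply` as root to execute them. `--ip-range` keeps Docker’s own allocations inside the reserved slice and `--aux-address` stops Docker from handing the shim’s address to a container. The `ip link`/`ip route` lines are not persistent across reboots, so on SCALE they belong in a post-init script. Two caveats: a container on the macvlan sits directly on the LAN, so nothing in the host’s Docker bridge filtering applies to it and any access control has to live at the router (which is also where the original poster wanted the per-IP VPN policy), and you must only use a parent interface the host is not otherwise relying on for promiscuous-mode-sensitive setups such as Wi‑Fi.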