Docker Networking Explained: Bridge vs Host vs Macvlan

If you run Docker containers in your homelab, understanding how Docker networking works is essential. Every container you launch needs to communicate — with other containers, with the host machine, and with devices on your local network. Docker provides several network drivers to handle these scenarios, and picking the right one can make or break your self-hosted setup.

In this article, we'll break down the three most commonly used Docker network drivers in homelab environments: bridge, host, and macvlan. You'll learn how each one works, when to use it, and how to configure it with practical examples.

What Are Docker Network Drivers?

Docker's networking subsystem is pluggable and uses drivers to provide core networking functionality. Several drivers exist by default. According to the official Docker documentation, the built-in network drivers include:

bridge — The default network driver for standalone containers

host — Removes network isolation between container and host

overlay — Connects multiple Docker daemons together (used with Swarm)

ipvlan — Gives containers control over IP addressing

macvlan — Assigns a MAC address to a container, making it appear as a physical device

none — Disables all networking for a container

For most homelab and self-hosting use cases, you will work primarily with bridge, host, and macvlan. Let's dive into each one.

The Bridge Network Driver

The bridge driver creates a private internal network on the Docker host. Containers attached to a bridge network can communicate with each other, while being isolated from networks that are not connected to that bridge. This is the default driver if you do not specify one.

How the Default Bridge Works

When you install Docker, it automatically creates a default bridge network called docker0. According to Cisco's exploration of Docker networking, this acts like a virtual switch that connects containers effortlessly. Each container gets a virtual Ethernet interface (_veth_) that connects it to the bridge, and Docker's built-in IPAM driver provides container interfaces with private IP addresses from the subnet of the bridge network.

Note: The default bridge network does not provide automatic DNS resolution between containers. Containers on the default bridge can only communicate with each other using IP addresses, not container names.

Custom Bridge Networks

For production and homelab use, Docker recommends creating custom bridge networks instead of relying on the default docker0 bridge. Custom bridge networks offer:

Automatic DNS resolution — Containers can resolve each other by container name

Better isolation — Only containers on the same custom bridge can communicate

Configurable subnet and gateway — You control the IP range

To create a custom bridge network:

bash

docker network create --driver bridge my-bridge-network

You can also specify a custom subnet and gateway:

bash

docker network create --driver bridge --subnet=172.20.0.0/16 --gateway=172.20.0.1 my-custom-bridge

Once the network exists, you can attach containers to it at runtime:

bash

docker run -d --name my-container --network my-bridge-network nginx

When to Use Bridge Networking

Bridge networking is ideal for:

Running multiple containers that need to talk to each other on a single host

Isolating groups of services (e.g., one bridge for your database stack, another for your web apps)

Scenarios where you do not need containers to appear as separate devices on your physical LAN

Most typical self-hosted applications like WordPress + MySQL, or a reverse proxy + backend services

Note: Containers on a bridge network can reach the outside world through NAT, but they are not directly reachable from the local network unless you publish ports with -p.

The Host Network Driver

The host driver removes network isolation between the container and the Docker host. When you use the host network mode, the container shares the host's networking namespace — it does not get its own IP address, and it binds directly to the host's interfaces.

How Host Networking Works

According to the official Docker documentation, if you run a container that binds to port 80 and use host networking, the container's application is available on port 80 on the host's IP address. There is no port mapping or NAT involved.

To run a container with host networking:

bash

docker run --network host nginx

Key Characteristics of Host Networking

No port mapping — The container uses the host's ports directly. If your container listens on port 8080, it will be available on port 8080 on the host's IP

No container IP — You cannot use docker inspect to find a separate IP for the container

Performance — Since there is no bridge or NAT, network performance is identical to running the application natively on the host

Security implications — The container has direct access to the host's network stack, which reduces isolation

When to Use Host Networking

Host networking is useful when:

You need maximum network performance (e.g., for high-throughput applications)

Your application needs to listen on many ports and you do not want to specify them all with -p flags

You are running network monitoring tools or VPN servers that require direct access to host interfaces

You are running a service that needs to access the host's network interfaces directly

Note: Host networking is not supported on Docker Desktop for Mac and Windows in the same way as on Linux. It is supported on Docker Desktop version 4.34 and later, but with different behavior.

Drawbacks in a Homelab

You cannot run two containers that both need to bind to the same port

You lose port-level isolation between containers and the host

Services are exposed on the host's IP without any firewall or NAT layer from Docker

The Macvlan Network Driver

The macvlan driver is one of the most powerful tools for homelab networking. It allows you to assign a MAC address to a container, making it appear as a physical device on your network. The container gets its own IP address from your local LAN subnet, just like any other device on your network.

How Macvlan Works

According to Docker's official documentation, the macvlan driver connects Docker containers directly to host network interfaces through layer 2 segmentation. You designate a physical interface on your Docker host to use for the macvlan, along with the subnet and gateway of the network.

When you use macvlan, your container appears as a real device on your physical network. Other devices on your LAN can reach the container directly at its assigned IP, and the container can reach them without going through any Docker-level NAT.

Creating a Macvlan Network

To create a macvlan network that bridges with a given physical network interface:

bash

docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  -o parent=eth0 \
  my-macvlan-net

In this command:

-d macvlan specifies the macvlan driver

--subnet defines the IP range from which containers will receive addresses

--gateway is your network's gateway (usually your router)

-o parent=eth0 specifies the host's physical interface to bridge through

Using Macvlan in Docker Compose

A common pattern in the homelab community is to define an external macvlan network in Docker Compose and assign static IPs to containers. Here is an example based on practical self-hosted setups:

yaml

version: "3.8"

networks:
  macvlan_net:
    external: true

services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    networks:
      macvlan_net:
        ipv4_address: 192.168.1.100
    environment:
      - TZ=America/New_York
      - WEBPASSWORD=your-password
    volumes:
      - ./pihole/etc:/etc/pihole
      - ./pihole/dnsmasq:/etc/dnsmasq.d

In this example, the Pi-Hole container gets the IP 192.168.1.100 on the local LAN and acts as a DNS server for the entire network — just like a physical device.

When to Use Macvlan

Macvlan is ideal for:

Services that need their own IP — DNS servers (Pi-Hole, AdGuard Home), DHCP servers, or any service that needs to be addressable on your LAN

Legacy applications — As noted in the Portainer documentation, macvlan is sometimes the best choice for legacy applications that expect to be directly connected to the physical network

Simplifying firewall rules — Each container gets its own IP, so you can apply firewall policies per container rather than per port on the host

Eliminating Docker NAT — Traffic flows directly between the container and your LAN without address translation

Limitations of Macvlan

One-to-one parent interface mapping — Each macvlan network can only bridge one physical interface at a time. As noted in the libnetwork documentation on GitHub: "There can be only one network attached to a parent interface at a time"

Host cannot reach containers — By default, the Docker host cannot communicate directly with containers on a macvlan network. A workaround is to create a macvlan interface on the host itself in the same subnet

No DHCP — You must assign IPs manually or let Docker's IPAM handle it

Requires the physical interface — Macvlan only works if the host has a physical (or virtual) interface on the target network

Bridge vs Host vs Macvlan: Decision Guide

|---|---|---|---|

| Port mapping needed | Yes (-p flag) | No | No |

| DNS resolution by name | Yes (custom bridge only) | N/A | Yes |

Practical Homelab Scenarios

Scenario 1: Web Stack with Reverse Proxy

Use a custom bridge network. Place your reverse proxy (Nginx, Traefik, Caddy) and your web application containers on the same bridge. The reverse proxy can resolve containers by name and forward traffic internally. Expose only the reverse proxy's ports to the host.

Scenario 2: Network-Wide DNS Service

Use macvlan to give your Pi-Hole or AdGuard Home container its own IP on the LAN. Point your router's DHCP settings to that IP, and every device on your network uses your container as its DNS server.

Scenario 3: High-Performance Application

Use host networking for applications where every millisecond counts — for example, a gaming server, a real-time data pipeline, or a VPN gateway. Just be mindful of port conflicts.

Scenario 4: Isolated Development Environment

Use the default bridge for quick testing, or a custom bridge when you need name resolution. This keeps your experiments isolated from your production containers.

Troubleshooting Tips

Container Can't Communicate with Others

Check which network the container is attached to:

bash

docker inspect my-container | grep -A 10 "Networks"

Or use the dedicated command:

bash

docker network inspect my-bridge-network

This displays all containers connected to that network and their IP addresses.

Macvlan: Host Can't Reach Container

This is expected behavior by default. To work around it, you can create a macvlan interface on the host with the same parent interface and assign it an IP address in the Docker network's subnet, as documented in the official Docker docs.

Port Already in Use with Host Networking

Since host networking shares the host's namespace, you cannot run two containers that bind to the same port. Use a different port in one container, or switch to bridge networking with port mapping.

DNS Resolution Fails on Default Bridge

As mentioned earlier, the default bridge does not support DNS-based container discovery. Switch to a custom bridge network to resolve containers by name.

Conclusion

Understanding Docker networking is a critical skill for any homelab enthusiast. The bridge driver is your go-to for most self-hosted applications, providing solid isolation and easy container-to-container communication. The host driver gives you raw performance and direct port access when you need it. The macvlan driver is the secret weapon for making containers behave like first-class citizens on your physical network.

Each driver has its place. By matching your networking strategy to your use case, you can build a self-hosted environment that is both powerful and well-organized. Start with custom bridge networks for most services, then reach for macvlan when you need containers to exist directly on your LAN, and use host mode sparingly for performance-critical workloads.

For the official nitty-gritty details, always refer to the Docker documentation on network drivers. Happy container networking!

Docker Networking Explained: Bridge vs Host vs Macvlan for Your Homelab

Docker Networking Explained: Bridge vs Host vs Macvlan

What Are Docker Network Drivers?

The Bridge Network Driver

How the Default Bridge Works

Custom Bridge Networks

When to Use Bridge Networking

The Host Network Driver

How Host Networking Works

Key Characteristics of Host Networking

When to Use Host Networking

Drawbacks in a Homelab

The Macvlan Network Driver

How Macvlan Works

Creating a Macvlan Network

Using Macvlan in Docker Compose

When to Use Macvlan

Limitations of Macvlan

Bridge vs Host vs Macvlan: Decision Guide

Practical Homelab Scenarios

Scenario 1: Web Stack with Reverse Proxy

Scenario 2: Network-Wide DNS Service

Scenario 3: High-Performance Application

Scenario 4: Isolated Development Environment

Troubleshooting Tips

Container Can't Communicate with Others

Macvlan: Host Can't Reach Container

Port Already in Use with Host Networking

DNS Resolution Fails on Default Bridge

Conclusion

Related Articles

OpenClaw Agent Stuck: Root Causes and Fixes for Homelab Users

OpenClaw No Output / Empty Response Fix: A Homelab Practitioner's Guide to Debugging Silent Agent Failures

Why OpenClaw Is Not Responding: Full Fix Guide (2026)

6 Alternative CLI Tools I Immediately Install on Every Linux Machine — And Why You Should Too

More in Docker

GPU Not Used in Ollama? Full Fix Guide (NVIDIA / AMD) 2025

Best Apps to Run on TrueNAS for Your Homelab in 2025