docker – Is there any value in using macvlan/VLANs to create router aware networks to segment internet exposed containers vs non exposed containers?

I have a single home server with a single NIC. I intend to run numerous Docker containers — some will be internet exposed, some will not.

The way I see it, I have two options:

  1. Use the normal bridge network driver:
     1. Create 2 unique bridge networks to segment the traffic:
        1. One for internet-exposed Docker containers
        2. One for non-internet-exposed containers
     2. Use -p in my docker run to expose my host's ports for containers
     3. Use port forwarding on my router to redirect WAN ports to the necessary ports on the host
     4. For example:
        1. Docker networks: network1 and network2
        2. Docker containers: container1 on network1 and container2 on network2
        3. host:1234 maps to :2345 of container1 on network1
        4. host:5678 maps to :6789 of container2 on network2
        5. Port forwarding on my router to forward WAN:443 to host:1234
  2. Use macvlan:
     1. Create router-aware VLAN networks in Docker with containers in their own VLAN network
     2. No need to use -p with docker run since the containers have router-aware IPs and I can just access them using [IP of container]:[service port]
     3. Use port forwarding on my router to redirect WAN ports to the IP of the container
     4. For example:
        1. Docker networks: network3 on eth0.30 and network4 on eth0.40
        2. Docker containers: container3 on network3 and container4 on network4
        3. Port forward WAN:443 to [IP of container3]:2345

Both give the same end result. macvlan makes my containers router-aware. In one case the traffic is segmented by Docker; in the other it is segmented by my router and the 802.1q trunk.

I appreciate any thoughts, perspective, advice. TIA!
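The two layouts described in the question, written out as a single Compose file so the differences are visible side by side. This is an added example, not code from the original post: the image names are placeholders, the subnets 10.30.0.0/24 and 10.40.0.0/24 and the container addresses are constructed, and it assumes the VLAN sub-interfaces eth0.30 and eth0.40 already exist on the host (for example via `ip link add link eth0 name eth0.30 type vlan id 30`). Container and port names follow the question.

```yaml
# Added example (not from the original post): both layouts from the question in one
# docker-compose.yml. Image names are placeholders; subnets and addresses are constructed;
# eth0.30 and eth0.40 are assumed to exist on the host already.
services:

  # ---- Option 1: two user-defined bridge networks, segmented by Docker ----
  container1:
    image: example/exposed-service        # placeholder image
    networks: [network1]
    ports:
      - "1234:2345"                       # host:1234 -> container1:2345; the router forwards WAN:443 to host:1234

  container2:
    image: example/private-service        # placeholder image
    networks: [network2]
    # no "ports:" block: nothing is published on the host, so the router has nothing to forward to

  # ---- Option 2: macvlan networks on 802.1q sub-interfaces, segmented by the router ----
  container3:
    image: example/exposed-service        # placeholder image
    networks:
      network3:
        ipv4_address: 10.30.0.10          # constructed; the router forwards WAN:443 to 10.30.0.10:2345

  container4:
    image: example/private-service        # placeholder image
    networks:
      network4:
        ipv4_address: 10.40.0.10          # constructed

networks:
  network1:
    driver: bridge
  network2:
    driver: bridge
    internal: true                        # stricter than the question: no masquerading, so these containers cannot reach the internet outbound either
  network3:
    driver: macvlan
    driver_opts:
      parent: eth0.30                     # VLAN 30 sub-interface, must already exist on the host
    ipam:
      config:
        - subnet: 10.30.0.0/24            # constructed
          gateway: 10.30.0.1              # the router's address on VLAN 30 (constructed)
  network4:
    driver: macvlan
    driver_opts:
      parent: eth0.40                     # VLAN 40 sub-interface, must already exist on the host
    ipam:
      config:
        - subnet: 10.40.0.0/24            # constructed
          gateway: 10.40.0.1              # constructed
```

Two practical differences worth knowing before choosing. With option 1, Docker installs iptables isolation rules between user-defined bridges, so container1 and container2 cannot talk to each other, but the published port is a DNAT rule that Docker inserts ahead of host-level filters such as ufw and it listens on every host interface unless a host address is given (`"192.168.1.10:1234:2345"` style); `internal: true` on network2 goes a step beyond the question by also removing outbound internet access. With option 2, every port container3 listens on is reachable from VLAN 30, not only 2345, so any filtering has to be done at the router or firewall, and the host itself cannot reach macvlan containers through the parent interface without an extra macvlan shim interface, which matters if the host runs monitoring or a reverse proxy for them.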