Access instances in OVN from host

Hello,

I have set up OVN using a bridge as the parent interface. When I'm inside the instance, I can ping everything (the host, my router, other machines on my network, the internet), but from outside I cannot ping the instance. This is normal because I have set NAT to true on OVN. See the configuration:

networks:
- name: incusbr0
  type: bridge
  config:
    ipv4.address: 10.100.1.1/24
    ipv4.dhcp.ranges: 10.100.1.25-10.100.1.125
    ipv4.ovn.ranges: 10.100.1.126-10.100.1.226
    ipv6.address: fd12:3456:7890:1::1/64
    ipv6.dhcp.ranges: fd12:3456:7890:1::25-fd12:3456:7890:1::125
    ipv6.ovn.ranges: fd12:3456:7890:1::126-fd12:3456:7890:1::226
    ipv4.routes: 10.100.2.0/24
    ipv6.routes: fd12:3456:7890:2::/64
    bgp.ipv4.nexthop: 10.10.10.6
    bgp.ipv6.nexthop: 2a01::ffff
    bgp.peers.openwrt.address: 10.10.10.1
    bgp.peers.openwrt.asn: 65000
- name: incusovn
  type: ovn
  config:
    network: incusbr0
    ipv4.address: 10.100.2.1/24
    ipv4.nat: true
    ipv6.address: fd12:3456:7890:2::1/64
    ipv6.nat: true

If I remove the following lines

ipv4.nat: true
ipv6.nat: true

Then my instance cannot access anything (no internet, not the host, not other machines…).
So my question is: how can I allow access to my instance from the host or another machine, and the other way around?

There is no firewall enabled.


I also tried with physical, but with no success.

config:
  bgp.peers.openwrt.address: 10.10.10.1
  bgp.peers.openwrt.asn: "65000"
  dns.nameservers: 10.10.10.1
  ipv4.gateway: 10.100.1.1/24
  ipv4.ovn.ranges: 10.100.1.100-10.100.1.200
  ipv4.routes: 10.100.2.0/24
  ipv6.gateway: fd12:3456:7890::1/64
  ipv6.ovn.ranges: fd12:3456:7890:1::100-fd12:3456:7890::200
  ipv6.routes: fd12:3456:7890:2::/64
  ovn.ingress_mode: routed
  parent: br1010

In this configuration OVN takes 100% of the CPU.

(Disclaimer: I too am still learning). I believe we need to write forward rules and apply them onto the network. May want to look into “incus network forward …”

If I understand correctly, you want your LAN devices to have access to your instances in NAT.

I suggest just port forwarding, so you can keep your ovn setup. How to use the LXD Proxy Device to map ports between the host and the containers – Mi blog lah!

or route: https://discuss.linuxcontainers.org/t/how-to-access-lxd-containers-in-ovn-network-from-host/

or give up ovn: How to make your LXD containers get IP addresses from your LAN using a bridge – Mi blog lah!
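Both replies above point at forwarding as the way in while keeping the OVN NAT. As an added example (not code from the thread or from Incus), here is a small Python helper that checks a candidate listen address against the poster's incusbr0 uplink config and then emits `incus network forward` commands limited to explicit ports. It assumes the Incus rule that an OVN forward's listen address must lie in the uplink's `ipv4.ovn.ranges` or `ipv4.routes`, that the target must be inside the OVN subnet, and the `incus network forward create` / `port add` CLI syntax as I know it; `plan_forward` and `listen_address_allowed` are my own helper names and the addresses are constructed samples.

```python
import ipaddress

# Constructed sample: the relevant keys of the poster's incusbr0 uplink and
# the incusovn subnet, copied from the thread.
UPLINK = {
    "ipv4.dhcp.ranges": "10.100.1.25-10.100.1.125",
    "ipv4.ovn.ranges": "10.100.1.126-10.100.1.226",
    "ipv4.routes": "10.100.2.0/24",
}
OVN_SUBNET = ipaddress.ip_network("10.100.2.0/24")


def parse_ranges(spec):
    """Turn 'a-b,c-d' into (first, last) IPv4Address pairs; '' gives []."""
    pairs = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        first, last = item.split("-")
        pairs.append((ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return pairs


def listen_address_allowed(addr, uplink):
    """Assumed Incus rule: an OVN forward's listen address must lie in the
    uplink's ipv4.ovn.ranges or in one of its ipv4.routes subnets; an address
    from the uplink's DHCP pool is not usable."""
    ip = ipaddress.ip_address(addr)
    if any(lo <= ip <= hi for lo, hi in parse_ranges(uplink.get("ipv4.ovn.ranges", ""))):
        return True
    routes = filter(None, (r.strip() for r in uplink.get("ipv4.routes", "").split(",")))
    return any(ip in ipaddress.ip_network(r, strict=False) for r in routes)


def plan_forward(network, listen, target, ports, uplink=UPLINK):
    """Return the incus CLI calls for a forward that exposes only the given
    (protocol, listen_port, target_port) tuples, rejecting bad addresses.
    Per-port rules keep exposure narrow; a forward with target_address set and
    no port rules would relay every port to the instance."""
    if not listen_address_allowed(listen, uplink):
        raise ValueError(f"{listen} is not in the uplink's ovn.ranges or routes")
    if ipaddress.ip_address(target) not in OVN_SUBNET:
        raise ValueError(f"{target} is not inside the OVN subnet {OVN_SUBNET}")
    cmds = [f"incus network forward create {network} {listen}"]
    for proto, lport, tport in ports:
        cmds.append(f"incus network forward port add {network} {listen} "
                    f"{proto} {lport} {target} {tport}")
    return cmds


if __name__ == "__main__":
    for cmd in plan_forward("incusovn", "10.100.1.130", "10.100.2.20", [("tcp", "22", "22")]):
        print(cmd)
```

Run the printed commands on the host; the listen address then answers on the uplink side and only the listed ports reach the instance.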

Yes, I think you're right.