Bridging WiFi to LAN

I have a setup working reasonably well with an architecture like this:

The blue box is my Incus server.
It has three Ethernet NICs connecting with two independent modem/routers and with my internal LAN.
An OPNsense Virtual Machine with 4 NICs provides separation/connectivity and a couple of simple containers provide services to the Internet.

My current network setup on the server (called lxd for historical reasons :wink:) is quite simple:

mcon@lxd:~$ cat /etc/network/interfaces
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary (LAN/GREEN) network interface
auto enxa0cec887415e
iface enxa0cec887415e inet static
    address 192.168.7.99/24

# The secondary (WAN/RED) network interface
auto enp1s0
iface enp1s0 inet static
    address 192.168.1.99/24
    gateway 192.168.1.1

OPNsense V.M. setup is quite straightforward:

mcon@lxd:~$ incus config show opnsense2
architecture: x86_64
config:
  limits.cpu: 0,1
  limits.memory: 2GiB
  raw.qemu: |
    -cpu host
  raw.qemu.conf: |
    [device "dev-qemu_rng"]
  security.secureboot: "false"
  volatile.cloud-init.instance-id: 00264431-d0bc-4bc5-916b-d95a5e951406
  volatile.eth0.host_name: mac18e39b06
  volatile.eth0.hwaddr: 00:16:3e:43:77:c3
  volatile.eth0.last_state.created: "false"
  volatile.eth1.host_name: mac94db7f06
  volatile.eth1.hwaddr: 00:16:3e:96:cf:27
  volatile.eth1.last_state.created: "false"
  volatile.eth2.host_name: tap14f0fea6
  volatile.eth2.hwaddr: 00:16:3e:7d:c3:53
  volatile.eth3.host_name: mace2894b2d
  volatile.eth3.hwaddr: 00:16:3e:42:eb:33
  volatile.eth3.last_state.created: "false"
  volatile.last_state.power: RUNNING
  volatile.uuid: 9463442f-b5e1-4d70-ae0b-37c642dc3c87
  volatile.uuid.generation: 9463442f-b5e1-4d70-ae0b-37c642dc3c87
  volatile.vsock_id: "29"
devices:
  eth0:
    nictype: macvlan
    parent: enxa0cec887415e
    type: nic
  eth1:
    nictype: macvlan
    parent: enp1s0
    type: nic
  eth2:
    network: ORANGE
    type: nic
  eth3:
    nictype: macvlan
    parent: enxa0cec8b35133
    type: nic
  root:
    path: /
    pool: default
    size: 4GiB
    type: disk
ephemeral: false
profiles: []
stateful: false
description: Dual WAN setup for OPNsense

The ORANGE network and the two service containers are standard stuff and, with a bit of OPNsense setup, everything seems to work fine.

The problem arose when I wanted to use the WiFi adapter on lxd to provide wireless connectivity.

First I tried to hand the whole subsystem over to the V.M.
This would be preferred because OPNsense has provisions to handle WiFi, but it proved difficult because the WiFi adapter comes in the same “IOMMU group” with other stuff:

IOMMU Group 5:
	00:13.0 PCI bridge [0604]: Intel Corporation Celeron N3350/Pentium N4200/Atom E3900 Series PCI Express Port A #1 [8086:5ad8] (rev fb)
	00:13.1 PCI bridge [0604]: Intel Corporation Celeron N3350/Pentium N4200/Atom E3900 Series PCI Express Port A #2 [8086:5ad9] (rev fb)
	00:13.2 PCI bridge [0604]: Intel Corporation Celeron N3350/Pentium N4200/Atom E3900 Series PCI Express Port A #3 [8086:5ada] (rev fb)
	00:13.3 PCI bridge [0604]: Intel Corporation Celeron N3350/Pentium N4200/Atom E3900 Series PCI Express Port A #4 [8086:5adb] (rev fb)
	01:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [10ec:8168] (rev 0c)
	02:00.0 Network controller [0280]: Intel Corporation Wireless 3165 [8086:3165] (rev 81)

I could hand over both “Ethernet controller” and “Network controller” together, but my attempts to do so (essentially changing the relevant nictype: macvlan into nictype: physical) failed.

Following @stgraber's advice on IRC I tried to set up a bridge between wlan0 and enxa0cec887415e (LAN interface).
The bridge itself has an IP address because I need to be able to access lxd (which is headless) also when the Firewall is not running for some reason.
To this end I changed

mcon@lxd:~$ cat /etc/network/interfaces
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The secondary (WAN/RED) network interface
auto enp1s0
iface enp1s0 inet static
    address 192.168.1.99/24
    gateway 192.168.1.1

#iface enxa0cec887415e inet manual
#iface enxa0cec8b35133 inet manual
#iface wlan0 inet manual

auto wbr0
iface wbr0 inet static
    bridge_ports enxa0cec887415e wlan0
    address 192.168.7.99/24

and also changed in opnsense2 configuration:

...
  eth0:
    nictype: macvlan
    parent: wbr0
    type: nic
...

This did not work at all because I could reach lxd server, but apparently packets were not forwarded to Firewall (i.e.: I could ping/ssh/whatever 192.168.7.99 but 192.168.7.254 was “unreachable”).
I also had a very strange behavior: incus console lxd:opnsense2 --type=vga would fail with error:

Error: Get "https://192.168.7.99:8443/1.0": Unable to connect to: 192.168.7.99:8443 ([dial tcp 192.168.7.99:8443: connect: connection refused])

opnsense2 V.M. was “RUNNING”, but apparently not reachable.

I went back to previous config to be able to write this :wink:

Any hint on how to solve the problem (or otherwise work around it) would be very welcome.

Let’s tackle one problem at a time

  1. My understanding of macvlan is to avoid use of any bridges. So it seems weird to me that you are trying to mix both bridges and macvlan.

    So you either
    A. Choose to use macvlan and delete all bridges
    B. Choose to make bridges and forget about macvlan.

  2. Beware: when you choose to use macvlan, the lxd host cannot reach its VM instances by default. You need to do some workarounds in order to make this happen.

docker with macvlan has the same kind of issue

  3. For your use case, I would recommend the use of a bridge (not macvlan). For this, I think you would have to use a nictype of “bridged”.
  4. Let’s give your Wi-Fi bridge an IP address of 192.168.7.99 and your OPN instance’s bridged interface an IP address of 192.168.7.254.

I believe, then, you should be able to ping your OPNsense from your LXD host.

I am not an Incus expert by any means. I might be wrong :slight_smile: But I hope my idea helps you out a little bit.

Thanks @prudentcircle,

Issue (2) is known and not relevant here.
My Firewall setup (LAN+WAN+DMZ) is fully working with no problem.
Problem arises only when I try to bring up the WiFi interface.

I am (was, actually) attempting to bridge WiFi to LAN on host, without touching Incus setup at all.

Anyways there’s something basic I don’t understand in network setup.
Now I’m leaving alone my firewall machine and I installed Incus on a spare server to experiment without disrupting my net.

This new server has 4 physical NICs:

1) USB - Bus 003 Device 002: ID 0b95:1790 ASIX Electronics Corp. AX88179 Gigabit Ethernet
2) USB - Bus 002 Device 002: ID 0e8d:7610 MediaTek Inc. WiFi
3) PCI - 02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 0c)
4) PCI - 04:00.0 Network controller: Broadcom Inc. and subsidiaries BCM43142 802.11b/g/n (rev 01)

(1) [enxa0cec8b43055] connected directly to my modem/router (192.168.2.1)
(2) currently unused
(3) [enp2s0] connected to my home LAN (192.168.7.x/24) and receives IP from my “real” firewall (i.e.: previous server).
(4) currently unused
I also have (5) internal Incus bridge (incusbr0)

  • First test: simple container with 2 NICs, second NIC is physical
    mcon@cinderella:~$ incus create images:debian/bookworm incus:test
    Creating test
    
    The instance you are starting doesn't have any network attached to it.
      To create a new network, use: incus network create
      To attach a network to an instance, use: incus network attach
    
    mcon@cinderella:~$ incus config device add incus:test eth0 nic nictype=macvlan parent=enp2s0
    Device eth0 added to test
    mcon@cinderella:~$ incus config device add incus:test eth1 nic nictype=physical parent=enxa0cec8b43055
    Device eth1 added to test
    mcon@cinderella:~$ incus start incus:test
    mcon@cinderella:~$ incus shell incus:test
    root@test:~# ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    28: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether a0:ce:c8:b4:30:55 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::a2ce:c8ff:feb4:3055/64 scope link 
           valid_lft forever preferred_lft forever
    36: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 00:16:3e:59:51:b2 brd ff:ff:ff:ff:ff:ff link-netnsid 0
        inet 192.168.7.216/24 metric 1024 brd 192.168.7.255 scope global dynamic eth0
           valid_lft 7163sec preferred_lft 7163sec
        inet6 fe80::216:3eff:fe59:51b2/64 scope link 
           valid_lft forever preferred_lft forever
    root@test:~# cd /etc/systemd/network
    root@test:/etc/systemd/network# cp eth0.network eth1.network 
    root@test:/etc/systemd/network# vi eth1.network 
    root@test:/etc/systemd/network# cat eth1.network 
    [Match]
    Name=eth1
    [Network]
    DHCP=true
    [DHCPv4]
    UseDomains=true
    root@test:/etc/systemd/network# systemctl restart systemd-networkd
    root@test:/etc/systemd/network# ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    28: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether a0:ce:c8:b4:30:55 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::a2ce:c8ff:feb4:3055/64 scope link 
           valid_lft forever preferred_lft forever
    36: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 00:16:3e:59:51:b2 brd ff:ff:ff:ff:ff:ff link-netnsid 0
        inet 192.168.7.216/24 metric 1024 brd 192.168.7.255 scope global dynamic eth0
           valid_lft 6795sec preferred_lft 6795sec
        inet6 fe80::216:3eff:fe59:51b2/64 scope link 
           valid_lft forever preferred_lft forever
    root@test:/etc/systemd/network# systemctl status systemd-networkd
    ● systemd-networkd.service - Network Configuration
         Loaded: loaded (/lib/systemd/system/systemd-networkd.service; disabled; preset: enabled)
        Drop-In: /run/systemd/system/service.d
                 └─zzz-lxc-service.conf
         Active: active (running) since Tue 2024-01-09 17:55:40 UTC; 44s ago
    TriggeredBy: ● systemd-networkd.socket
           Docs: man:systemd-networkd.service(8)
                 man:org.freedesktop.network1(5)
       Main PID: 164 (systemd-network)
         Status: "Processing requests..."
          Tasks: 1 (limit: 4548)
         Memory: 1.5M
            CPU: 64ms
         CGroup: /system.slice/systemd-networkd.service
                 └─164 /lib/systemd/systemd-networkd
    
    Jan 09 17:55:40 test systemd-networkd[164]: eth1: Link UP
    Jan 09 17:55:40 test systemd-networkd[164]: eth1: Gained carrier
    Jan 09 17:55:40 test systemd-networkd[164]: lo: Link UP
    Jan 09 17:55:40 test systemd-networkd[164]: lo: Gained carrier
    Jan 09 17:55:40 test systemd-networkd[164]: eth0: Gained IPv6LL
    Jan 09 17:55:40 test systemd-networkd[164]: eth1: Gained IPv6LL
    Jan 09 17:55:40 test systemd-networkd[164]: Enumeration completed
    Jan 09 17:55:40 test systemd[1]: Started systemd-networkd.service - Network Configuration.
    Jan 09 17:55:40 test systemd-networkd[164]: eth0: Configuring with /etc/systemd/network/eth0.network.
    Jan 09 17:55:40 test systemd-networkd[164]: eth0: DHCPv4 address 192.168.7.216/24, gateway 192.168.7.254 acquired from 192.168.7.254
      
    root@test:/etc/systemd/network# vi eth1.network 
    root@test:/etc/systemd/network# cat eth1.network 
    [Match]
    Name=eth1
    [Network]
    Address=192.168.2.253/24
    
    root@test:/etc/systemd/network# systemctl restart systemd-networkd
    root@test:/etc/systemd/network# ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    28: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether a0:ce:c8:b4:30:55 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::a2ce:c8ff:feb4:3055/64 scope link 
           valid_lft forever preferred_lft forever
    36: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether 00:16:3e:59:51:b2 brd ff:ff:ff:ff:ff:ff link-netnsid 0
        inet 192.168.7.216/24 metric 1024 brd 192.168.7.255 scope global dynamic eth0
           valid_lft 6333sec preferred_lft 6333sec
        inet6 fe80::216:3eff:fe59:51b2/64 scope link 
           valid_lft forever preferred_lft forever
    root@test:/etc/systemd/network# ping -c3 192.168.2.1
    PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
    
    --- 192.168.2.1 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2028ms
    
    root@test:/etc/systemd/network# ping -c3 192.168.7.12
    PING 192.168.7.12 (192.168.7.12) 56(84) bytes of data.
    64 bytes from 192.168.7.12: icmp_seq=1 ttl=64 time=0.213 ms
    64 bytes from 192.168.7.12: icmp_seq=2 ttl=64 time=0.229 ms
    64 bytes from 192.168.7.12: icmp_seq=3 ttl=64 time=0.234 ms
    
    --- 192.168.7.12 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2052ms
    rtt min/avg/max/mdev = 0.213/0.225/0.234/0.009 ms
    root@test:/etc/systemd/network# ping -c3 ftp.funet.fi
    PING ftp.funet.fi (193.166.3.2) 56(84) bytes of data.
    64 bytes from ftp-test.nic.funet.fi (193.166.3.2): icmp_seq=1 ttl=50 time=63.8 ms
    64 bytes from ftp-test.nic.funet.fi (193.166.3.2): icmp_seq=2 ttl=50 time=63.5 ms
    64 bytes from ipv4.ftp.funet.fi (193.166.3.2): icmp_seq=3 ttl=50 time=63.4 ms
    
    --- ftp.funet.fi ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 63.391/63.581/63.826/0.181 ms
    root@test:/etc/systemd/network# systemctl status systemd-networkd
    ● systemd-networkd.service - Network Configuration
         Loaded: loaded (/lib/systemd/system/systemd-networkd.service; disabled; preset: enabled)
        Drop-In: /run/systemd/system/service.d
                 └─zzz-lxc-service.conf
         Active: active (running) since Tue 2024-01-09 18:03:24 UTC; 3min 19s ago
    TriggeredBy: ● systemd-networkd.socket
           Docs: man:systemd-networkd.service(8)
                 man:org.freedesktop.network1(5)
       Main PID: 174 (systemd-network)
         Status: "Processing requests..."
          Tasks: 1 (limit: 4548)
         Memory: 1.5M
            CPU: 51ms
         CGroup: /system.slice/systemd-networkd.service
                 └─174 /lib/systemd/systemd-networkd
    
    Jan 09 18:03:24 test systemd-networkd[174]: eth1: Link UP
    Jan 09 18:03:24 test systemd-networkd[174]: eth1: Gained carrier
    Jan 09 18:03:24 test systemd-networkd[174]: lo: Link UP
    Jan 09 18:03:24 test systemd-networkd[174]: lo: Gained carrier
    Jan 09 18:03:24 test systemd-networkd[174]: eth0: Gained IPv6LL
    Jan 09 18:03:24 test systemd-networkd[174]: eth1: Gained IPv6LL
    Jan 09 18:03:24 test systemd-networkd[174]: Enumeration completed
    Jan 09 18:03:24 test systemd[1]: Started systemd-networkd.service - Network Configuration.
    Jan 09 18:03:24 test systemd-networkd[174]: eth0: Configuring with /etc/systemd/network/eth0.network.
    Jan 09 18:03:24 test systemd-networkd[174]: eth0: DHCPv4 address 192.168.7.216/24, gateway 192.168.7.254 acquired from 192.168.7.254
    
    root@test:/etc/systemd/network# 
    logout
    

Apparently the physical NIC can’t be set up correctly.
Notice that systemctl status systemd-networkd does not show the line

Jan 09 18:47:57 test systemd-networkd[143]: eth1: Configuring with /etc/systemd/network/eth1.network.

which is present for eth0 and also below for the macvlan test (this even after systemctl daemon-reload and a full restart).

  • Second test: convert second NIC to macvlan
mcon@cinderella:~$ incus stop incus:test
mcon@cinderella:~$ incus config device set incus:test eth1 nictype=macvlan
mcon@cinderella:~$ ssh incus -- ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 60:02:92:57:66:c1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.7.213/24 brd 192.168.7.255 scope global dynamic enp2s0
       valid_lft 6316sec preferred_lft 6316sec
    inet6 fe80::6202:92ff:fe57:66c1/64 scope link 
       valid_lft forever preferred_lft forever
3: enxa0cec8b43055: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether a0:ce:c8:b4:30:55 brd ff:ff:ff:ff:ff:ff
4: wlx00c0cab2bd76: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:c0:ca:b2:bd:76 brd ff:ff:ff:ff:ff:ff
5: incusbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 00:16:3e:54:c8:5c brd ff:ff:ff:ff:ff:ff
    inet 10.127.15.1/24 scope global incusbr0
       valid_lft forever preferred_lft forever
mcon@cinderella:~$ incus start incus:test
mcon@cinderella:~$ incus exec incus:test -- ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
7: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:59:51:b2 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.7.216/24 metric 1024 brd 192.168.7.255 scope global dynamic eth0
       valid_lft 5824sec preferred_lft 5824sec
    inet6 fe80::216:3eff:fe59:51b2/64 scope link 
       valid_lft forever preferred_lft forever
8: eth1@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:3a:3f:f9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.2.100/24 brd 192.168.2.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe3a:3ff9/64 scope link 
       valid_lft forever preferred_lft forever
mcon@cinderella:~$ incus exec incus:test -- ping -c3 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
From 192.168.2.100 icmp_seq=1 Destination Host Unreachable
From 192.168.2.100 icmp_seq=2 Destination Host Unreachable
From 192.168.2.100 icmp_seq=3 Destination Host Unreachable

--- 192.168.2.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2044ms
pipe 3
mcon@cinderella:~$ incus exec incus:test -- ip r
default via 192.168.7.254 dev eth0 proto dhcp src 192.168.7.216 metric 1024 
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.100 
192.168.7.0/24 dev eth0 proto kernel scope link src 192.168.7.216 metric 1024 
192.168.7.254 dev eth0 proto dhcp scope link src 192.168.7.216 metric 1024 
mcon@cinderella:~$ ssh incus -- ifup enxa0cec8b43055
bash: line 1: ifup: command not found
mcon@cinderella:~$ ssh root@incus -- ifup enxa0cec8b43055
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/enxa0cec8b43055/a0:ce:c8:b4:30:55
Sending on   LPF/enxa0cec8b43055/a0:ce:c8:b4:30:55
Sending on   Socket/fallback
DHCPDISCOVER on enxa0cec8b43055 to 255.255.255.255 port 67 interval 4
DHCPOFFER of 192.168.2.62 from 192.168.2.1
DHCPREQUEST for 192.168.2.62 on enxa0cec8b43055 to 255.255.255.255 port 67
DHCPACK of 192.168.2.62 from 192.168.2.1
Timeout too large reducing to: 2147483646 (TIME_MAX - 1)
bound to 192.168.2.62 -- renewal in 2147483647 seconds.
mcon@cinderella:~$ incus exec incus:test -- ping -c3 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=3.04 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=1.72 ms
64 bytes from 192.168.2.1: icmp_seq=3 ttl=64 time=1.73 ms

--- 192.168.2.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.715/2.159/3.036/0.619 ms

macvlan seems to work as expected, but only if/when interface is already correctly set up on host.

Is this the expected behavior?
What am I missing?
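
In the second test above, the ping through the macvlan NIC only succeeds after the host-side parent (enxa0cec8b43055) has been brought up. As an added example, not written by anyone in this thread, the script below classifies a parent's state from `ip -o link show` output before a NIC is attached to it; the function names `parent_state` and `check_parents`, the `--live` switch and the sample lines (modelled on the host output above) are constructed for illustration.

```shell
#!/bin/sh
# Added example: host-side preflight for Incus NIC parents.
# Constructed sample in the one-line-per-link format of `ip -o link show`,
# modelled on the host output shown in the second test.
SAMPLE_LINKS='2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: enxa0cec8b43055: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
5: incusbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN'

# parent_state IFACE   (reads `ip -o link show` text on stdin)
# Prints one of: ready | no-carrier | admin-down | missing
parent_state() {
    want="$1"
    while IFS= read -r line; do
        rest=${line#*: }          # drop the leading "N: " index
        name=${rest%%:*}          # interface name, possibly "name@peer"
        name=${name%%@*}
        [ "$name" = "$want" ] || continue
        flags=${line#*<}          # text between "<" and ">"
        flags=${flags%%>*}
        case ",$flags," in
            *,UP,*) ;;                          # administratively up
            *) echo admin-down; return 0 ;;     # never brought up on the host
        esac
        case ",$flags," in
            *,LOWER_UP,*) echo ready ;;         # link layer has carrier
            *) echo no-carrier ;;               # up, but nothing attached
        esac
        return 0
    done
    echo missing
}

# check_parents LINKS_TEXT IFACE...
# Prints a small report and returns non-zero if any parent is not "ready".
check_parents() {
    links="$1"; shift
    rc=0
    for p in "$@"; do
        st=$(printf '%s\n' "$links" | parent_state "$p")
        printf '%-18s %s\n' "$p" "$st"
        [ "$st" = ready ] || rc=1
    done
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    # Check real interfaces on this host: ./script --live enp2s0 wbr0 ...
    shift
    check_parents "$(ip -o link show)" "$@"
else
    # Offline demo on the constructed sample (wlan0 is absent on purpose).
    check_parents "$SAMPLE_LINKS" enp2s0 enxa0cec8b43055 incusbr0 wlan0 || true
fi
```
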