Choosing the interface Incus NATs out to

When I create a Bridge network, Incus will always use the host’s IP address to NAT the traffic to the outside world. My host’s primary IP is on a special VLAN, so I’d like the traffic to instead be NAT-ed out through a different interface.

Side note: what does bridge.external_networks do? I would’ve thought that this would’ve been what I was looking for.

bridge.external_interfaces is a way to add physical network interfaces on your host into the bridge.

We have ipv4.nat.address that you can use to pick what IPv4 address should be used for the traffic NAT-ed on the way out of the bridge.

But that won’t control what interface the traffic goes out of your host; that part is handled by your host’s routing table and routing policy, not by Incus.

Then policy routing is what’s needed: you can set a different default route for traffic with a particular source IP address.

    # Add to /etc/iproute2/rt_tables
    150       backdoor

Temporary test: say the VLAN device is “br-oob”, the source IP is 192.168.15.22, and the gateway is 192.168.15.1

    ip rule add from 192.168.15.22 table backdoor
    ip route add default via 192.168.15.1 dev br-oob metric 100 table backdoor
    ip route add 192.168.15.0/24 dev br-oob proto kernel scope link src 192.168.15.22 table backdoor

Permanent implementation via netplan YAML:

    br-oob:
      routing-policy:
        - {from: 192.168.15.22, table: 150}
      routes:
        - {to: 0.0.0.0/0, via: 192.168.15.1, metric: 100, table: 150}
        - {to: 192.168.15.0/24, scope: link, from: 192.168.15.22, table: 150}
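As an added example (not code from this thread or from Incus), the POSIX shell script below applies the same rule and routes idempotently, sets ipv4.nat.address on the Incus bridge so the NAT-ed packets actually carry the source address the rule matches on, and asks the kernel which interface such a packet would leave through. The bridge name "incusbr0", the DRY_RUN switch and the script name are assumptions; the addresses, device and table number are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: set up the source-based policy routing
# above idempotently, point Incus's NAT at that source, and verify egress.
# Assumed: bridge "incusbr0", VLAN device "br-oob", NAT source 192.168.15.22,
# gateway 192.168.15.1, table 150. DRY_RUN=1 prints commands instead of running
# them (real runs need root).
BRIDGE="${BRIDGE:-incusbr0}"
DEV="${DEV:-br-oob}"
SRC="${SRC:-192.168.15.22}"
GW="${GW:-192.168.15.1}"
NET="${NET:-192.168.15.0/24}"
TABLE="${TABLE:-150}"
DRY_RUN="${DRY_RUN:-0}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Incus NATs bridge traffic from ipv4.nat.address; the "from $SRC" rule
# below matches nothing unless that address is the out-of-band one.
set_incus_nat_address() {
  run incus network set "$BRIDGE" ipv4.nat.address="$SRC"
}
have_rule()  { ip rule show 2>/dev/null | grep -q "from $SRC lookup"; }
have_route() { ip route show table "$TABLE" 2>/dev/null | grep -q "^$1 "; }

# Add the rule and both routes only when missing, so re-running is safe.
ensure_policy_routing() {
  if [ "$DRY_RUN" = 1 ] || ! have_rule; then
    run ip rule add from "$SRC" table "$TABLE"
  fi
  if [ "$DRY_RUN" = 1 ] || ! have_route default; then
    run ip route add default via "$GW" dev "$DEV" metric 100 table "$TABLE"
  fi
  if [ "$DRY_RUN" = 1 ] || ! have_route "$NET"; then
    run ip route add "$NET" dev "$DEV" proto kernel scope link src "$SRC" table "$TABLE"
  fi
}

# Ask the kernel which way a packet sourced from $SRC would leave (203.0.113.1
# is a documentation address); a correct setup answers with "dev $DEV".
verify_egress() {
  ip route get 203.0.113.1 from "$SRC" 2>/dev/null | grep -q "dev $DEV "
}

main() {
  set_incus_nat_address
  ensure_policy_routing
  verify_egress && echo "traffic from $SRC now leaves via $DEV"
}
# Usage: sudo ./nat-egress.sh apply   (DRY_RUN=1 ./nat-egress.sh apply to preview)
if [ "${1:-}" = apply ]; then main; fi
```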