Configure container to use an existing bridge with VLANs

I am running LXC on an OpenWrt host, and the networking is set up the OpenWrt way. Currently, I have a Linux container that comes up on its own bridge on this device. I need a way to make it part of my network, which is zoned off with VLAN 10.

I think it should be possible to attach the container to my existing br-lan bridge so that I can assign it to VLAN 10, but I have not been able to implement it.

For reference, below is the network config where the container is on its own bridge along with the container’s config. Can I simply use an appropriate container config to attach to the existing bridge or will I need to modify it as well?

# LXC configuration for the "pihole" container as first posted: the container
# is attached to its own bridge (lxcbr0), not to br-lan or any of its VLANs.

# Distribution configuration
# Pulls in the shared LXC defaults shipped with the distribution.
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = aarch64
# NOTE(review): no lxc.idmap entries appear in this file, so unless an included
# file sets them the container presumably runs privileged - confirm before
# attaching it to a trusted network.

# Container specific configuration
# Root filesystem is a plain directory on the host.
lxc.rootfs.path = dir:/mnt/data/lxc/pihole/rootfs
# Hostname seen inside the container.
lxc.uts.name = pihole

# Network configuration
# veth pair whose host-side end is attached to the lxcbr0 bridge.
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
# Static address in 10.0.4.0/24; the host's 'lxc' interface on lxcbr0 is
# 10.0.4.1 in /etc/config/network. No gateway is configured here.
lxc.net.0.ipv4.address = 10.0.4.250/24
/etc/config/network
# OpenWrt network configuration as first posted. br-lan carries VLANs 3-7 and
# 10 tagged on eth0; each VLAN has an 802.1q sub-interface and a static
# interface on top of it. The container bridge lxcbr0 is separate from br-lan.
# NOTE(review): traffic between these networks is governed by
# /etc/config/firewall, which is not shown here.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3c:e2af:62b3::/48'
	option packet_steering '2'
	option steering_flows '128'

# WAN-side NIC; IPv6 disabled on the device.
config device
	option name 'eth1'
	option ipv6 '0'

# LAN bridge. eth0 is its only port at this point.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

# The 'lan' network lives on VLAN 10 (br-lan.10); the router is 10.9.8.1/24.
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.9.8.1'
	option netmask '255.255.255.0'
	option delegate '0'

# Static WAN; 'my.public.ip' and 'my.public.gateway' are placeholders left by
# the author in place of the real values.
config interface 'wan'
	option device 'eth1'
	option proto 'static'
	option ipaddr 'my.public.ip'
	option netmask '255.255.255.192'
	option gateway 'my.public.gateway'
	option delegate '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

# One bridge-vlan section per VLAN on br-lan. In every section eth0 is a
# tagged (':t') member, so eth0 acts as a trunk for VLANs 3-7 and 10.
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '6'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'eth0:t'

# VLAN 10 is the VLAN used by the 'lan' interface above.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:t'

# Separate bridge for the container; bridge_empty lets it exist with no ports
# listed (the container's veth is attached by LXC via lxc.net.0.link).
config device
	option type 'bridge'
	option name 'lxcbr0'
	option ipv6 '0'
	option bridge_empty '1'

# 802.1q sub-interfaces of br-lan, one per VLAN ID, referenced by the
# interface sections in this file.
config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config device
	option name 'br-lan.4'
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option ipv6 '0'

config device
	option name 'br-lan.5'
	option type '8021q'
	option ifname 'br-lan'
	option vid '5'
	option ipv6 '0'

config device
	option name 'br-lan.6'
	option type '8021q'
	option ifname 'br-lan'
	option vid '6'
	option ipv6 '0'

config device
	option name 'br-lan.7'
	option type '8021q'
	option ifname 'br-lan'
	option vid '7'
	option ipv6 '0'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

# Per-VLAN networks: each interface gives the router a static /24 address on
# one VLAN sub-interface.
# VLAN 3
config interface 'guest'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '10.9.7.1'
	option netmask '255.255.255.0'
	option delegate '0'

# VLAN 4
config interface 'homeoffice'
	option device 'br-lan.4'
	option proto 'static'
	option ipaddr '10.9.6.1'
	option netmask '255.255.255.0'
	option delegate '0'

# VLAN 5
config interface 'iot'
	option device 'br-lan.5'
	option proto 'static'
	option ipaddr '10.9.5.1'
	option netmask '255.255.255.0'
	option delegate '0'

# VLAN 6
config interface 'vpn'
	option device 'br-lan.6'
	option proto 'static'
	option ipaddr '10.9.4.1'
	option netmask '255.255.255.0'
	option delegate '0'

# VLAN 7; auto '0' means this interface is not brought up at boot.
config interface 'vpn2'
	option device 'br-lan.7'
	option proto 'static'
	option ipaddr '10.9.3.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option auto '0'

# Host address on the container bridge; same /24 as the container's
# 10.0.4.250 in the LXC config.
config interface 'lxc'
	option device 'lxcbr0'
	option proto 'static'
	option ipaddr '10.0.4.1'
	option netmask '255.255.255.0'

I believe that I figured it out after carefully reading the lxc.container.conf man page.

On OpenWrt host

  1. Compiled in kmod-bond (not sure if needed)
  2. Create a virtual ethernet, I used veth0
  3. Edit my br-lan device, adding veth0 to the bridge's ports list, then add veth0 to VLAN 10 as untagged and primary VLAN (PVID)

After some trial and error here is the working network config section of the container config:

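# Attach the container to the existing br-lan bridge as a member of VLAN 10.
lxc.net.0.type = veth
# Fixed name for the host-side end of the veth pair, so that
# /etc/config/network can refer to it as a bridge port.
lxc.net.0.veth.pair = veth0
lxc.net.0.link = br-lan
# Untagged VLAN membership of the host-side veth on the bridge.
lxc.net.0.veth.vlan.id = 10
lxc.net.0.ipv4.address = 10.9.8.69/24
# 10.9.8.1 is the host's 'lan' address on br-lan.10, i.e. the container's
# gateway. As posted, this line was a second ipv4.address, which would give
# the container the router's own IP and leave it without a default route.
lxc.net.0.ipv4.gateway = 10.9.8.1
lxc.net.0.flags = up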

For completeness, here is the diff of my /etc/config/network from the one I posted above. I hope this helps someone out one day.

--- a/etc/config/network
+++ b/etc/config/network
@@ -19,6 +19,7 @@ config device
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0' 
+       list ports 'veth0'
 
 config interface 'lan'
        option device 'br-lan.10'
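Review bot: The added `list ports 'veth0'` lands after `option ipv6 '0'`, away from `list ports 'eth0'`; keeping the two list entries adjacent makes the bridge's membership readable at a glance. Because br-lan also carries VLANs 3-7 tagged on eth0, a comment such as `# veth0: host end of the pihole LXC container, member of VLAN 10 only` would record that this port is meant to join one VLAN and no others. The `config device` section starts above the hunk.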
@@ -66,6 +67,7 @@ config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth0:t'
+       list ports 'veth0:u*'
 
 config device
        option type 'bridge'
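Review bot: `veth0:u*` makes VLAN 10 the untagged PVID of the container port, and VLAN 10 is the network of the `lan` interface (`br-lan.10`, 10.9.8.1), so the container now shares a segment with the router's LAN address instead of sitting behind its own lxcbr0 subnet. The firewall configuration is not part of this diff, so it is worth confirming that the rules applied to `lan` are the ones intended for the container. veth0 is listed under VLAN 10 only, which keeps the other VLANs off the container port for as long as no other `bridge-vlan` section names it.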
@@ -115,6 +117,11 @@ config device
        option vid '10'
        option ipv6 '0' 
 
+config device
+       option type 'veth'
+       option name 'veth0'
+       option ipv6 '0'
+
 config interface 'guest'
        option device 'br-lan.3'
        option proto 'static'
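Review bot: The new `veth` device section names the interface `veth0`, the same name the container config requests with `lxc.net.0.veth.pair = veth0`, and nothing in the diff says which of the two is expected to create it. If both try, one of them may find the name already taken at start-up; that is inferred rather than shown on the page, so it should be checked on the device. A comment such as `# veth0 is the host end of the pihole container's veth pair (lxc.net.0.veth.pair)` would at least document the coupling between the two files.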