Container with WAN NAT and second NIC for LAN

miro · June 21, 2022, 5:06pm

Hello,
I have an Ubuntu 21.10 cloud instance which has several interfaces, one is connected to internet (ens3) and others connected to private networks.

I want to run lxc container with Ubuntu 22.04 which has internet access NAT through one nic and access to one of the private networks (ens13 - 192.168.1.0/24) through another nic.

If i create bridged network i am able to access all private networks.
I guess i should create routed 2 nic for lxc but how to configure them?

tomp · June 21, 2022, 9:06pm

Please take a look at How to get LXD containers get IP from the LAN with routed network

miro · June 22, 2022, 7:58am

Thank you for the reply.
The LXD host has WAN connection on ens3 and private network 192.168.1.0/24 on ens13
For accessing internet i need routed nic to ens3 and for accessing private net - a routed nic to ens13.
I created container with the settings from your tutorial:

lxc profile create garb_intranet

lxc profile edit garb_intranet << EOF
config:
  user.network-config: |
    version: 2
    ethernets:
        eth0:
            addresses:
            - 192.168.100.200/32
            nameservers:
                addresses:
                - 8.8.8.8
                search: []
            routes:
            -   to: 0.0.0.0/0
                via: 169.254.0.1
                on-link: true
        eth1:
            addresses:
            - 192.168.1.59/24
description: Galera Arbitrator Intranet (Production)
devices:
  eth0:
    ipv4.address: 192.168.100.200
    nictype: routed
    parent: ens3
    type: nic
  root:
    path: /
    pool: garb_intranet
    type: disk
name: garb_intranet
used_by:
EOF

lxc launch ubuntu:22.04 garb-intranet -p garb_intranet

Now i have container with eth0 192.168.100.200/32 and gateway 169.254.0.1
Host has additional vethb5c9d2ad attached with IP 169.254.0.1/32
Still no internet, i added iptables rule:

iptables -t nat -A POSTROUTING -s 192.168.100.200/32 -o ens3 -j SNAT --to-source 51.210.186.123

Using SNAT instead of MASQUERADE because ens3 has multiple public IPs attached and not all of them may be attached on this host instance (it’s main purpose is load balancing). Internet started working.

How can i set the iptables rule permanent on reboot?
Is it possible to configure iptables in lxc profile? Or should i include it in Ubuntu netplan config for ens3?

How to configure second nic in lxc? If i add eth1 in profile devices

  eth1:
    ipv4.address: 192.168.1.59
    nictype: routed
    parent: ens13
    type: nic

then launching lxc shows error:

Creating garb-intranet
Error: Failed instance creation: Failed creating instance record: Failed initialising instance: Invalid devices: Device validation failed for "eth0": Existing NIC "eth1" already uses "ipv4.gateway" in auto mode

miro · June 22, 2022, 8:50am

I tried adding bridge br0 to ens13 and using nictype: bridged for the profile and it seems to be working good.

lxc profile edit garb_intranet << EOF
config:
  user.network-config: |
    version: 2
    ethernets:
        eth0:
            addresses:
            - 192.168.100.200/32
            nameservers:
                addresses:
                - 8.8.8.8
                search: []
            routes:
            -   to: 0.0.0.0/0
                via: 169.254.0.1
                on-link: true
        eth1:
            addresses:
            - 192.168.1.59/24
description: Galera Arbitrator Intranet (Production)
devices:
  eth0:
    ipv4.address: 192.168.100.200
    nictype: routed
    parent: ens3
    type: nic
  eth1:
    nictype: bridged
    parent: br0
    type: nic
  root:
    path: /
    pool: garb_intranet
    type: disk
name: garb_intranet
used_by:
EOF