Going mad trying to configure unrouted static ipv6 for my containers

You shouldn’t have to do this, as LXD will add that when the container starts.
Can you confirm this is occurring please?

You are right, I didn’t realize lxc does this for you.

root@poseidon:/etc/network/interfaces.d# lxc stop c19
root@poseidon:/etc/network/interfaces.d# ip -6 neighbour list proxy
root@poseidon:/etc/network/interfaces.d# lxc start c19
root@poseidon:/etc/network/interfaces.d# ip -6 neighbour list proxy
2606:#:#: a::c19 dev eth0 proxy

I presumed wrongly because the lxc container is in a stopped state when the host reboots.


That’s likely because the response is coming from a link-local fe80 address, which we think your ISP is filtering out.


I have set up a forward on the host and it’s working, but I have a single concern now: the target_address points to a private IPv6 address of the container set up by lxdbr0. What if the said private IPv6 address were to change? I wish there was an option to just specify the target_container_name instead of the IP. Is there a way to solve this?

Well, network forwards were specifically designed to not be locked to instances, so you could dynamically move the target address around if you wanted.

However, the proxy device is defined on a container, and can support two different modes:

  1. nat=false is then an actual proxy process and that can be targeted at the loopback address inside the container, so that is always static and independent of the container’s external IP address. However, you will lose the source address of any connecting clients.
  2. nat=true is then a DNAT firewall rule, the same as network forwards, so the source address is retained. This allows you to target the container’s main IP using [::] as the target address (see Type: proxy - LXD documentation). However, for that to work the container will need a static address that LXD knows about. To achieve this with bridged NIC devices, you need the parent network to have ipv6.dhcp.stateful enabled, and then ipv6.address defined on the container’s NIC. In this way the container will always be allocated the static IP assigned, and the DNAT rule will be configured to forward to that.
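
The nat=true setup described in the last reply, as an added example that is not part of the original thread. The function names, the `fwd<port>` device name and both addresses are placeholders chosen here; it assumes the NIC is inherited from a profile and that the container requests its address over DHCPv6.

```shell
#!/bin/sh
# Added example: pin a static IPv6 on a bridged NIC, then add a NAT-mode
# proxy device that targets it via [::]. Addresses used with it are placeholders.

# Execute a command, or only print it when DRY_RUN=1 (useful for review).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# pin_and_forward NETWORK INSTANCE NIC STATIC_V6 HOST_V6 PORT
pin_and_forward() {
    net=$1 inst=$2 nic=$3 static=$4 host=$5 port=$6

    # nat=true needs a concrete host address to listen on, not a wildcard.
    case $host in
        ::|'') echo "listen address must be a specific host IPv6" >&2
               return 1 ;;
    esac
    # Assumption of this example: refuse link-local (fe80::/10); the pinned
    # address should come from the bridge's own subnet.
    case $static in
        [Ff][Ee][89AaBb]*) echo "static address is link-local" >&2
                           return 1 ;;
    esac

    # 1. Stateful DHCPv6 on the parent bridge.
    run lxc network set "$net" ipv6.dhcp.stateful true || return 1
    # 2. Pin the address on the instance NIC (override copies the
    #    profile-provided NIC onto the instance with this key set).
    run lxc config device override "$inst" "$nic" \
        "ipv6.address=$static" || return 1
    # 3. NAT-mode proxy: connect=[::] resolves to the instance's static
    #    address, so the DNAT rule follows ipv6.address.
    run lxc config device add "$inst" "fwd$port" proxy \
        "listen=tcp:[$host]:$port" "connect=tcp:[::]:$port" nat=true
}
```

Run it with `DRY_RUN=1` first to review the three `lxc` commands before applying them; if the NIC is already defined on the instance itself, step 2 would be `lxc config device set` instead of `override`.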