You shouldn’t have to do this, as LXD will add that when the container starts.
Can you confirm this is occurring please?
You are right, I didn’t realize lxc does this for you.
root@poseidon:/etc/network/interfaces.d# lxc stop c19
root@poseidon:/etc/network/interfaces.d# ip -6 neighbour list proxy
root@poseidon:/etc/network/interfaces.d# lxc start c19
root@poseidon:/etc/network/interfaces.d# ip -6 neighbour list proxy
2606:#:#: a::c19 dev eth0 proxy
I presumed wrongly because the lxc container is in a stopped state when the host reboots.
That's likely because the response is coming from a link-local fe80 address, which we think your ISP is filtering out.
I have set up the forward on the host and it's working, but I have a single concern now: the target_address points to a private IPv6 address of the container set up by the lxdbr0. What if the said private IPv6 address were to change? I wish there was an option to just specify the target_container_name instead of the IP. Is there a way to solve this?
Well, network forwards were specifically designed to not be locked to instances, so you could dynamically move the target address around if you wanted.
However, the proxy device is defined on a container, and can support two different modes:
- nat=false is then an actual proxy process and that can be targeted at the loopback address inside the container, so that is always static and independent of the container’s external IP address. However you will lose the source address of any connecting clients.
- nat=true is then a DNAT firewall rule, the same as network forwards, so the source address is retained. This allows you to target the container’s main IP using [::] as the target address (see Type: proxy - LXD documentation). However for that to work the container will need a static address that LXD knows about. To achieve this with bridged NIC devices, you need the parent network to have ipv6.dhcp.stateful enabled, and then ipv6.address defined on the container’s NIC. In this way the container will always be allocated the static IP assigned, and the DNAT rule will be configured to forward to that.
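The nat=true setup described in the reply above, as an added example that is not part of the original thread: a shell function that enables stateful DHCPv6 on the bridge, pins the container's NIC address, and adds the DNAT proxy device with [::] as the connect address. The function name, the device name fwd<port>, and every address are constructed for illustration, and it assumes the eth0 NIC is inherited from a profile.

```shell
#!/bin/sh
# Added example, not from the thread. All names and addresses are constructed.
# Usage: ./pin_and_forward.sh c19 lxdbr0 eth0 fd42:db8:1::19 2001:db8:1::c19 443

pin_and_forward() {
    ct=$1 net=$2 nic=$3 static6=$4 listen6=$5 port=$6

    # nat=true is a DNAT rule, so it needs one concrete listen address;
    # refuse a wildcard before touching any configuration.
    case "$listen6" in
        ::|0.0.0.0|"")
            echo "listen address must be a specific IP for nat=true" >&2
            return 2 ;;
    esac

    # 1. Stateful DHCPv6 on the managed bridge, so LXD can hand out
    #    the address it has on record for the NIC.
    lxc network set "$net" ipv6.dhcp.stateful true || return 1

    # 2. Pin the address on the container's NIC. "override" copies a
    #    profile-inherited NIC onto the instance (assumption: eth0 comes
    #    from a profile; use "lxc config device set" if it is already local).
    lxc config device override "$ct" "$nic" "ipv6.address=$static6" || return 1

    # 3. Restart so the container requests its lease again and gets the
    #    pinned address.
    lxc restart "$ct" || return 1

    # 4. DNAT proxy device. connect=[::] means "the container's own static
    #    address", so the rule never hard-codes the private address and
    #    the client's source address is retained.
    lxc config device add "$ct" "fwd$port" proxy \
        "listen=tcp:[$listen6]:$port" "connect=tcp:[::]:$port" nat=true || return 1
}

# Run only when called with the six arguments shown in the usage line.
if [ "$#" -eq 6 ]; then
    pin_and_forward "$@"
fi
```

The pinned address has to fall inside the bridge's ipv6.address subnet.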