I forgot to answer the veth and lxdpriv0 parts:
If you configure a container to join a bridge, LXD does everything that’s needed for that automatically. That is creating a veth pair, moving one side into the container as e.g. eth0, and connecting the other side to the bridge.
And that works as is with the default bridge lxdbr0. I just needed to disable LXD’s firewall with ipv4.firewall: false and ipv6.firewall: false since I’m using an nftables script to make the whole setup more secure. Replacing what LXD did is just 5 simple lines, so that’s not much of a loss.
If you also want a more secure bridge like what I did with lxdpriv0, here’s how that works:
First, what do I want?
- a bridge without any IP config because I need no host-communication
- openwrt should be connected to that bridge and provide DNS and DHCP.
- openwrt can then also define firewall rules for forwarding between hosts on that bridge, to a different network or to the internet.
- openwrt’s DNS server can also provide DNS names for hosts on that network (e.g.
- even on unmanaged LXD bridges, LXD can provide the following functionality:
  - security.mac_filtering: to prevent spoofing MAC addresses to bypass openwrt’s firewall. This is implemented using nftables and does not conflict with my nftables rules.
  - security.port_isolation: this sets a flag on the bridge port to prevent communication with all other hosts that have that flag.
While you can disable LXD’s dnsmasq for a single bridge, I still created lxdpriv0 through ifupdown-ng because I didn’t find a way to set net.ipv6.conf.lxdpriv0.* sysctls at the right time through ifupdown-ng. Creating the bridge outside of LXD doesn’t have any disadvantages anyway if you don’t want its dnsmasq service.
All that’s left is to allow forwarding between ports on lxdpriv0 in the LXD host’s nftables firewall, connect openwrt to that bridge, and configure openwrt to provide its services on that interface.
I’ve also created an LXD profile named private to simplify creating containers that are connected to that bridge.
If I assumed knowledge that you don’t have, just ask more questions or say what you don’t know so I can explain it or provide links to sites with more information about these topics.
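As an added example (not the poster’s own profile), this is what an LXD profile like the private one described above could look like: it attaches containers to the unmanaged lxdpriv0 bridge with both of the security NIC options mentioned turned on. The storage pool name default and the root disk device are assumptions.

```yaml
# Hypothetical LXD profile "private": every container using it gets one NIC
# on the externally created (unmanaged) bridge lxdpriv0. No IP config lives
# on the bridge itself; the openwrt container provides DHCP, DNS and firewalling.
name: private
description: Containers attached to the unmanaged lxdpriv0 bridge
config: {}
devices:
  eth0:
    type: nic
    nictype: bridged
    parent: lxdpriv0
    name: eth0
    # Drop frames whose source MAC (and IP, once known) does not match the
    # container's own, so a container cannot spoof its way past openwrt's rules.
    security.mac_filtering: "true"
    # Mark this bridge port as isolated: it can only talk to non-isolated ports.
    # The openwrt container's NIC on lxdpriv0 must therefore NOT use this
    # profile, so isolated containers can still reach it for DHCP/DNS/routing.
    security.port_isolation: "true"
  root:
    type: disk
    path: /
    pool: default   # assumed pool name; replace with your storage pool
```

Apply it with `lxc profile create private` followed by `lxc profile edit private < private.yaml`, then launch containers with `-p default -p private` (or just `-p private` if the profile carries the root disk, as above).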