Hi, I have followed the instructions for incus network and the firewall part, but still no joy. I have a br-eno1 which libvirt uses on the host with no issues; I can access the VMs on the same network, which get DHCP or static addresses. But when I use the bridge for incus, the host can't see containers, and containers can't see the host network. And I can't get access to anything in incus from remote VPN access, yet libvirt works fine. This is ridiculous now. It shouldn't be this hard to set up.
Please help me. I have followed all the documents, and nothing works.
I'm really starting to think I might have to set up OVN to see if that solves the issue.
incus config show --expanded webserver
architecture: x86_64
config:
  cloud-init.user-data: |-
    #cloud-config
    package_update: true
    packages:
      - nginx
    write_files:
      - path: /etc/nginx/sites-available/default
        content: |
          server {
              listen 8081 default_server;
              listen [::]:8081 default_server;
              root /var/www/html;
              index index.html;
              server_name _;
              location / {
                  try_files $uri $uri/ =404;
              }
          }
      - path: /var/www/html/index.html
        content: |
          <!DOCTYPE html>
          <html>
          <head>
          <title>Welcome to NGINX!</title>
          </head>
          <body>
          <h1>Hello, World!</h1>
          <p>This is a test page served by NGINX on port 8081.</p>
          </body>
          </html>
    runcmd:
      - systemctl restart nginx
      - systemctl enable nginx
  image.architecture: amd64
  image.description: Ubuntu noble amd64 (20250129_07:42)
  image.os: Ubuntu
  image.release: noble
  image.requirements.cgroup: v2
  image.serial: "20250129_07:42"
  image.type: squashfs
  image.variant: cloud
  volatile.base_image: d33c2a8ab318758a3b9defa43800affa44887ac42336b4b143d5603c5e66a932
  volatile.cloud-init.instance-id: dc5c33ab-4c63-4e23-b1b7-c03dc588fed3
  volatile.eth0.host_name: veth0b30e782
  volatile.eth0.hwaddr: 00:16:3e:ed:8d:e1
  volatile.eth0.name: eth0
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.last_state.ready: "false"
  volatile.uuid: 1398d52f-8c86-44a1-96a3-b1a781d3397e
  volatile.uuid.generation: 1398d52f-8c86-44a1-96a3-b1a781d3397e
devices:
  eth0:
    nictype: bridged
    parent: br-eno1
    type: nic
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- bridged
stateful: false
description: test
sudo iptables -L -n -v
[sudo] password for nphillips:
Chain INPUT (policy ACCEPT 1610K packets, 555M bytes)
pkts bytes target prot opt in out source destination
1610K 555M LIBVIRT_INP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 508K packets, 542M bytes)
pkts bytes target prot opt in out source destination
508K 542M LIBVIRT_FWX 0 -- * * 0.0.0.0/0 0.0.0.0/0
508K 542M LIBVIRT_FWI 0 -- * * 0.0.0.0/0 0.0.0.0/0
508K 542M LIBVIRT_FWO 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1563K packets, 582M bytes)
pkts bytes target prot opt in out source destination
1563K 582M LIBVIRT_OUT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_FWI (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 REJECT 0 -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWO (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 REJECT 0 -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWX (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_INP (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 17 -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT 6 -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT 17 -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT 6 -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain LIBVIRT_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 17 -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT 6 -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT 17 -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT 6 -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
sudo nft list ruleset
table inet incus {
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
chain LIBVIRT_PRT {
ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 4 bytes 438 return
ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 ip protocol tcp counter packets 0 bytes 0 masquerade to :1024-65535
ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 ip protocol udp counter packets 0 bytes 0 masquerade to :1024-65535
ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 28781 bytes 4182967 jump LIBVIRT_PRT
}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain LIBVIRT_INP {
iifname "virbr0" udp dport 53 counter packets 0 bytes 0 accept
iifname "virbr0" tcp dport 53 counter packets 0 bytes 0 accept
iifname "virbr0" udp dport 67 counter packets 0 bytes 0 accept
iifname "virbr0" tcp dport 67 counter packets 0 bytes 0 accept
}
chain INPUT {
type filter hook input priority filter; policy accept;
counter packets 1612910 bytes 555488016 jump LIBVIRT_INP
}
chain LIBVIRT_OUT {
oifname "virbr0" udp dport 53 counter packets 0 bytes 0 accept
oifname "virbr0" tcp dport 53 counter packets 0 bytes 0 accept
oifname "virbr0" udp dport 68 counter packets 0 bytes 0 accept
oifname "virbr0" tcp dport 68 counter packets 0 bytes 0 accept
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
counter packets 1564863 bytes 582263439 jump LIBVIRT_OUT
}
chain LIBVIRT_FWO {
ip saddr 192.168.122.0/24 iifname "virbr0" counter packets 0 bytes 0 accept
iifname "virbr0" counter packets 0 bytes 0 reject
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 508324 bytes 541796259 jump LIBVIRT_FWX
counter packets 508324 bytes 541796259 jump LIBVIRT_FWI
counter packets 508324 bytes 541796259 jump LIBVIRT_FWO
}
chain LIBVIRT_FWI {
ip daddr 192.168.122.0/24 oifname "virbr0" ct state related,established counter packets 0 bytes 0 accept
oifname "virbr0" counter packets 0 bytes 0 reject
}
chain LIBVIRT_FWX {
iifname "virbr0" oifname "virbr0" counter packets 0 bytes 0 accept
}
}
# Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle {
chain LIBVIRT_PRT {
oifname "virbr0" udp dport 68 counter packets 0 bytes 0 xt target "CHECKSUM"
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
counter packets 2069633 bytes 1123563956 jump LIBVIRT_PRT
}
}
table ip6 filter {
chain LIBVIRT_INP {
}
chain INPUT {
type filter hook input priority filter; policy accept;
counter packets 1952 bytes 217715 jump LIBVIRT_INP
}
chain LIBVIRT_OUT {
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
counter packets 695 bytes 105448 jump LIBVIRT_OUT
}
chain LIBVIRT_FWO {
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 11969 bytes 4202946 jump LIBVIRT_FWX
counter packets 11969 bytes 4202946 jump LIBVIRT_FWI
counter packets 11969 bytes 4202946 jump LIBVIRT_FWO
}
chain LIBVIRT_FWI {
}
chain LIBVIRT_FWX {
}
}
table ip6 nat {
chain LIBVIRT_PRT {
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 5688 bytes 818138 jump LIBVIRT_PRT
}
}
table ip6 mangle {
chain LIBVIRT_PRT {
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
counter packets 12597 bytes 4200935 jump LIBVIRT_PRT
}
}
table inet firewalld {
ct helper helper-tftp-udp {
type "tftp" protocol udp
l3proto inet
}
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_POLICIES
}
chain mangle_PREROUTING_POLICIES {
iifname "virbr0" jump mangle_PRE_policy_allow-host-ipv6
iifname "virbr0" jump mangle_PRE_libvirt
iifname "virbr0" return
iifname "br-eno1" jump mangle_PRE_policy_allow-host-ipv6
iifname "br-eno1" jump mangle_PRE_trusted
iifname "br-eno1" return
iifname "incusbr0" jump mangle_PRE_policy_allow-host-ipv6
iifname "incusbr0" jump mangle_PRE_trusted
iifname "incusbr0" return
jump mangle_PRE_policy_allow-host-ipv6
jump mangle_PRE_public
return
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_POLICIES
}
chain nat_PREROUTING_POLICIES {
iifname "virbr0" jump nat_PRE_policy_allow-host-ipv6
iifname "virbr0" jump nat_PRE_libvirt
iifname "virbr0" return
iifname "br-eno1" jump nat_PRE_policy_allow-host-ipv6
iifname "br-eno1" jump nat_PRE_trusted
iifname "br-eno1" return
iifname "incusbr0" jump nat_PRE_policy_allow-host-ipv6
iifname "incusbr0" jump nat_PRE_trusted
iifname "incusbr0" return
jump nat_PRE_policy_allow-host-ipv6
jump nat_PRE_public
return
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_POLICIES
}
chain nat_POSTROUTING_POLICIES {
iifname "virbr0" oifname "virbr0" jump nat_POST_libvirt
iifname "virbr0" oifname "virbr0" return
iifname "br-eno1" oifname "virbr0" jump nat_POST_libvirt
iifname "br-eno1" oifname "virbr0" return
iifname "incusbr0" oifname "virbr0" jump nat_POST_libvirt
iifname "incusbr0" oifname "virbr0" return
oifname "virbr0" jump nat_POST_libvirt
oifname "virbr0" return
iifname "virbr0" oifname "br-eno1" jump nat_POST_trusted
iifname "virbr0" oifname "br-eno1" return
iifname "br-eno1" oifname "br-eno1" jump nat_POST_trusted
iifname "br-eno1" oifname "br-eno1" return
iifname "incusbr0" oifname "br-eno1" jump nat_POST_trusted
iifname "incusbr0" oifname "br-eno1" return
oifname "br-eno1" jump nat_POST_trusted
oifname "br-eno1" return
iifname "virbr0" oifname "incusbr0" jump nat_POST_trusted
iifname "virbr0" oifname "incusbr0" return
iifname "br-eno1" oifname "incusbr0" jump nat_POST_trusted
iifname "br-eno1" oifname "incusbr0" return
iifname "incusbr0" oifname "incusbr0" jump nat_POST_trusted
iifname "incusbr0" oifname "incusbr0" return
oifname "incusbr0" jump nat_POST_trusted
oifname "incusbr0" return
iifname "virbr0" jump nat_POST_public
iifname "virbr0" return
iifname "br-eno1" jump nat_POST_public
iifname "br-eno1" return
iifname "incusbr0" jump nat_POST_public
iifname "incusbr0" return
jump nat_POST_public
return
}
chain nat_OUTPUT {
type nat hook output priority dstnat + 10; policy accept;
jump nat_OUTPUT_POLICIES
}
chain nat_OUTPUT_POLICIES {
oifname "virbr0" jump nat_OUT_libvirt
oifname "virbr0" return
oifname "br-eno1" jump nat_OUT_trusted
oifname "br-eno1" return
oifname "incusbr0" jump nat_OUT_trusted
oifname "incusbr0" return
jump nat_OUT_public
return
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
jump filter_INPUT_POLICIES
reject with icmpx admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_FORWARD_POLICIES
reject with icmpx admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_OUTPUT_POLICIES
}
chain filter_INPUT_POLICIES {
iifname "virbr0" jump filter_IN_policy_allow-host-ipv6
iifname "virbr0" jump filter_IN_libvirt
iifname "virbr0" accept
iifname "br-eno1" jump filter_IN_policy_allow-host-ipv6
iifname "br-eno1" jump filter_IN_trusted
iifname "br-eno1" accept
iifname "incusbr0" jump filter_IN_policy_allow-host-ipv6
iifname "incusbr0" jump filter_IN_trusted
iifname "incusbr0" accept
jump filter_IN_policy_allow-host-ipv6
jump filter_IN_public
reject with icmpx admin-prohibited
}
chain filter_FORWARD_POLICIES {
iifname "virbr0" oifname "virbr0" jump filter_FWD_libvirt
iifname "virbr0" oifname "virbr0" accept
iifname "virbr0" oifname "br-eno1" jump filter_FWD_libvirt
iifname "virbr0" oifname "br-eno1" accept
iifname "virbr0" oifname "incusbr0" jump filter_FWD_libvirt
iifname "virbr0" oifname "incusbr0" accept
iifname "virbr0" jump filter_FWD_libvirt
iifname "virbr0" accept
iifname "br-eno1" oifname "virbr0" jump filter_FWD_trusted
iifname "br-eno1" oifname "virbr0" accept
iifname "br-eno1" oifname "br-eno1" jump filter_FWD_trusted
iifname "br-eno1" oifname "br-eno1" accept
iifname "br-eno1" oifname "incusbr0" jump filter_FWD_trusted
iifname "br-eno1" oifname "incusbr0" accept
iifname "br-eno1" jump filter_FWD_trusted
iifname "br-eno1" accept
iifname "incusbr0" oifname "virbr0" jump filter_FWD_trusted
iifname "incusbr0" oifname "virbr0" accept
iifname "incusbr0" oifname "br-eno1" jump filter_FWD_trusted
iifname "incusbr0" oifname "br-eno1" accept
iifname "incusbr0" oifname "incusbr0" jump filter_FWD_trusted
iifname "incusbr0" oifname "incusbr0" accept
iifname "incusbr0" jump filter_FWD_trusted
iifname "incusbr0" accept
oifname "virbr0" jump filter_FWD_public
oifname "virbr0" reject with icmpx admin-prohibited
oifname "br-eno1" jump filter_FWD_public
oifname "br-eno1" reject with icmpx admin-prohibited
oifname "incusbr0" jump filter_FWD_public
oifname "incusbr0" reject with icmpx admin-prohibited
jump filter_FWD_public
reject with icmpx admin-prohibited
}
chain filter_OUTPUT_POLICIES {
oifname "virbr0" jump filter_OUT_libvirt
oifname "virbr0" return
oifname "br-eno1" jump filter_OUT_trusted
oifname "br-eno1" return
oifname "incusbr0" jump filter_OUT_trusted
oifname "incusbr0" return
jump filter_OUT_public
return
}
chain filter_IN_public {
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
chain filter_IN_public_allow {
tcp dport 22 accept
ip6 daddr fe80::/64 udp dport 546 accept
}
chain filter_IN_public_post {
}
chain filter_OUT_public {
jump filter_OUT_public_pre
jump filter_OUT_public_log
jump filter_OUT_public_deny
jump filter_OUT_public_allow
jump filter_OUT_public_post
}
chain filter_OUT_public_pre {
}
chain filter_OUT_public_log {
}
chain filter_OUT_public_deny {
}
chain filter_OUT_public_allow {
}
chain filter_OUT_public_post {
}
chain nat_OUT_public {
jump nat_OUT_public_pre
jump nat_OUT_public_log
jump nat_OUT_public_deny
jump nat_OUT_public_allow
jump nat_OUT_public_post
}
chain nat_OUT_public_pre {
}
chain nat_OUT_public_log {
}
chain nat_OUT_public_deny {
}
chain nat_OUT_public_allow {
}
chain nat_OUT_public_post {
}
chain nat_POST_public {
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
}
chain nat_POST_public_pre {
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
}
chain nat_POST_public_post {
}
chain filter_FWD_public {
jump filter_FWD_public_pre
jump filter_FWD_public_log
jump filter_FWD_public_deny
jump filter_FWD_public_allow
jump filter_FWD_public_post
}
chain filter_FWD_public_pre {
}
chain filter_FWD_public_log {
}
chain filter_FWD_public_deny {
}
chain filter_FWD_public_allow {
}
chain filter_FWD_public_post {
}
chain nat_PRE_public {
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
}
chain nat_PRE_public_pre {
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
}
chain nat_PRE_public_post {
}
chain mangle_PRE_public {
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
chain filter_IN_trusted {
jump filter_IN_trusted_pre
jump filter_IN_trusted_log
jump filter_IN_trusted_deny
jump filter_IN_trusted_allow
jump filter_IN_trusted_post
}
chain filter_IN_trusted_pre {
}
chain filter_IN_trusted_log {
}
chain filter_IN_trusted_deny {
}
chain filter_IN_trusted_allow {
tcp dport 443 accept
tcp dport 8443 accept
}
chain filter_IN_trusted_post {
}
chain filter_OUT_trusted {
jump filter_OUT_trusted_pre
jump filter_OUT_trusted_log
jump filter_OUT_trusted_deny
jump filter_OUT_trusted_allow
jump filter_OUT_trusted_post
}
chain filter_OUT_trusted_pre {
}
chain filter_OUT_trusted_log {
}
chain filter_OUT_trusted_deny {
}
chain filter_OUT_trusted_allow {
}
chain filter_OUT_trusted_post {
}
chain nat_OUT_trusted {
jump nat_OUT_trusted_pre
jump nat_OUT_trusted_log
jump nat_OUT_trusted_deny
jump nat_OUT_trusted_allow
jump nat_OUT_trusted_post
}
chain nat_OUT_trusted_pre {
}
chain nat_OUT_trusted_log {
}
chain nat_OUT_trusted_deny {
}
chain nat_OUT_trusted_allow {
}
chain nat_OUT_trusted_post {
}
chain nat_POST_trusted {
jump nat_POST_trusted_pre
jump nat_POST_trusted_log
jump nat_POST_trusted_deny
jump nat_POST_trusted_allow
jump nat_POST_trusted_post
}
chain nat_POST_trusted_pre {
}
chain nat_POST_trusted_log {
}
chain nat_POST_trusted_deny {
}
chain nat_POST_trusted_allow {
}
chain nat_POST_trusted_post {
}
chain filter_FWD_trusted {
jump filter_FWD_trusted_pre
jump filter_FWD_trusted_log
jump filter_FWD_trusted_deny
jump filter_FWD_trusted_allow
jump filter_FWD_trusted_post
}
chain filter_FWD_trusted_pre {
}
chain filter_FWD_trusted_log {
}
chain filter_FWD_trusted_deny {
}
chain filter_FWD_trusted_allow {
oifname "incusbr0" accept
oifname "br-eno1" accept
}
chain filter_FWD_trusted_post {
}
chain nat_PRE_trusted {
jump nat_PRE_trusted_pre
jump nat_PRE_trusted_log
jump nat_PRE_trusted_deny
jump nat_PRE_trusted_allow
jump nat_PRE_trusted_post
}
chain nat_PRE_trusted_pre {
}
chain nat_PRE_trusted_log {
}
chain nat_PRE_trusted_deny {
}
chain nat_PRE_trusted_allow {
}
chain nat_PRE_trusted_post {
}
chain mangle_PRE_trusted {
jump mangle_PRE_trusted_pre
jump mangle_PRE_trusted_log
jump mangle_PRE_trusted_deny
jump mangle_PRE_trusted_allow
jump mangle_PRE_trusted_post
}
chain mangle_PRE_trusted_pre {
}
chain mangle_PRE_trusted_log {
}
chain mangle_PRE_trusted_deny {
}
chain mangle_PRE_trusted_allow {
}
chain mangle_PRE_trusted_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
chain filter_IN_libvirt {
jump filter_IN_libvirt_pre
jump filter_IN_libvirt_log
jump filter_IN_libvirt_deny
jump filter_IN_libvirt_allow
jump filter_IN_libvirt_post
}
chain filter_IN_libvirt_pre {
}
chain filter_IN_libvirt_log {
}
chain filter_IN_libvirt_deny {
}
chain filter_IN_libvirt_allow {
udp dport 67 accept
udp dport 547 accept
tcp dport 53 accept
udp dport 53 accept
tcp dport 22 accept
udp dport 69 ct helper set "helper-tftp-udp"
udp dport 69 accept
meta l4proto icmp accept
meta l4proto ipv6-icmp accept
}
chain filter_IN_libvirt_post {
reject
}
chain filter_OUT_libvirt {
jump filter_OUT_libvirt_pre
jump filter_OUT_libvirt_log
jump filter_OUT_libvirt_deny
jump filter_OUT_libvirt_allow
jump filter_OUT_libvirt_post
}
chain filter_OUT_libvirt_pre {
}
chain filter_OUT_libvirt_log {
}
chain filter_OUT_libvirt_deny {
}
chain filter_OUT_libvirt_allow {
}
chain filter_OUT_libvirt_post {
}
chain nat_OUT_libvirt {
jump nat_OUT_libvirt_pre
jump nat_OUT_libvirt_log
jump nat_OUT_libvirt_deny
jump nat_OUT_libvirt_allow
jump nat_OUT_libvirt_post
}
chain nat_OUT_libvirt_pre {
}
chain nat_OUT_libvirt_log {
}
chain nat_OUT_libvirt_deny {
}
chain nat_OUT_libvirt_allow {
}
chain nat_OUT_libvirt_post {
}
chain nat_POST_libvirt {
jump nat_POST_libvirt_pre
jump nat_POST_libvirt_log
jump nat_POST_libvirt_deny
jump nat_POST_libvirt_allow
jump nat_POST_libvirt_post
}
chain nat_POST_libvirt_pre {
}
chain nat_POST_libvirt_log {
}
chain nat_POST_libvirt_deny {
}
chain nat_POST_libvirt_allow {
}
chain nat_POST_libvirt_post {
}
chain filter_FWD_libvirt {
jump filter_FWD_libvirt_pre
jump filter_FWD_libvirt_log
jump filter_FWD_libvirt_deny
jump filter_FWD_libvirt_allow
jump filter_FWD_libvirt_post
}
chain filter_FWD_libvirt_pre {
}
chain filter_FWD_libvirt_log {
}
chain filter_FWD_libvirt_deny {
}
chain filter_FWD_libvirt_allow {
}
chain filter_FWD_libvirt_post {
}
chain nat_PRE_libvirt {
jump nat_PRE_libvirt_pre
jump nat_PRE_libvirt_log
jump nat_PRE_libvirt_deny
jump nat_PRE_libvirt_allow
jump nat_PRE_libvirt_post
}
chain nat_PRE_libvirt_pre {
}
chain nat_PRE_libvirt_log {
}
chain nat_PRE_libvirt_deny {
}
chain nat_PRE_libvirt_allow {
}
chain nat_PRE_libvirt_post {
}
chain mangle_PRE_libvirt {
jump mangle_PRE_libvirt_pre
jump mangle_PRE_libvirt_log
jump mangle_PRE_libvirt_deny
jump mangle_PRE_libvirt_allow
jump mangle_PRE_libvirt_post
}
chain mangle_PRE_libvirt_pre {
}
chain mangle_PRE_libvirt_log {
}
chain mangle_PRE_libvirt_deny {
}
chain mangle_PRE_libvirt_allow {
}
chain mangle_PRE_libvirt_post {
}
}
sudo tcpdump -ni br-eno1 ether host 00:16:3e:ed:8d:e1
libibverbs: Warning: couldn't open config directory '/etc/libibverbs.d'.
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:54:21.234430 IP 10.0.4.19.68 > 10.0.4.6.67: BOOTP/DHCP, Request from 00:16:3e:ed:8d:e1, length 265
14:54:22.589573 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
14:54:22.978643 IP6 :: > ff02::1:ffed:8de1: ICMP6, neighbor solicitation, who has fe80::216:3eff:feed:8de1, length 32
14:54:23.097601 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
14:54:23.291632 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:ed:8d:e1, length 296
14:54:23.332370 IP 10.0.4.6 > 10.0.4.19: ICMP echo request, id 57580, seq 0, length 28
14:54:24.001771 IP6 fe80::216:3eff:feed:8de1 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
14:54:24.348903 IP 10.0.4.6.67 > 10.0.4.19.68: BOOTP/DHCP, Reply, length 343
14:54:24.349172 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:ed:8d:e1, length 306
14:54:24.395818 IP 10.0.4.6.67 > 10.0.4.19.68: BOOTP/DHCP, Reply, length 343
14:54:24.704010 IP6 fe80::216:3eff:feed:8de1 > ff02::2: ICMP6, router solicitation, length 16
14:54:24.898551 IP6 fe80::216:3eff:feed:8de1 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
14:54:28.336635 ARP, Request who-has 10.0.4.19 tell 10.0.4.6, length 46
14:54:28.336680 ARP, Reply 10.0.4.19 is-at 00:16:3e:ed:8d:e1, length 28
14:54:28.997726 IP6 fe80::216:3eff:feed:8de1 > ff02::2: ICMP6, router solicitation, length 16
14:54:37.964583 IP6 fe80::216:3eff:feed:8de1 > ff02::2: ICMP6, router solicitation, length 16
stgraber (Stéphane Graber), January 30, 2025, 3:19pm
You mentioned following the documentation, did you add the bridge to the trusted zone for firewalld? It's kinda hard to follow exactly what firewalld is doing with all those nft rules, but I'm not seeing any obvious exception in there.
Linux firewalls are based on netfilter. Incus uses the same subsystem, which can lead to connectivity issues. If you run a firewall on your system, you might need to configure it to allow network t...
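Because the firewalld-generated nft rules are hard to read by eye, here is an added example (not code from the thread, from Incus or from firewalld) that parses a `nft list ruleset` dump: it reports which firewalld zone each interface is assigned to and walks the FORWARD policy chain the way nft would for a given interface pair. The embedded ruleset is a constructed excerpt of the chains quoted above; `eno2` and `eno3` are made-up interface names that belong to no zone.

```python
import re

# Constructed excerpt modelled on the firewalld chains quoted in the thread;
# "eno2" and "eno3" used in the checks are deliberately assigned to no zone.
SAMPLE_RULESET = """
table inet firewalld {
    chain filter_INPUT_POLICIES {
        iifname "virbr0" jump filter_IN_policy_allow-host-ipv6
        iifname "virbr0" jump filter_IN_libvirt
        iifname "br-eno1" jump filter_IN_trusted
        iifname "incusbr0" jump filter_IN_trusted
    }
    chain filter_FORWARD_POLICIES {
        iifname "br-eno1" jump filter_FWD_trusted
        iifname "br-eno1" accept
        iifname "incusbr0" jump filter_FWD_trusted
        iifname "incusbr0" accept
        oifname "br-eno1" reject with icmpx admin-prohibited
        reject with icmpx admin-prohibited
    }
    chain filter_FWD_trusted {
        jump filter_FWD_trusted_allow
    }
    chain filter_FWD_trusted_allow {
        oifname "incusbr0" accept
        oifname "br-eno1" accept
    }
}
"""

CHAIN_RE = re.compile(r'^chain (\S+) \{$')
IIF_RE = re.compile(r'iifname "([^"]+)"')
OIF_RE = re.compile(r'oifname "([^"]+)"')
JUMP_RE = re.compile(r'\bjump (\S+)')
# Zone jumps look like filter_IN_<zone>; firewalld policies use filter_IN_policy_<name>.
ZONE_RE = re.compile(r'^iifname "([^"]+)" jump filter_IN_(?!policy_)(\S+)$')

def parse_chains(ruleset):
    """Return {chain name: [rule, ...]}; table lines and braces are skipped."""
    chains, current = {}, None
    for line in (raw.strip() for raw in ruleset.splitlines()):
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line == "}":
            current = None
        elif current is not None and line:
            chains[current].append(line)
    return chains

def interface_zones(chains):
    """Interface -> zone, from the per-interface jumps in filter_INPUT_POLICIES."""
    zones = {}
    for rule in chains.get("filter_INPUT_POLICIES", []):
        m = ZONE_RE.match(rule)
        if m:
            zones.setdefault(m.group(1), m.group(2))
    return zones

def forward_verdict(chains, iif, oif, chain="filter_FORWARD_POLICIES"):
    """Walk the chain like nft: jump recurses, return ends the chain, accept/drop/
    reject are final. Only iifname/oifname are matched (ct state, ports count as
    matching), so this is a policy-level view, not a packet simulator."""
    for rule in chains.get(chain, []):  # an absent chain behaves as empty
        m = IIF_RE.search(rule)
        if m and m.group(1) != iif:
            continue
        m = OIF_RE.search(rule)
        if m and m.group(1) != oif:
            continue
        m = JUMP_RE.search(rule)
        if m:
            verdict = forward_verdict(chains, iif, oif, m.group(1))
            if verdict is not None:
                return verdict
            continue
        tokens = rule.split()
        for verdict in ("accept", "drop", "reject", "return"):
            if verdict in tokens:
                return None if verdict == "return" else verdict
    return None
```

Feed it the real dump with `parse_chains(open("ruleset.txt").read())`; an interface missing from `interface_zones()` falls through to the final reject in the policy chains, which is what "not in the trusted zone" looks like at the nft level.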
Yes, I did what it said in the doc a few times. I have tried bridged, macvlan, a proxy device and mapped; if I'm local on the office network everything works fine, but I can not get to any container while at home through the VPN, yet I have no issue with libvirt VMs. I will disable the firewall; it didn't work when I first did it, that's why I added the firewall to see if it makes a difference, but now nothing.
stgraber (Stéphane Graber), January 30, 2025, 3:45pm
The tcpdump output shows you’re getting a reply back from the DHCP server, but rather unusually, tcpdump doesn’t seem to see the lease address, so it may be that the DHCP server is somehow refusing to allocate an address for some reason?
Weird, because the devices are picking up DHCP and getting a lease; that was never the issue. It's just that they aren't visible with the GUI when I VPN onto the network to access them. But I can ping them and curl. Crap, this isn't good, and very confusing.