Instances can't reach gateway

hi folks,

after a long time I got an issue with my incus host.

My instances can’t reach the default gateway, so they don’t have access to the internet.

I got the issue after changing some system kernel variables, but I turned them back to default.
Without success…

That’s the routing of the lxd host:

ansible@op-lxd-02:~$ ip rout
default via 192.168.137.1 dev br0 proto static
10.194.176.0/24 dev lxdbr0 proto kernel scope link src 10.194.176.1
192.168.137.0/24 dev br0 proto kernel scope link src 192.168.137.4

The lxdbr0 gw of course is reachable:

ansible@op-lxd-02:~$ ping 10.194.176.1 -c 2
PING 10.194.176.1 (10.194.176.1) 56(84) bytes of data.
64 bytes from 10.194.176.1: icmp_seq=1 ttl=64 time=0.082 ms
64 bytes from 10.194.176.1: icmp_seq=2 ttl=64 time=0.100 ms

--- 10.194.176.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1029ms
rtt min/avg/max/mdev = 0.082/0.091/0.100/0.009 ms

That’s the routing of an instance:

root@lxd-tailscale-01:~# ip route
default via 10.194.176.1 dev eth0 proto dhcp src 10.194.176.92 metric 100
10.194.176.0/24 dev eth0 proto kernel scope link src 10.194.176.92 metric 100
10.194.176.1 dev eth0 proto dhcp scope link src 10.194.176.92 metric 100

Any ideas?

PS: My naming convention still based on lxd but I migrated to incus and love it! <3

Firewalling?

Noooo, no firewall at all. :dotted_line_face:

You’ll want to do some tcpdump on br0 on your host when pinging 192.168.137.1 from the container.

My main suspects would be:

  • You somehow have ip_forward or forwarding off on your host or on one of the relevant interfaces (you mentioning sysctls makes me think of this one)
  • You have something in nftables or iptables messing with your traffic
  • You have somehow lost the NAT entries which causes the traffic to go out as-is, with your router not knowing how to respond
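As an added example (not code from the thread, and not part of Incus), here is a small POSIX shell script that works through the three suspects in the reply above, then prints the tcpdump commands to run next. The bridge names, subnet and gateway are assumed from the routing tables in the first post; the sample rulesets embedded in the script are constructed for illustration, not captured from that host.

```shell
#!/bin/sh
# Added example, not from the thread: a checklist for the three suspects.
# Assumed names come from the OP's routing tables: instance bridge lxdbr0
# carrying 10.194.176.0/24, uplink bridge br0 with gateway 192.168.137.1.
BRIDGE="${BRIDGE:-lxdbr0}"
UPLINK="${UPLINK:-br0}"
SUBNET="${SUBNET:-10.194.176.0/24}"
GATEWAY="${GATEWAY:-192.168.137.1}"

# Suspect 1: forwarding. The global switch and the per-interface switch on
# both bridges must all read "1"; anything else (including a missing file)
# counts as off.
forwarding_ok() {  # forwarding_ok GLOBAL BRIDGE_IF UPLINK_IF
    [ "$1" = "1" ] && [ "$2" = "1" ] && [ "$3" = "1" ]
}
read_sysctl() {  # read_sysctl PATH -> prints the value, or "missing"
    if [ -r "$1" ]; then cat "$1"; else echo missing; fi
}

# Suspect 2: a filter rule dropping forwarded traffic. Matches an nft forward
# hook with "policy drop" or an iptables-save FORWARD chain with policy DROP.
forward_policy_drop() {  # forward_policy_drop RULESET
    printf '%s\n' "$1" | grep -Eq 'hook forward.*policy drop|^:FORWARD DROP'
}

# Suspect 3: the masquerade (SNAT) rule for the instance subnet. Without it
# packets leave br0 with a 10.194.176.x source and the router cannot answer.
# Assumption: the subnet appears on the same line as the masquerade verb,
# which is how both "nft list ruleset" and "iptables-save" print it.
masquerade_present() {  # masquerade_present RULESET SUBNET
    printf '%s\n' "$1" | grep -i 'masquerade' | grep -Fq -- "$2"
}

# Constructed sample rulesets (not from the OP's host) so the checks can be
# exercised without root or a bridge.
SAMPLE_NFT_GOOD='table inet incus {
  chain pstrt.lxdbr0 {
    type nat hook postrouting priority srcnat; policy accept;
    ip saddr 10.194.176.0/24 ip daddr != 10.194.176.0/24 masquerade
  }
}'
SAMPLE_NFT_DROP='table inet filter {
  chain forward {
    type filter hook forward priority filter; policy drop;
  }
}'
SAMPLE_IPT='*nat
-A POSTROUTING -s 10.194.176.0/24 ! -d 10.194.176.0/24 -j MASQUERADE
COMMIT'

# Live run against this host; skipped when the instance bridge does not exist.
live_checks() {
    g=$(read_sysctl /proc/sys/net/ipv4/ip_forward)
    b=$(read_sysctl "/proc/sys/net/ipv4/conf/$BRIDGE/forwarding")
    u=$(read_sysctl "/proc/sys/net/ipv4/conf/$UPLINK/forwarding")
    if forwarding_ok "$g" "$b" "$u"; then
        echo "forwarding ok (ip_forward=$g $BRIDGE=$b $UPLINK=$u)"
    else
        echo "forwarding OFF (ip_forward=$g $BRIDGE=$b $UPLINK=$u): sysctl -w net.ipv4.ip_forward=1"
    fi
    ruleset=""
    if command -v nft >/dev/null 2>&1; then
        ruleset=$(nft list ruleset 2>/dev/null || true)
    elif command -v iptables-save >/dev/null 2>&1; then
        ruleset=$(iptables-save 2>/dev/null || true)
    fi
    if forward_policy_drop "$ruleset"; then
        echo "forward chain policy is DROP: a filter rule is blocking bridged traffic"
    fi
    if masquerade_present "$ruleset" "$SUBNET"; then
        echo "masquerade rule for $SUBNET present"
    else
        echo "no masquerade rule for $SUBNET (not root? otherwise the NAT entry is gone)"
    fi
    # Then look at the packets themselves, as the reply suggests, while an
    # instance pings the gateway: does the echo request even reach br0?
    echo "next: tcpdump -ni $UPLINK icmp and host $GATEWAY"
    echo "      tcpdump -ni $BRIDGE icmp and host $GATEWAY"
}
if [ -d "/sys/class/net/$BRIDGE" ]; then live_checks; fi
```

Run it as root on the host so that nft list ruleset or iptables-save shows the full tables; the two tcpdump lines it prints are the reply's suggestion made concrete, and comparing what arrives on lxdbr0 with what leaves br0 tells you whether the packet is being dropped on the host or leaving without NAT. A FORWARD policy of DROP is also what Docker sets when it starts, a common way for bridged instances to lose connectivity while ip_forward still reads 1.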