Internet access LXC-Container

networking

#1

Hello,

first of all: I’m not a network specialist. So I need to have some support here.
My goal: I want to have a setup which I can:
a) access all LXC-containers from LAN
AND
b) internet access for LXC-containers

Situation:
LAN 192.168.1.0 (Router)
Windows 10 - Oracle Virtual Box: LXC-host on Debian-9 (192.168.1.112)
On this LXC-host are different LXC-containers. For example another Debian-9 system.

I tried different network settings.

1st (internet accessible but no connection from LAN):

root@lxc-vm:~# cat /etc/network/interfaces
[...]
# The primary network interface
allow-hotplug enp0s3
iface enp0s3 inet dhcp

root@lxc-vm:~# cat /var/lib/lxc/debian-9/config
[...]
# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:b8:52:96

root@lxc-vm:~# lxc-ls --fancy
NAME          STATE   AUTOSTART GROUPS IPV4      IPV6
debian-9      RUNNING 0         -      10.0.3.67 -

Have set a route in my router:

I can ping this LXC-container from LXC-host but not from LAN.
But I have an internet connection.

2nd (accessible from LAN, but no internet):

root@lxc-vm:~# cat /etc/network/interfaces
[...]
# The primary network interface
allow-hotplug enp0s3
iface enp0s3 inet manual
# The br0 bridge
auto br0
iface br0 inet dhcp
    bridge-ifaces enp0s3
    bridge-ports enp0s3
    up ifconfig enp0s3 up

root@lxc-vm:~# cat /var/lib/lxc/debian-9/config
[...]
# Network configuration
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:b8:52:96
lxc.network.ipv4.gateway = 192.168.1.1
lxc.network.ipv4 = 0.0.0.0/24

root@lxc-vm:~# lxc-ls --fancy
NAME          STATE   AUTOSTART GROUPS IPV4         IPV6
debian-9      RUNNING 0         -      192.168.1.20 -

I can ping this LXC-container from LAN but have no internet connection.

What do I have to do?

Thanks for help!


#2

Changed some settings.

New situation: my container is now getting an IP address from the router.
I can reach every LAN address from the container.
But I can’t reach the container from the LAN - only from Windows 10 and the LXC-host.

On LXC-host:

root@lxc-vm:~# lxc-ls --fancy
NAME          STATE   AUTOSTART GROUPS IPV4                     IPV6
debian-9      RUNNING 0         -      10.0.3.124, 192.168.1.81 -

root@lxc-vm:~# cat /var/lib/lxc/debian-9/config
[...]
# Network configuration
lxc.network.0.type = veth
lxc.network.0.link = lxcbr0
lxc.network.0.flags = up
lxc.network.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.network.1.type = veth
lxc.network.1.link = br0
lxc.network.1.flags = up
lxc.network.1.hwaddr = 00:17:3e:xx:xx:xx

root@lxc-vm:~# cat /etc/sysctl.conf
[...]
net.ipv4.ip_forward=1

On LXC-container:

root@debian-9:~# cat /etc/network/interfaces
[...]
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet dhcp
up route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.3.1 dev eth0

root@debian-9:~# cat /etc/sysctl.conf
[...]
net.ipv4.ip_forward=1

#3

Well, for a non-network specialist you are trying to do complex stuff. I have been playing with networks for too many years now, and I don’t try to do stuff so painfully low level; life is way too short for that. I just use Ubuntu, lxd and ufw, and I only touch iptables if I absolutely have to (hopefully never).

From what you are posting, I think that your VM has an address by itself on the local LAN, so if what you need is to access a service on a container from your LAN, you could, I think, create 2 rules (1 prerouting in NAT table and 1 routing) and expose one port on the LAN. So for example port 443 on your VM would be redirected to port 443 of a given container. It’s very doable. If you want to create several web servers, you could add a proxy on the VM and redirect to your containers from the VM address.
There are a lot of posts by @simos on this subject.

If you want to expose each container on your LAN as if it was a full blown computer with its own IP address, if your Linux host was a ‘real’ computer it could be done with Macvlan, but in your case it involves your particular VM software, Windows 10… it’s far beyond what I know. I don’t even think it’s on topic for this forum.


#4

Thanks @gpatel-fr


Can you provide the 2 rules to set (commands) ?
And where I have to set them? On LXC-host or LXC-container(s) ?

Thanks in advance!


#5

Please note that I am setting myself in your first scenario. I tend to never use bridging myself, as it’s more complex when you have to deal with routing on a local LAN. In your last config, it seems that you have set up a double bridge on your container, something that I would never think (or even dream in a nightmare) of doing.

So: let’s assume that:
the container has the default bridge and gets a 10.3.1.67 address,
the (logical) bridge on the host (your VM) has an address of 10.3.1.1, and it should be the default route in the container,
the address of your host on your local LAN would be, let’s say, 192.168.1.100.
If you want to access a given service on, say, port 80 (HTTP) of your container, you can redirect port 80 of your host to port 80 of your container.
This can be done with a DNAT rule on the host; it could be something like:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.3.1.67:80
I assume that the LAN network interface on your VM is labelled eth0.
You may (or may not) have to allow port 80 with a standard iptables (not NAT) rule. It depends on your exact setup (default rules).
This way, if you access your VM on port 80 from the LAN, it will go to the container (if all is configured well).
This is a pretty standard setup and should work.
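
Added example, not part of the thread or any poster's code: the DNAT rule from post #5 together with the filter-table rules it mentions as possibly needed, written with the values shown in post #1 (assumptions: LAN interface `enp0s3`, bridge `lxcbr0`, container `10.0.3.67`, LAN `192.168.1.0/24`). It goes slightly beyond the post by limiting the source to the LAN subnet and validating the arguments; the function names are hypothetical, and the script only prints the commands for review.

```sh
#!/bin/sh
# Added example (not from the thread): print, for review, the host-side rules
# that forward one TCP port from the LAN to a container behind lxcbr0.
# Assumed values, taken from post #1: LAN-facing NIC enp0s3, LAN 192.168.1.0/24.
LAN_IF="enp0s3"
LAN_NET="192.168.1.0/24"
BRIDGE_IF="lxcbr0"

# Accept only decimal ports 1-65535, so nothing else can reach a rule line.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept only dotted-quad IPv4 addresses with four octets in 0-255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# forward_rules HOST_PORT CONTAINER_IP CONTAINER_PORT
forward_rules() {
    hport=$1 cip=$2 cport=$3
    if ! valid_port "$hport" || ! valid_port "$cport" || ! valid_ipv4 "$cip"; then
        echo "forward_rules: invalid port or address" >&2
        return 1
    fi
    # nat table: rewrite the destination of LAN traffic arriving on the host port.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport $hport -j DNAT --to-destination $cip:$cport"
    # filter table: only needed when FORWARD does not already accept this traffic.
    echo "iptables -A FORWARD -i $LAN_IF -o $BRIDGE_IF -s $LAN_NET -d $cip -p tcp --dport $cport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $BRIDGE_IF -o $LAN_IF -s $cip -d $LAN_NET -p tcp --sport $cport -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Port 80 on the host to port 80 of the container from post #1 (10.0.3.67).
forward_rules 80 10.0.3.67 80
```

The printed commands are meant to be run as root on the LXC-host, not inside the container, after checking them against the existing ruleset with `iptables -S` and `iptables -t nat -S`.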