LXD bridge using ip other than the host

@tomp of course.

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 5000
    link/ether hidden_mac brd ff:ff:ff:ff:ff:ff
    inet host_pulic_ip/26 brd xyz scope global eth0
       valid_lft forever preferred_lft forever
    inet public_ip_4/29 brd new_xyz scope global eth0:lxdbr1
       valid_lft forever preferred_lft forever
9: lxdbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 3a:2b:12:5b:e0:60 brd ff:ff:ff:ff:ff:ff
    inet 10.172.55.1/24 scope global lxdbr1
       valid_lft forever preferred_lft forever

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
default via xx.xx.xx.xx dev eth0 
10.172.55.0/24 dev lxdbr1 proto kernel scope link src 10.172.55.1 
xx.xx.xx.xx/26 dev eth0 proto kernel scope link src host_pulic_ip 
xx.xx.xx.yy/29 dev eth0 proto kernel scope link src public_ip_4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
lxc network show lxdbr1
config:
  ipv4.address: 10.172.55.1/24
  ipv4.nat: "true"
  ipv4.nat.address: public_ip_4
description: ""
name: lxdbr1
type: bridge
used_by:
- /1.0/instances/c1
managed: true
status: Created
locations:
- none
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
iptables -L -v -n -t nat
[sudo] password for admin: 
Chain PREROUTING (policy ACCEPT 55 packets, 3280 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  150  8453 PREROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  150  8453 PREROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  150  8453 PREROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 3 packets, 446 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 66 packets, 5002 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  294 21842 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 66 packets, 5002 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      *       10.172.55.0/24      !10.172.55.0/24       /* generated for LXD network lxdbr1 */ to:public_ip_4
  294 21842 POSTROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  294 21842 POSTROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  294 21842 POSTROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 POST_public  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 POST_mailer  all  --  *      br0     0.0.0.0/0            0.0.0.0/0           
    0     0 POST_internal  all  --  *      br1     0.0.0.0/0            0.0.0.0/0           [goto] 
  294 21842 POST_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain POSTROUTING_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         
        

Chain POST_internal (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 POST_internal_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 POST_internal_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 POST_internal_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POST_internal_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_internal_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_internal_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_mailer (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 POST_mailer_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 POST_mailer_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 POST_mailer_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POST_mailer_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0           

Chain POST_mailer_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_mailer_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  294 21842 POST_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  294 21842 POST_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  294 21842 POST_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POST_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PREROUTING_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   69  3683 PRE_public  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           [goto] 
   18  1712 PRE_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain PREROUTING_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PREROUTING_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_internal (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 PRE_internal_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 PRE_internal_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 PRE_internal_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain PRE_internal_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_internal_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_internal_log (1 references)
 pkts bytes target     prot opt in     out     source               destination                   

Chain PRE_mailer_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_mailer_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_mailer_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  150  8453 PRE_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  150  8453 PRE_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  150  8453 PRE_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain PRE_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
nfw list ruleset
sudo: nfw: command not found

Great thanks.

Can you ping the public_ip_4 address from an outside host, to check that the IP alias is working?

Also, the iptables SNAT rule doesn’t appear to be being hit:

    0     0 SNAT       all  --  *      *       10.172.55.0/24      !10.172.55.0/24       /* generated for LXD network lxdbr1 */ to:public_ip_4

I’d expect a non-zero packet counter if your outbound pings were being NATted.

Next step is to run tcpdumps on the lxdbr1 and external interface and check where those ICMP packets are going and what source address they have.
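The counter check described in the reply above can be scripted. This is an added example, not part of the original posts: it parses `iptables -L -v -n -t nat` output and lists SNAT/MASQUERADE rules that have never matched a packet. The sample text is constructed from two chains of the listing earlier in the thread; the function names are hypothetical.

```python
import re

# Constructed sample: the POSTROUTING and POST_mailer_allow chains from the
# `iptables -L -v -n -t nat` listing in this thread (the addresses are the
# poster's own placeholders).
SAMPLE = """\
Chain POSTROUTING (policy ACCEPT 66 packets, 5002 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       10.172.55.0/24      !10.172.55.0/24       /* generated for LXD network lxdbr1 */ to:public_ip_4
  294 21842 POSTROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  294 21842 POSTROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POST_mailer_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
"""

# Without -x, iptables abbreviates large counters with these suffixes.
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def _counter(text):
    """Convert an iptables counter such as '294' or '12K' to an integer."""
    if text[-1] in _SUFFIX:
        return int(text[:-1]) * _SUFFIX[text[-1]]
    return int(text)


def nat_rules(listing):
    """Return every SNAT/MASQUERADE rule with its chain and packet counter."""
    rules, chain = [], None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+) \(", line)
        if header:
            chain = header.group(1)
            continue
        fields = line.split()
        # Rule rows have at least: pkts bytes target prot opt in out src dst
        if len(fields) < 9 or fields[2] not in ("SNAT", "MASQUERADE"):
            continue
        to = re.search(r"\bto:(\S+)", line)
        rules.append({
            "chain": chain,
            "target": fields[2],
            "packets": _counter(fields[0]),
            "out": fields[6],
            "source": fields[7],
            "destination": fields[8],
            # SNAT carries a fixed source address; MASQUERADE has none and
            # takes its address from the outgoing interface.
            "to": to.group(1) if to else None,
        })
    return rules


def unused_nat_rules(listing):
    """NAT rules whose packet counter is still zero, i.e. never matched."""
    return [r for r in nat_rules(listing) if r["packets"] == 0]


if __name__ == "__main__":
    for r in unused_nat_rules(SAMPLE):
        print(f'{r["chain"]}: {r["target"]} {r["source"]} -> '
              f'{r["destination"]} to={r["to"]} has never matched a packet')
```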

No, I cannot ping it.
6 packets transmitted, 0 received, 100% packet loss, time 5105ms
Why is it SNAT rather than masquerade? On my local machine, running the same commands shows lxdbr0 masquerade.
I am running into class right now. Anything else I will be able to do after a couple of hours.

OK so don’t worry about NAT for now, if that IP alias isn’t pingable then that needs fixing. You need to use tcpdump on the external interface to check if packets are coming in or going out.

SNAT is used instead of masquerade because you are using a fixed outbound source IP, whereas masquerade just takes the first IP on the outgoing interface (which is the original problem you’re trying to avoid).

@tomp, thank you. Some strange IPs there though. Please see the test result below.

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:37:03.560618 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2467, length 64
17:37:03.560698 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2467, length 64
17:37:03.823054 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 216, length 64
17:37:04.040660 IP public_ip_home > public_ip_4: ICMP echo request, id 45406, seq 2409, length 64
17:37:04.563234 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2468, length 64
17:37:04.563310 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2468, length 64
17:37:04.847046 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 217, length 64
17:37:05.064416 IP public_ip_home > public_ip_4: ICMP echo request, id 45406, seq 2410, length 64
17:37:05.563564 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2469, length 64
17:37:05.563644 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2469, length 64
17:37:05.871045 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 218, length 64
17:37:06.088535 IP public_ip_home > public_ip_4: ICMP echo request, id 45406, seq 2411, length 64
17:37:06.564807 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2470, length 64
17:37:06.564887 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2470, length 64
17:37:06.895048 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 219, length 64
17:37:07.112426 IP public_ip_home > public_ip_4: ICMP echo request, id 45406, seq 2412, length 64
17:37:07.566205 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2471, length 64
17:37:07.566284 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2471, length 64
17:37:07.918856 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 220, length 64
17:37:08.136436 IP public_ip_home > public_ip_4: ICMP echo request, id 45406, seq 2413, length 64
17:37:08.567580 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2472, length 64
17:37:08.567660 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2472, length 64
17:37:08.943042 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 221, length 64
17:37:09.160433 IP public_ip_home > public_ip_4: ICMP echo request, id 45406, seq 2414, length 64
17:37:09.568899 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2473, length 64
17:37:09.568981 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2473, length 64
17:37:09.967055 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 222, length 64
17:37:10.184578 IP public_ip_home > public_ip_4: ICMP echo request, id 45406, seq 2415, length 64
17:37:10.570093 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2474, length 64
17:37:10.570174 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2474, length 64
17:37:10.991047 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 223, length 64
17:37:11.208459 IP public_ip_home > public_ip_4: ICMP echo request, id 45406, seq 2416, length 64
17:37:11.479304 IP public_ip_host > 103.98.160.50: ICMP host public_ip_host unreachable - admin prohibited, length 48
17:37:11.571126 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2475, length 64
17:37:11.571206 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2475, length 64
17:37:12.014969 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 224, length 64
17:37:12.232526 IP public_ip_home > public_ip_4: ICMP echo request, id 45406, seq 2417, length 64
17:37:12.572377 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2476, length 64
17:37:12.572457 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2476, length 64
17:37:13.039047 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 225, length 64
17:37:13.257252 IP public_ip_home > public_ip_4: ICMP echo request, id 45406, seq 2418, length 64
17:37:13.573765 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2477, length 64
17:37:13.573845 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2477, length 64
17:37:14.063054 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 226, length 64
17:37:14.280567 IP public_ip_home > public_ip_4: ICMP echo request, id 45406, seq 2419, length 64
17:37:14.575151 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2478, length 64
17:37:14.575231 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2478, length 64
17:37:15.087044 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 227, length 64
17:37:15.304519 IP public_ip_home > public_ip_4: ICMP echo request, id 45406, seq 2420, length 64
17:37:15.576490 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2479, length 64
17:37:15.576570 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2479, length 64
17:37:16.111052 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 228, length 64
17:37:16.328365 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2421, length 64
17:37:16.577755 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2480, length 64
17:37:16.577836 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2480, length 64
17:37:17.135053 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 229, length 64
17:37:17.352556 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2422, length 64
17:37:17.578711 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2481, length 64
17:37:17.578791 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2481, length 64
17:37:18.159056 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 230, length 64
17:37:18.376543 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2423, length 64
17:37:18.580395 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2482, length 64
17:37:18.580475 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2482, length 64
17:37:19.183056 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 231, length 64
17:37:19.400357 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2424, length 64
17:37:19.581469 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2483, length 64
17:37:19.581550 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2483, length 64
17:37:20.207045 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 232, length 64
17:37:20.424281 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2425, length 64
17:37:20.582531 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2484, length 64
17:37:20.582610 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2484, length 64
17:37:21.231080 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 233, length 64
17:37:21.448287 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2426, length 64
17:37:21.584033 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2485, length 64
17:37:21.584112 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2485, length 64
17:37:22.255045 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 234, length 64
17:37:22.472555 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2427, length 64
17:37:22.585042 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2486, length 64
17:37:22.585121 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2486, length 64
17:37:23.279080 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 235, length 64
17:37:23.496676 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2428, length 64
17:37:23.586339 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2487, length 64
17:37:23.586418 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2487, length 64
17:37:24.303045 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 236, length 64
17:37:24.520313 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2429, length 64
17:37:24.587545 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2488, length 64
17:37:24.587625 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2488, length 64
17:37:25.330808 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 237, length 64
17:37:25.544387 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2430, length 64
17:37:25.588850 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2489, length 64
17:37:25.588929 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2489, length 64
17:37:26.351045 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 238, length 64
17:37:26.568436 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2431, length 64
17:37:26.589876 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2490, length 64
17:37:26.589955 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2490, length 64
17:37:27.196452 IP public_ip_host > 103.72.8.7: ICMP host public_ip_host unreachable - admin prohibited, length 52
17:37:27.374821 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 239, length 64
17:37:27.591827 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2491, length 64
17:37:27.591907 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2491, length 64
17:37:27.592378 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2432, length 64
17:37:28.399043 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 240, length 64
17:37:28.593318 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2492, length 64
17:37:28.593394 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2492, length 64
17:37:28.616202 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2433, length 64
17:37:29.422799 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 241, length 64
17:37:29.594302 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2493, length 64
17:37:29.594381 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2493, length 64
17:37:29.640416 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2434, length 64
17:37:30.447049 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 242, length 64
17:37:30.596396 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2494, length 64
17:37:30.596459 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2494, length 64
17:37:30.664291 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2435, length 64
17:37:31.470941 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 243, length 64
17:37:31.598388 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2495, length 64
17:37:31.598461 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2495, length 64
17:37:31.688326 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2436, length 64
17:37:32.495052 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 244, length 64
17:37:32.599661 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2496, length 64
17:37:32.599742 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2496, length 64
17:37:32.712736 IP public_ip_home > public_ip_4: ICMP echo request, id 46004, seq 2437, length 64

@tomp Hi, what do we do now?

I think I am going to open a new thread, that ipv4.nat.address is not working.

What is your host OS version? This is important since newer versions of RH family OSes are not well supported with the current LXD version (3.21).

openSUSE 15.1.

I am absolutely not familiar with openSUSE 15.1, but looking at this post there could be some sort of subterranean upgrade to nftables. If your system is using nftables it may be affected by the problem that default LXD rules are not applied - it’s a problem scheduled to be fixed in 3.22.

No nftables, using pure firewalld. Refer to the earlier post in this thread where you can see the iptables logs.

That trace is quite hard to understand, especially as the actual IPs have been removed (which means I can't test from here either).

However generally speaking with networking problems the trick is to break the problem down into smaller chunks.

So first I would strongly suggest taking LXD out of the equation and focusing on getting your IP alias pingable from external sources. That way, when you add outbound NAT via LXD back into the equation, you can know that at least the IP alias you’re using for outbound packets will allow return packets back to the host.

In the trace above there is a Google IP address which is strange, any ideas where that is coming from?

There appear to be several concurrent ping flows going on in your trace, so it would be helpful to narrow it down to a single ping flow (either by stopping any concurrent pings you have running or adding a tcpdump filter for just the IP alias we are interested in).
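One way to separate the concurrent ping flows in a capture like the one above, as an added example that is not part of the original posts: it groups tcpdump ICMP echo lines by requester and target and counts which requests were answered. The sample is a constructed excerpt of nine lines copied from the trace in this thread; the function names are hypothetical.

```python
import re

# Constructed sample: nine lines copied from the eth0 capture in this thread
# (the addresses are the poster's own placeholders).
SAMPLE = """\
17:37:03.560618 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2467, length 64
17:37:03.560698 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2467, length 64
17:37:03.823054 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 216, length 64
17:37:04.040660 IP public_ip_home > public_ip_4: ICMP echo request, id 45406, seq 2409, length 64
17:37:04.563234 IP public_ip_home > public_ip_host: ICMP echo request, id 45310, seq 2468, length 64
17:37:04.563310 IP public_ip_host > public_ip_home: ICMP echo reply, id 45310, seq 2468, length 64
17:37:04.847046 IP public_ip_4 > 172.217.23.174: ICMP echo request, id 486, seq 217, length 64
17:37:05.064416 IP public_ip_home > public_ip_4: ICMP echo request, id 45406, seq 2410, length 64
17:37:11.479304 IP public_ip_host > 103.98.160.50: ICMP host public_ip_host unreachable - admin prohibited, length 48
"""

ECHO = re.compile(
    r"^\S+ IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)"
)


def icmp_flows(capture):
    """Summarise echo traffic per (requester, target) pair.

    A request counts as answered when a reply with the same id and seq is
    seen travelling in the opposite direction.
    """
    requests = {}    # (requester, target) -> set of (id, seq)
    replies = set()  # (requester, target, id, seq) for every reply seen
    for line in capture.splitlines():
        m = ECHO.match(line)
        if not m:
            continue  # not an echo request/reply (e.g. ICMP unreachable)
        src, dst, kind, ident, seq = m.groups()
        if kind == "request":
            requests.setdefault((src, dst), set()).add((ident, seq))
        else:
            # A reply goes target -> requester, so swap the direction back.
            replies.add((dst, src, ident, seq))
    summary = []
    for (src, dst), probes in requests.items():
        answered = sum((src, dst, i, s) in replies for i, s in probes)
        summary.append({"from": src, "to": dst,
                        "requests": len(probes), "replies": answered})
    return summary


def flows_involving(capture, address):
    """Only the flows that have `address` as requester or target."""
    return [f for f in icmp_flows(capture) if address in (f["from"], f["to"])]


def unanswered(capture):
    """(requester, target) pairs for which no request got a reply."""
    return [(f["from"], f["to"]) for f in icmp_flows(capture)
            if f["replies"] == 0]


if __name__ == "__main__":
    for f in icmp_flows(SAMPLE):
        print(f'{f["from"]} -> {f["to"]}: '
              f'{f["requests"]} requests, {f["replies"]} replies')
```

The same narrowing can be done at capture time with a tcpdump filter expression such as `icmp and host <alias address>`.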

Hi, I thought you abandoned the thread, nice to know you are back :smiley:
I agree about breaking it.
I followed this tut from my server provider.
https://wiki.hetzner.de/index.php/Zusätzliche_IP-Adressen_Suse/en
The thing is, each additional IP has another gateway, and that I cannot get to ping it from the outside world.
I tried all tutorials online on how to add alias IPs, same result.

Can you try removing the IP alias and re-adding it as a /32 single host, rather than a /29 as that will result in it setting up a local route for the rest of the subnet, that may be causing problems.

Also, not sure what the eth0:lxdbr1 part is on that line, is that a friendly name?

/29 is what the server provider allows for my IP.
lxdbr1 is my alias IP label.

You can use just a /32 even if they have allocated you an IP in a /29 subnet. The only thing the subnet indicates is which IPs in the same subnet your host will use for local ARP resolution rather than forwarding the packets to your default gateway. I was thinking perhaps that is the issue.

Especially as the link you provided specifies that:

IPADDR_2='188.40.40.74/32'
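The effect of the prefix length described in the reply above, as an added example that is not part of the original posts: a small model of the main routing table showing that an alias added as /29 makes the host ARP directly for the rest of that subnet, while a /32 sends the same traffic to the default gateway. The host address and gateway are constructed values from the 192.0.2.0/24 documentation range; the alias is the address quoted from the provider's guide; the function names are hypothetical.

```python
import ipaddress

# Constructed host addressing (192.0.2.0/24 is a documentation range).
HOST_ADDR = ("eth0", "192.0.2.10/26")
DEFAULT_GW = ("eth0", "192.0.2.1")


def build_routes(addresses, default_gw):
    """Model the main routing table: connected routes plus a default route.

    `addresses` is a list of (device, "address/prefix") pairs, in the form
    they would be configured on the interface.
    """
    gw_dev, gateway = default_gw
    routes = [(ipaddress.ip_network("0.0.0.0/0"), gw_dev, gateway)]
    for dev, cidr in addresses:
        network = ipaddress.ip_interface(cidr).network
        # A /32 covers only the address itself, so no subnet route is added.
        if network.prefixlen < 32:
            routes.append((network, dev, None))
    return routes


def next_hop(routes, destination):
    """Pick the route by longest-prefix match and describe the next hop."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r[0]]
    _network, dev, gateway = max(matches, key=lambda r: r[0].prefixlen)
    if gateway is None:
        # Connected route: the host resolves the destination itself via ARP.
        return f"ARP for {dst} directly on {dev}"
    return f"forward to gateway {gateway} on {dev}"


def compare(alias, destination):
    """Next hop for `destination` with the alias added as /29 and as /32."""
    result = {}
    for prefix in (29, 32):
        routes = build_routes(
            [HOST_ADDR, ("eth0", f"{alias}/{prefix}")], DEFAULT_GW
        )
        result[prefix] = next_hop(routes, destination)
    return result


if __name__ == "__main__":
    # 188.40.40.73 is a constructed neighbour inside 188.40.40.72/29;
    # 203.0.113.5 is a constructed address outside every local subnet.
    for target in ("188.40.40.73", "203.0.113.5"):
        for prefix, hop in compare("188.40.40.74", target).items():
            print(f"alias /{prefix}, packet to {target}: {hop}")
```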

Ah good so that solved it. :slight_smile:

That was a good catch, man. Thanks a lot.
Last question though: is a project a good way of separating project management? And is it possible for 2 LXD managed bridges to communicate with each other? Because that seems not to work.

No problem.

I’ve addressed your question on the new thread: LXD 2 bridges comunication