LXD cluster with pfsense scenario

alizowghi · February 6, 2023, 3:04am

Hi everyone

We have a lxd cluster with below config:
3 nodes as lxd cluster
1 node as router (pfsense)
1 switch 2960

We have 2 vlans on switch:

lxd cluster,ovn
uplink

we routed public ips to uplink and use dhcp for assigning them to vms.
everything is okay but!!

when a vm in cluster pings another in the same cluster, they see them in layer2 and this is a security issue. because we can not prevent attacks or observer bad traffics.

tomp · February 9, 2023, 9:11am

Can you give me an example, I’m not really following?

Please also show output of lxc network show <ovn network> and lxc config show <instance> --expanded and lxc network show <uplink network>.

Thanks

alizowghi · February 15, 2023, 5:12am

ubuntu@node1:~$ lxc network show  UPLINK
config:
  dns.nameservers: 8.8.8.8
  ipv4.gateway: 192.168.8.1/21
  ipv4.ovn.ranges: 192.168.8.100-192.168.15.250
  ipv4.routes: 185.x.x.1/28
  ovn.ingress_mode: routed
  volatile.last_state.created: "false"
description: ""
name: UPLINK
type: physical
used_by:
- /1.0/networks/my-ovn
- /1.0/networks/test-ovn
managed: true
status: Created
locations:
- node1
- node3
- node2

ubuntu@node1:~$ lxc network show my-ovn
config:
  bridge.mtu: "1442"
  ipv4.address: 10.1.223.1/24
  ipv4.nat: "true"
  ipv4.nat.address: 175.x.x.149
  ipv6.address: fd42:9973:9fc8:7968::1/64
  ipv6.nat: "true"
  network: UPLINK
  volatile.network.ipv4.address: 192.168.8.100
description: ""
name: my-ovn
type: ovn
used_by:
- /1.0/instances/c1
- /1.0/instances/c2
managed: true
status: Created
locations:
- node1
- node3
- node2


ubuntu@node1:~$ lxc config show c1 --expanded 
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Ubuntu jammy amd64 (20230128_07:44)
  image.os: Ubuntu
  image.release: jammy
  image.serial: "20230128_07:44"
  image.type: squashfs
  image.variant: default
  volatile.base_image: 0c5984e1442089ce57ad3ed5d24fbb71fba53bce1ec94c211be3c33519e7cd6d
  volatile.cloud-init.instance-id: 654a1fce-21e4-4444-b3e1-9d0a6ceba253
  volatile.eth0.host_name: vethba09de93
  volatile.eth0.hwaddr: 00:16:3e:8c:56:58
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: RUNNING
  volatile.uuid: cd3eb73a-bd1a-48c0-a46d-0a75e498e4aa
devices:
  eth0:
    name: eth0
    network: my-ovn
    type: nic
  root:
    path: /
    pool: local
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

tomp · February 15, 2023, 8:13am

And the example please? What is seeing what in the same l2? I’m confused