Hi All,
I am new to Linux world and I tried everything I can think off to solve this problem but stuck since so many days. My LXD container is not able to accessible from my LAN.
but no help !
Something is wrong and I am not able to make it correct.
Any help would be appreciated !!
if I use only bridged profile somehow my container don’t even get the IP, when I do lxc list ipv4 and ipv6 column are blank.
I tried to change the container netplan configuration with below and container takes the IP but not able to ping 8.8.8.8 or accessible from host machine.
If so, check that your Windows 10 VM is allowing multiple MAC addresses on its own bridged interface and that the VM’s nic device is set to promiscuous mode to allow it to receive packets that are not for its own MAC address. Otherwise they will not get into the VM to be accessible to LXD.
This might be another benefit of using the ipvlan nic type I mentioned in the other thread, as it will share the host’s MAC address.
@tomp I think my container routing table is not correct. my host VM gateway is 10.91.47.254 and 10.91.47.98 is my host ip4 address on eth0 which got transferred to bridged interface.
@girish.meena unless you’re wanting the host to be a router (which is unlikely seeing as you’ve been asking about bridging up until this point), then the default gateway in the container should be the same IP as on the host, i.e 10.91.47.254. Remember bridging behaves like a switch, so it operated at layer 2, so effectively your container is now on the same network as your host, and so doesn’t need to use your host’s IP to get to the rest of the network.
Can you ping the host from your container and vice versa? - No, I can’t ping Host WS 2012 and vice versa.
Have you checked your HyperV nic allows multiple MACs? - Hyper V showing different different MAC addr. to all the VMs
I’m not sure as haven’t used LXD on HyperV before, but it is quite a common issue when running on a virtual machine and using bridging inside the VM, that the nic provided by the VM is filtering multiple MACs and/or not forwarding packets for MACs other than itself.
@girish.meena you will need to have the mac spoofing option enabled.
Nothing you change inside the VM itself will make a difference until that is changed (the physical host is likely stopping any traffic from your container’s MAC because it is different than that of the VM).
Hey @tomp, I enabled mac spoofing and now
my Windows Host(10.91.41.118) can access the LXD container(10.91.47.65). and vice versa.
I can ping 8.8.8.8 from my LXD container.
I can ping LXD container from my laptop (10.91.68.254) and vice versa.
I can ping Ubuntu 18.04 machine(10.91.47.98, on which we created bridged bridge0) on which LXD container resides. and vice versa.
Does allowing MAC spoofing is security threat? Is it secure to allow it? and Can we run Production system allowing this setting?
Thanks a lot for so much help you provided again and again. Can not believe it got fixed.
Its not a security issue to allow mac spoofing in your VM as long as you trust the workloads running inside your container.
If you were running an untrusted workload then there is the possibility of a container spoofing a MAC of another machine in your network to divert traffic to it, or acting as a rogue DHCP server.
LXD does have some protection for this too in the form of the security filtering modes:
security.mac_filtering
boolean
false
no
network
Prevent the container from spoofing another’s MAC address
security.ipv4_filtering
boolean
false
no
container_nic_ipfilter
Prevent the container from spoofing another’s IPv4 address (enables mac_filtering)
security.ipv6_filtering
boolean
false
no
container_nic_ipfilter
Prevent the container from spoofing another’s IPv6 address (enables mac_filtering)
