I have a cloud server running LXD 3.0 on Ubuntu 18.04 LTS and a (for me) complicated networking setup. The cloud server is connected to my local network via OpenVPN and my subnets are as follows:
10.1.0.0/24 = Home network
10.1.2.0/24 = OpenVPN clients
10.2.0.0/24 = lxdbr0 on cloud server
OpenVPN is happily routing 10.2.0.0/24 through to the cloud server and my containers are able to contact and ping the home network machines. The problem is in the NAT setting of lxdbr0, it’s enabled so the containers can access the internet, but the generated NAT rule is as follows:
-A POSTROUTING -s 10.2.0.0/24 ! -d 10.2.0.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
This causes traffic to everywhere that is not in 10.2.0.0/24 to be NAT’ed, which means that the machines in my local network see all traffic coming from the containers as 10.2.0.1 (lxdbr0’s host IPv4 address). In order to fix that, I removed that rule and replaced it with:
-A POSTROUTING -s 10.2.0.0/24 ! -d 10.0.0.0/8 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
This causes the containers and home network machines to be able to ping and create connections between all of them perfectly and the containers can still access the internet through the public IP of the cloud server. My questions are:
- How do I get LXD to generate the NAT rule this way? Is that even possible?
- Is what I did the right way to solve this problem?
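As an added illustration (not part of the post), here is a small Python model of how the generated rule, the /8 replacement, and a tighter per-subnet exemption each decide whether a container packet is masqueraded, plus the nat POSTROUTING lines each policy needs. The per-subnet policy, the container source address and the sample destinations are assumptions chosen to match the subnets in the post.

```python
import ipaddress
from typing import Dict, Iterable, List

CONTAINER_NET = ipaddress.ip_network("10.2.0.0/24")  # lxdbr0, from the post

# Exemption sets: destinations that must NOT be masqueraded.
LXD_DEFAULT = ["10.2.0.0/24"]                            # rule LXD generated
AUTHOR_FIX = ["10.0.0.0/8"]                              # the poster's replacement
# Assumption: exempt only what is actually reachable over the VPN plus the bridge.
EXACT_FIX = ["10.2.0.0/24", "10.1.0.0/24", "10.1.2.0/24"]


def is_masqueraded(src: str, dst: str, exempt: Iterable[str]) -> bool:
    """Model of a POSTROUTING chain: one `-d <prefix> -j RETURN` per exempt
    prefix, then `-s 10.2.0.0/24 -j MASQUERADE`. With a single prefix this is
    the same as LXD's `! -d <prefix>` form."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in CONTAINER_NET:
        return False  # the -s match fails, packet is left alone
    return not any(d in ipaddress.ip_network(p) for p in exempt)


def render_rules(exempt: List[str]) -> List[str]:
    """Emit iptables-save style lines implementing the exemption set.
    iptables allows only one `! -d` per rule, so several prefixes need
    RETURN rules ahead of the MASQUERADE rule."""
    base = f"-A POSTROUTING -s {CONTAINER_NET}"
    if len(exempt) == 1:
        return [f"{base} ! -d {exempt[0]} -j MASQUERADE"]
    return [f"{base} -d {p} -j RETURN" for p in exempt] + [f"{base} -j MASQUERADE"]


def audit(destinations: Iterable[str], src: str = "10.2.0.50") -> Dict[str, Dict[str, bool]]:
    """For each constructed destination, report which policies would NAT it."""
    policies = {"lxd_default": LXD_DEFAULT, "author_fix": AUTHOR_FIX, "exact_fix": EXACT_FIX}
    return {dst: {name: is_masqueraded(src, dst, ex) for name, ex in policies.items()}
            for dst in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: home host, VPN client, an unrouted 10.x
    # address, and a public address (TEST-NET-3).
    for dst, verdicts in audit(["10.1.0.10", "10.1.2.5", "10.200.5.5", "203.0.113.10"]).items():
        print(dst, verdicts)
    print("\n".join(render_rules(EXACT_FIX)))
```

The 10.200.5.5 row shows the cost of the /8 shortcut: traffic to any 10.x range that is not routed over the VPN leaves the server with the container's private source address instead of being masqueraded.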