Networking - Debian 13 instances not getting IP from DHCP/SLAAC?

Chris78 · February 23, 2026, 10:01pm

Hi,

I’m using Incus with an un-managed bridge. The bridge (lxContBBR0) is configured on the host via NetPlan, where it gets IP details for the host via a DHCP server on the LAN.

That all works fine. I’m now trying to get Debian 13 LXC instances to pick up IPv4 and IPv6 off an existing server on the LAN. Unfortunately, they don’t seem to get an address, and I’m not sure if it’s a firewall issue, Incus host confg issue, or the config of the networking in the instances themselves.

I’ve passed the linux bridge (lxContBBR0) through to the default profile:

description: Default Incus profile
devices:
  eth0:
    nictype: bridged
    parent: lxContBBR0
    type: nic

The profile appears to have correctly associated it to the profile and instance that is using it:

incus network list
+------------+----------+---------+------+------+-------------+---------+-------+
|    NAME    |   TYPE   | MANAGED | IPV4 | IPV6 | DESCRIPTION | USED BY | STATE |
+------------+----------+---------+------+------+-------------+---------+-------+
| docker0    | bridge   | NO      |      |      |             | 0       |       |
+------------+----------+---------+------+------+-------------+---------+-------+
| eno1       | physical | NO      |      |      |             | 0       |       |
+------------+----------+---------+------+------+-------------+---------+-------+
| enp5s0     | physical | NO      |      |      |             | 0       |       |
+------------+----------+---------+------+------+-------------+---------+-------+
| lo         | loopback | NO      |      |      |             | 0       |       |
+------------+----------+---------+------+------+-------------+---------+-------+
| lxContBBR0 | bridge   | NO      |      |      |             | 2       |       |
+------------+----------+---------+------+------+-------------+---------+-------+
| wlp6s0     | physical | NO      |      |      |             | 0       |       |
+------------+----------+---------+------+------+-------------+---------+-------+

(At this point in time there is just one other test instance running for me to work with: third)

incus network show lxContBBR0
config: {}
description: ""
name: lxContBBR0
type: bridge
used_by:
- /1.0/instances/third
- /1.0/profiles/default
managed: false
status: ""
locations: []
project: default

Config for ‘third’:

incus config show third
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Debian trixie amd64 (20260222_05:24)
  image.os: Debian
  image.release: trixie
  image.serial: "20260222_05:24"
  image.type: squashfs
  image.variant: default
  volatile.base_image: 818654532564845dbd056522a3fd953f094fdd4f9877facc9b84441e0768e2a7
  volatile.cloud-init.instance-id: b341474a-85ae-4fc7-9425-f835a2c6618e
  volatile.eth0.host_name: veth9e473f8b
  volatile.eth0.hwaddr: 10:66:6a:c6:b3:91
  volatile.eth0.name: eth0
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.last_state.ready: "false"
  volatile.uuid: c7f89dd3-52b9-4d21-8c32-c9053bf89d77
  volatile.uuid.generation: c7f89dd3-52b9-4d21-8c32-c9053bf89d77
devices: {}
ephemeral: false
profiles:
- default
stateful: false
description: ""

Here’s the networkd config from inside the Deb 13 LXC instance called ‘third’:

[Match]
Name=eth0

[Network]
DHCP=true

[DHCPv4]
UseDomains=true
UseMTU=true

[DHCP]
ClientIdentifier=mac

Anyone able to suggest what might be going wrong?

Thanks

Chris78 · February 23, 2026, 10:16pm

More digging with wireshark on the host shows that restarting systemd-networkd in the Incus Deb 13 instance ‘third’, sends out a DHCP Discover over the bridge to the LAN, and the server on the LAN is responding with a DHCP Offer.

So, it seems like at least outbound traffic from the LXC instance works. I’m assuming now that it’s due to one or more of the following:

Firewall on host dropping the response
Firewall on the LXC instance dropping the response
Something wrong with the LXC instance’s networking config?

Chris78 · February 23, 2026, 10:32pm

So, guessing it’s related to the Deb 13 LXC instance running unprivileged, as the systemd-networkd logs report a few non-permitted operations:
Feb 23 22:11:44 third systemd-networkd[217]: eth0: Configuring with /etc/systemd/network/eth0.network.
Feb 23 22:11:44 third systemd[1]: Started systemd-networkd.service - Network Configuration.
Feb 23 22:25:31 third systemd[1]: Stopping systemd-networkd.service - Network Configuration…
Feb 23 22:25:31 third systemd[1]: systemd-networkd.service: Deactivated successfully.
Feb 23 22:25:31 third systemd[1]: Stopped systemd-networkd.service - Network Configuration.
Feb 23 22:25:31 third systemd[1]: Starting systemd-networkd.service - Network Configuration…
Feb 23 22:25:31 third systemd-networkd[250]: Failed to increase receive buffer size for general netlink socket, ignoring: Operation not permitted
Feb 23 22:25:31 third systemd-networkd[250]: lo: Link UP
Feb 23 22:25:31 third systemd-networkd[250]: lo: Gained carrier
Feb 23 22:25:31 third systemd-networkd[250]: eth0: Link UP
Feb 23 22:25:31 third systemd-networkd[250]: eth0: Gained carrier
Feb 23 22:25:31 third systemd-networkd[250]: eth0: Gained IPv6LL
Feb 23 22:25:31 third systemd-networkd[250]: Unable to load sysctl monitor BPF program, ignoring: Operation not permitted.

Seems like this person ran into a similar issue, but not sure if/how they solved it:

EDIT: Seems to be a common issue, will have to keep reading:

github.com/lxc/distrobuilder

Global systemd overrides needed to accomodate namespacing

opened 09:17AM - 20 Apr 21 UTC

closed 03:06PM - 26 Apr 21 UTC

tim-seoss

# Required information * Distribution: Debian * Distribution version: test…ing (11 pre) * The output of "lxc info" or if that fails: ``` config: core.https_address: '[::]:8443' core.trust_password: true api_extensions: - storage_zfs_remove_snapshots - container_host_shutdown_timeout - container_stop_priority - container_syscall_filtering - auth_pki - container_last_used_at - etag - patch - usb_devices - https_allowed_credentials - image_compression_algorithm - directory_manipulation - container_cpu_time - storage_zfs_use_refquota - storage_lvm_mount_options - network - profile_usedby - container_push - container_exec_recording - certificate_update - container_exec_signal_handling - gpu_devices - container_image_properties - migration_progress - id_map - network_firewall_filtering - network_routes - storage - file_delete - file_append - network_dhcp_expiry - storage_lvm_vg_rename - storage_lvm_thinpool_rename - network_vlan - image_create_aliases - container_stateless_copy - container_only_migration - storage_zfs_clone_copy - unix_device_rename - storage_lvm_use_thinpool - storage_rsync_bwlimit - network_vxlan_interface - storage_btrfs_mount_options - entity_description - image_force_refresh - storage_lvm_lv_resizing - id_map_base - file_symlinks - container_push_target - network_vlan_physical - storage_images_delete - container_edit_metadata - container_snapshot_stateful_migration - storage_driver_ceph - storage_ceph_user_name - resource_limits - storage_volatile_initial_source - storage_ceph_force_osd_reuse - storage_block_filesystem_btrfs - resources - kernel_limits - storage_api_volume_rename - macaroon_authentication - network_sriov - console - restrict_devlxd - migration_pre_copy - infiniband - maas_network - devlxd_events - proxy - network_dhcp_gateway - file_get_symlink - network_leases - unix_device_hotplug - storage_api_local_volume_handling - operation_description - clustering - event_lifecycle - storage_api_remote_volume_handling - nvidia_runtime - container_mount_propagation - container_backup - devlxd_images - container_local_cross_pool_handling - proxy_unix - proxy_udp - clustering_join - proxy_tcp_udp_multi_port_handling - network_state - proxy_unix_dac_properties - container_protection_delete - unix_priv_drop - pprof_http - proxy_haproxy_protocol - network_hwaddr - proxy_nat - network_nat_order - container_full - candid_authentication - backup_compression - candid_config - nvidia_runtime_config - storage_api_volume_snapshots - storage_unmapped - projects - candid_config_key - network_vxlan_ttl - container_incremental_copy - usb_optional_vendorid - snapshot_scheduling - snapshot_schedule_aliases - container_copy_project - clustering_server_address - clustering_image_replication - container_protection_shift - snapshot_expiry - container_backup_override_pool - snapshot_expiry_creation - network_leases_location - resources_cpu_socket - resources_gpu - resources_numa - kernel_features - id_map_current - event_location - storage_api_remote_volume_snapshots - network_nat_address - container_nic_routes - rbac - cluster_internal_copy - seccomp_notify - lxc_features - container_nic_ipvlan - network_vlan_sriov - storage_cephfs - container_nic_ipfilter - resources_v2 - container_exec_user_group_cwd - container_syscall_intercept - container_disk_shift - storage_shifted - resources_infiniband - daemon_storage - instances - image_types - resources_disk_sata - clustering_roles - images_expiry - resources_network_firmware - backup_compression_algorithm - ceph_data_pool_name - container_syscall_intercept_mount - compression_squashfs - container_raw_mount - container_nic_routed - container_syscall_intercept_mount_fuse - container_disk_ceph - virtual-machines - image_profiles - clustering_architecture - resources_disk_id - storage_lvm_stripes - vm_boot_priority - unix_hotplug_devices - api_filtering - instance_nic_network - clustering_sizing - firewall_driver - projects_limits - container_syscall_intercept_hugetlbfs - limits_hugepages - container_nic_routed_gateway - projects_restrictions - custom_volume_snapshot_expiry - volume_snapshot_scheduling - trust_ca_certificates - snapshot_disk_usage - clustering_edit_roles - container_nic_routed_host_address - container_nic_ipvlan_gateway - resources_usb_pci - resources_cpu_threads_numa - resources_cpu_core_die - api_os - container_nic_routed_host_table - container_nic_ipvlan_host_table - container_nic_ipvlan_mode - resources_system - images_push_relay - network_dns_search - container_nic_routed_limits - instance_nic_bridged_vlan - network_state_bond_bridge - usedby_consistency - custom_block_volumes - clustering_failure_domains - resources_gpu_mdev - console_vga_type - projects_limits_disk - network_type_macvlan - network_type_sriov - container_syscall_intercept_bpf_devices - network_type_ovn - projects_networks - projects_networks_restricted_uplinks - custom_volume_backup - backup_override_name - storage_rsync_compression - network_type_physical - network_ovn_external_subnets - network_ovn_nat - network_ovn_external_routes_remove - tpm_device_type - storage_zfs_clone_copy_rebase - gpu_mdev - resources_pci_iommu - resources_network_usb - resources_disk_address - network_physical_ovn_ingress_mode - network_ovn_dhcp - network_physical_routes_anycast - projects_limits_instances - network_state_vlan - instance_nic_bridged_port_isolation - instance_bulk_state_change - network_gvrp - instance_pool_move - gpu_sriov - pci_device_type - storage_volume_state - network_acl - migration_stateful - disk_state_quota - storage_ceph_features - projects_compression - projects_images_remote_cache_expiry - certificate_project - network_ovn_acl - projects_images_auto_update - projects_restricted_cluster_target - images_default_architecture - network_ovn_acl_defaults - gpu_mig - project_usage - network_bridge_acl api_status: stable api_version: "1.0" auth: trusted public: false auth_methods: - tls environment: addresses: - 172.18.18.18:8443 - '[2001:aaaa:bbbb:cccc::abcd]:8443' architectures: - x86_64 - i686 driver: lxc | qemu driver_version: 4.0.0 (devel) | 5.2.0 firewall: nftables kernel: Linux kernel_architecture: x86_64 kernel_features: netnsid_getifaddrs: "true" seccomp_listener: "true" seccomp_listener_continue: "true" shiftfs: "false" uevent_injection: "true" unpriv_fscaps: "true" kernel_version: 5.10.0-6-amd64 lxc_features: cgroup2: "true" devpts_fd: "true" mount_injection_file: "true" network_gateway_device_route: "true" network_ipvlan: "true" network_l2proxy: "true" network_phys_macvlan_mtu: "true" network_veth_router: "true" pidfd: "true" seccomp_allow_deny_syntax: "true" seccomp_notify: "true" seccomp_proxy_send_notify_fd: "true" os_name: Debian GNU/Linux os_version: "" project: default server: lxd server_clustered: false server_name: roundabout server_pid: 3595 server_version: "4.13" storage: dir storage_version: "1" ``` # Issue description Unprivileged container (Debian 11 bullseye/testing) fails to obtain an IPv4 address. Works when same container is set to privileged. # Steps to reproduce Unpriv (failing) `journalctl -b -u systemd-networkd.service`: ``` Apr 20 08:27:38 ctest systemd-networkd[52]: SELinux enabled state cached to: disabled Apr 20 08:27:38 ctest systemd-networkd[52]: Failed to increase receive buffer size for general netlink socket, ignoring: Operation not permitted Apr 20 08:27:38 ctest systemd-networkd[52]: sd-device-monitor: The udev service seems not to be active, disabling the monitor Apr 20 08:27:38 ctest systemd-networkd[52]: sd-device-monitor: Failed to stat PID1's netns: No such file or directory Apr 20 08:27:38 ctest systemd-networkd[52]: Failed to increase buffer size for device monitor, ignoring: Operation not permitted Apr 20 08:27:38 ctest systemd-networkd[52]: Bus bus-api-network: changing state UNSET → OPENING Apr 20 08:27:38 ctest systemd-networkd[52]: sd-bus: starting bus bus-api-network by connecting to /run/dbus/system_bus_socket... Apr 20 08:27:38 ctest systemd-networkd[52]: Added inotify watch for /run on bus bus-api-network: 2 Apr 20 08:27:38 ctest systemd-networkd[52]: Added inotify watch for /run/dbus on bus bus-api-network: -1 Apr 20 08:27:38 ctest systemd-networkd[52]: sd-bus: starting bus bus-api-network by connecting to /run/dbus/system_bus_socket... Apr 20 08:27:38 ctest systemd-networkd[52]: Bus bus-api-network: changing state OPENING → WATCH_BIND Apr 20 08:27:38 ctest systemd-networkd[52]: Registering bus object implementation for path=/org/freedesktop/LogControl1 iface=org.freedesktop.LogContro> Apr 20 08:27:38 ctest systemd-networkd[52]: timestamp of '/etc/systemd/network' changed Apr 20 08:27:38 ctest systemd-networkd[52]: eth0: New device has no master, continuing without Apr 20 08:27:38 ctest systemd-networkd[52]: eth0: Flags change: +UP +LOWER_UP +RUNNING +MULTICAST +BROADCAST Apr 20 08:27:38 ctest systemd-networkd[52]: eth0: Link 45 added Apr 20 08:27:38 ctest systemd-networkd[52]: eth0: link pending udev initialization... Apr 20 08:27:38 ctest systemd-networkd[52]: eth0: Saved original MTU: 1500 ``` Priv (working) `journalctl -b -u systemd-networkd.service`: ``` Apr 20 08:35:53 ctest systemd-networkd[51]: SELinux enabled state cached to: disabled Apr 20 08:35:53 ctest systemd-networkd[51]: Bus bus-api-network: changing state UNSET → OPENING Apr 20 08:35:53 ctest systemd-networkd[51]: sd-bus: starting bus bus-api-network by connecting to /run/dbus/system_bus_socket... Apr 20 08:35:53 ctest systemd-networkd[51]: Bus bus-api-network: changing state OPENING → AUTHENTICATING Apr 20 08:35:53 ctest systemd-networkd[51]: Registering bus object implementation for path=/org/freedesktop/LogControl1 iface=org.freedesktop.LogContro> Apr 20 08:35:53 ctest systemd-networkd[51]: timestamp of '/etc/systemd/network' changed Apr 20 08:35:54 ctest systemd-networkd[51]: eth0: New device has no master, continuing without Apr 20 08:35:54 ctest systemd-networkd[51]: eth0: Flags change: +UP +LOWER_UP +RUNNING +MULTICAST +BROADCAST Apr 20 08:35:54 ctest systemd-networkd[51]: eth0: Link 47 added Apr 20 08:35:54 ctest systemd-networkd[51]: eth0: Link state is up-to-date Apr 20 08:35:54 ctest systemd-networkd[51]: eth0: State changed: pending -> initialized Apr 20 08:35:54 ctest systemd-networkd[51]: eth0: found matching network '/etc/systemd/network/eth0.network' Apr 20 08:35:54 ctest systemd-networkd[51]: Setting '/proc/sys/net/ipv6/conf/eth0/disable_ipv6' to '0' Apr 20 08:35:54 ctest systemd-networkd[51]: Setting '/proc/sys/net/ipv6/conf/eth0/use_tempaddr' to '0' Apr 20 08:35:54 ctest systemd-networkd[51]: Setting '/proc/sys/net/ipv6/conf/eth0/accept_ra' to '0' Apr 20 08:35:54 ctest systemd-networkd[51]: Setting '/proc/sys/net/ipv6/conf/eth0/proxy_ndp' to '0' Apr 20 08:35:54 ctest systemd-networkd[51]: eth0: Setting nomaster Apr 20 08:35:54 ctest systemd-networkd[51]: eth0: promote_secondaries is unset, setting it Apr 20 08:35:54 ctest systemd-networkd[51]: Setting 'net/ipv4/conf/eth0/promote_secondaries' to '1'. Apr 20 08:35:54 ctest systemd-networkd[51]: LLDP: Started LLDP client Apr 20 08:35:54 ctest systemd-networkd[51]: eth0: Started LLDP. Apr 20 08:35:54 ctest systemd-networkd[51]: eth0: Setting address genmode for link Apr 20 08:35:54 ctest systemd-networkd[51]: eth0: Failed to read sysctl property stable_secret: Input/output error Apr 20 08:35:54 ctest systemd-networkd[51]: eth0: Saved original MTU: 1500 ``` # Information to attach Probably: https://discuss.linuxcontainers.org/t/systemd-247-with-lxd-4-04-breaks-systemd-networkd/9627 ... but couldn't find a bug for that. Container systemd debian package version is `247.3-3` `lxc config show NAME --expanded`: ``` architecture: x86_64 config: boot.autostart: "true" image.architecture: amd64 image.description: Debian bullseye amd64 (20210320_05:24) image.os: Debian image.release: bullseye image.serial: "20210320_05:24" image.type: squashfs image.variant: default security.nesting: "true" security.privileged: "false" volatile.base_image: 4d20a3018f1879cd303cb045de56dc38dfd9c7a5c6a5ff416e3c7e8b42b5dfe7 volatile.eth0.host_name: vethcdf57d7e volatile.eth0.hwaddr: 00:16:3e:a4:12:7e volatile.idmap.base: "0" volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]' volatile.last_state.power: RUNNING volatile.uuid: 594e8f27-5fb9-4fd4-b32d-6a5b363ef915 devices: eth0: name: eth0 nictype: bridged parent: br0 security.mac_filtering: "true" type: nic localctest: path: /srv/ctest source: /srv/ctest type: disk root: path: / pool: new type: disk sndcontrolC0: gid: "29" path: /dev/snd/controlC0 type: unix-char sndhwC0D0: gid: "29" path: /dev/snd/hwC0D0 type: unix-char sndpcmC0D0c: gid: "29" path: /dev/snd/pcmC0D0c type: unix-char sndpcmC0D0p: gid: "29" path: /dev/snd/pcmC0D0p type: unix-char sndpcmC0D1p: gid: "29" path: /dev/snd/pcmC0D1p type: unix-char sndpcmC0D2c: gid: "29" path: /dev/snd/pcmC0D2c type: unix-char sndseq: gid: "29" path: /dev/snd/seq type: unix-char sndtimer: gid: "29" path: /dev/snd/timer type: unix-char ephemeral: false profiles: - default - internalnet stateful: false description: "" ```

Chris78 · February 23, 2026, 10:41pm

Not the firewall on the host, that is now disabled.

Doesn’t seem to be any firewall in the container as neither ufw or firewalld services are running.

I’m starting to run out of ideas, other than trying a privileged container?

This host does have Docker installed, possible that is part of the issue?

Chris78 · February 24, 2026, 1:58am

Dear god, this turned out to be because the port on the network switch that the host is connected to was configured as a monitor destination for a SPAN. In Cisco SG land, that has an optional ‘network’ setting on the span destination port, which also allows the port to function as a normal switch port……The caveat to that being:

“mostly, enough that the host on the end works with it, but not a host on the end of it with LXC containers using a linux bridge to the host nic.”

FML.