Not able to ping to outside from container

Hi,

I am using LXD 4.19 (compiled from source). The issue is that I am not able to ping outside from the container.


root@vm767800:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.




Below are the network configs:




root@vm767800:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address X.X.X.X
    netmask 255.255.255.255
    gateway 10.0.160.1

    pre-up ip -4 route add dev eth0 10.0.160.1/32




root@vm767800:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.160.1      0.0.0.0         UG    0      0        0 eth0
10.0.160.1      0.0.0.0         255.255.255.255 UH    0      0        0 eth0
root@vm767800:~#


On the host:


root@cpu-6251:~# ifconfig lxdbr0
lxdbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.160.1  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fd42:1f37:29a:db1::1  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::216:3eff:fe45:9ed  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:45:09:ed  txqueuelen 1000  (Ethernet)
        RX packets 21602  bytes 1644821 (1.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13229  bytes 1563036 (1.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0




root@cpu-6251:~# ifconfig lxcbr0
lxcbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 10.0.3.1  netmask 255.255.255.0  broadcast 10.0.3.255
        ether 00:16:3e:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Could anyone help me with this?

Any help? @stgraber

Are you using Docker on the host system too?

We’ve had some issues with Docker especially messing with system-wide firewalling and causing this kind of issue.

No, I am not using Docker on the host system.

Can you show lxc info | grep firewall: and iptables -L -n -v?

When I create a new container with DHCP I am able to ping outside. The issue is happening only for static IPs.

Ah, do you have any of the network security options enabled on the network interface for that container?

root@cpu-6251:~# lxc info | grep firewall:
  firewall: xtables


root@cpu-6251:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            icmptype 12 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     icmp --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            icmptype 11 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     icmp --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            icmptype 3 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     tcp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     udp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* generated for LXD network lxdbr0 */
    8  2624 ACCEPT     udp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     tcp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
60236 5963K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 ACCEPT     tcp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 437K   40M ACCEPT     all  --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            /* generated for LXD network lxdbr0 */
1160K  112M ACCEPT     all  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     all  --  *      lxcbr0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            icmptype 12 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     icmp --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            icmptype 11 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     icmp --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            icmptype 3 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     tcp  --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            tcp spt:53 /* generated for LXD network lxdbr0 */
    0     0 ACCEPT     udp  --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            udp spt:53 /* generated for LXD network lxdbr0 */
    8  2656 ACCEPT     udp  --  *      lxdbr0  0.0.0.0/0            0.0.0.0/0            udp spt:67 /* generated for LXD network lxdbr0 */

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
55122 5674K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0



Actually, this is happening for all containers which have a static IP.

So it may just be a routing issue, firewall looks good.

Sounds like you’re putting a static address which is outside of the subnet of lxdbr0, you can do that, but you then need to make sure that those addresses are correctly routed to your server by your router and you’ll also need to make sure that they are set as an ipv4.routes entry in the container’s NIC config.

What I think is happening right now is your container sends traffic from the correct address, this gets routed by your host but then the traffic never comes back as either your router doesn’t know what host to send it to or your host doesn’t know what container to send it to.

It was working fine; today it suddenly stopped working. How do I check the routing? Could you help?

The following may help:

  • lxc config show --expanded NAME
  • lxc network show lxdbr0
  • ip -4 route show

All on the host system.

root@cpu-6251:~# lxc config show --expanded vm767800
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Debian buster amd64 (20210602_05:24)
  image.os: Debian
  image.release: buster
  image.serial: "20210602_05:24"
  image.type: squashfs
  image.variant: default
  limits.cpu: "4"
  limits.cpu.allowance: 100%
  limits.cpu.priority: "10"
  limits.memory: 10GB
  limits.memory.swap: "false"
  limits.processes: "5000"
  volatile.base_image: 436d7f1bb0ce75f38787836d5a8c22e5d67346adc62b5a3f2dd1a8c0bfaf8581
  volatile.eth0.host_name: veth5074dc8a
  volatile.eth0.hwaddr: 00:16:3e:90:78:be
  volatile.eth0.name: eth0
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":65536}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.power: RUNNING
  volatile.uuid: f6f6d594-1caa-474a-9d65-d0cdbbc479f7
devices:
  eth0:
    nictype: bridged
    parent: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    size: 10GB
    type: disk
  vm767800:
    path: /data
    pool: default
    source: vm767800
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""



root@cpu-6251:~# lxc network show lxdbr0 | grep  5.196.243.8
  ipv4.routes: 5.196.185.104/29,5.196.185.64/29,5.135.37.160/29,5.196.190.192/29,5.196.243.80/29,5.135.92.40/29,149.202.133.192/29,151.80.223.72/29,37.59.195.192/29,178.33.181.0/29,151.80.172.80/29,5.196.215.0/29,51.254.49.0/29,51.254.54.48/29,51.254.169.72/29,51.254.185.8/29,51.254.186.176/29,5.196.182.72/29,5.196.182.64/29,178.32.23.96/29,46.105.234.152/29,51.254.190.72/29,46.105.82.32/29,92.222.214.216/29,164.132.29.40/29,164.132.31.24/29,164.132.222.204/30,37.187.206.88/30,164.132.67.8/30,51.255.20.196/30,213.32.102.220/30,213.32.109.116/30,213.32.110.232/30,51.255.208.4/30,46.105.139.208/30,37.59.145.124/30,51.75.227.228/30

root@cpu-6251:~# ip -4 route show | grep 5.196.243.8
5.196.243.80/29 dev lxdbr0 proto static scope link

Above are the results for the IP range.

Ok, so looks like something cleared the routes from your host system…
This can happen with some network managers getting confused and flushing everything they don’t understand…

You could do:

  • lxc network set lxdbr0 ipv4.nat=false
  • lxc network set lxdbr0 ipv4.nat=true

This will force LXD to restart most of the network logic, including re-adding all routes.

I executed it but am still having the issue. Do I need to restart LXD?

Hmm, no, I actually misread the earlier output, it does show a route to your container in the host routing table, so that part all looks reasonable.

So I’d start by having the container try to ping 10.0.160.1, if that doesn’t work, then run tcpdump -ni lxdbr0 icmp to make sure it’s reaching the host and has the right source address and check if the host is responding.

If that looks good, then run ip -4 route get ADDRESS from the host to make sure that the host would indeed use the right interface and source address.

root@cpu-6251:~# tcpdump -ni lxdbr0 icmp | grep  10.0.160.1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lxdbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:22:09.048644 IP 5.196.243.84 > 10.0.160.1: ICMP echo request, id 892, seq 60, length 64
20:22:09.403873 IP 5.196.243.84 > 10.0.160.1: ICMP echo request, id 892, seq 61, length 64
20:22:10.423889 IP 5.196.243.84 > 10.0.160.1: ICMP echo request, id 892, seq 62, length 64
20:22:11.451913 IP 5.196.243.84 > 10.0.160.1: ICMP echo request, id 892, seq 63, length 64
20:22:12.471954 IP 5.196.243.84 > 10.0.160.1: ICMP echo request, id 892, seq 64, length 64
20:22:13.499885 IP 5.196.243.84 > 10.0.160.1: ICMP echo request, id 892, seq 65, length 64
20:22:14.519880 IP 5.196.243.84 > 10.0.160.1: ICMP echo request, id 892, seq 66, length 64
20:22:15.547885 IP 5.196.243.84 > 10.0.160.1: ICMP echo request, id 892, seq 67, length 64
20:22:16.567897 IP 5.196.243.84 > 10.0.160.1: ICMP echo request, id 892, seq 68, length 64
20:22:17.595195 IP 5.196.243.84 > 10.0.160.1: ICMP echo request, id 892, seq 69, length 64
20:22:18.619880 IP 5.196.243.84 > 10.0.160.1: ICMP echo request, id 892, seq 70, length 64
20:22:19.643861 IP 5.196.243.84 > 10.0.160.1: ICMP echo request, id 892, seq 71, length 64
20:22:20.663862 IP 5.196.243.84 > 10.0.160.1: ICMP echo request, id 892, seq 72, length 64
root@cpu-6251:~#  ip -4 route get 5.196.243.84
local 5.196.243.84 dev lo src 5.196.243.84 uid 0
    cache <local>

I got the above result.

Okay so for some reason your host is sending the traffic to the loopback device instead of lxdbr0.

Thank you for your help :)

Did you figure it out?

Your route show from earlier showed the right thing, indicating it’s sending the traffic towards lxdbr0, so it’s a bit odd to then see it go for the host’s loopback.

Unless you somehow have those IPs directly on the host loopback?
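
The check discussed in the last replies, as an added example that is not part of the original thread: it classifies the first line of `ip -4 route get` output against the expected bridge and, for a local route, looks up which host interface carries the address in `ip -4 -o addr show` output. The function names are hypothetical, and the "healthy" route line and the address listing are constructed samples (the listing only illustrates the "IP on the host loopback" hypothesis, it is not output from this host).

```shell
#!/bin/sh
# Added example: decide where the host would send replies for a container IP.

# classify_route ROUTE_GET_OUTPUT EXPECTED_BRIDGE
# Prints LOCAL, OK, WRONG_DEV:<dev> or UNKNOWN.
classify_route() {
    first_line=$(printf '%s\n' "$1" | head -n 1)
    bridge=$2
    # A leading "local" route type means the kernel considers the address one
    # of the host's own, so replies are delivered locally, not to the bridge.
    case "$first_line" in
        local\ *) echo "LOCAL"; return 0 ;;
    esac
    dev=$(printf '%s\n' "$first_line" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
    if [ -z "$dev" ]; then
        echo "UNKNOWN"
    elif [ "$dev" = "$bridge" ]; then
        echo "OK"
    else
        echo "WRONG_DEV:$dev"
    fi
}

# owner_of_address ADDR_SHOW_OUTPUT ADDRESS
# Prints every interface that has ADDRESS assigned (one per line).
owner_of_address() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { for (i = 1; i < NF; i++)
            if ($i == "inet") { split($(i + 1), a, "/"); if (a[1] == want) print $2 } }'
}

# check_live ADDRESS BRIDGE: same checks against the running host (needs iproute2).
check_live() {
    verdict=$(classify_route "$(ip -4 route get "$1")" "$2")
    echo "$1: $verdict"
    if [ "$verdict" = "LOCAL" ]; then
        # "ip -4 route show table local" lists the same local entries.
        owner_of_address "$(ip -4 -o addr show)" "$1"
    fi
    return 0
}

# Output quoted in the thread.
ROUTE_FROM_THREAD='local 5.196.243.84 dev lo src 5.196.243.84 uid 0
    cache <local>'

# Constructed sample: what a route through the bridge would look like.
ROUTE_HEALTHY='5.196.243.84 dev lxdbr0 src 10.0.160.1 uid 0
    cache'

# Constructed sample: address listing with the container IP also on lo.
ADDR_SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet 5.196.243.84/32 scope global lo\       valid_lft forever preferred_lft forever
7: lxdbr0    inet 10.0.160.1/24 scope global lxdbr0\       valid_lft forever preferred_lft forever'

# Demo on the embedded samples (no root or network access needed).
echo "thread output:  $(classify_route "$ROUTE_FROM_THREAD" lxdbr0)"
echo "healthy sample: $(classify_route "$ROUTE_HEALTHY" lxdbr0)"
echo "address owner:  $(owner_of_address "$ADDR_SAMPLE" 5.196.243.84)"
```

On the host itself, `check_live 5.196.243.84 lxdbr0` runs the same classification against the real routing table.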