No connection to external networks via bridge

Hello everyone!

I have a problem with connection to the Internet from an instance. I have just installed the latest lxd 5.12-c63881f, executed lxd init, created the default bridge and launched an ubuntu 22 instance. Nothing special. But the instance doesn't have a connection to the external network: 100% packet loss when pinging 8.8.8.8 from the instance. I don't understand what the problem is. Could anyone help me?

Netplan configuration on the host:

cat /etc/netplan/net-config.yaml
network:
  ethernets:
    enp2s0:
      dhcp4: no
      addresses:
      - 192.168.50.2/24
      routes:
      - to: 192.168.254.0/24
        via: 192.168.50.11
    enp4s0:
      dhcp4: no
      addresses: [10.24.64.68/24]
      routes:
      - to: default
        via: 10.24.64.1
      nameservers:
        addresses: [172.16.0.250]

  vlans:
    vlan96:
      id: 96
      link: enp4s0
      dhcp4: no
      addresses: [192.168.96.2/24]
      routes:
        - to: 192.168.32.0/24
          via: 192.168.96.1
    vlan192:
      id: 192
      link: enp4s0
      dhcp4: yes
      dhcp4-overrides:
        use-routes: false

  version: 2

ip route on the host:

ip route
default via 10.24.64.1 dev enp4s0 proto static 
10.24.64.0/24 dev enp4s0 proto kernel scope link src 10.24.64.68 
10.146.92.0/24 dev lxdbr0 proto kernel scope link src 10.146.92.1 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.18.0.0/16 dev br-63710f7d7f13 proto kernel scope link src 172.18.0.1 
192.168.0.0/24 dev vlan192 proto kernel scope link src 192.168.0.156 metric 100 
192.168.0.71 dev vlan192 proto dhcp scope link src 192.168.0.156 metric 100 
192.168.32.0/24 via 192.168.96.1 dev vlan96 proto static 
192.168.50.0/24 dev enp2s0 proto kernel scope link src 192.168.50.2 
192.168.96.0/24 dev vlan96 proto kernel scope link src 192.168.96.2 
192.168.254.0/24 via 192.168.50.11 dev enp2s0 proto static 

sudo iptables -L on the host:

# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere 

ip a on the instance:

ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: enp5s0:  mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:93:06:df brd ff:ff:ff:ff:ff:ff
    inet 10.146.92.161/24 metric 100 brd 10.146.92.255 scope global dynamic enp5s0
       valid_lft 3500sec preferred_lft 3500sec
    inet6 fd42:336b:85e2:de83:216:3eff:fe93:6df/64 scope global mngtmpaddr noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe93:6df/64 scope link 
       valid_lft forever preferred_lft forever

ip route on the instance:

ip route
default via 10.146.92.1 dev enp5s0 proto dhcp src 10.146.92.161 metric 100 
10.146.92.0/24 dev enp5s0 proto kernel scope link src 10.146.92.161 metric 100 
10.146.92.1 dev enp5s0 proto dhcp scope link src 10.146.92.161 metric 100

I also have an additional question. Can I create a macvlan with a static IP? How can I do it correctly?

Looks like a bad interaction with how Docker sets up the firewall, please check https://linuxcontainers.org/lxd/docs/latest/howto/network_bridge_firewalld/#prevent-issues-with-lxd-and-docker
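As an added example (not code from the thread or from the LXD project), here is a small POSIX shell script that checks the situation the linked docs page describes: it reads `iptables -S` output, reports whether Docker's `FORWARD` DROP policy would drop an LXD bridge's traffic, and prints the two `DOCKER-USER` rules the docs page recommends. The bridge name `lxdbr0` is taken from the thread; the two rule listings inside the script are constructed samples, not output from the poster's host.

```shell
#!/bin/sh
# Added example; not code from the thread or from the LXD project.
# Reads `iptables -S` output, decides whether Docker's FORWARD DROP policy
# will drop traffic for an LXD bridge, and prints the two DOCKER-USER rules
# that the LXD docs page recommends. Bridge name defaults to lxdbr0 (from the
# thread); anything else is an assumption passed in via BRIDGE.

# Constructed sample of `iptables -S` on a host like the one in the thread:
# Docker has set FORWARD to DROP and DOCKER-USER only holds its default RETURN.
SAMPLE_BROKEN='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -j RETURN'

# Constructed sample after the two documented rules were inserted at the top
# of DOCKER-USER (iptables -I places them before the RETURN).
SAMPLE_FIXED='-P FORWARD DROP
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i lxdbr0 -j ACCEPT
-A DOCKER-USER -j RETURN'

# forward_policy RULES -> prints the FORWARD chain policy (ACCEPT or DROP)
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3 }'
}

# bridge_rules_present RULES BRIDGE -> 0 when DOCKER-USER accepts both traffic
# entering from the bridge (-i) and reply traffic leaving towards it (-o)
bridge_rules_present() {
    printf '%s\n' "$1" | grep -q -- "^-A DOCKER-USER -i $2 -j ACCEPT" || return 1
    printf '%s\n' "$1" | grep -q -- "^-A DOCKER-USER -o $2 .*-j ACCEPT" || return 1
    return 0
}

# bridge_status RULES BRIDGE -> one of:
#   forward-accept          FORWARD policy is ACCEPT, Docker is not the blocker
#   ok                      policy is DROP but DOCKER-USER exempts the bridge
#   forward-drop-unhandled  policy is DROP and the bridge is not exempted
bridge_status() {
    if [ "$(forward_policy "$1")" != "DROP" ]; then
        echo forward-accept
    elif bridge_rules_present "$1" "$2"; then
        echo ok
    else
        echo forward-drop-unhandled
    fi
}

# print_fix BRIDGE -> the two rules recommended by the linked LXD docs page
print_fix() {
    printf 'sudo iptables -I DOCKER-USER -i %s -j ACCEPT\n' "$1"
    printf 'sudo iptables -I DOCKER-USER -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$1"
}

# report RULES BRIDGE -> one-line verdict, plus the fix when it is needed
report() {
    status=$(bridge_status "$1" "$2")
    echo "bridge $2: $status"
    [ "$status" = forward-drop-unhandled ] && print_fix "$2"
    return 0
}

# Without an argument the two constructed samples are checked; with a file
# argument (e.g. saved output of `sudo iptables -S`) that file is checked.
main() {
    bridge="${BRIDGE:-lxdbr0}"
    if [ $# -gt 0 ]; then
        report "$(cat "$1")" "$bridge"
    else
        echo "== constructed broken sample =="; report "$SAMPLE_BROKEN" "$bridge"
        echo "== constructed fixed sample ==";  report "$SAMPLE_FIXED" "$bridge"
    fi
}

main "$@"
```

One caveat that the thread's own output points at: the host prints `Warning: iptables-legacy tables present, use iptables-legacy to see them`, so rules may live in a different backend than the one `iptables` shows. When checking a live host, save and inspect both `sudo iptables -S` and `sudo iptables-legacy -S`; the `FORWARD` policy that matters is the one in the backend Docker actually wrote to, and the `DOCKER-USER` exemption has to be added there.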

I thought so too. I tried to implement the recommendations. But nothing changed.

sudo ufw status
Status: inactive

firewall-cmd
Command ‘firewall-cmd’ not found, but can be installed with:

sudo iptables -L

Warning: iptables-legacy tables present, use iptables-legacy to see them

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:19999

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

On another PC, LXD's bridge works fine. The OS is the same, Ubuntu 22.04, and Docker is installed there too.
But there are more rules in iptables:

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain /* generated for Multipass network mpqemubr0 */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain /* generated for Multipass network mpqemubr0 */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps /* generated for Multipass network mpqemubr0 */
LIBVIRT_INP  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             /* generated for Multipass network mpqemubr0 */
ACCEPT     all  --  10.252.55.0/24       anywhere             /* generated for Multipass network mpqemubr0 */
ACCEPT     all  --  anywhere             10.252.55.0/24       ctstate RELATED,ESTABLISHED /* generated for Multipass network mpqemubr0 */
LIBVIRT_FWX  all  --  anywhere             anywhere            
LIBVIRT_FWI  all  --  anywhere             anywhere            
LIBVIRT_FWO  all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             /* generated for Multipass network mpqemubr0 */ reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             /* generated for Multipass network mpqemubr0 */ reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain /* generated for Multipass network mpqemubr0 */
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain /* generated for Multipass network mpqemubr0 */
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps /* generated for Multipass network mpqemubr0 */
LIBVIRT_OUT  all  --  anywhere             anywhere            

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain LIBVIRT_FWI (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
target     prot opt source               destination         
ACCEPT     all  --  192.168.122.0/24     anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain LIBVIRT_INP (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:67

Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:68

I don't know how it happened. I did nothing special.

In the rules you shared, I don't see the rules we suggest adding in the page I referred you to.

I added the additional iptables rules and the bridge now works.
Thanks for your help.
