Right well I would disable that firewall inside the container until you have it working.
Then you need to start looking at using tcpdump on the host listening on the br0 interface and inside the container listening on the eth0 interface, and check if the packets are A) leaving the container’s interface and B) making it to the bridge.
I should note that this container was/is running fine with those exact iptables settings enabled but within a Proxmox container, so I can safely say this is an LXD server (network profile) config error and disabling iptables will make no difference.
I’ve not been down the tcpdump route yet no. Do my LXD profile config settings above look correct?
I’m a bit unsure about the lxc-net service because I’ve successfully created a bridge with netplan and used it with LXD on my laptop before and I didn’t have to configure or run lxc-net.
Is it needed or only in certain cases? There is no DHCP server on my LXD servers LAN but that was also the case when I created a bridge on my laptop.
I’m pretty sure the problem is due to subnetting so I need to change the address of the bridge to match the address of the container. I created a test container where the first three octets of its IP were the same as the bridge address and it could access the net using my existing netplan bridge.
This got me thinking, would I be better off using macvlan? What are the advantages of using a bridge over macvlan? Can macvlan be used with bonds? Can macvlan profiles use different subnetting to that of the main connection?
I could do with some tips on creating a second bridge. I have had one bridge and one bond working with only one of each defined, but no containers attached to my second bridge/bond can access the net when I expand that config to 2 bonds and 2 bridges.
I have not been able to find any examples of creating a second bridge under netplan. I presume the second bridge doesn’t require defining a gateway or DNS - that’s how it worked with ifupdown:
```yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      dhcp4: no
      dhcp6: no
    eno2:
      dhcp4: no
      dhcp6: no
    eno3:
      dhcp4: no
      dhcp6: no
    eno4:
      dhcp4: no
      dhcp6: no
  bonds:
    bond0:
      interfaces:
        - eno1
        - eno2
      parameters:
        lacp-rate: fast
        mode: active-backup
        transmit-hash-policy: layer2+3
    bond1:
      interfaces:
        - eno3
        - eno4
      parameters:
        lacp-rate: fast
        mode: active-backup
        transmit-hash-policy: layer2+3
  bridges:
    br0:
      interfaces: [bond0]
      dhcp4: no
      dhcp6: no
      addresses:
        - 146.87.15.153/21
      gateway4: 146.87.15.1
      nameservers:
        addresses:
          - 146.87.174.121
          - 146.87.174.122
    br1:
      interfaces: [bond1]
      dhcp4: no
      dhcp6: no
      addresses:
        - 146.87.119.19/21
```
I created a second lxd profile that uses br1 and assigned a couple of containers to it but I failed to get internet access working with them. I tried using both bridge addresses for the gateway values but neither worked.
```
$ ip r
default via 146.87.15.1 dev br0 proto static
146.87.8.0/21 dev br0 proto kernel scope link src 146.87.15.153
146.87.112.0/21 dev br1 proto kernel scope link src 146.87.119.19
```
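A quick consistency check of the subnetting and gateway questions raised above, added here as an example and not code from anyone in the thread: it parses the host's `ip r` output and reports whether a container's static address sits inside the subnet the host has on that bridge, whether its gateway is on-link, and whether the "gateway" is really just the host's own bridge address. The container addresses and the 146.87.112.x router used in the usage lines are constructed, not from the thread.

```python
import ipaddress

# Constructed from the `ip r` output quoted in the thread (host side).
HOST_ROUTES = """\
default via 146.87.15.1 dev br0 proto static
146.87.8.0/21 dev br0 proto kernel scope link src 146.87.15.153
146.87.112.0/21 dev br1 proto kernel scope link src 146.87.119.19
"""


def parse_ip_route(text):
    """Turn `ip r` lines into dicts with prefix/dev/via/src (missing keys are None)."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        route = {"prefix": "0.0.0.0/0" if toks[0] == "default" else toks[0],
                 "dev": None, "via": None, "src": None}
        for key in ("dev", "via", "src"):
            if key in toks:
                route[key] = toks[toks.index(key) + 1]
        routes.append(route)
    return routes


def check_container(routes, bridge, address, gateway):
    """Return a list of problems for a container on `bridge` with static address/gateway.

    `address` is CIDR (e.g. "146.87.119.25/21"); an empty list means the static
    config is consistent with the on-link subnet the host has on that bridge.
    """
    iface = ipaddress.ip_interface(address)
    gw = ipaddress.ip_address(gateway)
    problems = []
    # Kernel-scope routes on this bridge give the host's on-link subnet(s) for it.
    onlink = [r for r in routes if r["dev"] == bridge and r["via"] is None
              and r["prefix"] != "0.0.0.0/0"]
    if not onlink:
        problems.append(f"host has no on-link subnet on {bridge}")
    elif not any(iface.ip in ipaddress.ip_network(r["prefix"]) for r in onlink):
        problems.append(f"{iface.ip} is outside every subnet the host has on {bridge}")
    # A gateway outside the container's own prefix cannot be resolved with ARP.
    if gw not in iface.network:
        problems.append(f"gateway {gw} is not on-link for {iface.with_prefixlen}")
    # The host's bridge address is the host itself, not the LAN router.
    if any(r["src"] == gateway for r in onlink):
        problems.append(f"gateway {gw} is the host's own address on {bridge}, not a router")
    return problems


if __name__ == "__main__":
    routes = parse_ip_route(HOST_ROUTES)
    # Constructed container configs: one valid, one using the host's br1 address as gateway.
    print(check_container(routes, "br0", "146.87.15.160/21", "146.87.15.1"))
    print(check_container(routes, "br1", "146.87.119.25/21", "146.87.119.19"))
```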