Public IP in the CT

I followed this example exactly, as well as the configs in your following and previous messages. The result is that I could ping and even ssh to the public IP (as well as the private IP set by LXD) from within the host. However, from outside the server I was not able to connect to that IP. Using a Xenial host and a Xenial container.

Adding that IP to my server in /etc/network/interfaces on the host resulted in the host responding to that IP instead of the container when I connect remotely.

I’m guessing that I need to configure /etc/network/interfaces on the host in some way to pass the IPs to lxdbr0, but I think that’s where I’m stuck.

Any idea what part I have wrong?

This no longer works in 18.04

On a vanilla LXD setup where I have host and guest both at Ubuntu 16.04 LTS,
I managed to get the public IP assigned to the container and was able to successfully ping the container's public IP from my local desktop over the public internet. GREAT!
BUT, there seems to be something missing. This is what I am facing right now:

H1 can ping C1's internal IP
H1 can ping C1's public IP

BUT C1's public IP is not reachable from the local desktop

So, a couple of things that I observed to finally get C1's public IP accessible over the internet from my desktop:

  1. This command, lxc network set lxdbr0 ipv4.routes 149.56.148.6/32, which is supposed to route traffic to the bridge, works fine from the host when referring to the container's public IP, but does not result in a successful ping response from the container if we ping the container's IP from our desktop via the public internet.
  2. Had to remove the route manually and add it again on the host after the container is started to get this to work.
  3. The order in which step 1 is performed, and whether the container's public IP is set in the container's interfaces.d/c50xxxxx file, made the difference.

Here are some notes I took:

List containers

root@ubuntu:~# lxc list
+-----------+---------+-------------------+------+------------+-----------+
|   NAME    |  STATE  |       IPV4        | IPV6 |    TYPE    | SNAPSHOTS |
+-----------+---------+-------------------+------+------------+-----------+
| webserver | RUNNING | 10.0.8.100 (eth0) |      | PERSISTENT | 0         |
+-----------+---------+-------------------+------+------------+-----------+

Display the network interfaces visible to lxc and which ones are used by lxc

root@ubuntu:~# lxc network list
+--------+----------+---------+-------------+---------+
|  NAME  |   TYPE   | MANAGED | DESCRIPTION | USED BY |
+--------+----------+---------+-------------+---------+
| eno1   | physical | NO      |             | 0       |
+--------+----------+---------+-------------+---------+
| eno2   | physical | NO      |             | 0       |
+--------+----------+---------+-------------+---------+
| lxdbr0 | bridge   | YES     |             | 1       |
+--------+----------+---------+-------------+---------+

Display lxdbr0 as lxc sees it

root@ubuntu:~# lxc network show lxdbr0
config:
  ipv4.address: 10.0.8.1/24
  ipv4.dhcp.ranges: 10.0.8.2-10.0.8.254
  ipv4.nat: "true"
  ipv6.address: fd42:614c:7ebe:916c::1/64
  ipv6.dhcp.stateful: "true"
  ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/containers/webserver
managed: true
status: Created
locations:
- none

Routes on host

root@ubuntu:~# ip route show
default via 2xx.1xx.151.49 dev eno1 onlink
10.0.8.0/24 dev lxdbr0  proto kernel  scope link  src 10.0.8.1
2xx.1xx.151.48/28 dev eno1  proto kernel  scope link  src 2xx.1xx.151.50

iptables rules on host

root@ubuntu:~# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps /* generated for LXD network lxdbr0 */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */
ACCEPT     all  --  anywhere             anywhere             /* generated for LXD network lxdbr0 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain /* generated for LXD network lxdbr0 */
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps /* generated for LXD network lxdbr0 */

List containers.

root@ubuntu:~# lxc list
+-----------+---------+-------------------+------+------------+-----------+
|   NAME    |  STATE  |       IPV4        | IPV6 |    TYPE    | SNAPSHOTS |
+-----------+---------+-------------------+------+------------+-----------+
| webserver | RUNNING | 10.0.8.100 (eth0) |      | PERSISTENT | 0         |
+-----------+---------+-------------------+------+------------+-----------+

Pinging public ip to be assigned to container.

root@ubuntu:~# ping 2xx.1xx.151.51
PING 2xx.1xx.151.51 (2xx.1xx.151.51) 56(84) bytes of data.
^C
--- 2xx.1xx.151.51 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

No response to ping -> we will use this public IP to assign to this container.

**** This step should be performed after the container IP is assigned and the container restarted:
root@ubuntu:~# lxc network set lxdbr0 ipv4.routes 2xx.1xx.151.51/32
-------> This needs to be set after the container IP is set in its config file!!!!! Manually setting.

Log in to the container
root@ubuntu:~# lxc exec webserver bash

Check the interfaces on container.
root@webserver:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3e:28:0f:17
          inet addr:10.0.8.100  Bcast:10.0.8.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe28:f17/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:138 errors:0 dropped:0 overruns:0 frame:0
          TX packets:115 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:398164 (398.1 KB)  TX bytes:9371 (9.3 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

First, set the container's public IP to persist across reboots by placing the line below in the "50-cloud-init.cfg" file at location "/etc/network/interfaces.d":
post-up ip -4 addr add dev eth0 2xx.1xx.151.51/32 preferred_lft 0


Pinging the local and public ip addresses from within container.

root@webserver:~# ping 10.0.8.100
PING 10.0.8.100 (10.0.8.100) 56(84) bytes of data.
64 bytes from 10.0.8.100: icmp_seq=1 ttl=64 time=0.055 ms
64 bytes from 10.0.8.100: icmp_seq=2 ttl=64 time=0.022 ms
^C
--- 10.0.8.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.022/0.038/0.055/0.017 ms


root@webserver:~# ping 2xx.1xx.151.51
PING 2xx.1xx.151.51 (2xx.1xx.151.51) 56(84) bytes of data.
64 bytes from 2xx.1xx.151.51: icmp_seq=1 ttl=64 time=0.048 ms
64 bytes from 2xx.1xx.151.51: icmp_seq=2 ttl=64 time=0.022 ms
^C
--- 2xx.1xx.151.51 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.022/0.035/0.048/0.013 ms

Confirming that the web pages are accessible via the public and internal IPs from within the container.

root@webserver:~# cd
root@webserver:~# service apache2 restart
root@webserver:~# wget http://10.0.8.100
--2019-01-21 23:06:10--  http://10.0.8.100/
Connecting to 10.0.8.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11321 (11K) [text/html]
Saving to: ‘index.html.3’

index.html.3                            100%[============================================================================>]  11.06K  --.-KB/s    in 0s

2019-01-21 23:06:10 (105 MB/s) - ‘index.html.3’ saved [11321/11321]

root@webserver:~# wget 2xx.1xx.151.51
--2019-01-21 23:06:30--  http://2xx.1xx.151.51/
Connecting to 2xx.1xx.151.51:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11321 (11K) [text/html]
Saving to: ‘index.html.4’

index.html.4                            100%[============================================================================>]  11.06K  --.-KB/s    in 0s

2019-01-21 23:06:30 (118 MB/s) - ‘index.html.4’ saved [11321/11321]

Great

From the host, tried to ping the container's public and internal IP addresses.

Internal address: successful.

Public address: not successful. Understood.
Executed the command

lxc network set lxdbr0 ipv4.routes 2xx.1xx.151.51/32

This resulted in a successful response from the public IP 2xx.1xx.151.51 when run on the HOST.

WAIT - the container's IP was not reachable from the local desktop.

root@ubuntu:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         2xx.1xx.151.49  0.0.0.0         UG    0      0        0 eno1
10.0.8.0        0.0.0.0         255.255.255.0   U     0      0        0 lxdbr0
2xx.1xx.151.48  0.0.0.0         255.255.255.240 U     0      0        0 eno1
root@ubuntu:~# ip route show
default via 2xx.1xx.151.49 dev eno1 onlink
10.0.8.0/24 dev lxdbr0  proto kernel  scope link  src 10.0.8.1 linkdown
2xx.1xx.151.48/28 dev eno1  proto kernel  scope link  src 2xx.1xx.151.50
root@ubuntu:~# lxc start webserver
root@ubuntu:~# lxc list
+-----------+---------+-----------------------+------+------------+-----------+
|   NAME    |  STATE  |         IPV4          | IPV6 |    TYPE    | SNAPSHOTS |
+-----------+---------+-----------------------+------+------------+-----------+
| webserver | RUNNING | 2xx.1xx.151.51 (eth0) |      | PERSISTENT | 0         |
|           |         | 10.0.8.100 (eth0)     |      |            |           |
+-----------+---------+-----------------------+------+------------+-----------+
root@ubuntu:~# ping 2xx.1xx.151.51
PING 2xx.1xx.151.51 (2xx.1xx.151.51) 56(84) bytes of data.
^C
--- 2xx.1xx.151.51 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

root@ubuntu:~# ping 10.0.8.100
PING 10.0.8.100 (10.0.8.100) 56(84) bytes of data.
64 bytes from 10.0.8.100: icmp_seq=1 ttl=64 time=0.069 ms
64 bytes from 10.0.8.100: icmp_seq=2 ttl=64 time=0.029 ms
^C
--- 10.0.8.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.029/0.049/0.069/0.020 ms
root@ubuntu:~# lxc network set lxdbr0 ipv4.routes 2xx.1xx.151.51/32
root@ubuntu:~# ping 2xx.1xx.151.51
PING 2xx.1xx.151.51 (2xx.1xx.151.51) 56(84) bytes of data.
64 bytes from 2xx.1xx.151.51: icmp_seq=1 ttl=64 time=0.103 ms
64 bytes from 2xx.1xx.151.51: icmp_seq=2 ttl=64 time=0.030 ms
^C
--- 2xx.1xx.151.51 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.030/0.066/0.103/0.037 ms


root@ubuntu:~# wget http://10.0.8.100
--2019-01-21 19:02:06--  http://10.0.8.100/
Connecting to 10.0.8.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11321 (11K) [text/html]
Saving to: ‘index.html.13’

index.html.13                           100%[============================================================================>]  11.06K  --.-KB/s    in 0.002s

2019-01-21 19:02:06 (6.49 MB/s) - ‘index.html.13’ saved [11321/11321]

root@ubuntu:~# wget http://2xx.1xx.151.51
--2019-01-21 19:02:18--  http://2xx.1xx.151.51/
Connecting to 2xx.1xx.151.51:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11321 (11K) [text/html]
Saving to: ‘index.html.14’

index.html.14                           100%[============================================================================>]  11.06K  --.-KB/s    in 0s

2019-01-21 19:02:18 (195 MB/s) - ‘index.html.14’ saved [11321/11321]

At this point, cannot ping the public IP from local container *******

So I added this route on the HOST; this resulted in the container being visible from the local desktop:

root@ubuntu:~# ip address add 2xx.1xx.151.51/32 dev lxdbr0
root@ubuntu:~# lxc list
+-----------+---------+-----------------------+------+------------+-----------+
|   NAME    |  STATE  |         IPV4          | IPV6 |    TYPE    | SNAPSHOTS |
+-----------+---------+-----------------------+------+------------+-----------+
| webserver | RUNNING | 2xx.1xx.151.51 (eth0) |      | PERSISTENT | 0         |
|           |         | 10.0.8.100 (eth0)     |      |            |           |
+-----------+---------+-----------------------+------+------------+-----------+
root@ubuntu:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         2xx.1xx.151.49  0.0.0.0         UG    0      0        0 eno1
10.0.8.0        0.0.0.0         255.255.255.0   U     0      0        0 lxdbr0
2xx.1xx.151.48  0.0.0.0         255.255.255.240 U     0      0        0 eno1
2xx.1xx.151.51  0.0.0.0         255.255.255.255 UH    0      0        0 lxdbr0
root@ubuntu:~# ip route show
default via 2xx.1xx.151.49 dev eno1 onlink
10.0.8.0/24 dev lxdbr0  proto kernel  scope link  src 10.0.8.1
2xx.1xx.151.48/28 dev eno1  proto kernel  scope link  src 2xx.1xx.151.50
2xx.1xx.151.51 dev lxdbr0  proto static  scope link
root@ubuntu:~# wget http://2xx.1xx.151.51
--2019-01-21 19:04:15--  http://2xx.1xx.151.51/
Connecting to 2xx.1xx.151.51:80... failed: Connection refused.   <------ ISSUE HERE!!!
root@ubuntu:~# wget http://10.0.8.100
--2019-01-21 19:06:19--  http://10.0.8.100/
Connecting to 10.0.8.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11321 (11K) [text/html]
Saving to: ‘index.html.15’

index.html.15                           100%[============================================================================>]  11.06K  --.-KB/s    in 0s

2019-01-21 19:06:19 (232 MB/s) - ‘index.html.15’ saved [11321/11321]



At this point, the container is visible from the local desktop, but we cannot get the pages served by the container's public IP from the HOST.

Back to deleting and adding the route.

root@ubuntu:~# lxc list
+-----------+---------+-----------------------+------+------------+-----------+
|   NAME    |  STATE  |         IPV4          | IPV6 |    TYPE    | SNAPSHOTS |
+-----------+---------+-----------------------+------+------------+-----------+
| webserver | RUNNING | 2xx.1xx.151.51 (eth0) |      | PERSISTENT | 0         |
|           |         | 10.0.8.100 (eth0)     |      |            |           |
+-----------+---------+-----------------------+------+------------+-----------+
root@ubuntu:~# cd
root@ubuntu:~# wget http://2xx.1xx.151.51
--2019-01-21 19:09:23--  http://2xx.1xx.151.51/
Connecting to 2xx.1xx.151.51:80... failed: Connection refused.
root@ubuntu:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         2xx.1xx.151.49  0.0.0.0         UG    0      0        0 eno1
10.0.8.0        0.0.0.0         255.255.255.0   U     0      0        0 lxdbr0
2xx.1xx.151.48  0.0.0.0         255.255.255.240 U     0      0        0 eno1
2xx.1xx.151.51  0.0.0.0         255.255.255.255 UH    0      0        0 lxdbr0
root@ubuntu:~# ip route show
default via 2xx.1xx.151.49 dev eno1 onlink
10.0.8.0/24 dev lxdbr0  proto kernel  scope link  src 10.0.8.1
2xx.1xx.151.48/28 dev eno1  proto kernel  scope link  src 2xx.1xx.151.50
2xx.1xx.151.51 dev lxdbr0  proto static  scope link
root@ubuntu:~# route del -net 2xx.1xx.151.51 gw 0.0.0.0 netmask 255.255.255.255 dev lxdbr0
root@ubuntu:~# ip address del 2xx.1xx.151.51/32 dev lxdbr0
root@ubuntu:~# ping 2xx.1xx.151.51
PING 2xx.1xx.151.51 (2xx.1xx.151.51) 56(84) bytes of data.
^C
--- 2xx.1xx.151.51 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

root@ubuntu:~# lxc network set lxdbr0 ipv4.routes 2xx.1xx.151.51/32
root@ubuntu:~# wget http://2xx.1xx.151.51
--2019-01-21 19:11:10--  http://2xx.1xx.151.51/
Connecting to 2xx.1xx.151.51:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11321 (11K) [text/html]
Saving to: ‘index.html.16’

index.html.16                           100%[============================================================================>]  11.06K  --.-KB/s    in 0s

2019-01-21 19:11:10 (237 MB/s) - ‘index.html.16’ saved [11321/11321]

root@ubuntu:~#

At this point, it is all as expected. The container's public IP is visible from the local desktop and from the host; the container's Apache web pages are accessible from the HOST and from the local desktop.

********* IF the host is restarted, I had to remove and re-add the routes.

For what it’s worth, I also had to:

sysctl -w net.ipv4.conf.all.proxy_arp=1

I was seeing ARP requests, but no replies were sent out by the host. You can probably get away with adding this to just one interface.

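The long post above ends up in three different host states for the same public /32 (no route, a route via lxdbr0 set with ipv4.routes, and the address bound on lxdbr0 with ip address add), and the follow-up reply adds proxy_arp. The script below is an added example, not code from either poster: it classifies which of those states a host is in from the output of ip route show and ip -4 addr show, and reports which forwarding sysctls are still off. The sample outputs are constructed, 203.0.113.0/28 (a documentation range) stands in for the redacted 2xx.1xx.151.48/28 in the thread, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: classify how a public /32 meant
# for an LXD container is plumbed on the host, and check the forwarding
# sysctls the replies above mention. Sample outputs are constructed;
# 203.0.113.0/28 (a documentation range) stands in for the redacted
# 2xx.1xx.151.48/28. On a live host pass the real output of
# `ip route show`, `ip -4 addr show` and `sysctl -a` instead.

# diagnose_public_ip IP BRIDGE ROUTES_TEXT ADDRS_TEXT -> prints one of:
#   host-bound  IP is configured on the host itself (`ip address add`), so
#               the host answers for it: web requests get "Connection
#               refused" from the host, and any host daemon listening on
#               0.0.0.0 is now reachable on the container's public address.
#   routed      a host route for IP points at BRIDGE, which is what
#               `lxc network set BRIDGE ipv4.routes IP/32` installs.
#   unrouted    neither: packets for IP leave via the host's default route.
diagnose_public_ip() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    if printf '%s\n' "$4" | grep -Eq "inet ${esc}/"; then
        echo host-bound
    elif printf '%s\n' "$3" | sed 's/$/ /' | grep -Eq "^${esc}(/32)? dev $2 "; then
        echo routed
    else
        echo unrouted
    fi
}

# sysctl_val KEY SYSCTL_TEXT -> the value of KEY in `sysctl -a` style text
sysctl_val() {
    printf '%s\n' "$2" | sed -n "s/^$1 = //p"
}

# missing_forwarding_sysctls UPLINK SYSCTL_TEXT -> prints each prerequisite
# that is off: ip_forward, and proxy_arp on UPLINK (either conf.all or
# conf.UPLINK is enough, which is why the reply above could "get away with"
# one interface). Prints nothing when everything is set.
missing_forwarding_sysctls() {
    [ "$(sysctl_val net.ipv4.ip_forward "$2")" = 1 ] || echo net.ipv4.ip_forward
    if [ "$(sysctl_val net.ipv4.conf.all.proxy_arp "$2")" != 1 ] &&
       [ "$(sysctl_val "net.ipv4.conf.$1.proxy_arp" "$2")" != 1 ]; then
        echo "net.ipv4.conf.$1.proxy_arp"
    fi
}

# --- constructed samples mirroring the three states seen in the thread ---
ROUTES_BASE='default via 203.0.113.49 dev eno1 onlink
10.0.8.0/24 dev lxdbr0  proto kernel  scope link  src 10.0.8.1
203.0.113.48/28 dev eno1  proto kernel  scope link  src 203.0.113.50'
ROUTES_ROUTED="$ROUTES_BASE
203.0.113.51 dev lxdbr0  proto static  scope link"
ADDRS_BASE='2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 203.0.113.50/28 brd 203.0.113.63 scope global eno1
3: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 10.0.8.1/24 scope global lxdbr0'
ADDRS_BOUND="$ADDRS_BASE
    inet 203.0.113.51/32 scope global lxdbr0"
SYSCTL_OK='net.ipv4.ip_forward = 1
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.eno1.proxy_arp = 1'
SYSCTL_BAD='net.ipv4.ip_forward = 1
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.eno1.proxy_arp = 0'

echo "no route:        $(diagnose_public_ip 203.0.113.51 lxdbr0 "$ROUTES_BASE"   "$ADDRS_BASE")"
echo "ipv4.routes set: $(diagnose_public_ip 203.0.113.51 lxdbr0 "$ROUTES_ROUTED" "$ADDRS_BASE")"
echo "ip address add:  $(diagnose_public_ip 203.0.113.51 lxdbr0 "$ROUTES_ROUTED" "$ADDRS_BOUND")"
echo "missing sysctls: $(missing_forwarding_sysctls eno1 "$SYSCTL_BAD")"
```

On a real host, run `diagnose_public_ip "$PUBLIC_IP" lxdbr0 "$(ip route show)" "$(ip -4 addr show)"` after each step of the procedure above; the state you want is `routed` with no address on lxdbr0, which is the configuration the poster ended on. The `host-bound` case is the one to treat as a security finding rather than just a reachability bug: while the address is on the host, every host service bound to 0.0.0.0 is exposed on an address that was meant to terminate in the container.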

I am looking into giving the containers an IP from the access point.
I have read many ways to do this, but I am a little bit confused.
Which is the easiest way to do something like this?

I followed this guide https://blog.simos.info/how-to-get-lxd-containers-get-ip-from-the-lan-with-routed-network/
but it seems that I am doing something wrong. I can't understand which fields I should change. For example, where should I place my public IP?
Should I place my wireless interface (wlo1) somewhere?

I am using Wi-Fi and I want to work with Wi-Fi.

Thanks in advance for any help.

Please can you describe your network setup? There are various options, as you say, depending on the setup you have.

How is the public IP routed to your LXD host?

I am connected to a WLAN and I have 192.168.2.4 as an IP.
I also have the LXD bridge for the containers at 10.237.243.1.

My public IP is 89.210.18.168.

Tell me what else you need from me about my network.

Thanks a lot for the help.

Well LXD can only help with getting the public IP into your container if the public IP is already routed to your LXD host. If you only have a single IP and it is bound on your externally facing router then you cannot have it also inside your container.

Perhaps what you’re looking for instead is to have one or more ports on your external router (and thus your public IP) forwarded into your container?

What is it that you’re trying to achieve, beyond getting the public IP into the container that is?

I want, for example, my containers to have IPs like a new device that has connected to my home WLAN, meaning an IP like 192.168.2.X. I want the containers to be servers. In fact, it doesn't bother me to ping google, for example. If, for example, I have desktopA with 192.168.2.20 and desktopB with 192.168.2.15, then I want to create at desktopB a container with the name ImageSvc and IP 192.168.2.X so I can directly communicate with desktopA or anything else (I have used the proxy device, which matches the ports and forwards the requests).

Ah, so you don’t want your public IP in your container, but you want to bridge your containers onto your internal LAN.

(192.168.2.0/24 is a non-routable private IP range, not a public range, hence the confusion).

In that case you could either use the routed NIC type as per the link you originally sent, or you could setup a new bridge on your LXD host and use that as the parent device with the bridged NIC type.

Yes, I am sorry.
Any help/guide about how I am supposed to do that?

So first you would want to convert your LAN interface on your laptop to a bridge:

See https://netplan.io/examples#configuring-network-bridges

Then once you have a network bridge, you can replace the existing NIC in your container with one connected to your bridge using:

lxc config device add <container> eth0 nic nictype=bridged parent=<bridge interface name>

Note: You said you were on wifi, I am not certain, but there may be issues with bridging onto a wifi network due to the way wifi uses additional MAC addresses. If that doesn’t work then try using the routed network as per the guide you originally linked to.

Yes, that may be an issue with the MAC addresses.

My first problem with routed was that I didn't know what changes I should make to the routed profile that I was creating.

You don’t have to use a profile you can just do:

lxc config device add <container> eth0 nic nictype=routed parent=<lan interface> ipv4.address=<static lan address>

Then ensure that inside your container you remove the netplan config file in /etc/netplan to prevent eth0 from being reconfigured for DHCP, and restart your container.

If your solution doesn't work with Wi-Fi, I am going to use routed from simos' guide.

I understand everything simos has on his blog except what changes I should make to the routed profile.

========================================================
You can create an empty profile, then edit it and replace the existing content with the following (lxc profile create routed, lxc profile edit routed).

config:
  user.network-config: |
    version: 2
    ethernets:
      eth0:
        addresses:
        - 192.168.1.200/32
        nameservers:
          addresses:
          - 8.8.8.8
          search: []
        routes:
        - to: 0.0.0.0/0
          via: 169.254.0.1
          on-link: true   # 169.254.0.1 is not inside the /32 above, so the route must be marked on-link
description: Default LXD profile
devices:
  eth0:
    ipv4.address: 192.168.1.200
    nictype: routed
    parent: enp6s0
    type: nic
name: routed_192.168.1.200
used_by:

==============================================================

Simos says this.

Which fields should I change so it can work on my computer?

Any references to 192.168.1... should be your LAN subnet instead.


So I leave everything else as it is?
to: 0.0.0.0/0
via: 169.254.0.1 (what about this?)

----> parent: enp6s0 (should I change this to my wireless interface?)

Ah yes change parent too. Everything else leave as is.


Ok ok. Thanks a lot, Thomas.

I will try both of them and I will post the results here.

Again, many thanks to all who helped.

It worked. As Thomas mentioned, following simos' guide (https://blog.simos.info/how-to-get-lxd-containers-get-ip-from-the-lan-with-routed-network/) you can do exactly what simos says, except for making some changes to the configuration file of the routed profile.

  1. Change parent and put there the name of the interface which has the IP of your LAN.
     For example, I put wlo1 because I am connected to a WLAN.
  2. Instead of 192.168.1.200, put an address from your LAN subnet.

Pinging www.google.com and all the other devices in the WLAN worked perfectly.

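The two edits the last post settles on (the parent interface and an address from your own LAN subnet) are exactly the ones that are easy to get wrong by copying the blog's 192.168.1.200 verbatim. The script below is an added example, not code from the thread or from simos' blog: it reads the parent interface's IPv4 subnet from ip -4 addr show output, refuses a container address that is outside that subnet or equal to the host's own address, and then prints a routed profile ready for lxc profile edit. The ip -4 addr sample is constructed, the function names are this example's own, and 8.8.8.8 is assumed as the default resolver.

```shell
#!/bin/sh
# Added example, not code from the thread or from simos' blog: generate the
# "routed" profile discussed above from the two values the asker had to
# change (parent interface, container address), after checking that the
# address really lies in the parent's LAN subnet and is not the host's own.
# The `ip -4 addr show` sample below is constructed; function names are
# this example's own. 8.8.8.8 is assumed as the default resolver.

# ip4_to_int A.B.C.D -> the address as an integer
ip4_to_int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR -> true when IP lies inside CIDR (e.g. 192.168.2.4/24)
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# lan_cidr_of IFACE ADDR_TEXT -> the first IPv4 CIDR on IFACE, e.g. 192.168.2.4/24
lan_cidr_of() {
    printf '%s\n' "$2" | awk -v dev="$1" '$1 == "inet" && $NF == dev { print $2; exit }'
}

# routed_profile NAME PARENT CONTAINER_IP DNS -> profile YAML on stdout.
# The container keeps a /32 and a default route via LXD's link-local gateway
# 169.254.0.1; that gateway is not inside the /32, so the route is marked
# on-link, otherwise netplan/systemd-networkd will not install it.
routed_profile() {
    cat <<EOF
config:
  user.network-config: |
    version: 2
    ethernets:
      eth0:
        addresses:
        - $3/32
        nameservers:
          addresses:
          - $4
        routes:
        - to: 0.0.0.0/0
          via: 169.254.0.1
          on-link: true
description: routed NIC on $2, container address $3
devices:
  eth0:
    ipv4.address: $3
    nictype: routed
    parent: $2
    type: nic
name: $1
EOF
}

# make_routed_profile PARENT CONTAINER_IP ADDR_TEXT [DNS]
#   validates CONTAINER_IP against PARENT's subnet, then prints the profile
make_routed_profile() {
    cidr=$(lan_cidr_of "$1" "$3")
    [ -n "$cidr" ] || { echo "no IPv4 address on $1" >&2; return 1; }
    [ "$2" != "${cidr%/*}" ] || { echo "$2 is the host's own address" >&2; return 1; }
    in_subnet "$2" "$cidr" || { echo "$2 is not inside $cidr" >&2; return 1; }
    routed_profile "routed_$2" "$1" "$2" "${4:-8.8.8.8}"
}

# Constructed stand-in for `ip -4 addr show dev wlo1` on the asker's laptop.
ADDR_SAMPLE='3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.4/24 brd 192.168.2.255 scope global dynamic noprefixroute wlo1'

make_routed_profile wlo1 192.168.2.200 "$ADDR_SAMPLE"
# The blog's literal 192.168.1.200 is on the wrong subnet here and is rejected:
make_routed_profile wlo1 192.168.1.200 "$ADDR_SAMPLE" || echo "rejected, as expected"
```

On the real laptop the call becomes `make_routed_profile wlo1 192.168.2.200 "$(ip -4 addr show dev wlo1)" | lxc profile edit routed` after `lxc profile create routed`, and the container is then launched with `--profile default --profile routed`. Pick an address outside your router's DHCP pool, since nothing here reserves it; and if you add the NIC with `lxc config device add` instead of through a profile, remember the container-side netplan cleanup Thomas describes above.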