Running OpenWrt (as a firewall/router) on a LXD host

Hi @wikiwheeler,
To be honest, it's been a while and I haven't unpacked my little home server since moving houses a few months back, but I did get everything working back then except for WiFi (which should be doable as well, albeit a little hacky); the best thing to do would be to hook up a couple of separate access points to the box and mesh them using 802.11r fast roaming.
Basically you wanna create a container as a firewall (whatever image you'd like to use, be it OpenWrt or anything else) and pass your physical interface to the container (it's best to have at least 3 physical ports, though you can do with just 2, in which case you won't have out-of-band management).
Here's what you need to do in its simplest form:

1. Create a bridge (a network switch in software) on the host (I do this with systemd-networkd); bear in mind the bridge can be made on top of a bond (link aggregation for extra bandwidth or simple failover).

   `/etc/systemd/network/br0.netdev`

   ```ini
   [NetDev]
   Name=br0
   Kind=bridge
   ```

   `/etc/systemd/network/br0.network`

   ```ini
   [Match]
   Name=br0

   [Network]
   DHCP=ipv4
   ```

   ```sh
   systemctl restart systemd-networkd
   ```

2. Make a new profile and remove the default interface:

   ```sh
   lxc profile cp default firewall
   lxc profile device remove firewall eth0
   ```

3. Initialise a new (OpenWrt) container, add the physical interface and the bridge to it, and then start it (bear in mind the physical interface will no longer be available on the host):

   ```sh
   lxc init images:openwrt/22.03 -p firewall openwrt
   lxc config device add openwrt eth0 nic nictype=physical parent=eno1 name=eth0
   # note that here LXD is taking care of creating a virtual interface that acts as a link between your container and the software switch aka bridge that we previously created
   lxc config device add openwrt eth1 nic nictype=bridged parent=br0 name=eth1
   lxc start openwrt
   ```

4. Create a LAN interface in OpenWrt so that you can connect to it:

   ```sh
   lxc exec openwrt -- busybox sh
   ```

   `/etc/config/network`

   ```
   ...

   config interface 'lan'
           option proto 'static'
           option ipaddr '192.168.10.1'
           option netmask '255.255.255.0'
           option device 'br-lan'

   config device
           option name 'br-lan'
           option type 'bridge'
           list ports 'eth1'
   ```

   ```sh
   service network restart
   ```

5. Connect to the web interface and make sure everything works.
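As an added example (my own, not code from the original post), here is a small POSIX shell script that runs the pre-flight checks a practitioner would want before the passthrough step, since `nictype=physical` moves the port out of the host's network namespace: it refuses to hand over the interface that carries the host's default route (which would cut off your own access to the host), refuses a port that is already enslaved to a bridge, checks that the bridge exists, and then prints the LXD commands from the post with the chosen names substituted, as a dry run to review before executing. The interface, bridge, container and profile names are assumptions taken from the post's example values and can be overridden via the environment; `ip route show default` and the `/sys/class/net` paths are standard Linux.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight checks and a
# dry-run listing for the "pass the physical port to the container" step.
# The interface, bridge, container and profile names below are assumptions
# (they match the post's example values) and can be overridden via environment.
set -eu

WAN_IF="${WAN_IF:-eno1}"            # physical port to hand to the container
BRIDGE="${BRIDGE:-br0}"             # host bridge that becomes the LAN side
CONTAINER="${CONTAINER:-openwrt}"
PROFILE="${PROFILE:-firewall}"

# default_route_dev TEXT: given the output of `ip route show default`, print the
# device of the first default route. Returns 1 if the text names no device.
default_route_dev() {
  set -- $1                           # split the route text into words
  while [ $# -ge 2 ]; do
    if [ "$1" = dev ]; then
      printf '%s\n' "$2"
      return 0
    fi
    shift
  done
  return 1
}

# passthrough_is_safe WAN ROUTES: nictype=physical moves the port into the
# container's namespace, so the host loses it. Refuse if that port is the one
# the host currently uses for its default route (you would lock yourself out).
passthrough_is_safe() {
  if dev=$(default_route_dev "$2"); then
    [ "$dev" != "$1" ]
  else
    return 0                          # no default route at all: nothing to lose
  fi
}

# iface_exists NAME: true if the kernel has an interface of that name.
iface_exists() { [ -d "/sys/class/net/$1" ]; }

# iface_is_bridge_port NAME: true if the interface is currently enslaved to a
# bridge (the kernel exposes a brport directory for enslaved ports).
iface_is_bridge_port() { [ -d "/sys/class/net/$1/brport" ]; }

# lxc_commands: print, without running, the LXD commands from the post with
# the chosen names substituted, so they can be reviewed before execution.
lxc_commands() {
  cat <<EOF
lxc profile cp default $PROFILE
lxc profile device remove $PROFILE eth0
lxc init images:openwrt/22.03 -p $PROFILE $CONTAINER
lxc config device add $CONTAINER eth0 nic nictype=physical parent=$WAN_IF name=eth0
lxc config device add $CONTAINER eth1 nic nictype=bridged parent=$BRIDGE name=eth1
lxc start $CONTAINER
EOF
}

# main: run the checks against the live host, then show the dry-run listing.
main() {
  if ! iface_exists "$WAN_IF"; then
    echo "error: $WAN_IF does not exist on this host" >&2; return 1
  fi
  if ! iface_exists "$BRIDGE"; then
    echo "error: bridge $BRIDGE is not up (create it with systemd-networkd first)" >&2; return 1
  fi
  if iface_is_bridge_port "$WAN_IF"; then
    echo "error: $WAN_IF is already a port of a bridge; detach it first" >&2; return 1
  fi
  routes=$(ip route show default 2>/dev/null || true)
  if ! passthrough_is_safe "$WAN_IF" "$routes"; then
    echo "error: $WAN_IF carries the host's default route; use another port for WAN" >&2
    return 1
  fi
  echo "# checks passed; review and then run these commands:"
  lxc_commands
}

# Only touch the live host when explicitly asked: ./lxd-openwrt-check.sh --check
case "${1:-}" in --check) main ;; esac
```

Run it as `WAN_IF=eno1 BRIDGE=br0 sh lxd-openwrt-check.sh --check` on the host; it exits non-zero with a reason if any check fails, and otherwise prints the six `lxc` commands for you to paste in once you have read them. Keeping the host's own management path on a port other than the one you pass through is what preserves the out-of-band access the post mentions.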