SNAT network setup with OVS bridge

noah · June 23, 2021, 2:23pm

Looking for guidance on how to setup SNAT’ing so containers can reach the outside world to do DNS lookups, OS updates etc, but they do not need to be accessible by the internet directly. We’re handling that at another proxy layer to it’s private IP. I don’t need DHCP either. Everything is statically assigned (mac and ip addresses).

Here’s my current setup:

Physical host with 2 eth ports, one for public traffic (host_eth0), one for private (host_eth1).
OpenVSwitch is running on the host with two bridges: br0pub (public traffic) br0pri (private traffic)
host_eth* have both been attached the OVS bridge and their IP was moved from host_eth* interface to the bridge.
Containers on the host are also attached to the OVS bridge. Each container is given a eth0 (public) and eth1 (private) nic.
Static public and private IP addresses are assigned to each container. So far this is working great!

Here’s what I’d like to do now:
I’d like to spin up containers that do not have a dedicated public IP, but can still access the internet to do DNS, OS updates etc.

Trying to have two container networking types:

Current: containers with eth0 (public) and eth1 (private) with statically assigned dedicated public and private IPs
Want to add container with just eth1 (private network IP) but access the internet via Host’s IP somehow

What’s the best way to achieve a NAT setup given the above host/OVS setup (preferably without using the standard linux bridge in the mix if possible)?

Thank you in advance for any help or direction!

tomp · June 23, 2021, 2:37pm

You can use a LXD managed bridge network for that:

If lxdbr0 already exists you may want to remove it and replace with an OVS managed lxdbr0:

lxc network create lxdbr0 bridge.driver=ovs

Then you can connect your containers to it using eth0 (in place of the public bridge) for NAT internet access.

lxc config device add <instance> eth0 nic network=lxdbr0

This way all instances will have 2 NICs, with eth0 always providing internet access (either with public IPs or with NAT) and eth1 connected to the private network.

noah · June 23, 2021, 2:47pm

Thank you for the fast response!

So I would replace br0pub (current public bridge) with lxdbr0

Current container network devices:

devices:
  eth0:
    host_name: db01pub
    hwaddr: 00:16:3e:40:20:d5
    name: eth0
    nictype: bridged
    parent: br0pub
    type: nic
  eth1:
    host_name: db01pri
    hwaddr: 00:16:3e:40:20:d6
    name: eth1
    nictype: bridged
    parent: br0pri
    type: nic

Few extra questions:

Would I just replace the parent name in the network devices to be lxdbr0?
Does nictype bridged stay the same?
Would DHCP be disabled or do I need to explicitly state that somewhere?
I use host_name to specific the port name in OVS, this should still work since it’s still an OVS bridge, but now managed by LXD?

Thanks Thomas for your help, I greatly appreciate it!

tomp · June 23, 2021, 3:02pm

Only for the containers you don’t want to have public IPs.

tomp · June 23, 2021, 3:03pm

Would I just replace the parent name in the network devices to be lxdbr0? - yes you can do that.
Does nictype bridged stay the same? - yes
Would DHCP be disabled or do I need to explicitly state that somewhere? - it would be enabled on the lxdbr0 network by default, use lxc network set lxdbr0 ipv4.dhcp=false ipv6.dhcp=false to disable.
I use host_name to specific the port name in OVS, this should still work since it’s still an OVS bridge, but now managed by LXD? - you can still use that.

noah · June 23, 2021, 3:04pm

Thank you! I’ll start to implement and test this out. Thank you again for the super fast responses

Cheers!