EDIT: After experimenting with other devices on my network I was able to reproduce the issue so it was somehow related to my network. It turns out where I’d expanded my internal subnet size the firewall’s outbound NAT rules hadn’t changed, so it was only NATting the first /24.
Pretty new user to LXD here so I apologise if I’ve done something stupid. I’d like my containers to use static IPs I assign on eth0 from a range outside of my DHCP pool, however it’s not quite behaving as I expect. My host has eth0 bridged to br0 with the following config:
$ ip a s dev br0
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:ae:c5:11:9f:41 brd ff:ff:ff:ff:ff:ff
    inet 10.101.0.50/22 brd 10.101.3.255 scope global br0
       valid_lft forever preferred_lft forever
I’m also attaching containers directly to this bridge:
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: br0
    type: nic

$ brctl show
br0             8000.bcaec5119f41       no              eth0
                                                        vethS9Q44S
This works fine when I allow containers to obtain an IP via DHCP and also when I assign a static IP in the 10.101.0.0/24 range (I can ping 184.108.40.206 for example), however once I try to use the full range of the /22 subnet things get a bit strange. Below is a sample cloud-init config:
version: 1
config:
  - type: physical
    name: eth0
    subnets:
      - type: static
        ipv4: true
        address: 10.101.1.211/22
        gateway: 10.101.0.1
        control: auto
With this I can ping my gateway just fine, but I cannot ping the outside world. I ran some traffic captures on my gateway’s WAN interface and saw very odd behaviour - packets going out onto the internet still have their RFC1918 address which obviously means Cloudflare’s DNS server is going to drop them as garbage traffic:
08:49:21.172012 IP 10.101.1.211 > 220.127.116.11: ICMP echo request, id 442, seq 1, length 64
08:49:22.171418 IP 10.101.1.211 > 18.104.22.168: ICMP echo request, id 442, seq 2, length 64
08:49:23.171289 IP 10.101.1.211 > 22.214.171.124: ICMP echo request, id 442, seq 3, length 64
Whereas if I ping from the host itself:
09:24:09.243287 IP 81.154.6.x > 126.96.36.199: ICMP echo request, id 57368, seq 1, length 64
09:24:09.247632 IP 188.8.131.52 > 81.154.6.x: ICMP echo reply, id 57368, seq 1, length 64
09:24:10.245032 IP 81.154.6.x > 184.108.40.206: ICMP echo request, id 57368, seq 2, length 64
09:24:10.249472 IP 220.127.116.11 > 81.154.6.x: ICMP echo reply, id 57368, seq 2, length 64
09:24:11.245538 IP 81.154.6.x > 18.104.22.168: ICMP echo request, id 57368, seq 3, length 64
09:24:11.249914 IP 22.214.171.124 > 81.154.6.x: ICMP echo reply, id 57368, seq 3, length 64
I’m rather scratching my head here - is this something wrong with my network setup or with my LXD setup? There are no iptables rules involved (the only rules are the auto-generated ones for lxcbr0). I could understand it if nothing worked at all, but a container with an IP from the first /24 can ping the outside world fine whether the IP is from DHCP or statically assigned.
Any suggestions welcome!
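The two checks that would have pointed straight at the root cause in the EDIT (private source addresses leaving the WAN interface un-NATted, and outbound NAT source ranges that no longer cover the whole internal subnet after it was widened from /24 to /22) can be scripted. The following is an added example, not code from the original post or from LXD; the capture lines and NAT ranges in it are constructed for the example, using documentation addresses (203.0.113.0/24, 198.51.100.0/24) in place of real WAN hosts.

```python
"""Added example: two checks for the un-NATted traffic described in the post.

1. leaked_private_sources(): scan WAN-side tcpdump lines for packets whose
   source is still an RFC 1918 address, i.e. outbound NAT did not rewrite them.
2. uncovered_by_nat(): given the internal subnet and the source ranges the
   outbound NAT rules match on, report the part of the subnet that no rule
   covers (the /24-vs-/22 mismatch from the EDIT).

All sample data below is constructed for this example.
"""
import ipaddress
import re

# Source address of a tcpdump "<ts> IP src[.port] > dst[.port]:" line.
_TCPDUMP_RE = re.compile(r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? > ")

# RFC 1918 ranges, listed explicitly so the check matches exactly these
# (ipaddress.is_private would also match loopback, link-local, etc.).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed WAN-interface capture: two container sources (one with a TCP
# port suffix), plus one correctly NATted exchange from the gateway itself.
SAMPLE_WAN_CAPTURE = [
    "08:49:21.172012 IP 10.101.1.211 > 203.0.113.1: ICMP echo request, id 442, seq 1, length 64",
    "08:49:22.171418 IP 10.101.1.211 > 203.0.113.1: ICMP echo request, id 442, seq 2, length 64",
    "08:49:30.000000 IP 10.101.1.5.43210 > 203.0.113.1.53: Flags [S], seq 1, win 64240, length 0",
    "09:24:09.243287 IP 198.51.100.7 > 203.0.113.1: ICMP echo request, id 57368, seq 1, length 64",
    "09:24:09.247632 IP 203.0.113.1 > 198.51.100.7: ICMP echo reply, id 57368, seq 1, length 64",
]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def leaked_private_sources(capture_lines):
    """Return the distinct RFC 1918 source addresses seen in a WAN-side capture.

    Any result at all means packets left the WAN interface without source NAT;
    the upstream will silently drop or reject them."""
    leaked = set()
    for line in capture_lines:
        m = _TCPDUMP_RE.match(line)
        if m and is_rfc1918(m.group("src")):
            leaked.add(m.group("src"))
    return [str(ip) for ip in sorted(ipaddress.ip_address(a) for a in leaked)]


def uncovered_by_nat(internal_subnet: str, nat_sources):
    """Return the CIDR blocks of internal_subnet not matched by any NAT source range.

    internal_subnet may be given as the bridge address itself (e.g. the
    10.101.0.50/22 from `ip a`); strict=False masks off the host bits.
    nat_sources are the source networks the outbound NAT rules match on."""
    remaining = [ipaddress.ip_network(internal_subnet, strict=False)]
    for src in nat_sources:
        net = ipaddress.ip_network(src, strict=False)
        next_remaining = []
        for block in remaining:
            if block.subnet_of(net):
                continue  # whole block is covered by this rule
            if net.subnet_of(block):
                # rule covers part of the block: keep the parts outside it
                next_remaining.extend(block.address_exclude(net))
            else:
                next_remaining.append(block)  # CIDR blocks that don't nest are disjoint
        remaining = next_remaining
    return [str(n) for n in sorted(remaining)]


if __name__ == "__main__":
    print("un-NATted sources on WAN:", leaked_private_sources(SAMPLE_WAN_CAPTURE))
    # Subnet widened to /22 while the NAT rule still matches only the first /24.
    print("not covered by NAT:", uncovered_by_nat("10.101.0.50/22", ["10.101.0.0/24"]))
```

Run against a real capture with something like `tcpdump -ni <wan> -l | python3 -c ...` feeding lines to `leaked_private_sources`; any output is a NAT gap. The second function reproduces the EDIT's finding directly: with the /22 bridge subnet and a NAT rule for 10.101.0.0/24 it reports 10.101.1.0/24 and 10.101.2.0/23 as uncovered, which is exactly where 10.101.1.211 lived.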