<div dir="ltr">For those googling later , if you are using macvlan the IP has to be on the same subnet as the "host device" which was not the case. I ended up using a bridge with an non public IP as suggested and that worked fine. I never could fine anything on a bridgeless veth setup and I would be curious to read about this. If someone could point me to the link that would be great. <br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, May 30, 2015 at 7:27 PM, Fajar A. Nugraha <span dir="ltr"><<a href="mailto:list@fajar.net" target="_blank">list@fajar.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Sun, May 31, 2015 at 3:22 AM, Dave Smith <<a href="mailto:dave.smith@candata.com">dave.smith@candata.com</a>> wrote:<br>
> I am trying to setup a public IP via macvlan to a container. The host has a<br>
> public IP and then 2 extra static public IP's on one physical interface<br>
> (bond1) that is assigned to it by my upstream vendor. In my config I have<br>
<br>
</span>Did your upstream provider allow additional mac address on your switch port?<br>
<span class=""><br>
><br>
> lxc.network.type = macvlan<br>
> lxc.network.flags = up<br>
> lxc.network.link = bond1<br>
> <a href="http://lxc.network.name" target="_blank">lxc.network.name</a> = eth0<br>
> lxc.network.ipv4 = x.x.x.x/32 x.x.x.x<br>
> lxc.network.ipv4.gateway = x.x.x.x<br>
><br>
> where x.x.x.x is the public static IP I want to use<br>
<br>
<br>
</span>Assuming you have lxcbr0 (should be automatically created), try this<br>
<br>
lxc.network.type = veth<br>
lxc.network.flags = up<br>
lxc.network.link = lxcbr0<br>
lxc.network.ipv4 = x.x.x.x/32<br>
lxc.network.ipv4.gateway = 10.0.3.1<br>
<br>
... where 10.0.3.1 is lxcbr0's IP address. This will work if:<br>
- your provider route the additional IP thru your main IP. Should be<br>
the case if your main IP and additional IP is on different subnet<br>
- you disable any networking setup on the container's OS side, since<br>
you already set it up on lxc config file.<br>
- on the host side, you run "ip route add x.x.x.x/32 dev lxcbr0" (or<br>
something similar) to tell the host that container's IP is reachable<br>
thru lxcbr0<br>
<span class=""><br>
> netstat -nr<br>
> Kernel IP routing table<br>
> Destination Gateway Genmask Flags MSS Window irtt<br>
> Iface<br>
> 0.0.0.0 x.x.x.x 0.0.0.0 UG 0 0 0 eth0<br>
<br>
</span>There should be an additional entry, saying how to reach the gateway<br>
from the container. Something like this<br>
<br>
# netstat -nr<br>
<span class="">Kernel IP routing table<br>
Destination Gateway Genmask Flags MSS Window irtt Iface<br>
</span>0.0.0.0 10.0.3.1 0.0.0.0 UG 0 0 0 eth0<br>
10.0.3.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0<br>
<span class=""><br>
<br>
><br>
> ip -d link show eth0<br>
> 56: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc<br>
> noqueue state UNKNOWN<br>
> link/ether e6:9d:bf:fb:95:c7 brd ff:ff:ff:ff:ff:ff<br>
> macvlan mode private<br>
><br>
><br>
> Now when I ping out from my container ( to <a href="http://google.ca" target="_blank">google.ca</a>) I see the packet going<br>
> out and coming back (using tcpdump -e ) on the bond1 interface but my<br>
> container never receives it. There are no iptables rules on either the host<br>
> or in the container.<br>
><br>
<br>
<br>
</span>If you use macvlan or bridge the hosts's public interface (eth0,<br>
bond0, etc), then you wouldn't use /32. You'd use the same netmask and<br>
gateway as you do on the host, and your provider will need to allow<br>
more than 1 mac on your port. This way the container will be just like<br>
any other physical host on the same broadcast network as the host<br>
(e.g. /24).<br>
<br>
If you CAN'T use the same netmask and gateway as the host (e.g. when<br>
your provider gives additional IPs that are on different subnet), then<br>
you CAN'T use macvlan (or bridge the host's public interface). Use<br>
routed setup like my example instead. You can either use lxcbr0,<br>
create your own bridge, or use a bridgeless veth setup (not covered<br>
here, search the archives for details).<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Fajar<br>
_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a></font></span></blockquote></div><br></div>