[lxc-users] macvlan networking

Fajar A. Nugraha list at fajar.net
Mon Sep 15 08:54:22 UTC 2014

On Mon, Sep 15, 2014 at 3:34 PM, Adam Gold <awg1 at gmx.com> wrote:
>> Just a wild guess, I'm assuming macvlan has problems with bridge interface.
>> Have you tried using a physical interface (e.g. eth0) as
>> lxc.network.link? Or better yet, since you already create a bridge,
>> use lxc.network.type = veth?
> I should give just a little bit more context.  I'm trying to set up a
> DMZ container which would service a private subnet of containers (as a
> choke firewall, reverse proxy etc).  The host's physical interface,
> bond0, has been attached to br0.  I initially tried creating a container
> (ct1) with two veth interfaces, one attached to br0 for external
> internet connectivity, the other attached to the default lxcbr0.  I
> created a second container (ct2) with a single veth interface attached
> to lxcbr0.  Ct1 was accessible from the outside world and was able to
> ping ct2.  However getting to ct2 from the outside world (e.g. to ssh in
> and modify configs - easier than using lxc console or doing a double ssh
> via ct1) has been problematic.
> I'm wondering whether this is an iptables issue.  On ct1, cat
> /proc/sys/net/ipv4/ip_forward gives me a result of 1 and I'm using
> fairly simple rules to forward from ct1 to ct2 as follows (eth0 =
> external; eth1 = internal)
> ## setup forwarding
> -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j
> -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
> -t nat -A POSTROUTING -s subnet_addresses -o eth0 -j MASQUERADE
> ## NAT for ssh
> -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d
> ct1_external_ip --dport 10088 -j DNAT --to ct2:22
> -A FORWARD -i eth0 -o $eth1 -p tcp --sport 1024:65535 -d ct2_ip --dport
> 22 -j ACCEPT

The "official" networking guide for lxc on Ubuntu :

At first glance your config looks correct, but the most obvious
possible source of the problem would be "-i eth0". You said that your
public IP is now on br0. I'd try to remove the "-i" part altogether,
to see if it is indeed the source of the problem.

> Apologies, total noob mistake for not providing this additional
> background.  I've used these iptables rules with xen and kvm in a
> similar dmz style setup before with no problems but if there's something
> specific I need to know for lxc that would be great to hear about.
> Of course I'm still curious why the macvlan isn't working and would like
> to get that set up as well!

Good luck.

Personally I don't see a use for macvlan in my setup, since bridge
works fine. And I also have a
somewhat-complicated-direct-route-and-arp setup (which is in a way
similar to proxyarp, but uses fewer IPs) if I can't use a bridge for
whatever reason (e.g. when the provider only allows a single MAC).
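
An added example, not part of the original message or of LXC: a small Python check for the two things visible in this exchange, namely `-i`/`-o` names that do not exist where the rules are loaded, and a `-j` left without a target by line wrapping. The interface set passed in, the function names and the sample addresses are assumptions made for the example.

```python
import shlex

IFACE_FLAGS = {"-i", "--in-interface", "-o", "--out-interface"}
TARGET_FLAGS = {"-j", "--jump", "-g", "--goto"}


def iface_exists(pattern, interfaces):
    """iptables treats a trailing '+' as a prefix wildcard (eth+ matches eth0)."""
    if pattern.endswith("+"):
        return any(name.startswith(pattern[:-1]) for name in interfaces)
    return pattern in interfaces


def lint_rules(rules_text, interfaces):
    """Return (line_no, message) findings for iptables-save style rule lines."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        for pos, tok in enumerate(tokens):
            arg = tokens[pos + 1] if pos + 1 < len(tokens) else None
            if tok in IFACE_FLAGS:
                if arg is None or arg.startswith("-"):
                    findings.append((line_no, f"{tok} has no interface name"))
                elif not iface_exists(arg, interfaces):
                    findings.append((line_no, f"{tok} {arg}: no such interface here"))
            elif tok in TARGET_FLAGS and (arg is None or arg.startswith("-")):
                findings.append((line_no, f"{tok} has no target"))
    return findings


# Constructed sample: the quoted rules joined back onto single lines, with
# placeholder addresses (192.0.2.0/24 is a documentation range).
SAMPLE_RULES = """\
## setup forwarding
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -o $eth1 -p tcp -d 192.0.2.20 --dport 22 -j ACCEPT
"""

if __name__ == "__main__":
    # Assumed interface list; on a real system take it from /sys/class/net
    # inside the namespace where the rules are loaded.
    for line_no, message in lint_rules(SAMPLE_RULES, {"lo", "eth0", "eth1"}):
        print(f"line {line_no}: {message}")
```

Run it against the interface names seen inside the container, not the host, since the rules match on names in the network namespace where they are installed.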