[lxc-users] macvlan networking

Mon Sep 15 08:54:22 UTC 2014

On Mon, Sep 15, 2014 at 3:34 PM, Adam Gold <awg1 at gmx.com> wrote:
>> Just a wild guess, I'm assuming macvlan has problems with bridge interface.
>>
>> Have you tried using a physical interface (e.g. eth0) as
>> lxc.network.link? Or better yet, since you already create a bridge,
>> use lxc.network.type = veth?
>>
>
> I should give just a little bit more context.  I'm trying to set up a
> DMZ container which would service a private subnet of containers (as a
> choke firewall, reverse proxy etc).  The host's physical interface,
> bond0, has been attached to br0.  I initially tried creating a container
> (ct1) with two veth interfaces, one attached to br0 for external
> internet connectivity, the other attached to the default lxcbr0.  I
> created a second container (ct2) with a single veth interface attached
> to lxcbr0.  Ct1 was accessible from the outside world and was able to
> ping ct2.  However getting to ct2 from the outside world (e.g. to ssh in
> and modify configs - easier than using lxc console or doing a double ssh
> via ct1) has been problematic.
>
> I'm wondering whether this is an iptables issue.  On ct1, cat
> /proc/sys/net/ipv4/ip_forward gives me a result of 1 and I'm using
> fairly simple rules to forward from ct1 to ct2 as follows (eth0 =
> exernal; eth1 = internal)
>
> ## setup forwarding
> -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j
> ACCEPT
> -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
> -t nat -A POSTROUTING -s subnet_addresses -o eth0 -j MASQUERADE
> ## NAT for ssh
> -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d
> ct1_external_ip --dport 10088 -j DNAT --to ct2:22
> -A FORWARD -i eth0 -o $eth1 -p tcp --sport 1024:65535 -d ct2_ip --dport
> 22 -j ACCEPT
>

The "official" networking guide for lxc on Ubuntu :
https://help.ubuntu.com/14.04/serverguide/lxc.html#lxc-network

At first glance your config looks correct, but the most obvious
possible source of problem would be "-i eth0". You said that your
public IP is now on br0. I'd try to remove the "-i" part altogether,
to see if it is indeed the source of problem.

> Apologies, total noob mistake for not providing this additional
> background.  I've used these iptables rules with xen and kvm in a
> similar dmz style setup before with no problems but if there's something
> specific I need to know for lxc that would be great to hear about.
>
> Of course I'm still curious why the macvlan isn't working and would like
> to get that set up as well!

Good luck.

Personally I don't see a use for macvlan in my setup, since bridge
works fine. And I also have a
somewhat-complicated-direct-route-and-arp setup (which is in a way
similar to proxyarp, but use less IPs) if I can't use a bridge for
whatever reason (e.g. when provider only allows a single MAC).

-- 
Fajar