Join Log in
Score:0
avatar Server

Why do I routes to containers locally and how can I do better?

fr flag
Lars Hanke

I'm setting up a new server at a new site. The server is placed behind a router / firewall. The server shall run several LXC containers for various services. The LXC containers are connected to a bridge brlxc. The server furthermore connects to another site using OpenVPN in yet another LXC container bridged to the NIC of the server. Due to issues with the old setup the aim is to put the routing and firewalling functionality into the dedicated external router.

We end up with something like this:

Router:    10.1.1.1
Server:    10.1.1.2
OpenVPN:   10.1.2.2 (bridged with 10.1.1.2 NIC and connected to router)
brlxc:     10.1.3.1 (on server)
Container: 10.1.3.2 (on brlxc)
Ext-Site:  10.2.0.0/16 (via 10.1.2.2)

Physically the router box connected by a single cable to the Server.

The Server and the OpenVPN client receive 10.1.1.1 as default route; the container 10.1.3.1 on the server. The router, 10.1.1.1, has a route to send 10.2.0.0/16 via 10.1.2.2, a route to send 10.1.3.0/24 via 10.1.1.2, and for now has 10.1.0.0/16 as LAN.

The first puzzeling thing I noticed was that I needed 10.2.0.0/16 via 10.1.2.2 as a static route on the Server. Otherwise, the router would send an ICMP redirect and the connection broke down.

After adding the first LXC container I needed to add 10.1.3.0/24 via 10.1.1.2 to the OpenVPN client.

While it's not exactly difficult to set-up all these routes and eventually define even firewall rules on the server, this does not meet my design goal to have the router to route and firewall, and the server to run the services.

I guess there's a better way to do it and I seem to miss some essentials. I'd appreciate some guidance with this.

41
0 + 0
lxc
djdomi avatar
za flag
djdomi
you have imho a thinking issue, how should the server know, which packet has to be dropped somewhere? i think you should consider one times more the OSI model ;)
0
Reply
fr flag
Lars Hanke
I assume that I'm missing something and my knowledge of lower OSI layers absolutely has room for improvement. A naive idea was that the server simply sends everything to the router and lets it decide. It might then return the package using the same physical cable it received it. But I'd probably have to separate them using VLAN - just musing ...
0
Reply
Score:0
avatar Server
fr flag
Lars Hanke

I found a solution for the posted issue. I now use a tagged ethernet interface to the router and distribute the VLANs using the eth0.VLAN interface to bridges with no address to the host.

auto brvlanX
iface brvlanX inet static
  bridge_ports eth0.vlanX
  bridge_fd 0
  bridge_nowait 0
  address 0.0.0.0

And the host itself can use his VLAN interface immediately.

This routes all traffic of the virtual machines / containers of the host via the router, which in turn can enforce firewall rules.

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.