Re: [lxc-users] No outgoing traffic with bridged network and public IP address from container

2014-09-11 Thread Fajar A. Nugraha
Depends on how your provider set it up.

If it WERE intended to work that way, they would've given you full
instructions (e.g. "use this IP, this netmask, and this gateway") instead
of just giving the IP (and probably say "add this as a secondary IP on your
server").

The fact that you say it works when you use it as br0:0 (and br0 has
81.7.15.233) means that at that point you're NOT using bridge, but instead
use your host's primary IP as the gateway. And your provider has routed that
IP thru your primary IP.

Again, it is important to know how your provider works. Asking them BEFORE
asking questions here would've led to a more productive discussion.

FWIW, on server4you I use something like this:

On the host's /etc/network/interfaces:
#==
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 209.126.X.Y
  netmask 255.255.255.192
  gateway 209.126.X.1

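auto br0
iface br0 inet static
  address 192.168.124.1
  netmask 255.255.255.0
  # no physical port attached: br0 only connects the containers' veth devices
  bridge_ports none
  # host route for the additional IP, pointing at the bridge
  up ip route add A.B.C.D/32 dev br0 || true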



... where A.B.C.D is the one additional IP that they gave me.


On the container lxc config:
#===
# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = 00:16:3E:04:A8:65
lxc.network.veth.pair=veth-C1-0


On the container's /etc/network/interfaces:
#==
auto lo
iface lo inet loopback

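auto eth0
iface eth0 inet static
  address A.B.C.D
  netmask 255.255.255.255
  # make the host's br0 address reachable on-link first ...
  up ip route add 192.168.124.1 dev eth0
  # ... so that it can be used as the default gateway
  up ip route add default via 192.168.124.1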



Basically it uses some static routes to force communication between the
host's br0 and the container's eth0, even though they're on different
logical subnet (br0 192.168.124.1/24, container is A.B.C.D/32). And
container's traffic is routed thru the host's br0, which in turn goes to
the provider's routing thru the host's main IP. Pure routing setup, no NAT
involved.

-- 
Fajar



On Thu, Sep 11, 2014 at 8:19 PM, othiman wrote:

> 91.143.88.1 actually is the providers gateway for the subnet.
>
> The whole IP configuration for the container looks like this:
> IP address: 91.143.88.119
> netmask: 255.255.255.0
> broadcast: 91.143.88.255
> gateway: 91.143.88.1
>
> So the container is on a totally different subnet, but shouldn't that work
> anyway with a bridged device?
>
> Best regards,
> Thomas
>
>
> On 11.09.2014 15:11, brian mullan wrote:
>
>> In your container config you set the IP gateway as:
>>
>>  lxc.network.ipv4.gateway=91.143.88.1
>>
>> But I didn't see that IP addr anywhere else in your email. Where is 88.1 ?
>>
>> Brian
>>
>>
> ___
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
>
___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
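
The routed setup described in the message above, worked through as an added example (not code from the thread or from LXC): a simplified model of the host's and the container's routing tables that shows which device and neighbour each packet uses, and why the container's on-link route to 192.168.124.1 has to exist before the default route. The addresses 203.0.113.0/26, 198.51.100.20 and 192.0.2.50 are constructed stand-ins for 209.126.X.Y, A.B.C.D and a remote host; the class and function names are hypothetical.

```python
import ipaddress

# Constructed stand-ins (documentation ranges) for the values elided in the mail.
HOST_NET = "203.0.113.0/26"    # stands in for 209.126.X.Y / 255.255.255.192
HOST_GW = "203.0.113.1"        # stands in for 209.126.X.1
EXTRA_IP = "198.51.100.20"     # stands in for A.B.C.D
BR0_IP = "192.168.124.1"       # from the mail
BR0_NET = "192.168.124.0/24"   # from the mail
REMOTE = "192.0.2.50"          # constructed remote host


class RouteTable:
    """Simplified IPv4 routing table: longest-prefix match plus on-link gateway check."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # list of (network, gateway-or-None, device)

    def lookup(self, dst):
        """Return the most specific route covering dst, or None."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def add(self, prefix, dev, via=None):
        """Model `ip route add PREFIX [via GW] dev DEV`."""
        gw = None
        if via is not None:
            gw = ipaddress.ip_address(via)
            hop = self.lookup(gw)
            # The kernel rejects a gateway that is not directly reachable on a link.
            if hop is None or hop[1] is not None:
                raise ValueError(f"{self.name}: gateway {via} is not on-link")
        self.routes.append((ipaddress.ip_network(prefix), gw, dev))

    def next_hop(self, dst):
        """Return (device, address to ARP for) for a packet to dst."""
        route = self.lookup(dst)
        if route is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        _, gw, dev = route
        return dev, str(gw if gw is not None else ipaddress.ip_address(dst))


def build_container(with_onlink_route=True):
    """Container side: a /32 address creates no connected subnet route."""
    table = RouteTable("container")
    if with_onlink_route:
        table.add(f"{BR0_IP}/32", "eth0")           # up ip route add 192.168.124.1 dev eth0
    table.add("0.0.0.0/0", "eth0", via=BR0_IP)      # up ip route add default via 192.168.124.1
    return table


def build_host():
    """Host side: eth0 towards the provider, br0 towards the containers."""
    table = RouteTable("host")
    table.add(HOST_NET, "eth0")                     # connected route of eth0
    table.add("0.0.0.0/0", "eth0", via=HOST_GW)     # gateway line of eth0
    table.add(BR0_NET, "br0")                       # connected route of br0
    table.add(f"{EXTRA_IP}/32", "br0")              # up ip route add A.B.C.D/32 dev br0
    return table


def trace():
    """Follow a packet out of the container and the reply back in."""
    container, host = build_container(), build_host()
    return {
        "container_out": container.next_hop(REMOTE),      # container -> host br0
        "host_out": host.next_hop(REMOTE),                # host -> provider gateway
        "host_back": host.next_hop(EXTRA_IP),             # reply: host -> container
        "container_to_host": container.next_hop(BR0_IP),  # direct, no gateway
    }


if __name__ == "__main__":
    for step, (dev, neighbour) in trace().items():
        print(f"{step:18} dev {dev:4} ARP for {neighbour}")
    try:
        build_container(with_onlink_route=False)
    except ValueError as err:
        print("without the on-link route:", err)
```

In this model the only frames that reach the provider leave through the host's eth0 towards the host's own gateway, which matches the "pure routing setup, no NAT" description: the container's MAC address stays on br0.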

Re: [lxc-users] No outgoing traffic with bridged network and public IP address from container

2014-09-11 Thread othiman

91.143.88.1 actually is the providers gateway for the subnet.

The whole IP configuration for the container looks like this:
IP address: 91.143.88.119
netmask: 255.255.255.0
broadcast: 91.143.88.255
gateway: 91.143.88.1

So the container is on a totally different subnet, but shouldn't that 
work anyway with a bridged device?


Best regards,
Thomas

On 11.09.2014 15:11, brian mullan wrote:

In your container config you set the IP gateway as:

 lxc.network.ipv4.gateway=91.143.88.1

But I didn't see that IP addr anywhere else in your email. Where is 88.1 ?

Brian




Re: [lxc-users] No outgoing traffic with bridged network and public IP address from container

2014-09-11 Thread brian mullan
In your container config you set the IP gateway as:

 lxc.network.ipv4.gateway=91.143.88.1

But I didn't see that IP addr anywhere else in your email.   Where is 88.1 ?

Brian

Re: [lxc-users] No outgoing traffic with bridged network and public IP address from container

2014-09-11 Thread othiman
I'm still confused that it is working at the old server, but not at the new 
one. I wrote an email to my provider asking if they use a kind of MAC 
filter. I will let you know if this is the solution.


Thanks for all your help,
Thomas

On 11.09.2014 13:08, Tamas Papp wrote:


On 09/11/2014 01:06 PM, othiman wrote:

Hi,

binding the 91.143.88.119 address to an aliasing interface of the 
host (br0:0) directly, pinging inside and outside to the host is 
working correctly.


Yes, but as it was mentioned, you're trying with a different mac address.

What you need is I think using an alias and iptables DNAT/SNAT.


Cheers,
tamas

Re: [lxc-users] No outgoing traffic with bridged network and public IP address from container

2014-09-11 Thread othiman
Hmm. The old server is also at the same provider and there it is working 
without a problem (ubuntu 12.04 and lxc 0.7.5). In addition binding the 
91.143.88.119 address to the old server in the same way, the setup works 
without a hassle.
Binding the 91.143.88.119 to an aliasing interface (br0:0) on the new 
host is working, too...


Thomas

On 11.09.2014 13:02, Fajar A. Nugraha wrote:
On Thu, Sep 11, 2014 at 4:05 PM, othiman wrote:


Hi everyone,

I already posted this to askubuntu.com 

(http://askubuntu.com/questions/522457/lxc-container-no-outgoing-traffic-with-bridged-network-and-public-ip-address),
but I think this might be a better place to find help.

I try to setup a LXC container with bridged network on ubuntu
14.04.1, but the outgoing traffic seems to be blocked. Ping
another IP than the container's one is not working. Actually I
tried this with a working container of a ubuntu 12.04 host moved
to new hardware and a recent ubuntu 14.04, but the problem also
applies to a new created ubuntu 14.04 container.

I should mention that if I bind the IP address to an aliasing
interface of the host directly, pinging inside and outside to the
host is working correctly.

I hope someone has an idea what I am doing wrong.


Sounds suspiciously similar to a dedicated server/colo setup where 
your provider only allows one MAC on each port. Is that the case for 
you? If yes, then short answer is you can't use bridge.


Since your container IP (91.143.88.119) and host IP (81.7.15.233) is 
on a different subnet mask, I suspect that your provider routes the 
additional IP to your main IP. In which case you should use routed setup.


--
Fajar



Re: [lxc-users] No outgoing traffic with bridged network and public IP address from container

2014-09-11 Thread Tamas Papp


On 09/11/2014 01:06 PM, othiman wrote:

Hi,

binding the 91.143.88.119 address to an aliasing interface of the host 
(br0:0) directly, pinging inside and outside to the host is working 
correctly.


Yes, but as it was mentioned, you're trying with a different mac address.

What you need is I think using an alias and iptables DNAT/SNAT.


Cheers,
tamas

Re: [lxc-users] No outgoing traffic with bridged network and public IP address from container

2014-09-11 Thread othiman

Hi,

binding the 91.143.88.119 address to an aliasing interface of the host 
(br0:0) directly, pinging inside and outside to the host is working 
correctly.


Thomas


On 11.09.2014 13:01, Tamas Papp wrote:

hi,

Is it allowed by your provider?

tamas

On 09/11/2014 12:46 PM, othiman wrote:

Hi Andreas, hi tamas,

thanks for your fast answers. I removed the IP settings from the 
config, but that was obviously not the problem.


I cannot ping the gateway from inside of the container:
ubuntu@ubuntu-test:~$ ping 91.143.88.1
PING 91.143.88.1 (91.143.88.1) 56(84) bytes of data.
^C
--- 91.143.88.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3023ms

Meanwhile I used "tcpdump -i eth0 -v icmp -n" on the host to look at 
the ICMP packets (because there is a lot of other traffic on that 
device).


tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 
65535 bytes
11:46:27.181917 IP (tos 0x0, ttl 244, id 28226, offset 0, flags 
[none], proto ICMP (1), length 84)
176.227.209.42 > 81.7.14.108: ICMP echo request, id 263, seq 
31682, length 64
11:46:27.401801 IP (tos 0x0, ttl 64, id 48628, offset 0, flags [DF], 
proto ICMP (1), length 84)
91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 1, 
length 64
11:46:28.409373 IP (tos 0x0, ttl 64, id 48629, offset 0, flags [DF], 
proto ICMP (1), length 84)
91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 2, 
length 64
11:46:29.417370 IP (tos 0x0, ttl 64, id 48630, offset 0, flags [DF], 
proto ICMP (1), length 84)
91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 3, 
length 64
11:46:30.425366 IP (tos 0x0, ttl 64, id 48631, offset 0, flags [DF], 
proto ICMP (1), length 84)
91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 4, 
length 64
11:46:31.383279 IP (tos 0x0, ttl 244, id 29380, offset 0, flags 
[none], proto ICMP (1), length 84)
176.227.209.42 > 81.7.14.108: ICMP echo request, id 263, seq 
32673, length 64

^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel


So it looks like the packets are going out, but there is no answer 
coming back. So I tried Andreas hint. I called (in the container)


ubuntu@ubuntu-test:~$ sudo ./arping -I eth0 -u 91.143.88.119 -c4
ARPING 91.143.88.119

--- 91.143.88.119 statistics ---
4 packets transmitted, 0 packets received, 100% unanswered (0 extra)

But still no answers from the gateway :-(

Best regards,
Thomas

On 11.09.2014 11:20, Andreas Laut wrote:

We face this problem very often.

You can try to ping the Host IP and after that the gateway IP from
inside the container.
If that doesn't work you'll have to send arpings from inside the 
container:
arping -I [lxc-interfacename]  -U 91.143.88.119 -c4 (arping from iputils
package)

After that you'll get the following output:
Sent 4 probes (4 broadcast(s))
Received 0 response(s)

0 responses are ok. Try to ping again.
Hope that helps.

Best Regards



On 11.09.2014 at 11:05, othiman wrote:

Hi everyone,

I already posted this to askubuntu.com
(http://askubuntu.com/questions/522457/lxc-container-no-outgoing-traffic-with-bridged-network-and-public-ip-address), 


but I think this might be a better place to find help.

I try to setup a LXC container with bridged network on ubuntu 14.04.1,
but the outgoing traffic seems to be blocked. Ping another IP than the
container's one is not working. Actually I tried this with a working
container of a ubuntu 12.04 host moved to new hardware and a recent
ubuntu 14.04, but the problem also applies to a new created ubuntu
14.04 container.

I should mention that if I bind the IP address to an aliasing
interface of the host directly, pinging inside and outside to the host
is working correctly.

I hope someone has an idea what I am doing wrong.


I created the new container with:
 lxc-create -t ubuntu -n ubuntu-test


This is my config file:
 # Template used to create this container:
/usr/share/lxc/templates/lxc-ubuntu
 # Parameters passed to the template: -r trusty
 # For additional config options, please look at 
lxc.container.conf(5)


 # Common configuration
 lxc.include = /usr/share/lxc/config/ubuntu.common.conf

 # Container specific configuration
 lxc.rootfs = /var/lib/lxc/ubuntu-test/rootfs
 lxc.mount = /var/lib/lxc/ubuntu-test/fstab
 lxc.utsname = ubuntu-test
 lxc.arch = amd64

 # Network configuration
 lxc.network.type = veth
 lxc.network.flags = up
 lxc.network.link = br0
 lxc.network.hwaddr = 00:16:3e:6c:7c:79
 lxc.network.ipv4=91.143.88.119/24
 lxc.network.ipv4.gateway=91.143.88.1
 lxc.network.name=eth0


My '/etc/network/interfaces' on the host:
 auto lo
 iface lo inet loopback

 auto br0
 iface br0 inet static
 address 81.7.15.233
 netmask 255.255.255.0
 broadcast 81.7.15.255
 gateway 81.7.15.1
 bridge_ports eth0
 bridge_f

Re: [lxc-users] No outgoing traffic with bridged network and public IP address from container

2014-09-11 Thread Fajar A. Nugraha
On Thu, Sep 11, 2014 at 4:05 PM, othiman wrote:

> Hi everyone,
>
> I already posted this to askubuntu.com (http://askubuntu.com/
> questions/522457/lxc-container-no-outgoing-traffic-
> with-bridged-network-and-public-ip-address), but I think this might be a
> better place to find help.
>
> I try to setup a LXC container with bridged network on ubuntu 14.04.1, but
> the outgoing traffic seems to be blocked. Ping another IP than the
> container's one is not working. Actually I tried this with a working
> container of a ubuntu 12.04 host moved to new hardware and a recent ubuntu
> 14.04, but the problem also applies to a new created ubuntu 14.04 container.
>
> I should mention that if I bind the IP address to an aliasing interface of
> the host directly, pinging inside and outside to the host is working
> correctly.
>
> I hope someone has an idea what I am doing wrong.
>
>
Sounds suspiciously similar to a dedicated server/colo setup where your
provider only allows one MAC on each port. Is that the case for you? If
yes, then short answer is you can't use bridge.

Since your container IP (91.143.88.119) and host IP (81.7.15.233) is on a
different subnet mask, I suspect that your provider routes the additional
IP to your main IP. In which case you should use routed setup.

-- 
Fajar

Re: [lxc-users] No outgoing traffic with bridged network and public IP address from container

2014-09-11 Thread Tamas Papp

hi,

Is it allowed by your provider?

tamas

On 09/11/2014 12:46 PM, othiman wrote:

Hi Andreas, hi tamas,

thanks for your fast answers. I removed the IP settings from the 
config, but that was obviously not the problem.


I cannot ping the gateway from inside of the container:
ubuntu@ubuntu-test:~$ ping 91.143.88.1
PING 91.143.88.1 (91.143.88.1) 56(84) bytes of data.
^C
--- 91.143.88.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3023ms

Meanwhile I used "tcpdump -i eth0 -v icmp -n" on the host to look at 
the ICMP packets (because there is a lot of other traffic on that 
device).


tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 
65535 bytes
11:46:27.181917 IP (tos 0x0, ttl 244, id 28226, offset 0, flags 
[none], proto ICMP (1), length 84)
176.227.209.42 > 81.7.14.108: ICMP echo request, id 263, seq 
31682, length 64
11:46:27.401801 IP (tos 0x0, ttl 64, id 48628, offset 0, flags [DF], 
proto ICMP (1), length 84)
91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 1, 
length 64
11:46:28.409373 IP (tos 0x0, ttl 64, id 48629, offset 0, flags [DF], 
proto ICMP (1), length 84)
91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 2, 
length 64
11:46:29.417370 IP (tos 0x0, ttl 64, id 48630, offset 0, flags [DF], 
proto ICMP (1), length 84)
91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 3, 
length 64
11:46:30.425366 IP (tos 0x0, ttl 64, id 48631, offset 0, flags [DF], 
proto ICMP (1), length 84)
91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 4, 
length 64
11:46:31.383279 IP (tos 0x0, ttl 244, id 29380, offset 0, flags 
[none], proto ICMP (1), length 84)
176.227.209.42 > 81.7.14.108: ICMP echo request, id 263, seq 
32673, length 64

^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel


So it looks like the packets are going out, but there is no answer 
coming back. So I tried Andreas hint. I called (in the container)


ubuntu@ubuntu-test:~$ sudo ./arping -I eth0 -u 91.143.88.119 -c4
ARPING 91.143.88.119

--- 91.143.88.119 statistics ---
4 packets transmitted, 0 packets received, 100% unanswered (0 extra)

But still no answers from the gateway :-(

Best regards,
Thomas

On 11.09.2014 11:20, Andreas Laut wrote:

We face this problem very often.

You can try to ping the Host IP and after that the gateway IP from
inside the container.
If that doesn't work you'll have to send arpings from inside the 
container:

arping -I [lxc-interfacename]  -U 91.143.88.119 -c4 (arping from iputils
package)

After that you'll get the following output:
Sent 4 probes (4 broadcast(s))
Received 0 response(s)

0 responses are ok. Try to ping again.
Hope that helps.

Best Regards



On 11.09.2014 at 11:05, othiman wrote:

Hi everyone,

I already posted this to askubuntu.com
(http://askubuntu.com/questions/522457/lxc-container-no-outgoing-traffic-with-bridged-network-and-public-ip-address), 


but I think this might be a better place to find help.

I try to setup a LXC container with bridged network on ubuntu 14.04.1,
but the outgoing traffic seems to be blocked. Ping another IP than the
container's one is not working. Actually I tried this with a working
container of a ubuntu 12.04 host moved to new hardware and a recent
ubuntu 14.04, but the problem also applies to a new created ubuntu
14.04 container.

I should mention that if I bind the IP address to an aliasing
interface of the host directly, pinging inside and outside to the host
is working correctly.

I hope someone has an idea what I am doing wrong.


I created the new container with:
 lxc-create -t ubuntu -n ubuntu-test


This is my config file:
 # Template used to create this container:
/usr/share/lxc/templates/lxc-ubuntu
 # Parameters passed to the template: -r trusty
 # For additional config options, please look at 
lxc.container.conf(5)


 # Common configuration
 lxc.include = /usr/share/lxc/config/ubuntu.common.conf

 # Container specific configuration
 lxc.rootfs = /var/lib/lxc/ubuntu-test/rootfs
 lxc.mount = /var/lib/lxc/ubuntu-test/fstab
 lxc.utsname = ubuntu-test
 lxc.arch = amd64

 # Network configuration
 lxc.network.type = veth
 lxc.network.flags = up
 lxc.network.link = br0
 lxc.network.hwaddr = 00:16:3e:6c:7c:79
 lxc.network.ipv4=91.143.88.119/24
 lxc.network.ipv4.gateway=91.143.88.1
 lxc.network.name=eth0


My '/etc/network/interfaces' on the host:
 auto lo
 iface lo inet loopback

 auto br0
 iface br0 inet static
 address 81.7.15.233
 netmask 255.255.255.0
 broadcast 81.7.15.255
 gateway 81.7.15.1
 bridge_ports eth0
 bridge_fd 0
 bridge_stp off
 bridge_waitport 0
 bridge_maxwait 0


and on the client:
 auto lo
 iface lo inet loopback

 auto eth0
 iface eth0 inet static
 address 91.14

Re: [lxc-users] No outgoing traffic with bridged network and public IP address from container

2014-09-11 Thread othiman

Hi Andreas, hi tamas,

thanks for your fast answers. I removed the IP settings from the config, 
but that was obviously not the problem.


I cannot ping the gateway from inside of the container:
ubuntu@ubuntu-test:~$ ping 91.143.88.1
PING 91.143.88.1 (91.143.88.1) 56(84) bytes of data.
^C
--- 91.143.88.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3023ms

Meanwhile I used "tcpdump -i eth0 -v icmp -n" on the host to look at the 
ICMP packets (because there is a lot of other traffic on that device).


tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 
65535 bytes
11:46:27.181917 IP (tos 0x0, ttl 244, id 28226, offset 0, flags [none], 
proto ICMP (1), length 84)
176.227.209.42 > 81.7.14.108: ICMP echo request, id 263, seq 31682, 
length 64
11:46:27.401801 IP (tos 0x0, ttl 64, id 48628, offset 0, flags [DF], 
proto ICMP (1), length 84)
91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 1, 
length 64
11:46:28.409373 IP (tos 0x0, ttl 64, id 48629, offset 0, flags [DF], 
proto ICMP (1), length 84)
91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 2, 
length 64
11:46:29.417370 IP (tos 0x0, ttl 64, id 48630, offset 0, flags [DF], 
proto ICMP (1), length 84)
91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 3, 
length 64
11:46:30.425366 IP (tos 0x0, ttl 64, id 48631, offset 0, flags [DF], 
proto ICMP (1), length 84)
91.143.88.119 > 91.143.88.1: ICMP echo request, id 457, seq 4, 
length 64
11:46:31.383279 IP (tos 0x0, ttl 244, id 29380, offset 0, flags [none], 
proto ICMP (1), length 84)
176.227.209.42 > 81.7.14.108: ICMP echo request, id 263, seq 32673, 
length 64

^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel


So it looks like the packets are going out, but there is no answer 
coming back. So I tried Andreas hint. I called (in the container)


ubuntu@ubuntu-test:~$ sudo ./arping -I eth0 -u 91.143.88.119 -c4
ARPING 91.143.88.119

--- 91.143.88.119 statistics ---
4 packets transmitted, 0 packets received, 100% unanswered (0 extra)

But still no answers from the gateway :-(

Best regards,
Thomas

On 11.09.2014 11:20, Andreas Laut wrote:

We face this problem very often.

You can try to ping the Host IP and after that the gateway IP from
inside the container.
If that doesn't work you'll have to send arpings from inside the container:
arping -I [lxc-interfacename]  -U 91.143.88.119 -c4 (arping from iputils
package)

After that you'll get the following output:
Sent 4 probes (4 broadcast(s))
Received 0 response(s)

0 responses are ok. Try to ping again.
Hope that helps.

Best Regards



On 11.09.2014 at 11:05, othiman wrote:

Hi everyone,

I already posted this to askubuntu.com
(http://askubuntu.com/questions/522457/lxc-container-no-outgoing-traffic-with-bridged-network-and-public-ip-address),
but I think this might be a better place to find help.

I try to setup a LXC container with bridged network on ubuntu 14.04.1,
but the outgoing traffic seems to be blocked. Ping another IP than the
container's one is not working. Actually I tried this with a working
container of a ubuntu 12.04 host moved to new hardware and a recent
ubuntu 14.04, but the problem also applies to a new created ubuntu
14.04 container.

I should mention that if I bind the IP address to an aliasing
interface of the host directly, pinging inside and outside to the host
is working correctly.

I hope someone has an idea what I am doing wrong.


I created the new container with:
 lxc-create -t ubuntu -n ubuntu-test


This is my config file:
 # Template used to create this container:
/usr/share/lxc/templates/lxc-ubuntu
 # Parameters passed to the template: -r trusty
 # For additional config options, please look at lxc.container.conf(5)

 # Common configuration
 lxc.include = /usr/share/lxc/config/ubuntu.common.conf

 # Container specific configuration
 lxc.rootfs = /var/lib/lxc/ubuntu-test/rootfs
 lxc.mount = /var/lib/lxc/ubuntu-test/fstab
 lxc.utsname = ubuntu-test
 lxc.arch = amd64

 # Network configuration
 lxc.network.type = veth
 lxc.network.flags = up
 lxc.network.link = br0
 lxc.network.hwaddr = 00:16:3e:6c:7c:79
 lxc.network.ipv4=91.143.88.119/24
 lxc.network.ipv4.gateway=91.143.88.1
 lxc.network.name=eth0


My '/etc/network/interfaces' on the host:
 auto lo
 iface lo inet loopback

 auto br0
 iface br0 inet static
 address 81.7.15.233
 netmask 255.255.255.0
 broadcast 81.7.15.255
 gateway 81.7.15.1
 bridge_ports eth0
 bridge_fd 0
 bridge_stp off
 bridge_waitport 0
 bridge_maxwait 0


and on the client:
 auto lo
 iface lo inet loopback

 auto eth0
 iface eth0 inet static
 address 91.143.88.119
 netmask 255.255.255.0
 broadcast 91.143.88.255
 gateway 91.

Re: [lxc-users] No outgoing traffic with bridged network and public IP address from container

2014-09-11 Thread Andreas Laut
We face this problem very often.

You can try to ping the Host IP and after that the gateway IP from
inside the container.
If that doesn't work you'll have to send arpings from inside the container:
arping -I [lxc-interfacename]  -U 91.143.88.119 -c4 (arping from iputils
package)

After that you'll get the following output:
Sent 4 probes (4 broadcast(s))
Received 0 response(s)

0 responses are ok. Try to ping again.
Hope that helps.

Best Regards



On 11.09.2014 at 11:05, othiman wrote:
> Hi everyone,
>
> I already posted this to askubuntu.com
> (http://askubuntu.com/questions/522457/lxc-container-no-outgoing-traffic-with-bridged-network-and-public-ip-address),
> but I think this might be a better place to find help.
>
> I try to setup a LXC container with bridged network on ubuntu 14.04.1,
> but the outgoing traffic seems to be blocked. Ping another IP than the
> container's one is not working. Actually I tried this with a working
> container of a ubuntu 12.04 host moved to new hardware and a recent
> ubuntu 14.04, but the problem also applies to a new created ubuntu
> 14.04 container.
>
> I should mention that if I bind the IP address to an aliasing
> interface of the host directly, pinging inside and outside to the host
> is working correctly.
>
> I hope someone has an idea what I am doing wrong.
>
>
> I created the new container with:
> lxc-create -t ubuntu -n ubuntu-test
>
>
> This is my config file:
> # Template used to create this container:
> /usr/share/lxc/templates/lxc-ubuntu
> # Parameters passed to the template: -r trusty
> # For additional config options, please look at lxc.container.conf(5)
>
> # Common configuration
> lxc.include = /usr/share/lxc/config/ubuntu.common.conf
>
> # Container specific configuration
> lxc.rootfs = /var/lib/lxc/ubuntu-test/rootfs
> lxc.mount = /var/lib/lxc/ubuntu-test/fstab
> lxc.utsname = ubuntu-test
> lxc.arch = amd64
>
> # Network configuration
> lxc.network.type = veth
> lxc.network.flags = up
> lxc.network.link = br0
> lxc.network.hwaddr = 00:16:3e:6c:7c:79
> lxc.network.ipv4=91.143.88.119/24
> lxc.network.ipv4.gateway=91.143.88.1
> lxc.network.name=eth0
>
>
> My '/etc/network/interfaces' on the host:
> auto lo
> iface lo inet loopback
>
> auto br0
> iface br0 inet static
> address 81.7.15.233
> netmask 255.255.255.0
> broadcast 81.7.15.255
> gateway 81.7.15.1
> bridge_ports eth0
> bridge_fd 0
> bridge_stp off
> bridge_waitport 0
> bridge_maxwait 0
>
>
> and on the client:
> auto lo
> iface lo inet loopback
>
> auto eth0
> iface eth0 inet static
> address 91.143.88.119
> netmask 255.255.255.0
> broadcast 91.143.88.255
> gateway 91.143.88.1
>
>
> IP forwarding is enabled:
> cat /proc/sys/net/ipv4/ip_forward
> 1
>
>
> 'iptables-save' shows
> # Generated by iptables-save v1.4.21 on Wed Sep 10 18:26:23 2014
> *mangle
> :PREROUTING ACCEPT [20035:4192692]
> :INPUT ACCEPT [7193:3225426]
> :FORWARD ACCEPT [2677:191017]
> :OUTPUT ACCEPT [381:36624]
> :POSTROUTING ACCEPT [3058:227641]
> -A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM
> --checksum-fill
> COMMIT
> # Completed on Wed Sep 10 18:26:23 2014
> # Generated by iptables-save v1.4.21 on Wed Sep 10 18:26:23 2014
> *nat
> :PREROUTING ACCEPT [10474:819973]
> :INPUT ACCEPT [282:41644]
> :OUTPUT ACCEPT [7:537]
> :POSTROUTING ACCEPT [57:4274]
> -A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
> COMMIT
> # Completed on Wed Sep 10 18:26:23 2014
> # Generated by iptables-save v1.4.21 on Wed Sep 10 18:26:23 2014
> *filter
> :INPUT ACCEPT [7193:3225426]
> :FORWARD ACCEPT [2677:191017]
> :OUTPUT ACCEPT [381:36624]
> -A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
> -A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
> -A FORWARD -o lxcbr0 -j ACCEPT
> -A FORWARD -i lxcbr0 -j ACCEPT
> COMMIT
> # Completed on Wed Sep 10 18:26:23 2014
>
>
> output of 'brctl show':
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.0025905700f8       no              eth0
>                                                         vethRTX30H
> lxcbr0          8000.                   no
>
>
> My host's 'ifconfig':
> br0   Link encap:Ethernet  Hardware Adresse 00:25:90:57:00:f8
>   inet Adresse:81.7.15.233  Bcast:81.7.15.255 Maske:255.255.255.0
>   inet6-Adresse: fe80::225:90ff:fe57:f8/64
> Gültigkeitsbereich:Verbindung
>   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
>   RX-Pakete:128248 Fehler:0 Verloren:15 Überläufe:0 Fenster:0
>   TX-Pakete:3835 Fehler:0 Verloren:0 Überläufe:0 Träger:0
>   

Re: [lxc-users] No outgoing traffic with bridged network and public IP address from container

2014-09-11 Thread Tamas Papp


On 09/11/2014 11:05 AM, othiman wrote:

Hi everyone,

I already posted this to askubuntu.com 
(http://askubuntu.com/questions/522457/lxc-container-no-outgoing-traffic-with-bridged-network-and-public-ip-address), 
but I think this might be a better place to find help.


I try to setup a LXC container with bridged network on ubuntu 14.04.1, 
but the outgoing traffic seems to be blocked. Ping another IP than the 
container's one is not working. Actually I tried this with a working 
container of a ubuntu 12.04 host moved to new hardware and a recent 
ubuntu 14.04, but the problem also applies to a new created ubuntu 
14.04 container.


I should mention that if I bind the IP address to an aliasing 
interface of the host directly, pinging inside and outside to the host 
is working correctly.





lxc.network.ipv4=91.143.88.119/24
lxc.network.ipv4.gateway=91.143.88.1





auto br0
iface br0 inet static
address 81.7.15.233
netmask 255.255.255.0
broadcast 81.7.15.255
gateway 81.7.15.1
bridge_ports eth0
bridge_fd 0
bridge_stp off
bridge_waitport 0
bridge_maxwait 0


and on the client:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 91.143.88.119
netmask 255.255.255.0


First of all either use guest's network file or lxc.network.ipv4* 
settings. There is no reason to use both.


Can you ping 91.143.88.1?
What do you see with tcpdump -i eth0 on the host machine?

tamas

[lxc-users] No outgoing traffic with bridged network and public IP address from container

2014-09-11 Thread othiman

Hi everyone,

I already posted this to askubuntu.com 
(http://askubuntu.com/questions/522457/lxc-container-no-outgoing-traffic-with-bridged-network-and-public-ip-address), 
but I think this might be a better place to find help.


I try to setup a LXC container with bridged network on ubuntu 14.04.1, 
but the outgoing traffic seems to be blocked. Ping another IP than the 
container's one is not working. Actually I tried this with a working 
container of a ubuntu 12.04 host moved to new hardware and a recent 
ubuntu 14.04, but the problem also applies to a new created ubuntu 14.04 
container.


I should mention that if I bind the IP address to an aliasing interface 
of the host directly, pinging inside and outside to the host is working 
correctly.


I hope someone has an idea what I am doing wrong.


I created the new container with:
lxc-create -t ubuntu -n ubuntu-test


This is my config file:
# Template used to create this container: 
/usr/share/lxc/templates/lxc-ubuntu

# Parameters passed to the template: -r trusty
# For additional config options, please look at lxc.container.conf(5)

# Common configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf

# Container specific configuration
lxc.rootfs = /var/lib/lxc/ubuntu-test/rootfs
lxc.mount = /var/lib/lxc/ubuntu-test/fstab
lxc.utsname = ubuntu-test
lxc.arch = amd64

# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = 00:16:3e:6c:7c:79
lxc.network.ipv4=91.143.88.119/24
lxc.network.ipv4.gateway=91.143.88.1
lxc.network.name=eth0


My '/etc/network/interfaces' on the host:
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
address 81.7.15.233
netmask 255.255.255.0
broadcast 81.7.15.255
gateway 81.7.15.1
bridge_ports eth0
bridge_fd 0
bridge_stp off
bridge_waitport 0
bridge_maxwait 0


and on the client:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 91.143.88.119
netmask 255.255.255.0
broadcast 91.143.88.255
gateway 91.143.88.1


IP forwarding is enabled:
cat /proc/sys/net/ipv4/ip_forward
1


'iptables-save' shows
# Generated by iptables-save v1.4.21 on Wed Sep 10 18:26:23 2014
*mangle
:PREROUTING ACCEPT [20035:4192692]
:INPUT ACCEPT [7193:3225426]
:FORWARD ACCEPT [2677:191017]
:OUTPUT ACCEPT [381:36624]
:POSTROUTING ACCEPT [3058:227641]
-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM 
--checksum-fill

COMMIT
# Completed on Wed Sep 10 18:26:23 2014
# Generated by iptables-save v1.4.21 on Wed Sep 10 18:26:23 2014
*nat
:PREROUTING ACCEPT [10474:819973]
:INPUT ACCEPT [282:41644]
:OUTPUT ACCEPT [7:537]
:POSTROUTING ACCEPT [57:4274]
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Sep 10 18:26:23 2014
# Generated by iptables-save v1.4.21 on Wed Sep 10 18:26:23 2014
*filter
:INPUT ACCEPT [7193:3225426]
:FORWARD ACCEPT [2677:191017]
:OUTPUT ACCEPT [381:36624]
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
COMMIT
# Completed on Wed Sep 10 18:26:23 2014


output of 'brctl show':
bridge name     bridge id               STP enabled     interfaces
br0             8000.0025905700f8       no              eth0
                                                        vethRTX30H
lxcbr0          8000.                   no


My host's 'ifconfig':
br0   Link encap:Ethernet  Hardware Adresse 00:25:90:57:00:f8
  inet Adresse:81.7.15.233  Bcast:81.7.15.255 Maske:255.255.255.0
  inet6-Adresse: fe80::225:90ff:fe57:f8/64 
Gültigkeitsbereich:Verbindung

  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
  RX-Pakete:128248 Fehler:0 Verloren:15 Überläufe:0 Fenster:0
  TX-Pakete:3835 Fehler:0 Verloren:0 Überläufe:0 Träger:0
  Kollisionen:0 Sendewarteschlangenlänge:0
  RX-Bytes:11076138 (11.0 MB)  TX-Bytes:343557 (343.5 KB)

eth0  Link encap:Ethernet  Hardware Adresse 00:25:90:57:00:f8
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
  RX-Pakete:129421 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
  TX-Pakete:4046 Fehler:0 Verloren:0 Überläufe:0 Träger:0
  Kollisionen:0 Sendewarteschlangenlänge:1000
  RX-Bytes:13510902 (13.5 MB)  TX-Bytes:449527 (449.5 KB)
  Interrupt:16 Speicher:fb90-fb92

lo    Link encap:Lokale Schleife
  inet Adresse:127.0.0.1  Maske:255.0.0.0
  inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
  UP LO