
I'm setting up a new server at a new site. The server is placed behind a router / firewall. The server shall run several LXC containers for various services. The LXC containers are connected to a bridge brlxc. The server furthermore connects to another site using OpenVPN in yet another LXC container bridged to the NIC of the server. Due to issues with the old setup, the aim is to put the routing and firewalling functionality into the dedicated external router.

We end up with something like this:

Router:    10.1.1.1
Server:    10.1.1.2
OpenVPN:   10.1.2.2 (bridged with 10.1.1.2 NIC and connected to router)
brlxc:     10.1.3.1 (on server)
Container: 10.1.3.2 (on brlxc)
Ext-Site:  10.2.0.0/16 (via 10.1.2.2)

Physically, the router box is connected by a single cable to the Server.

The Server and the OpenVPN client receive 10.1.1.1 as default route; the container gets 10.1.3.1 on the server. The router, 10.1.1.1, has a route sending 10.2.0.0/16 via 10.1.2.2, a route sending 10.1.3.0/24 via 10.1.1.2, and for now has 10.1.0.0/16 as its LAN.

The first puzzling thing I noticed was that I needed 10.2.0.0/16 via 10.1.2.2 as a static route on the Server. Otherwise, the router would send an ICMP redirect and the connection broke down.

After adding the first LXC container, I needed to add 10.1.3.0/24 via 10.1.1.2 to the OpenVPN client.

While it's not exactly difficult to set up all these routes and eventually define even firewall rules on the server, this does not meet my design goal of having the router route and firewall, and the server run the services.

I guess there's a better way to do it and I seem to miss some essentials. I'd appreciate some guidance with this.

Lars Hanke
  • You have, IMHO, a thinking issue: how should the server know which packet has to be dropped somewhere? I think you should consider the OSI model one more time ;) – djdomi Jan 10 '22 at 05:11
  • I assume that I'm missing something, and my knowledge of the lower OSI layers absolutely has room for improvement. A naive idea was that the server simply sends everything to the router and lets it decide. It might then return the packet using the same physical cable it received it on. But I'd probably have to separate them using VLANs - just musing ... – Lars Hanke Jan 11 '22 at 10:24

1 Answer


I found a solution for the posted issue. I now use a tagged Ethernet interface to the router and distribute the VLANs via the eth0.VLAN sub-interfaces to bridges that have no address on the host.

# /etc/network/interfaces stanza, one per VLAN (X = VLAN id):
# the tagged sub-interface eth0.X is the only bridge port, and the host
# keeps no IP address on the bridge, so it cannot route between VLANs.
auto brvlanX
iface brvlanX inet manual
  # 'inet manual' brings the bridge up without assigning it an address
  bridge_ports eth0.vlanX
  bridge_fd 0
  # bridge-utils option: don't wait for the port to come up
  bridge_maxwait 0

And the host itself can use its VLAN interface immediately.

This routes all traffic of the virtual machines / containers of the host via the router, which in turn can enforce firewall rules.

Lars Hanke
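The answer's layout as a runnable script, added here as an example and not taken from the original post. It builds the same thing with iproute2 instead of ifupdown (tagged sub-interface, address-less bridge per VLAN) and prints the LXC network keys that attach a container to one of those bridges. The trunk NIC name eth0 and the VLAN ids 10, 20 and 30 are assumptions; the post only mentions "eth0.VLAN".

```shell
#!/bin/sh
# Added example (not from the original post): the answer's per-VLAN
# bridges built with iproute2. Assumed names: trunk NIC eth0, VLAN ids
# 10 20 30. "plan" prints the commands, "apply" (as root) runs them.
set -eu

PARENT="${PARENT:-eth0}"       # tagged trunk to the router (assumed name)
VLANS="${VLANS:-10 20 30}"     # VLAN ids carried on the trunk (assumed)
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute the command, or only print it when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# setup_vlan_bridge ID: create PARENT.ID (802.1Q tag ID) and enslave it
# to the bridge brvlanID. There is deliberately no 'ip addr add': the
# host has no L3 presence on the VLAN, so it cannot route or leak
# between VLANs; the external router is the only hop between them.
setup_vlan_bridge() {
  id="$1"
  run ip link add link "$PARENT" name "$PARENT.$id" type vlan id "$id"
  run ip link add name "brvlan$id" type bridge forward_delay 0 stp_state 0
  run ip link set "$PARENT.$id" master "brvlan$id"
  run ip link set "$PARENT.$id" up
  run ip link set "brvlan$id" up
}

# lxc_net_config ID: LXC 3+ network keys for a container on brvlanID;
# the container gets its address and gateway from the router's VLAN.
lxc_net_config() {
  id="$1"
  printf 'lxc.net.0.type = veth\n'
  printf 'lxc.net.0.link = brvlan%s\n' "$id"
  printf 'lxc.net.0.flags = up\n'
}

case "${1:-}" in
  plan)
    DRY_RUN=1
    for id in $VLANS; do
      setup_vlan_bridge "$id"
      echo "# container config for VLAN $id:"
      lxc_net_config "$id"
    done ;;
  apply)
    for id in $VLANS; do setup_vlan_bridge "$id"; done ;;
  *) ;;   # no verb: only define the functions (e.g. when sourced)
esac
```

`sh vlan-bridges.sh plan` shows what would be created; `apply` is not persistent, the ifupdown stanza in the answer is the permanent form. Because the host has no address on any brvlanN, the static routes from the question (10.2.0.0/16 via 10.1.2.2 on the server, 10.1.3.0/24 inside the OpenVPN container) are no longer needed on the host: every container's gateway is the router's address on that VLAN, so the router sees all inter-VLAN traffic and can filter it. One caveat: two containers on the same bridge still reach each other directly through the bridge without the router seeing it, so services that must be firewalled from each other belong on different VLANs.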