Differences between revisions 29 and 30
Revision 29 as of 2016-10-31 01:27:32
Size: 8455
Editor: DrydenPersonalis
Comment: slight rewrite of this page
Revision 30 as of 2017-01-06 15:44:09
Size: 8444
Editor: ManuelFunkenberg


Bridged setup for your container(s) network

There are typically two ways to create a bridged network setup:

  1. Create a bridge out of your main network interface, and assign it the IP address you normally would have on your main interface, so that you can use it for the bridge and for the containers as well.
  2. Create a different bridge that is independent of your main interface but that gets traffic forwarded to it (and from it).

The remainder of this introduction covers only option 2.

The masqueraded bridge

This second type is what is typically considered to be the Masqueraded Bridge. You have an internal subnet that you use on the bridge (and on all the containers).

The easiest way with LXC 2.0 (as included in Stretch) is to use the lxc-net component. It is part of the lxc Debian package starting from Stretch (Debian 9) (you can find a wallpaper here ;-)).

Below is an example configuration for lxc-net.

Using lxc-net

The default setup for lxc-net is kept in the file /etc/default/lxc-net.

This is also the configuration lxc-net starts with on Debian Stretch out of the box, without the patch described on the main page applied.

After creating this file with the required config you can simply start the service with systemctl start lxc-net, after enabling it with systemctl enable lxc-net. This is covered in the introduction on the Main Page. Commands:

systemctl enable lxc-net
systemctl start lxc-net

The service will run at boot and create your bridge for you. It will also add the masquerading and forward firewall rules for you using iptables calls.

More info on a bridge

Much is covered in Masqueraded Bridge.

For Debian Jessie and earlier (which is what most users will have at this point) you must consult that document, unless you use lxc-net from Stretch (via backports).

Host device as bridge

The first type of bridge that was mentioned was the “host-shared bridge”.

The host-shared bridge requires the host's network device to be superseded by a bridge that will include this network device as one of its ports.

auto lxcbr0
iface lxcbr0 inet dhcp
    bridge_ports eth0
    bridge_fd 0
    bridge_maxwait 0

would be a typical minimal bridge setup (using dhcp) that supersedes an IP on the main interface (eth0), provided that you have the new fancy "Predictable Network Interface Names" disabled, so that the interface really is called eth0. (Don't forget to regen your initramfs (update-initramfs -u)).

This type of bridge setup has the following features:

  • it is persisted in the host's /etc/network/interfaces
  • the container resides on the same ethernet segment and talks to the same dhcp server as the host.
  • the container shares the same network link on the physical interface of the host (eth0).

This requires the bridge-utils package (as does lxc-net).

Edit the host's /etc/network/interfaces in this form:

# Comment out the following:
# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp

auto br0
iface br0 inet dhcp
        bridge_ports eth0
        bridge_fd 0
        bridge_maxwait 0

# uncomment the below and comment the above for static ip setup on the host
#auto br0
#iface br0 inet static
#       bridge_ports eth0
#       bridge_fd 0
#       address <host IP here, e.g.>
#       netmask
#       network <network IP here, e.g.>
#       broadcast <broadcast IP here, e.g.>
#       gateway <gateway IP address here, e.g.>
#       # dns-* options are implemented by the resolvconf package, if installed
#       dns-nameservers <name server IP address here, e.g.>
#       dns-search your.search.domain.here

Restart networking:

/etc/init.d/networking restart

  • The network section in the container's config (stored on the host in /var/lib/lxc/containername/config) may look like this

## Network
lxc.utsname = containershostname
lxc.network.type = veth
lxc.network.flags = up

# the bridge defined above in the host's interfaces file
lxc.network.link = br0

# name of the network device inside the container,
# defaults to eth0; you may choose a name freely
# lxc.network.name = lxcnet0

# must be unique on the ethernet segment; a locally administered address
# (second hex digit 2, 6, A or E) cannot collide with real hardware
lxc.network.hwaddr = 00:FF:AA:00:00:01

# set the ip here, or skip this line (or leave it empty)
# if you want to run a dhcp client inside the container
lxc.network.ipv4 =

# define a gateway to have access to the internet
lxc.network.ipv4.gateway =
  • Completing the example above, the container's /etc/network/interfaces may be edited to look like this

auto eth0
iface eth0 inet dhcp
#iface eth0 inet static
#       address <container IP here, e.g.>
#       all other settings like those for the host

Additional bridge device instead of changing a host device to br0

  • set up manually with brctl
  • the container's veth virtual ethernet interface accesses the network via the bridge device created on the host. By default, the container is not visible from outside the host.

# script to set up a natted network for lxc guests

echo 1 > /proc/sys/net/ipv4/ip_forward

  • persisted in /etc/sysctl.conf
  • persisted in /etc/network/interfaces

Uncomment the following in /etc/sysctl.conf:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Insert the following in /etc/network/interfaces:

auto lxc-bridge-nat
iface lxc-bridge-nat inet static
        address <bridge IP here, the gateway the containers will use>
        netmask <netmask here>
        bridge_ports none
        bridge_fd 0
        bridge_maxwait 0
# wlan0 is the host's uplink interface; replace it with yours.
# The down line removes the rule again, otherwise every ifup adds a duplicate.
        up iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
        down iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE
  • Give this command to enable forwarding right away:

echo 1 > /proc/sys/net/ipv4/ip_forward

  • The container's /etc/network/interfaces is the same as the one proposed in "Host device as bridge"; if you don't run a dhcp server on lxc-bridge-nat, the container should now use the static ip configuration.
  • The container's config file now uses lxc-bridge-nat as link, with another ip and gateway:

lxc.network.link = lxc-bridge-nat
lxc.network.ipv4 =
lxc.network.ipv4.gateway =

  • The host can easily reach the natted network from its original network.
  • If you want to access a container's port (e.g. an apache running inside a container) from outside the host, you have to forward that port from the host to the container's IP.
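The same NAT bridge done by hand, as an added example that is not from this page: the brctl/ip/iptables commands behind the interfaces stanza above, plus the port forward that the last bullet asks for. The bridge name and wlan0 are taken from the page; 10.0.3.1/24 and 10.0.3.0/24 are constructed values, and DRY_RUN makes the functions print the commands instead of executing them (run as root without it to apply).

```shell
#!/bin/sh
# Added example (not from the wiki page): the "Additional bridge device" setup done by
# hand with brctl/ip/iptables, plus a port forward from the host to one container.
# Bridge name and wlan0 follow the page; the addresses are constructed placeholders.
set -eu

BRIDGE="${BRIDGE:-lxc-bridge-nat}"
BRIDGE_ADDR="${BRIDGE_ADDR:-10.0.3.1/24}"   # gateway address the containers use (assumed)
BRIDGE_NET="${BRIDGE_NET:-10.0.3.0/24}"     # the container subnet (assumed)
UPLINK="${UPLINK:-wlan0}"                   # host interface towards the outside
DRY_RUN="${DRY_RUN:-}"                      # non-empty: print commands instead of running them

# run CMD...: execute the command, or only print it when DRY_RUN is set
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nat_bridge_up: a bridge without physical ports, forwarding on, masquerade only
# what leaves the container subnet through the uplink, and explicit FORWARD
# rules so the setup keeps working with a FORWARD policy of DROP.
nat_bridge_up() {
    run brctl addbr "$BRIDGE"
    run brctl setfd "$BRIDGE" 0
    run ip addr add "$BRIDGE_ADDR" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$BRIDGE_NET" -o "$UPLINK" -j MASQUERADE
    run iptables -A FORWARD -i "$BRIDGE" -o "$UPLINK" -s "$BRIDGE_NET" -j ACCEPT
    run iptables -A FORWARD -i "$UPLINK" -o "$BRIDGE" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# forward_port HOSTPORT CONTAINER_IP CONTAINERPORT [tcp|udp]: publish exactly one
# container service on the host's uplink address (DNAT) and let only that new
# flow through FORWARD; every other container port stays unreachable from outside.
forward_port() {
    hport=$1; cip=$2; cport=$3; proto=${4:-tcp}
    run iptables -t nat -A PREROUTING -i "$UPLINK" -p "$proto" --dport "$hport" \
        -j DNAT --to-destination "$cip:$cport"
    run iptables -A FORWARD -i "$UPLINK" -o "$BRIDGE" -p "$proto" -d "$cip" \
        --dport "$cport" -m conntrack --ctstate NEW -j ACCEPT
}

# usage: ./nat-bridge.sh up
#        ./nat-bridge.sh forward 8080 10.0.3.10 80
case "${1:-}" in
    up)      nat_bridge_up ;;
    forward) shift; forward_port "$@" ;;
esac
```

Run it once with DRY_RUN=1 to read the rules it would add; the FORWARD accepts are what makes the difference between "the container can reach out" and "the outside can reach the container", so keep the second one limited to the ports you actually publish.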