I have a server running Ubuntu 20.04 LTS connected through one physical ethernet interface to the internet. My provider assigned me a static primary IPv4 address (I will use A.A.A.A here for this IP), so my systemd-networkd config file looked like this before (I disabled netplan to work directly with systemd-networkd):

    # /etc/systemd/network/20-enp7s0.network
    [Match]
    Name=enp7s0

    [Network]
    LinkLocalAddressing=ipv6
    Address=A.A.A.A/32
    Gateway=fe80::1
    DNS=X.X.X.1
    DNS=X.X.X.2

    [Route]
    Destination=0.0.0.0/0
    Gateway=Y.Y.Y.Y
    GatewayOnlink=true
My provider offers adding an additional IP address to my server, which is routed to the same interface as the primary IP. When adding this second IP to my interface I can ping it. Since I'm using systemd-nspawn containers I was thinking of using this additional IP to supply one of my containers with an exclusive static IPv4 address (I will use B.B.B.B here). This would be great for mapping DNS entries directly to a container on my server, while all other applications on the server still use the primary IP address.
So I started following the nice instructions from the Arch wiki on systemd-nspawn and systemd-networkd. I configured a bridge and moved all addressing from the physical interface to it:
/etc/systemd/network/br0.netdev
    [NetDev]
    Name=br0
    Kind=bridge
    MACAddress=xx:xx:xx:xx:xx:xx # same as my phys. interface
/etc/systemd/network/20-br0.network
    [Match]
    Name=br0

    [Network]
    LinkLocalAddressing=ipv6
    Address=A.A.A.A/32
    Gateway=fe80::1
    DNS=X.X.X.1
    DNS=X.X.X.2

    [Route]
    Destination=0.0.0.0/0
    Gateway=Y.Y.Y.Y
    GatewayOnlink=true
/etc/systemd/network/20-enp7s0.network
    [Match]
    Name=enp7s0

    [Network]
    Bridge=br0
IPv4 forwarding is enabled:

    $ sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1
I start my nspawn container with the following config:
/etc/systemd/nspawn/mycontainer.nspawn
    [Network]
    VirtualEthernet=yes
    Bridge=br0
Inside the container (Debian 11 Bullseye) I enabled systemd-networkd and use the following config for networking:

    # /etc/systemd/network/80-container-host0.network
    [Match]
    Name=host0

    [Network]
    Address=B.B.B.B/32
    DNS=X.X.X.1
    DNS=X.X.X.2

    [Route]
    Destination=0.0.0.0/0
    Gateway=Y.Y.Y.Y
    GatewayOnlink=true
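As an added example (not part of the question), the following Python script parses two .network files laid out like 20-br0.network and 80-container-host0.network above into the IPv4 routes systemd-networkd would install and does a kernel-style longest-prefix lookup, so you can see which next hop each side would use to reach the other with /32 addressing versus a /24. The addresses are constructed RFC 5737 stand-ins for A.A.A.A, B.B.B.B, Y.Y.Y.Y and X.X.X.n.

```python
import configparser
import ipaddress
# Constructed stand-ins (RFC 5737 ranges) for the anonymised A.A.A.A, B.B.B.B,
# Y.Y.Y.Y and X.X.X.n; layout mirrors 20-br0.network / 80-container-host0.network.
HOST_NETWORK = """\
[Match]
Name=br0
[Network]
LinkLocalAddressing=ipv6
Address=203.0.113.10/32
DNS=192.0.2.53
[Route]
Destination=0.0.0.0/0
Gateway=203.0.113.1
GatewayOnlink=true
"""
CONTAINER_NETWORK = (HOST_NETWORK.replace("Name=br0", "Name=host0")
                     .replace("203.0.113.10", "203.0.113.20"))

def ipv4_routes(text):
    """IPv4 routes the file installs, as (prefix, gateway); gateway is None
    for the connected prefix that an Address= line creates."""
    cp = configparser.ConfigParser(strict=False)  # DNS= may repeat
    cp.read_string(text)
    routes = []
    for key, val in cp.items("Network"):
        if key == "address" and ipaddress.ip_interface(val).version == 4:
            routes.append((ipaddress.ip_interface(val).network, None))
    if cp.has_section("Route"):
        dst = ipaddress.ip_network(cp["Route"].get("Destination", "0.0.0.0/0"))
        gw = ipaddress.ip_address(cp["Route"]["Gateway"])
        if dst.version == 4 and gw.version == 4:
            routes.append((dst, gw))
    return routes

def path_to(routes, dst):
    """Kernel-style longest-prefix match: how does a packet to dst leave?"""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    if not hits:
        return "unreachable"
    prefix, gw = max(hits, key=lambda r: r[0].prefixlen)
    return "on-link (%s)" % prefix if gw is None else "via gateway %s (%s)" % (gw, prefix)

if __name__ == "__main__":
    print("host  -> container:", path_to(ipv4_routes(HOST_NETWORK), "203.0.113.20"))
    print("guest -> host:     ", path_to(ipv4_routes(CONTAINER_NETWORK), "203.0.113.10"))
    print("/24 host -> container:", path_to(ipv4_routes(HOST_NETWORK.replace("/32", "/24")), "203.0.113.20"))
```

With the /32 files neither side has a connected route covering the other's address, so both sides hand the packet to the gateway's MAC; the third line shows the /24 variant, where the peer becomes on-link.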
This is the result of this configuration. On the host:
    $ ip a
    2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
        link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
        inet A.A.A.A/32 scope global br0
           valid_lft forever preferred_lft forever
    6: vb-mycontainer@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
        link/ether yy:yy:yy:yy:yy:yy brd ff:ff:ff:ff:ff:ff link-netnsid 0

    $ networkctl status -a
    ● 1: lo
    [...]

    ● 2: enp7s0
                 Link File: /usr/lib/systemd/network/99-default.link
              Network File: /etc/systemd/network/20-enp7s0.network
                      Type: ether
                     State: enslaved (configured)
                      Path: pci-0000:07:00.0
                    Driver: igb
                    Vendor: Intel Corporation
                     Model: I210 Gigabit Network Connection
                HW Address: xx:xx:xx:xx:xx:xx
                       MTU: 1500 (min: 68, max: 9216)
      Queue Length (Tx/Rx): 8/8
          Auto negotiation: yes
                     Speed: 1Gbps
                    Duplex: full
                      Port: tp
         Activation Policy: up
       Required For Online: yes

    ● 3: br0
                 Link File: /usr/lib/systemd/network/99-default.link
              Network File: /etc/systemd/network/20-br0.network
                      Type: bridge
                     State: routable (configured)
                    Driver: bridge
                HW Address: xx:xx:xx:xx:xx:xx
                       MTU: 1500 (min: 68, max: 65535)
             Forward Delay: 15s
                Hello Time: 2s
                   Max Age: 20s
               Ageing Time: 5min
                  Priority: 32768
                       STP: no
    Multicast IGMP Version: 2
      Queue Length (Tx/Rx): 1/1
                   Address: A.A.A.A
                   Gateway: Y.Y.Y.Y (Juniper Networks)
                            fe80::1 (Juniper Networks)
                       DNS: X.X.X.1
                            X.X.X.2
         Activation Policy: up
       Required For Online: yes

    ● 6: vb-mycontainer
                 Link File: /usr/lib/systemd/network/99-default.link
              Network File: n/a
                      Type: ether
                     State: degraded (unmanaged)
                    Driver: veth
                HW Address: yy:yy:yy:yy:yy:yy
                       MTU: 1500 (min: 68, max: 65535)
      Queue Length (Tx/Rx): 1/1
          Auto negotiation: no
                     Speed: 10Gbps
                    Duplex: full
                      Port: tp
                   Address: fe80::xxxx:xxxx:xxxx:xxxx
         Activation Policy: up
       Required For Online: yes

    $ ip route
    default via Y.Y.Y.Y dev br0 proto static onlink
And inside my container:
    # ip a
    1: lo: [...]
    2: host0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether yy:yy:yy:yy:yy:yy brd ff:ff:ff:ff:ff:ff link-netnsid 0
        inet B.B.B.B/32 scope global host0
           valid_lft forever preferred_lft forever
        inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link
           valid_lft forever preferred_lft forever

    # networkctl status -a
    ● 1: lo
    [...]

    ● 2: host0
                         Link File: n/a
                      Network File: /etc/systemd/network/80-container-host0.network
                              Type: ether
                             State: routable (configured)
                        HW Address: zz:zz:zz:zz:zz:zz
                               MTU: 1500 (min: 68, max: 65535)
                             QDisc: noqueue
      IPv6 Address Generation Mode: eui64
              Queue Length (Tx/Rx): 1/1
                  Auto negotiation: no
                             Speed: 10Gbps
                            Duplex: full
                              Port: tp
                           Address: B.B.B.B
                                    fe80::xxxx:xxxx:xxxx:xxxx
                           Gateway: Y.Y.Y.Y
                               DNS: X.X.X.1
                                    X.X.X.2
                 DHCP6 Client DUID: DUID-EN/Vendor:0000ab117511f183668420370000

    Feb 17 19:45:26 mycontainer systemd-networkd[25]: host0: Link UP
    Feb 17 19:45:26 mycontainer systemd-networkd[25]: host0: Gained carrier
    Feb 17 19:45:27 mycontainer systemd-networkd[25]: host0: Gained IPv6LL

    # ip route
    default via Y.Y.Y.Y dev host0 proto static onlink
Regarding all other settings I stick to the system's defaults. But it's not working: I can't ping from the host to the guest, nor from the guest to the host, the internet or the gateway; I just get Destination Host Unreachable. So am I missing something here? I'm not really deep into networking and have already spent a lot of time on this, so I apologize in advance for any stupid mistakes I might have made. Every clue is welcome. Thank you!
EDIT:
I had a look at the neighbor table:

Host:

    $ ip neighbor
    Y.Y.Y.Y dev br0 lladdr 84:c1:c1:76:ae:9b REACHABLE    <- gateway
    fe80::f80b:aff:fe80:d92 dev vb-mycontainer FAILED
    fe80::6c91:a7ff:fe1f:19a2 dev br0 FAILED
    fe80::1 dev br0 lladdr 84:c1:c1:76:ae:9b router STALE
    fe80::f80b:aff:fe80:d92 dev br0 lladdr fa:0b:0a:80:0d:92 STALE

Guest:

    $ ip neighbor
    fe80::7e10:c9ff:fe21:ed87 dev host0 lladdr 7c:10:c9:21:ed:87 router STALE
    fe80::6c91:a7ff:fe1f:19a2 dev host0 FAILED
    fe80::1 dev host0 lladdr 84:c1:c1:76:ae:9b router STALE

fe80::6c91:a7ff:fe1f:19a2 is the link-local address of the virtual interface vb-mycontainer on the host. So there seems to be a connection problem between the guest and the host, I assume?