Combining bonding and NAT problematic

liquidox · May 29, 2019

I am trying to combine bonding with NAT as follows:

Code:

auto lo
iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

auto bond0
iface bond0 inet static
        slaves eno1 eno2
        address FIRST_IP
        netmask 255.255.255.0
        hwaddress SOME_MAC_ADDRESS
        bond-miimon 100
        bond-mode 802.3ad
        bond-xmit_hash_policy layer2+3
        bond-lacp-rate 1
        up ip route add default via FIRST_IP dev bond0 metric 100

auto bond0:1
iface bond0:1 inet static
        address SECOND_IP
        netmask 255.255.255.0
        up ip route add default via SECOND_IP dev bond0 metric 200

auto vmbr0
iface vmbr0 inet static
        address 10.0.0.1
        netmask 255.255.0.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        post-up   iptables -t nat -A POSTROUTING -s '10.0.1.0/24' -o bond0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.1.0/24' -o bond0 -j MASQUERADE

        post-up   iptables -t nat -A POSTROUTING -s '10.0.2.0/24' -o bond0:1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.2.0/24' -o bond0:1 -j MASQUERADE

This does not work however, cannot ping internet from inside containers. However, after a lot of fiddling and googling, this does seem to work:

Code:

auto lo
iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

auto bond0
iface bond0 inet manual
        slaves eno1 eno2
        hwaddress SOME_MAC_ADDRESS
        bond-miimon 100
        bond-mode 802.3ad
        bond-xmit_hash_policy layer2+3
        bond-lacp-rate 1

auto vmbr1
iface vmbr1 inet static
        address  FIRST_IP
        netmask  255.255.255.0
        bridge_ports bond0
        bridge_stp off
        bridge_fd 0
        up ip route add default via FIRST_IP dev vmbr1 metric 100
        down ip route del default via FIRST_IP dev vmbr1 metric 100

auto vmbr1:0
iface vmbr1:0 inet static
        address  SECOND_IP
        netmask  255.255.255.0
        up ip route add default via SECOND_IP dev vmbr1:0 metric 200
        down ip route del default via SECOND_IP dev vmbr1:0 metric 200

auto vmbr0
iface vmbr0 inet static
        address 10.0.0.1
        netmask 255.255.0.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        post-up   iptables -t nat -A POSTROUTING -s '10.0.1.0/24' -o vmbr1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.1.0/24' -o vmbr1 -j MASQUERADE

        post-up   iptables -t nat -A POSTROUTING -s '10.0.2.0/24' -o vmbr1:0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.2.0/24' -o vmbr1:0 -j MASQUERADE

But I don't understand why solution #1 does not work, it's much cleaner than #2, so I would like to use the first one somehow. Any ideas?

liquidox · Jun 6, 2019

If anyone ever finds this and is stuck on the same problem, the original setup with a slave bond0:1 was actually correct. The problem I had with routing was that I needed to use source routing (http://www.linuxhorizon.ro/iproute2.html) to make it work properly.

Search

Search

Combining bonding and NAT problematic

liquidox

Renowned Member

liquidox

Renowned Member

We value your privacy