Routing issue between LXCs on same host

[johannes-z]

Hello, I have a weird issue and have no clue what to do to fix this. Hopefully someone here can help.

I have two alpine LXC containers - it doesn't matter what they're for, but in my use case one of them is an AdGuardHome DNS server (192.168.0.204), the other is a caddy reverse proxy (192.168.0.99).

The VLAN is configured as such:

InOpenWrt:


In Proxmox:

~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4092

auto vmbr0.10
iface vmbr0.10 inet static
        address 192.168.0.5/24
        gateway 192.168.0.1

Also, the Firewall on Proxmox is disabled on the Datacenter, Node and LXC.

A simplified topology of my network:



I use NAT to redirect all DNS requests to my local DNS. To allow DNS from clients from the same network, I removed the 192.168.0.0/24 route:

dns:~# ip route
default via 192.168.0.1 dev eth0  metric 202
-192.168.0.0/24 dev eth0 scope link  src 192.168.0.204

caddy:~# ip route
default via 192.168.0.1 dev eth0  metric 202
192.168.0.0/24 dev eth0 scope link  src 192.168.0.99

This causes pings from `192.168.0.99` to `192.168.0.204` to fail:

caddy:~# ping 192.168.0.204
PING 192.168.0.204 (192.168.0.204): 56 data bytes
--- 192.168.0.204 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

caddy:~# traceroute 192.168.0.204
traceroute to 192.168.0.204 (192.168.0.204), 30 hops max, 46 byte packets
 1  *  *  *
...

And even though my OpenWrt router's firewall does not block it, I cannot ssh to `192.168.0.5` from `192.168.1.50`; however I can ssh to `192.168.1.5` from `192.168.1.50`. I've already asked on the OpenWrt forums for help, but was told that this is not a router issue (for reference, here is the OpenWrt thread https://forum.openwrt.org/t/routing...ssh-using-vlan-and-dns-port-forwarding/189121)

 

[johannes-z]

With tcpdump I can see the following.

In this case I have deleted the network ip route from 192.168.0.204; so caddy can resolve DNS, but ping doesn't work:

caddy:~# ping 192.168.0.204 -c 1
PING 192.168.0.204 (192.168.0.204): 56 data bytes
15:47:34.209855 IP (tos 0x0, ttl 64, id 40750, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.99 > 192.168.0.204: ICMP echo request, id 491, seq 0, length 64
^C
--- 192.168.0.204 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

dns:~# 15:47:34.209864 IP (tos 0x0, ttl 64, id 40750, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.99 > 192.168.0.204: ICMP echo request, id 491, seq 0, length 64
15:47:34.209882 IP (tos 0x0, ttl 64, id 13296, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.204 > 192.168.0.99: ICMP echo reply, id 491, seq 0, length 64

When I restart dns i get the route back, so ping on caddy works, but DNS doesn't:

caddy:~# nslookup google.at
15:24:22.379133 IP (tos 0x0, ttl 64, id 65069, offset 0, flags [none], proto UDP (17), length 55)
    192.168.0.99.44411 > 192.168.0.1.53: 23871+ A? google.at. (27)
15:24:22.420429 IP (tos 0x0, ttl 64, id 62990, offset 0, flags [DF], proto UDP (17), length 71)
    192.168.0.204.53 > 192.168.0.99.44411: 23871 1/0/0 google.at. A 216.58.212.163 (43)
;; communications error to 192.168.0.1#53: timed out