[Firehol-support] lxd container in other network not reachable
Jonathan Baecker
jonbae77 at gmail.com
Thu May 4 20:51:54 BST 2017
Hello Everybody,
I have here a strange problem and I hope you can help me.
On a server run dhcp, dns, some other services and a handful of lxd
containers. The server manages different networks, with different privileges.
One network is our working network (interface br0, network
192.168.0.0/24), a second network is for streaming servers (interface
br3, network 192.168.3.0/24).
The default lxd containers hang on br0 too, but one container (streamer)
is connected to br3. From network 192.168.3.0/24 I can reach the
container streamer, and all computers from network 192.168.0.0/24, but
from inside the streamer container I cannot reach the other network.
From network 192.168.0.0/24 I can reach all computers in network
192.168.3.0/24 but not the streamer container. Connecting to the
containers on br0 is also possible, even from the computers of the
192.168.3.0/24 network (except my streamer container).
The problem is that I don't get any logging information about
connections to the streamer.
Before I used firehol for this setup, I had a firewall based on
fwbuilder - so in general it works, just not with firehol.
My routers look like this:
# route local work networks to wlan net and vpn net
router4 lanWork2others inface "${lanWork}" outface "${wlanGuest},${vpnAdmin},${vpnGuest}"
    route all accept

# route local work networks to streaming net
router4 lanWork2stream inface "${lanWork}" outface "${lanStream}"
    server "http https ping rdp ssh rtmp httpalt" accept

# route local streaming networks to work net and vpn net
router4 lanStream2others inface "${lanStream}" outface "${lanWork},${vpnAdmin},${vpnGuest}"
    route all accept
And here are the corresponding interfaces:
# firewall rule from working lan to interface lanWork
interface "${lanWork}" lan-Work
    policy reject
    ipv4 server "dhcp dhcprelay" accept
    ipv4 server "netbios_dgm netbios_ns" accept dst "255.255.255.255 192.168.0.255"
    ipv4 server "icmp ping dns ssh http https squid" accept dst 192.168.0.1
    ipv4 server "dropboxBroadcast unknownBroadcast" drop dst "255.255.255.255 192.168.0.255" # prevent log spam
    ipv4 client all accept

# firewall rule from streaming lan to interface lanStream
interface "${lanStream}" lan-Stream
    policy reject
    ipv4 server "dhcp dhcprelay udpStream" accept
    ipv4 server "netbios_dgm netbios_ns" accept dst "255.255.255.255 192.168.3.255"
    ipv4 server "icmp ping dns ssh http https squid" accept dst 192.168.3.1
    ipv4 client all accept
Have you any idea what is happening here?
Sorry if my explanation is a bit confusing.
Regards
Jonathan
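When a bridged container's forwarded traffic disappears without a log line, the rule that consumes it can still be located from the per-rule packet counters of the FORWARD chain on the firewall host. The script below is an added example, not part of Jonathan's post and not FireHOL code: it reads the output of `iptables -nvL FORWARD` (use `-x` for exact counters) and reports every DROP or REJECT rule whose counter is non-zero. The sample output embedded in it is constructed; the chain names, interface names and counts are assumptions for illustration, not a capture from the poster's machine.

```shell
#!/bin/sh
# Report FORWARD-chain rules that have discarded packets, from `iptables -nvL FORWARD`.
# Columns of that output: pkts bytes target prot opt in out source destination [extras]

# Constructed sample output (assumed chain/interface names, not a real capture).
SAMPLE_FORWARD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 in_lanWork2stream  all  --  br0    br3     0.0.0.0/0            0.0.0.0/0
   88  7040 out_lanWork2stream all  --  br3    br0     0.0.0.0/0            0.0.0.0/0
   37  2960 DROP       all  --  br3    br0     192.168.3.0/24       192.168.0.0/24
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# Read `iptables -nvL` text on stdin; print one line per DROP/REJECT rule
# that has matched at least one packet, tagged with its chain name.
silent_drops() {
    awk '
        /^Chain / { chain = $2; next }          # remember which chain we are in
        $1 == "pkts" { next }                   # skip the column header
        ($3 == "DROP" || $3 == "REJECT") && ($1 + 0) > 0 {
            printf "%s: %s packets %s in=%s out=%s %s -> %s\n",
                   chain, $1, $3, $6, $7, $8, $9
        }
    '
}

# Run the report over the constructed sample (real use: iptables -nvL FORWARD | silent_drops).
sample_report() {
    printf '%s\n' "$SAMPLE_FORWARD" | silent_drops
}

# Convenience: number of offending rules in the sample.
sample_drop_count() {
    sample_report | wc -l | tr -d ' '
}

sample_report
```

On the live host, run `iptables -nvL FORWARD | silent_drops` twice around a failed connection attempt; the rule whose counter moved between the two runs is the one discarding the container's packets, and its `in`/`out` interface pair tells you which FireHOL router (or the default policy) owns that decision.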