Bridged nodes sharing local IP to be used as gateway for LXC

Mike Machuidel machuidel at gmail.com
Tue Mar 12 00:21:33 CET 2013


Hello everyone,

I am running multiple nodes each having multiple LXC containers. On
those nodes I am using Tinc to share the subnet 10.20.0.0. The LXC
containers may migrate between nodes and should keep the same
configuration.
On all nodes traffic from the external interfaces (connected to the
internet) is forwarded to the bridge interfaces and masqueraded. The
LXC containers are using 10.20.0.1 as their default gateway which
should stay the same independent of the node they are running on.

How to do the following while running Tinc in switch mode,

on Node A:

  ip link set dev eth0 up
  ip addr add 192.168.200.30/24 dev eth0
  ip route add default via 192.168.200.1 dev eth0    # gateway connected to the internet

  brctl addbr br0
  brctl setfd br0 0
  ip link set dev br0 up
  ip addr add 10.20.0.1/16 dev br0   # same IP as on node B so the LXC containers can use the same gateway IP
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  ip route add 10.20.0.0/16 dev br0

  sysctl -w net.ipv4.ip_forward=1

on Node B:

  ip link set dev eth0 up
  ip addr add 192.168.160.10/24 dev eth0
  ip route add default via 192.168.160.1 dev eth0    # gateway connected to the internet

  brctl addbr br0
  brctl setfd br0 0
  ip link set dev br0 up
  ip addr add 10.20.0.1/16 dev br0   # same IP as on node A so the LXC containers can use the same gateway IP
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  ip route add 10.20.0.0/16 dev br0

  sysctl -w net.ipv4.ip_forward=1

meaning that both nodes will share the same IP, which the LXC containers
can use as their default gateway?

To be honest I already tried this configuration. It ran well for about
2 days till I noticed that sometimes LXC containers on Node B were
using the default gateway on Node A and the other way around.

Is it possible to force the 10.20.0.1 on the local interface to be
used instead of the traffic being bridged over to the other side? Like
setting some metrics?

Best regards,

Mike

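As an added diagnostic (not part of Mike's mail and not tinc's own code), the following Python script parses ARP replies captured on a container's interface, e.g. with `tcpdump -e -n arp`, and reports every MAC address that answered for the shared gateway 10.20.0.1; the tcpdump line shape is assumed and the capture below is constructed.

```python
"""Added example: spot two nodes both answering ARP for the shared gateway IP.
With tinc in switch mode, both nodes' br0 (same IP, different MACs) can reply
to a container's ARP request; whichever reply lands last wins the ARP cache."""
import re
from collections import defaultdict

GATEWAY_IP = "10.20.0.1"  # shared gateway address from the post

# Line shape of `tcpdump -e -n arp` is assumed; adjust the regex if yours differs.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+[0-9a-f:]{17}\s+>\s+[0-9a-f:]{17}.*?"
    r"Reply\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+is-at\s+(?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)

def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for every ARP reply line; requests are skipped."""
    for line in lines:
        m = ARP_REPLY_RE.search(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()

def gateway_claimants(lines, gateway_ip=GATEWAY_IP):
    """Map each MAC that answered for gateway_ip to the timestamps it did so.
    More than one key means more than one host is serving the same gateway."""
    claims = defaultdict(list)
    for ts, ip, mac in parse_arp_replies(lines):
        if ip == gateway_ip:
            claims[mac].append(ts)
    return dict(claims)

def gateway_flaps(lines, gateway_ip=GATEWAY_IP):
    """Count consecutive gateway replies coming from a different MAC than before."""
    last, flaps = None, 0
    for _ts, ip, mac in parse_arp_replies(lines):
        if ip != gateway_ip:
            continue
        if last is not None and mac != last:
            flaps += 1  # the container's cached gateway MAC just changed
        last = mac
    return flaps

# Constructed sample capture: one request, replies from two different MACs.
SAMPLE_CAPTURE = """\
00:21:01.000101 02:aa:aa:aa:aa:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.20.0.1 tell 10.20.0.50, length 28
00:21:01.000350 02:bb:bb:bb:bb:0a > 02:aa:aa:aa:aa:01, ethertype ARP (0x0806), length 60: Reply 10.20.0.1 is-at 02:bb:bb:bb:bb:0a, length 46
00:21:01.004120 02:cc:cc:cc:cc:0b > 02:aa:aa:aa:aa:01, ethertype ARP (0x0806), length 60: Reply 10.20.0.1 is-at 02:cc:cc:cc:cc:0b, length 46
00:21:31.000220 02:bb:bb:bb:bb:0a > 02:aa:aa:aa:aa:01, ethertype ARP (0x0806), length 60: Reply 10.20.0.1 is-at 02:bb:bb:bb:bb:0a, length 46
00:21:31.003900 02:dd:dd:dd:dd:02 > 02:aa:aa:aa:aa:01, ethertype ARP (0x0806), length 60: Reply 10.20.0.77 is-at 02:dd:dd:dd:dd:02, length 46
""".splitlines()
```

If more than one MAC shows up for 10.20.0.1, the remote node's br0 is answering across the tinc bridge; one remedy worth considering (my suggestion, not from the post) is to keep ARP for the shared address from crossing the tinc-facing bridge port, for instance with an ebtables rule matching `-p ARP --arp-ip-src 10.20.0.1` on that port.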

More information about the tinc mailing list