LXD instances cannot reach the WAN

[jamesbeedy]

All of the sudden my lxd instances can't talk to the WAN. I initially thought this had something to do with modifications I have made to my local routing table, but after troubleshooting I realize that is not the case.

Required information

• ubuntu 20.04

  
  config: {}
  api_extensions:

• storage_zfs_remove_snapshots
• container_host_shutdown_timeout
• container_stop_priority
• container_syscall_filtering
• auth_pki
• container_last_used_at
• etag
• patch
• usb_devices
• https_allowed_credentials
• image_compression_algorithm
• directory_manipulation
• container_cpu_time
• storage_zfs_use_refquota
• storage_lvm_mount_options
• network
• profile_usedby
• container_push
• container_exec_recording
• certificate_update
• container_exec_signal_handling
• gpu_devices
• container_image_properties
• migration_progress
• id_map
• network_firewall_filtering
• network_routes
• storage
• file_delete
• file_append
• network_dhcp_expiry
• storage_lvm_vg_rename
• storage_lvm_thinpool_rename
• network_vlan
• image_create_aliases
• container_stateless_copy
• container_only_migration
• storage_zfs_clone_copy
• unix_device_rename
• storage_lvm_use_thinpool
• storage_rsync_bwlimit
• network_vxlan_interface
• storage_btrfs_mount_options
• entity_description
• image_force_refresh
• storage_lvm_lv_resizing
• id_map_base
• file_symlinks
• container_push_target
• network_vlan_physical
• storage_images_delete
• container_edit_metadata
• container_snapshot_stateful_migration
• storage_driver_ceph
• storage_ceph_user_name
• resource_limits
• storage_volatile_initial_source
• storage_ceph_force_osd_reuse
• storage_block_filesystem_btrfs
• resources
• kernel_limits
• storage_api_volume_rename
• macaroon_authentication
• network_sriov
• console
• restrict_devlxd
• migration_pre_copy
• infiniband
• maas_network
• devlxd_events
• proxy
• network_dhcp_gateway
• file_get_symlink
• network_leases
• unix_device_hotplug
• storage_api_local_volume_handling
• operation_description
• clustering
• event_lifecycle
• storage_api_remote_volume_handling
• nvidia_runtime
• container_mount_propagation
• container_backup
• devlxd_images
• container_local_cross_pool_handling
• proxy_unix
• proxy_udp
• clustering_join
• proxy_tcp_udp_multi_port_handling
• network_state
• proxy_unix_dac_properties
• container_protection_delete
• unix_priv_drop
• pprof_http
• proxy_haproxy_protocol
• network_hwaddr
• proxy_nat
• network_nat_order
• container_full
• candid_authentication
• backup_compression
• candid_config
• nvidia_runtime_config
• storage_api_volume_snapshots
• storage_unmapped
• projects
• candid_config_key
• network_vxlan_ttl
• container_incremental_copy
• usb_optional_vendorid
• snapshot_scheduling
• snapshot_schedule_aliases
• container_copy_project
• clustering_server_address
• clustering_image_replication
• container_protection_shift
• snapshot_expiry
• container_backup_override_pool
• snapshot_expiry_creation
• network_leases_location
• resources_cpu_socket
• resources_gpu
• resources_numa
• kernel_features
• id_map_current
• event_location
• storage_api_remote_volume_snapshots
• network_nat_address
• container_nic_routes
• rbac
• cluster_internal_copy
• seccomp_notify
• lxc_features
• container_nic_ipvlan
• network_vlan_sriov
• storage_cephfs
• container_nic_ipfilter
• resources_v2
• container_exec_user_group_cwd
• container_syscall_intercept
• container_disk_shift
• storage_shifted
• resources_infiniband
• daemon_storage
• instances
• image_types
• resources_disk_sata
• clustering_roles
• images_expiry
• resources_network_firmware
• backup_compression_algorithm
• ceph_data_pool_name
• container_syscall_intercept_mount
• compression_squashfs
• container_raw_mount
• container_nic_routed
• container_syscall_intercept_mount_fuse
• container_disk_ceph
• virtual-machines
• image_profiles
• clustering_architecture
• resources_disk_id
• storage_lvm_stripes
• vm_boot_priority
• unix_hotplug_devices
• api_filtering
• instance_nic_network
• clustering_sizing
• firewall_driver
• projects_limits
• container_syscall_intercept_hugetlbfs
• limits_hugepages
• container_nic_routed_gateway
• projects_restrictions
• custom_volume_snapshot_expiry
• volume_snapshot_scheduling
• trust_ca_certificates
• snapshot_disk_usage
• clustering_edit_roles
• container_nic_routed_host_address
• container_nic_ipvlan_gateway
• resources_usb_pci
• resources_cpu_threads_numa
• resources_cpu_core_die
• api_os
• container_nic_routed_host_table
• container_nic_ipvlan_host_table
• container_nic_ipvlan_mode
• resources_system
• images_push_relay
• network_dns_search
• container_nic_routed_limits
• instance_nic_bridged_vlan
• network_state_bond_bridge
• usedby_consistency
• custom_block_volumes
• clustering_failure_domains
• resources_gpu_mdev
• console_vga_type
• projects_limits_disk
• network_type_macvlan
• network_type_sriov
• container_syscall_intercept_bpf_devices
• network_type_ovn
• projects_networks
• projects_networks_restricted_uplinks
• custom_volume_backup
• backup_override_name
• storage_rsync_compression
• network_type_physical
• network_ovn_external_subnets
• network_ovn_nat
• network_ovn_external_routes_remove
• tpm_device_type
• storage_zfs_clone_copy_rebase
• gpu_mdev
• resources_pci_iommu
• resources_network_usb
• resources_disk_address
• network_physical_ovn_ingress_mode
• network_ovn_dhcp
• network_physical_routes_anycast
• projects_limits_instances
• network_state_vlan
• instance_nic_bridged_port_isolation
• instance_bulk_state_change
• network_gvrp
• instance_pool_move
• gpu_sriov
• pci_device_type
• storage_volume_state
• network_acl
• migration_stateful
• disk_state_quota
• storage_ceph_features
• projects_compression
• projects_images_remote_cache_expiry
• certificate_project
• network_ovn_acl
• projects_images_auto_update
• projects_restricted_cluster_target
• images_default_architecture
• network_ovn_acl_defaults
• gpu_mig
• project_usage
• network_bridge_acl
• warnings
• projects_restricted_backups_and_snapshots
• clustering_join_token
• clustering_description
• server_trusted_proxy
• clustering_update_cert
• storage_api_project
• server_instance_driver_operational
• server_supported_storage_drivers
• event_lifecycle_requestor_address
• resources_gpu_usb
• clustering_evacuation
• network_ovn_nat_address
• network_bgp
• network_forward
• custom_volume_refresh
• network_counters_errors_dropped
• metrics
• image_source_project
• clustering_config
• network_peer
• linux_sysctl
• network_dns
• ovn_nic_acceleration
• certificate_self_renewal
• instance_project_move
• storage_volume_project_move
• cloud_init
• network_dns_nat
• database_leader
• instance_all_projects
• clustering_groups
• ceph_rbd_du
• instance_get_full
• qemu_metrics
• gpu_mig_uuid
• event_project
• clustering_evacuation_live
• instance_allow_inconsistent_copy
• network_state_ovn
• storage_volume_api_filtering
• image_restrictions
• storage_zfs_export
• network_dns_records
• storage_zfs_reserve_space
• network_acl_log
• storage_zfs_blocksize
• metrics_cpu_seconds
• instance_snapshot_never
• certificate_token
• instance_nic_routed_neighbor_probe
• event_hub
• agent_nic_config
• projects_restricted_intercept
• metrics_authentication api_status: stable api_version: "1.0" auth: trusted public: false auth_methods:
• tls environment: addresses: [] architectures:
  • x86_64
  • i686 certificate: |

    ---

    certificate_fingerprint: *** driver: lxc driver_version: 4.0.12 firewall: nftables kernel: Linux kernel_architecture: x86_64 kernel_features: idmapped_mounts: "false" netnsid_getifaddrs: "true" seccomp_listener: "true" seccomp_listener_continue: "true" shiftfs: "false" uevent_injection: "true" unpriv_fscaps: "true" kernel_version: 5.4.0-105-generic lxc_features: cgroup2: "true" core_scheduling: "true" devpts_fd: "true" idmapped_mounts_v2: "true" mount_injection_file: "true" network_gateway_device_route: "true" network_ipvlan: "true" network_l2proxy: "true" network_phys_macvlan_mtu: "true" network_veth_router: "true" pidfd: "true" seccomp_allow_deny_syntax: "true" seccomp_notify: "true" seccomp_proxy_send_notify_fd: "true" os_name: Ubuntu os_version: "20.04" project: default server: lxd server_clustered: false server_event_mode: full-mesh server_name: keen-mayfly server_pid: 5700 server_version: "4.24" storage: zfs storage_version: 0.8.3-1ubuntu12.13 storage_supported_drivers:

  • name: btrfs version: 5.4.1 remote: false
  • name: cephfs version: 15.2.14 remote: true
  • name: dir version: "1" remote: false
  • name: lvm version: 2.03.07(2) (2019-11-30) / 1.02.167 (2019-11-30) / 4.41.0 remote: false
  • name: zfs version: 0.8.3-1ubuntu12.13 remote: false
  • name: ceph version: 15.2.14 remote: true

Issue description

LXD containers no longer have outbound networking.

Just the other day, my lxc instances communicated to the WAN just fine. Today, I try to launch an instance and it can't communicate with anything on the internet.

I have validated this on my local dev system, coworkers systems and fresh new 20.04 machines.

Steps to reproduce

1) Install a fresh ubuntu 20.04 machine 2) refresh the lxd snap to latest/stable 3) run sudo lxd init 4) Launch an ubuntu:20.04 instance, exec in and try to ping google - this will fail

jbemfv@VDL900076:~$ juju add-machine --series focal --constraints "spaces=maas-vm cores=8 mem=8G root-disk=20G"
created machine 0
jbemfv@VDL900076:~$ wjst
jbemfv@VDL900076:~$ juju ssh 0
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-105-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Mar 22 21:49:53 UTC 2022

  System load:  1.44               Processes:             197
  Usage of /:   36.1% of 18.21GB   Users logged in:       0
  Memory usage: 4%                 IPv4 address for eth7: 10.104.196.120
  Swap usage:   0%

0 updates can be applied immediately.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

ubuntu@keen-mayfly:~$ snap list
Name    Version   Rev    Tracking       Publisher   Notes
core20  20220304  1376   latest/stable  canonical✓  base
lxd     4.0.9     22526  4.0/stable/…   canonical✓  -
snapd   2.54.4    15177  latest/stable  canonical✓  snapd
ubuntu@keen-mayfly:~$ sudo snap refresh lxd --channel latest/stable
Download snap "lxd" (22710) from channel "latest/stable"                                                 83% 7.78MB/s 1.34sDownload snap "lxd" (22710) from channel "latest/stable"                                                 85% 7.78MB/s 1.24sDownload snap "lxd" (22710) from channel "latest/stable"                                                 86% 7.78MB/s 1.14sDownload snap "lxd" (22710) from channel "latest/stable"                                                 87% 7.78MB/s 1.04sDownload snap "lxd" (22710) from channel "latest/stable"                                                 88% 7.78MB/s 940msDownload snap "lxd" (22710) from channel "latest/stable"                                                 92% 7.80MB/s 620msDownload snap "lxd" (22710) from channel "latest/stable"                                                 94% 7.80MB/s 520msDownload snap "lxd" (22710) from channel "latest/stable"                                                 96% 7.81MB/s 301msDownload snap "lxd" (22710) from channel "latest/stable"                                                 97% 7.81MB/s 201msDownload snap "lxd" (22710) from channel "latest/stable"                                                 99% 7.81MB/s 101msDownload snap "lxd" (22710) from channel "latest/stable"                                                100% 7.71MB/s 0.0nsDownload snap "lxd" (22710) from channel "latest/stable"                                                100% 7.61MB/s 0.0nsDownload snap "lxd" (22710) from channel "latest/stable"                                                100% 7.52MB/s 0.0nsDownload snap "lxd" (22710) from channel "latest/stable"                                                100% 7.34MB/s 0.0nsFetch and check assertions for snap "lxd" (22710)                                                                         /Fetch and check assertions for snap "lxd" (22710)                                                                         -Mount snap "lxd" (22710)                                                                                                  |Mount snap "lxd" (22710)                                                                                                  /Mount snap "lxd" (22710)                                                                                                  \Mount snap "lxd" (22710)                                                                                                  |Stop snap "lxd" services                                                                                                  -Stop snap "lxd" services                                                                                                  \Stop snap "lxd" services                                                                                                  |Stop snap "lxd" services                                                                                                  /Stop snap "lxd" services                                                                                                  -Stop snap "lxd" services                                                                                                  |Stop snap "lxd" services                                                                                                  /Stop snap "lxd" services                                                                                                  -Stop snap "lxd" services                                                                                                  \Stop snap "lxd" services                                                                                                  |Stop snap "lxd" services                                                                                                  /Stop snap "lxd" services                                                                                                  \Stop snap "lxd" services                                                                                                  |Stop snap "lxd" services                                                                                                  -Stop snap "lxd" services                                                                                                  |Stop snap "lxd" services                                                                                                  -Handling re-refresh of "lxd" as needed                                                                                    \
lxd 4.24 from Canonical✓ refreshed
ubuntu@keen-mayfly:~$ sudo snap install juju --channel latest/stable
error: This revision of snap "juju" was published using classic confinement and thus may perform
       arbitrary system changes outside of the security sandbox that snaps are usually confined to,
       which may put your system at risk.

       If you understand and want to proceed repeat the command including --classic.
ubuntu@keen-mayfly:~$ sudo snap install juju --channel latest/stable --classic
error: cannot perform the following tasks:
- Download snap "core18" (2344) from channel "stable" (Get https://canonical-lgw01.cdn.snapcraftcontent.com/download-origin/canonical-lgw01/CSO04Jhav2yK0uz97cr0ipQRyqg0qQL6_2344.snap?interactive=1&token=1647997200_eb7558078480cacd423b8ea4f66bb3fa39b76bf2: dial tcp: lookup canonical-lgw01.cdn.snapcraftcontent.com: No address associated with hostname)
ubuntu@keen-mayfly:~$ sudo snap install juju --channel latest/stable --classic
Download snap "juju" (18573) from channel "latest/stable"                                                13% 3.23MB/s 25.4s
Download snap "juju" (18573) from channel "latest/stable"                                                14% 3.21MB/s 25.4s
Download snap "juju" (18573) from channel "latest/stable"                                                14% 3.23MB/s 25.1s
Download snap "juju" (18573) from channel "latest/stable"                                                15% 3.21MB/s 25.1s
Download snap "juju" (18573) from channel "latest/stable"                                                16% 3.23MB/s 24.8s
Download snap "juju" (18573) from channel "latest/stable"                                                16% 3.21MB/s 24.7s
Download snap "juju" (18573) from channel "latest/stable"                                                17% 3.20MB/s 24.6s
Download snap "juju" (18573) from channel "latest/stable"                                                17% 3.21MB/s 24.4s
juju 2.9.27 from Canonical✓ installed
ubuntu@keen-mayfly:~$ 
ubuntu@keen-mayfly:~$ 
ubuntu@keen-mayfly:~$ 
ubuntu@keen-mayfly:~$ 
ubuntu@keen-mayfly:~$ 
ubuntu@keen-mayfly:~$ 
ubuntu@keen-mayfly:~$ 
ubuntu@keen-mayfly:~$ 
ubuntu@keen-mayfly:~$ sudo lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (lvm, zfs, ceph, btrfs, dir) [default=zfs]: 
Create a new ZFS pool? (yes/no) [default=yes]: 
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=5GB]: 10G
Invalid input: strconv.ParseInt: parsing "10G": invalid syntax

Size in GB of the new loop device (1GB minimum) [default=5GB]: 10GB
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: none
Would you like the LXD server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]: 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
ubuntu@keen-mayfly:~$ lxc launch ubuntu:20.04 u1
If this is your first time running LXD on this machine, you should also run: lxd init

Error: Get "http://unix.socket/1.0": dial unix /var/snap/lxd/common/lxd/unix.socket: connect: permission denied
ubuntu@keen-mayfly:~$ sudo adduser ubuntu lxd
Adding user `ubuntu' to group `lxd' ...
Adding user ubuntu to group lxd
Done.
ubuntu@keen-mayfly:~$ newgrp lxd
ubuntu@keen-mayfly:~$ lxc launch ubuntu:20.04 u1
Creating u1
Retrieving image: rootfs: 21% (19.22MB/s)   
Starting u1                                 
ubuntu@keen-mayfly:~$ lxc shell u1
root@u1:~# ping google.com
PING google.com (172.217.21.174) 56(84) bytes of data.

dmesg output

https://paste.ubuntu.com/p/D7dbXDtPf6/

Please let me know if you need anything else.

Thanks

[stgraber]

Can you check that:

• The instance can ping its gateway
• That the host the instance is running on can indeed reach the internet

And then give us the output of:

• iptables -L -n -v (from the host)

[stgraber]

This seems to be using LXD 4.0.9 which hasn't been updated in several weeks so if this used to work some days ago, then it's very unlikely to be caused by anything we did :)

[tomponline]

ubuntu@keen-mayfly:~$ sudo snap refresh lxd --channel latest/stable Download snap "lxd" (22710) from channel "latest/stable" 83% 7.78MB/s 1.34sDownload snap lxd 4.24 from Canonical✓ refreshed

Looks like the OP refreshed to LXD 4.24.

Most likely this is a firewall issue. These can occur suddenly if you have an ordering issue between your system firewall and the one LXD sets up.

Please show the output of:

• lxc config show <instance> --expanded.
• ip a and ip r on the LXD host and inside the container.
• Output of sudo nft list ruleset and sudo iptables-save (if you don't have nft installed do sudo apt install nftables first).

[stgraber]

Oh right, I missed the refresh.

[jamesbeedy]

$ lxc config show u5 --expanded

architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 20.04 LTS amd64 (release) (20220321)
  image.label: release
  image.os: ubuntu
  image.release: focal
  image.serial: "20220321"
  image.type: squashfs
  image.version: "20.04"
  volatile.base_image: 9a04aa57d48d12a3a82eb71587eeef726924c3088a84a3acc62d84f02c11f32e
  volatile.eth0.host_name: veth5b0d419b
  volatile.eth0.hwaddr: 00:16:3e:59:53:d4
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 56b21b5b-04ac-4269-a406-bbbc9fbb1133
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

ip a in host

ubuntu@keen-mayfly:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:12:d3:a3 brd ff:ff:ff:ff:ff:ff
    inet 10.104.196.120/23 brd 10.104.197.255 scope global eth7
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe12:d3a3/64 scope link 
       valid_lft forever preferred_lft forever
3: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:27:7e:00 brd ff:ff:ff:ff:ff:ff
    inet 10.14.99.1/24 scope global lxdbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe27:7e00/64 scope link 
       valid_lft forever preferred_lft forever
5: veth66c0b3a0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
    link/ether aa:71:95:7a:2d:3c brd ff:ff:ff:ff:ff:ff link-netnsid 0
8: veth5b0d419b@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
    link/ether ba:bc:38:22:48:16 brd ff:ff:ff:ff:ff:ff link-netnsid 1

ip a in container

$ lxc shell u5
root@u5:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:59:53:d4 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.14.99.164/24 brd 10.14.99.255 scope global dynamic eth0
       valid_lft 2989sec preferred_lft 2989sec
    inet6 fe80::216:3eff:fe59:53d4/64 scope link 
       valid_lft forever preferred_lft forever

ubuntu@keen-mayfly:~$ sudo nft list ruleset
table inet lxd {
    chain pstrt.lxdbr0 {
        type nat hook postrouting priority srcnat; policy accept;
        @nh,96,24 659043 @nh,128,24 != 659043 masquerade
    }

    chain fwd.lxdbr0 {
        type filter hook forward priority filter; policy accept;
        ip version 4 oifname "lxdbr0" accept
        ip version 4 iifname "lxdbr0" accept
    }

    chain in.lxdbr0 {
        type filter hook input priority filter; policy accept;
        iifname "lxdbr0" tcp dport 53 accept
        iifname "lxdbr0" udp dport 53 accept
        iifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        iifname "lxdbr0" udp dport 67 accept
    }

    chain out.lxdbr0 {
        type filter hook output priority filter; policy accept;
        oifname "lxdbr0" tcp sport 53 accept
        oifname "lxdbr0" udp sport 53 accept
        oifname "lxdbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        oifname "lxdbr0" udp sport 67 accept
    }
}

$ sudo iptables-save
# Generated by iptables-save v1.8.4 on Wed Mar 23 22:58:42 2022
*raw
:PREROUTING ACCEPT [325446:1196590277]
:OUTPUT ACCEPT [189286:10633456]
COMMIT
# Completed on Wed Mar 23 22:58:42 2022
# Generated by iptables-save v1.8.4 on Wed Mar 23 22:58:42 2022
*mangle
:PREROUTING ACCEPT [325446:1196590277]
:INPUT ACCEPT [301092:1149692953]
:FORWARD ACCEPT [21336:46097554]
:OUTPUT ACCEPT [189288:10633832]
:POSTROUTING ACCEPT [210624:56731386]
COMMIT
# Completed on Wed Mar 23 22:58:42 2022
# Generated by iptables-save v1.8.4 on Wed Mar 23 22:58:42 2022
*nat
:PREROUTING ACCEPT [3389:886619]
:INPUT ACCEPT [324:85006]
:OUTPUT ACCEPT [347:26057]
:POSTROUTING ACCEPT [346:26017]
COMMIT
# Completed on Wed Mar 23 22:58:42 2022
# Generated by iptables-save v1.8.4 on Wed Mar 23 22:58:42 2022
*filter
:INPUT ACCEPT [301092:1149692953]
:FORWARD ACCEPT [21336:46097554]
:OUTPUT ACCEPT [189293:10634784]
COMMIT
# Completed on Wed Mar 23 22:58:42 2022

[jamesbeedy]

$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 301K packets, 1150M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 21336 packets, 46M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 189K packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination 

[stgraber]

Not seeing anything obviously wrong there. Can you do:

• lxc exec u5 -- ping 10.14.99.1 -c5
• lxc exec u5 -- ping 8.8.8.8 -c5
• ping 8.8.8.8 -c5

[tomponline]

Can we see 'lxc network show lxdbr0' too please

[tomponline]

Also you didn't provide the requested output of 'ip r' from host and container

[One-sixth]

@stgraber I have a similar problem. The instance is randomly disconnected after rebooting the host. Whenever something like this happens, I need to manually lxd shutdown and sudo lxd to restart the LXD service. Then instance can access the WAN and host's LAN again. This problem only affects the instance's access to the WAN and host's LAN, and does not affect the host's access to the instance through the proxy device. This problem occurs in containers that are automatically started after reboot the host, and the probability of occurrence is 20%. The instance uses LxC's default network settings without special changes.

System is ubuntu20.04. LXD version is 4.23.

[tomponline]

disconnected

Unfortunately "disconnected" comes in many ways, so without being able to narrow down what form of disconnection is occuring in both cases it is not possible to resolve it.

Next time it happens please can you gather the diagnostics output requested in this thread to see if we can narrow it down.

Thanks