Yes, I too found that bit about lxc.net.0.veth.pair in the man page. So the name is consistent now and is what I used in the firewall zone.
After starting the container there was still no ability to ping, but after I ran the command you suggested, I can ping it.
# ip addr add 10.0.4.1/24 dev lxc-test
# ping 10.0.4.1
PING 10.0.4.1 (10.0.4.1): 56 data bytes
64 bytes from 10.0.4.1: seq=0 ttl=64 time=0.133 ms
64 bytes from 10.0.4.1: seq=1 ttl=64 time=0.249 ms
And
# ip route
default via xxx.xxx.xxx.1 dev eth1 src xxx.xxx.xxx.34
10.0.4.0/24 dev lxc-test scope link src 10.0.4.1
10.0.4.1 dev lxc-test scope link
10.9.5.0/24 dev eth0.5 scope link src 10.9.5.1
10.9.7.0/24 dev eth0.3 scope link src 10.9.7.1
10.9.8.0/24 dev eth0.1 scope link src 10.9.8.1
10.200.200.0/24 dev wg0 scope link src 10.200.200.200
10.200.200.201 dev wg0 scope link
10.200.200.202 dev wg0 scope link
10.200.200.203 dev wg0 scope link
xxx.xxx.xxx.0/22 dev eth1 scope link src xxx.xxx.xxx.34
And:
# ip a
...
137: ifb4eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN qlen 32
link/ether 72:27:93:1b:43:a7 brd ff:ff:ff:ff:ff:ff
inet6 fe80::7027:93ff:fe1b:43a7/64 scope link
valid_lft forever preferred_lft forever
152: lxc-test@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether fe:d8:6e:bc:44:f3 brd ff:ff:ff:ff:ff:ff
inet 10.0.4.1/24 scope global lxc-test
valid_lft forever preferred_lft forever
inet6 fe80::fcd8:6eff:febc:44f3/64 scope link
valid_lft forever preferred_lft forever
OK, the lxc.net.[i].ipv4.gateway option specifies gateway to use on the inside of the container, can you try putting 10.0.4.1 there?
P.S. I'm getting this feeling that just bridging to an interface which we can control with LuCI looks like a better idea in terms of automation and ease of control. Anywho, this was quite entertaining.
Just create a bridge e.g. lxcbr0.
Set up lxc to use lxcbr0 as the link. Set up IP 10.0.4.250/24 gateway 10.0.4.1.
Create network using lxcbr0 interface. Set up IP 10.0.4.1/24.
Create firewall zone for this network.
Voila?
The difference is that traffic will be routed to lxcbr0 instead of lxc-test, and we can control it from LuCI, since the network with lxcbr0 appears on the Interfaces page & in /etc/config/network.
# lxc-start -n pihole -F
lxc-start: pihole: network.c: netdev_configure_server_veth: 708 No such file or directory - Failed to attach "veth0ZzBNB" to bridge "lxcbr0", bridge interface doesn't exist
lxc-start: pihole: network.c: lxc_create_network_priv: 3419 No such file or directory - Failed to create network device
lxc-start: pihole: start.c: lxc_spawn: 1826 Failed to create the network
lxc-start: pihole: start.c: __lxc_start: 2053 Failed to spawn container "pihole"
lxc-start: pihole: tools/lxc_start.c: main: 308 The container failed to start
lxc-start: pihole: tools/lxc_start.c: main: 313 Additional information can be obtained by setting the --logfile and --logpriority options
Do I also need to create an interface in LuCI for the bridge to use?
I know that LuCI represents confusing networking terms. I'm actually in the middle of writing a mail to correct them. For now, think of "Interfaces" as "Networks", and "Devices" as "Interfaces".
The network configuration looks good to me. It's kind of hard to read the firewall configuration though. That's about all I can do. And make sure /etc/resolv.conf inside the container has a correct nameserver defined.
If you can ping 1.1.1.1 from inside the container, there must be something wrong with the container itself or with the firewall rules allowing UDP/TCP port 53 for the lxc zone.
AH! You're also supposed to allow forwarding to wan zone (or wireguard if you use it for internet access) for lxc zone. Or did you only allow port 53 to be forwarded?
Acknowledgement to @arinc9. For others wanting this setup, see below.
RPi4 primary router/firewall using VLANs (my setup has WiFi provided by a dumb AP and uses these VLANs to maintain isolation between three networks but that is outside the scope of this) via subinterfaces
LXC running pi-hole in my case but can be anything obviously (great post on LXC setup)
Dumb AP (VLAN-aware) connected for WiFi (outside of scope of this but mentioned for clarity)
/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1a:184b:b879::/48'
	option packet_steering '1'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'wg0'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'lxcbr0'
	option ipv6 '0'
	option bridge_empty '1'

config device
	option name 'eth0.1'
	option type '8021q'
	option ifname 'eth0'
	option vid '1'
	option ipv6 '0'

config device
	option name 'eth0.3'
	option type '8021q'
	option ifname 'eth0'
	option vid '3'
	option ipv6 '0'

config device
	option name 'eth0.5'
	option type '8021q'
	option ifname 'eth0'
	option vid '5'
	option ipv6 '0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	option delegate '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'lxc'
	option device 'lxcbr0'
	option proto 'static'
	option ipaddr '10.0.4.1'
	option netmask '255.255.255.0'

config interface 'lan'
	option device 'eth0.1'
	option proto 'static'
	option ipaddr '10.9.8.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'eth0.3'
	option proto 'static'
	option ipaddr '10.9.7.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'eth0.5'
	option proto 'static'
	option ipaddr '10.9.5.1'
	option netmask '255.255.255.0'

config interface 'wg0'
	option proto 'wireguard'
	...
	# wireguard specifics omitted for privacy
/etc/config/firewall
# standard firewall rules omitted
config rule 'wg'
	option name 'Allow-WireGuard'
	option proto 'udp'
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '4500'

config include
	option path '/etc/firewall.user'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	list network 'wg0'
	option input 'REJECT'

config zone
	option name 'lxc'
	option output 'ACCEPT'
	list network 'lxc'
	option forward 'ACCEPT'
	option input 'REJECT'

config zone
	option name 'iot'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'iot'

config zone 'wan'
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	list network 'wan'

config rule
	option src 'guest'
	option target 'ACCEPT'
	option name 'guest dhcp and dns'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67 68'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option src 'iot'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67 68'
	option name 'iot dhcp and dns'

config rule
	list proto 'udp'
	option src 'lxc'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'pi-hole-dns lxc to input'

config rule
	list proto 'udp'
	option src 'guest'
	option dest 'lxc'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'pi-hole-dns guest to lxc'

config forwarding
	option src 'lan'
	option dest 'guest'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'lan'
	option dest 'lxc'

config forwarding
	option src 'lxc'
	option dest 'wan'
/srv/lxc/pihole/config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: --dist archlinux --release current
# Template script checksum (SHA-1): 8dff53d9a72ba3c071585c5762e2d14c57943cfa
# For additional config options, please look at lxc.container.conf(5)
# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)
# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = aarch64
# Container specific configuration
lxc.rootfs.path = dir:/srv/lxc/pihole/rootfs
lxc.uts.name = pihole
# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.ipv4.address = 10.0.4.250/24
lxc.net.0.ipv4.gateway = 10.0.4.1
Networks a.k.a. Interfaces and Interfaces a.k.a. Devices:
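As an added example (not code from the thread, from OpenWrt, or from the poster), here is a POSIX shell audit that reads a UCI firewall configuration and checks the two things arinc9 raised earlier in the thread: that the lxc zone has a forwarding to the upstream zone (wan, or the wireguard zone if that carries internet traffic), and that each client zone can reach the lxc zone on port 53, either through a full zone forwarding (as lan does in the posted config) or through a dest_port 53 ACCEPT rule (as guest does). The embedded sample config is constructed to mirror the posted /etc/config/firewall; all function and variable names are my own.

```shell
#!/bin/sh
# Added example: audit a UCI firewall config for the paths an LXC DNS container needs.
# Not OpenWrt code; function names are the author's own. Works with busybox ash, dash, bash.

# Constructed sample (same shape as the /etc/config/firewall posted in the thread).
SAMPLE_FW=$(cat <<'EOF'
config zone
    option name 'lxc'
    option output 'ACCEPT'
    list network 'lxc'
    option forward 'ACCEPT'
    option input 'REJECT'
config zone 'wan'
    option name 'wan'
    option output 'ACCEPT'
    option masq '1'
    option input 'DROP'
    option forward 'DROP'
    list network 'wan'
config forwarding
    option src 'lxc'
    option dest 'wan'
config forwarding
    option src 'lan'
    option dest 'lxc'
config rule
    list proto 'udp'
    option src 'guest'
    option dest 'lxc'
    option dest_port '53'
    option target 'ACCEPT'
    option name 'pi-hole-dns guest to lxc'
EOF
)

# fw_zone_policy CONFIG ZONE: print "input output forward" for that zone
# ("default" = not set in the zone, so inherited from 'config defaults').
fw_zone_policy() {
    printf '%s\n' "$1" | awk -v q="'" -v want="$2" '
        function flush() { if (sec && name == want) print inp, outp, fwd }
        $1 == "config" { flush(); sec = ($2 == "zone"); name = ""; inp = outp = fwd = "default"; next }
        sec && $1 == "option" {
            v = $3; for (i = 4; i <= NF; i++) v = v " " $i; gsub(q, "", v)
            if ($2 == "name")    name = v
            if ($2 == "input")   inp  = v
            if ($2 == "output")  outp = v
            if ($2 == "forward") fwd  = v
        }
        END { flush() }'
}

# fw_forwardings CONFIG: print "src dest" for every 'config forwarding' section.
fw_forwardings() {
    printf '%s\n' "$1" | awk -v q="'" '
        function flush() { if (sec) print src, dst }
        $1 == "config" { flush(); sec = ($2 == "forwarding"); src = dst = ""; next }
        sec && $1 == "option" {
            v = $3; gsub(q, "", v)
            if ($2 == "src")  src = v
            if ($2 == "dest") dst = v
        }
        END { flush() }'
}

# fw_has_forwarding CONFIG SRC DEST: exit 0 if zone SRC may forward to zone DEST.
fw_has_forwarding() {
    fw_forwardings "$1" | grep -qx "$2 $3"
}

# fw_dns_rule_exists CONFIG SRC DEST: exit 0 if a 'config rule' ACCEPTs SRC -> DEST with 53 in dest_port.
fw_dns_rule_exists() {
    printf '%s\n' "$1" | awk -v q="'" -v s="$2" -v d="$3" '
        function flush() { if (sec && src == s && dst == d && tgt == "ACCEPT" && has53) ok = 1 }
        $1 == "config" { flush(); sec = ($2 == "rule"); src = dst = tgt = ""; has53 = 0; next }
        sec && $1 == "option" {
            v = $3; for (i = 4; i <= NF; i++) v = v " " $i; gsub(q, "", v)
            if ($2 == "src")    src = v
            if ($2 == "dest")   dst = v
            if ($2 == "target") tgt = v
            if ($2 == "dest_port") { n = split(v, p, " "); for (i = 1; i <= n; i++) if (p[i] == "53") has53 = 1 }
        }
        END { flush(); exit(ok ? 0 : 1) }'
}

# fw_dns_reachable CONFIG SRC DEST: a full forwarding or a port-53 rule both satisfy the check.
fw_dns_reachable() {
    fw_has_forwarding "$1" "$2" "$3" || fw_dns_rule_exists "$1" "$2" "$3"
}

# fw_audit_lxc CONFIG LXC_ZONE UPSTREAM_ZONE CLIENT_ZONE...: one line per check, exit 1 if any gap.
fw_audit_lxc() {
    cfg=$1; zone=$2; up=$3; shift 3
    rc=0
    echo "zone $zone policy (input output forward): $(fw_zone_policy "$cfg" "$zone")"
    if fw_has_forwarding "$cfg" "$zone" "$up"; then
        echo "OK: $zone -> $up forwarding present (container can reach upstream resolvers)"
    else
        echo "MISSING: no 'config forwarding' with src '$zone' dest '$up'"
        rc=1
    fi
    for c in "$@"; do
        if fw_dns_reachable "$cfg" "$c" "$zone"; then
            echo "OK: $c reaches $zone on port 53"
        else
            echo "MISSING: $c cannot reach $zone on port 53 (add a dest_port 53 rule with dest '$zone', or a forwarding)"
            rc=1
        fi
    done
    return $rc
}

# Run against the constructed sample: lan (forwarding) and guest (rule) pass, iot is flagged.
fw_audit_lxc "$SAMPLE_FW" lxc wan lan guest iot || echo "audit found gaps"
```

On the router itself, call fw_audit_lxc "$(cat /etc/config/firewall)" lxc wan lan guest iot. Against the posted config it flags iot: that zone has neither a forwarding to lxc nor a rule with dest 'lxc', so its 'iot dhcp and dns' rule only reaches the router's own resolver, not the Pi-hole container.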