
I have a CentOS 7 box with 2 NICs - one ethernet port, and one wireless. I would like to create an lxc container that acts as a router that meets the following requirements:

  1. When running hostapd, clients that are connected to the access point should have all data routed through this container.
  2. Any other installed lxc containers should also route all data through this routing container.
  3. If the ethernet port is connected to the internet, then the host and all containers should have internet access, as well as any clients connected to the access point.

To configure this, I have done the following:

  • Created the routing lxc container
  • The host has interfaces eth0 and wlan0. I have also created br-eth0 and br-wlan0, which are bridges, and have added those two interfaces to them, respectively.
  • br-eth0 is configured as a dhcp client to connect to my external router via the eth0 NIC
  • br-wlan0 has a static IP of 10.0.0.1, and dnsmasq is listening on that interface and issuing IP addresses in the 10.0.0.0/24 subnet
  • I have configured the lxc routing container to create 2 interfaces that are connected to those bridges (leth0, leth1). leth0 is a dhcp client, and leth1 has a static IP address of 10.0.0.201.
  • I have created another bridge, br-router, which has also been connected to a third interface in the routing container. This bridge has a static IP address of 192.168.3.254 in the host, and the interface in the routing container (leth2) has a static IP address of 192.168.3.1
  • The routing container is also running dnsmasq, listening on the leth2 interface, and provides IP addresses in the 192.168.3/24 subnet (.3 - .200), so any other lxc containers that bring this bridge in will be given any IP address in that subnet
  • I have turned on masquerading on leth0 in the routing container.
  • I have configured the default gateway in the host to be 192.168.3.1, so that all traffic originating from within the host is routed through the routing container.

For test purposes, I also created a second lxc container, that includes a single interface that brings br-router into the container, and this container is hosting a webpage on port 8080. That single interface (teth0) is issued an IP address via dhcp (in this case, 192.168.3.9)

With this setup, I can successfully reach the internet from within the host, the routing container, and the test container. As well, from both the routing container and test container, I can curl http://192.168.3.9:8080 and successfully retrieve the webpage.

So, requirements 2 and 3 are met. However, when connecting a client to this system, while I am provided an IP address in the 10.0.0.0/24 subnet (via dnsmasq running on br-wlan0), I do not have an internet connection (I realize I wouldn't without some routing changes or something, that's why I'm here). I also have tried doing some port forwarding using firewalld in the routing container on leth1 from port 80 to 192.168.3.9:8080, in the hopes that I could serve the web page from the test container to a connected client using http://10.0.0.201 - however, no such luck. (That said, this port forwarding attempt DOES allow me to access the website via the 201 address from the host.)

I'm sure there is a combination of routing changes, iptables rules, and port forwarding rules that would make this all play nicely, but after a few days of experimenting I can't for the life of me figure it out. I'm still pretty novice when it comes to all of this networking, so I'm hoping someone out there can help me. Hopefully I painted a decent enough picture of the current configuration.

Thanks!

Zane
  • I'd like to clarify that I did manage to serve the webpage to the client connected to the access point - that was a problem due to a mistake I had made where I had another container installed with the same IP address. I still do not have internet access on the client, however. – Zane Dec 07 '20 at 16:00
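As an added diagnostic (not part of the question or any answer), the script below checks three things the described topology depends on before any traffic from an AP client can reach the internet through the routing container: IP forwarding, the reverse-path filter on the interface that receives the host-forwarded client packets, and the presence of a masquerade rule. It assumes the interface names and addresses from the question (leth0 upstream, leth1 = 10.0.0.201 on br-wlan0, leth2 = 192.168.3.1 on br-router) and that dnsmasq on br-wlan0 hands clients the host's 10.0.0.1 as their gateway, which is its default behaviour; the sample command output embedded in it is constructed.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Assumes the interface
# names and addresses given in the question; sample output is constructed.

# 1. Forwarding: $1 is the contents of /proc/sys/net/ipv4/ip_forward.
#    Needed on the host (br-wlan0 -> br-router) and in the routing container.
forwarding_on() { [ "$1" = "1" ]; }

# 2. Reverse-path filter: $1 is /proc/sys/net/ipv4/conf/<if>/rp_filter.
#    Strict mode (1) drops a packet whose source address would be routed
#    out a different interface. Client packets forwarded by the host enter
#    the routing container on leth2, but 10.0.0.0/24 is directly reachable
#    on leth1, so strict mode on leth2 drops them silently; 0 (off) or
#    2 (loose) let them through.
rp_filter_loose() { [ "$1" != "1" ]; }

# 3. NAT: $1 is the output of `iptables-save -t nat`. Without a MASQUERADE
#    target, replies to 10.0.0.x or 192.168.3.x sources never come back
#    through leth0. firewalld places the rule in its own zone chain rather
#    than directly in POSTROUTING, so only the target is matched here.
has_masquerade() {
  printf '%s\n' "$1" | grep -q -e '-j MASQUERADE'
}

# Constructed sample of what firewalld's masquerade looks like in the
# nat table of the routing container.
SAMPLE_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POST_public_allow ! -o lo -j MASQUERADE
COMMIT'

# Run the checks against the live routing container: sh thisfile.sh --live
check_live() {
  forwarding_on "$(cat /proc/sys/net/ipv4/ip_forward)" \
    || echo "ip_forward is off"
  rp_filter_loose "$(cat /proc/sys/net/ipv4/conf/leth2/rp_filter)" \
    || echo "rp_filter on leth2 is strict (1); packets from 10.0.0.0/24 via leth2 are dropped"
  has_masquerade "$(iptables-save -t nat)" \
    || echo "no MASQUERADE rule in the nat table"
}
if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run the same three checks on the host as well, substituting br-router for leth2, since the host forwards the client traffic first.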
