- A VLAN interface is configured on the hardware node.
- A container is created on the hardware node with a network adapter in host-routed mode and is assigned an IP address from the VLAN network.
- As a result, the container is not reachable from the external network; it is accessible only from within the VLAN.
Such a configuration causes asymmetric routing on the hardware node:
- incoming traffic arrives through the VLAN interface, because the external router forwards it there correctly
- outgoing traffic leaves through the default route (unless a route is defined explicitly)
As a result, the hardware node drops such traffic, because reverse path filtering (rp_filter), which is enabled by default in strict mode, discards packets whose return route does not lead back through the interface they arrived on.
Enable loose reverse path filtering (rp_filter=2) for all adapters that process this traffic, i.e. the physical interface and its VLAN sub-interfaces (eth0, eth0.40 and eth0.41 in the example below).
To change the setting temporarily (until the next reboot):
# sysctl net.ipv4.conf.eth0.rp_filter=2
# sysctl net.ipv4.conf.eth0.40.rp_filter=2
# sysctl net.ipv4.conf.eth0.41.rp_filter=2
To save the settings permanently:
# echo "net.ipv4.conf.eth0.rp_filter=2" >> /etc/sysctl.conf
# echo "net.ipv4.conf.eth0.40.rp_filter=2" >> /etc/sysctl.conf
# echo "net.ipv4.conf.eth0.41.rp_filter=2" >> /etc/sysctl.conf
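The same procedure as a small POSIX shell script, added here as an example; it is not part of the original article or of the product's own tooling. It applies the runtime change by writing the /proc/sys file directly (which sidesteps the ambiguity of dots in VLAN interface names such as eth0.40), persists the key to sysctl.conf without appending duplicate lines on repeated runs, and verifies the result. The interface list, the SYSCTL_ROOT and SYSCTL_CONF overrides and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article: enable loose reverse path
# filtering (rp_filter=2) on a set of interfaces and make it persistent.
#
# Assumptions (not from the page): SYSCTL_ROOT and SYSCTL_CONF can be
# overridden so the functions can be exercised against a scratch directory;
# the interface list (eth0 plus VLAN sub-interfaces .40 and .41) is an example.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# Path of the per-interface rp_filter knob, e.g. /proc/sys/net/ipv4/conf/eth0.40/rp_filter.
rp_filter_path() {
    printf '%s/net/ipv4/conf/%s/rp_filter\n' "$SYSCTL_ROOT" "$1"
}

# Print the current value for an interface: 0 = off, 1 = strict, 2 = loose.
get_rp_filter() {
    cat "$(rp_filter_path "$1")"
}

# Succeeds only when the interface is in loose mode (2).
rp_filter_is_loose() {
    [ "$(get_rp_filter "$1")" = 2 ]
}

# Runtime change, equivalent to: sysctl net.ipv4.conf.<iface>.rp_filter=<mode>
set_rp_filter() {
    iface=$1; mode=$2
    case "$mode" in
        0|1|2) ;;
        *) echo "invalid rp_filter mode: $mode" >&2; return 1 ;;
    esac
    path=$(rp_filter_path "$iface")
    [ -w "$path" ] || { echo "cannot write $path (missing interface or not root?)" >&2; return 1; }
    printf '%s\n' "$mode" > "$path"
}

# Persistent change: update an existing "key = value" line in sysctl.conf,
# or append one if the key is absent. Plain '>>' appends, as in the manual
# steps, leave one duplicate line per run; this keeps the file clean.
persist_rp_filter() {
    iface=$1; mode=$2
    key="net.ipv4.conf.$iface.rp_filter"
    key_re=$(printf '%s\n' "$key" | sed 's/\./\\./g')   # escape dots for grep
    if grep -q "^[[:space:]]*$key_re[[:space:]]*=" "$SYSCTL_CONF" 2>/dev/null; then
        tmp="$SYSCTL_CONF.$$"
        { grep -v "^[[:space:]]*$key_re[[:space:]]*=" "$SYSCTL_CONF" || :; } > "$tmp"
        printf '%s = %s\n' "$key" "$mode" >> "$tmp"
        mv "$tmp" "$SYSCTL_CONF"
    else
        printf '%s = %s\n' "$key" "$mode" >> "$SYSCTL_CONF"
    fi
}

# Apply both the runtime and the persistent change to every interface given.
apply_loose_rp_filter() {
    for iface in "$@"; do
        set_rp_filter "$iface" 2 || return 1
        persist_rp_filter "$iface" 2 || return 1
    done
    return 0
}

# Stand-alone use: RP_FILTER_IFACES="eth0 eth0.40 eth0.41" sh enable_loose_rpf.sh
if [ -n "${RP_FILTER_IFACES:-}" ]; then
    apply_loose_rp_filter $RP_FILTER_IFACES   # word splitting intended
    for iface in $RP_FILTER_IFACES; do
        printf '%s rp_filter=%s\n' "$iface" "$(get_rp_filter "$iface")"
    done
fi
```

Two caveats worth knowing when checking the result: the kernel applies the maximum of net.ipv4.conf.all.rp_filter and the per-interface value, so setting an interface to 0 does not disable filtering while all.rp_filter is 1, whereas 2 (loose) takes precedence over 1 (strict), which is why the article uses 2. And after editing /etc/sysctl.conf, `sysctl -p` loads the saved values without a reboot; if traffic still disappears, `net.ipv4.conf.all.log_martians=1` makes the kernel log the source-validation drops so they can be seen in dmesg.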