Forwarding traffic from uplink network to containers

Hello everyone,

I’m currently running a MicroCloud/LXD cluster and trying to make my Caddy load balancer container (caddy-lb) accessible from the public IP on the uplink network.

ubuntu@flap ~> lxc list
+-----------+--------+--------------------+-------------------+-----------+-----------+---------+
| NAME      | STATE  | IPV4               | IPV6              | TYPE      | SNAPSHOTS | LOCATION|
+-----------+--------+--------------------+-------------------+-----------+-----------+---------+
| caddy-lb  | RUNNING| 10.80.x.x (eth0)   | xxxx:xxxx:xxxx::  | CONTAINER | 0         | flap    |
| caddy-ws-1| RUNNING| 10.80.x.x (eth0)   | xxxx:xxxx:xxxx::  | CONTAINER | 0         | roll    |
| caddy-ws-2| RUNNING| 10.80.x.x (eth0)   | xxxx:xxxx:xxxx::  | CONTAINER | 0         | flap    |
| grafana   | RUNNING| 10.80.x.x (eth0)   | xxxx:xxxx:xxxx::  | CONTAINER | 0         | roll    |
| mariadb   | RUNNING| 10.80.x.x (eth0)   | xxxx:xxxx:xxxx::  | CONTAINER | 0         | wing    |
| php-fpm   | RUNNING| 10.80.x.x (eth0)   | xxxx:xxxx:xxxx::  | CONTAINER | 0         | flap    |
| prometheus| RUNNING| 10.80.x.x (eth0)   | xxxx:xxxx:xxxx::  | CONTAINER | 0         | tail    |
| redis     | RUNNING| 10.80.x.x (eth0)   | xxxx:xxxx:xxxx::  | CONTAINER | 0         | roll    |
+-----------+--------+--------------------+-------------------+-----------+-----------+---------+

I attempted to create a network forward on my uplink to expose port 80/443:

ubuntu@flap ~> sudo lxc network forward create UPLINK <public-ip>
ubuntu@flap ~> sudo lxc network forward port add UPLINK <public-ip> tcp 80 10.80.x.x
ubuntu@flap ~> sudo lxc network forward port add UPLINK <public-ip> tcp 443 10.80.x.x

All cmds above give me the same result:

Error: Network driver "physical" does not support forwards

Here’s the configuration of the uplink network:

ubuntu@flap ~> lxc network show UPLINK
name: UPLINK
type: physical
managed: true
status: Created
config:
  dns.nameservers: 1.1.1.1,8.8.8.8
  ipv4.gateway: <gateway-ip>/29
  ipv4.ovn.ranges: <range-start>-<range-end>
used_by:
- /1.0/networks/default
locations:
- flap
- roll
- tail
- wing
project: default

My question:

It seems lxc network forward cannot be used on physical networks. What is the best-practice way to expose a container on a public IP in an OVN-based LXD cluster?

Best regards

Hi, you have to create the forward on the respective OVN network directly. Assuming your instances are connected to the default OVN network, create the forward on this network following the steps in https://documentation.ubuntu.com/microcloud/latest/lxd/howto/network_forwards/#create-a-network-forward.

3 Likes

If you give your instance that is connected to the ovn network a static DHCP allocation:

lxc config device override <instance> <nic> ipv4.address=n.n.n.n

You can then set up a network forward on the ovn network like so:

lxc network forward create <network> <IP on uplink> target_address=<static DHCP allocation>

See https://documentation.ubuntu.com/microcloud/latest/lxd/howto/network_forwards/#create-a-forward-in-an-ovn-network

Note you will need to also set ipv4.routes on the uplink physical network to allow downstream ovn networks to consume IPs from the uplink.

lxc network set <uplink network> ipv4.routes=<comma separated list of allowed CIDRs>

Then LXD will set up a 1:1 DNAT rule from the uplink on the listen IP to the target address of your instance inside the OVN network.

3 Likes
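A preflight check for the procedure in the answer above, written here as an added example (it is not code from the thread or from the LXD project): it parses the `lxc network show` output of the OVN network and of its uplink and reports why a forward would be refused before any command is run. The network names and addresses in the samples are constructed, and the check assumes the OVN network's `network` config key names its uplink, as LXD does.

```python
import ipaddress
# Constructed `lxc network show` output for the uplink and for the OVN network
# (placeholder addresses, not the poster's real configuration).
UPLINK_SHOW = """\
name: UPLINK
type: physical
config:
  ipv4.gateway: 203.0.113.1/29
  ipv4.ovn.ranges: 203.0.113.2-203.0.113.3
  ipv4.routes: 203.0.113.4/30
"""
OVN_SHOW = """\
name: default
type: ovn
config:
  network: UPLINK
  ipv4.address: 10.80.0.1/24
"""

def parse_show(text):
    """Split flat `key: value` lines into (top-level, config) dicts; list items are skipped."""
    top, config, in_config = {}, {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("-"):
            continue
        if line.startswith("config:"):
            in_config = True
            continue
        if not line.startswith(" "):
            in_config = False
        key, _, value = line.strip().partition(":")
        (config if in_config else top)[key] = value.strip()
    return top, config

def forward_preflight(ovn_show, uplink_show, listen_ip, target_ip):
    """Return why a forward listen_ip -> target_ip would be refused ([] means prerequisites hold)."""
    ovn_top, ovn_cfg = parse_show(ovn_show)
    up_top, up_cfg = parse_show(uplink_show)
    problems = []
    if ovn_top.get("type") != "ovn":  # the poster's error: forward created on the physical network
        problems.append(f"{ovn_top.get('name')} is type {ovn_top.get('type')}, not ovn")
    if ovn_cfg.get("network") != up_top.get("name"):
        problems.append(f"{ovn_top.get('name')} does not use uplink {up_top.get('name')}")
    routes = [ipaddress.ip_network(c.strip()) for c in up_cfg.get("ipv4.routes", "").split(",") if c.strip()]
    if not any(ipaddress.ip_address(listen_ip) in r for r in routes):
        problems.append(f"listen IP {listen_ip} not covered by uplink ipv4.routes={up_cfg.get('ipv4.routes')}")
    subnet = ovn_cfg.get("ipv4.address")
    if not subnet or ipaddress.ip_address(target_ip) not in ipaddress.ip_network(subnet, strict=False):
        problems.append(f"target {target_ip} is not inside the OVN subnet {subnet}")
    return problems
```

Run it against the real `lxc network show <ovn network>` and `lxc network show <uplink>` output before `lxc network forward create`; the listen IP must fall inside the uplink's ipv4.routes and the target inside the OVN subnet.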