Unable to forward/display client WAN IPs in containers

I am struggling to display clients' WAN IP to my containers. I can connect to them without trouble from WAN, but I am unable to see the client IP that connects in the logs. This breaks basic security settings like fail2ban, hostsdeny, blocklists, etc.

If I set up a proxy device with the proxy-pass=true setting enabled, my connections fail (tested with a simple xmpp-server and a simple ssh-server). If I disable proxy-pass they work flawlessly, but logging shows 127.0.0.1.

Question: what would be the most simple way to accomplish both of these:
A) forward incoming WAN traffic on a specific port to a specific container
B) make the connecting client's IP visible in the container's logs (instead of 127.0.0.1)

Simple example: basic ssh-server “mycontainer” listening on port 55444, internal LXD LAN IP is 10.242.191.102

Currently my LXD network settings are:
+---------+----------+---------+-----------------+---------------------------+-------------+---------+---------+
|  NAME   |   TYPE   | MANAGED |      IPV4       |           IPV6            | DESCRIPTION | USED BY |  STATE  |
+---------+----------+---------+-----------------+---------------------------+-------------+---------+---------+
| eno1    | physical | NO      |                 |                           |             | 0       |         |
+---------+----------+---------+-----------------+---------------------------+-------------+---------+---------+
| enp2s0  | physical | NO      |                 |                           |             | 0       |         |
+---------+----------+---------+-----------------+---------------------------+-------------+---------+---------+
| lxbriso | bridge   | YES     | 10.242.191.1/24 | fd42:3f60:b2e8:e797::1/64 |             | 20      | CREATED |
+---------+----------+---------+-----------------+---------------------------+-------------+---------+---------+
| lxdbr0  | bridge   | YES     | 10.162.190.1/24 | fd42:dd78:6fbb:a515::1/64 |             | 1       | CREATED |
+---------+----------+---------+-----------------+---------------------------+-------------+---------+---------+
| wlp3s0  | physical | NO      |                 |                           |             | 0       |         |
+---------+----------+---------+-----------------+---------------------------+-------------+---------+---------+

Network config for specified container (without adding proxy-device)

devices:
  eth0:
    ipv4.address: 10.242.191.102
    name: eth0
    network: lxbriso
    security.port_isolation: "true"
    type: nic

Any help very much appreciated. I browsed the docu about devices, proxy and NAT, but didn’t succeed in solving my issue.

Hi,

I am unfamiliar with the proxy-pass setting from the proxy device settings: https://documentation.ubuntu.com/lxd/latest/reference/devices_proxy/#device-options

Please can you show lxc config show <instance> --expanded so we can see your instance config.

Perhaps you mean proxy_protocol=true, if so then that requires support from the target application in order to “talk” the proxy protocol.

If your target application doesn’t support that, then you could try instead setting nat=true on the proxy device.

However in order to do that you need to ensure that container has a static DHCP allocation that can be used as the target address of the proxy.

This can be achieved by setting ipv4.address on the eth0 NIC, e.g.

lxc network show lxdbr0 # Get ipv4.address subnet
# Pin the container to a static address inside that subnet (becomes the DHCP allocation)
lxc config device override <instance> eth0 ipv4.address=<a free IP from lxdbr0's subnet>
# nat=true makes LXD install a DNAT rule instead of a userspace forwarder,
# so the container sees the original client address
lxc config device add <instance> myproxy proxy \
    listen=tcp:<external address>:22 \
    connect=tcp:<instance's eth0 ipv4.address>:22 \
    nat=true
lxc restart <instance>

This will then use a DNAT firewall rule on the host that will maintain the external client address.

Solved. I retried what you instructed regarding the NAT setting, and discovered a typo in my previous commands.

Sorry about the fuss, it all works now.

For anyone else looking for a quick-fix this works (adjust variables to your own need)

PORT=55443
CONTAINER_name=mycontainer
CONTAINER_ip4=10.22.100.10     # must be a free address inside the bridge's subnet
CONTAINER_device=eth0
HOST_LAN_IP=192.168.0.10       # host address the proxy listens on

# Static address for the container NIC, then a NAT (DNAT) proxy device
lxc config device override $CONTAINER_name $CONTAINER_device ipv4.address=$CONTAINER_ip4
lxc config device add $CONTAINER_name $CONTAINER_name-$PORT proxy nat=true listen=tcp:$HOST_LAN_IP:$PORT connect=tcp:$CONTAINER_ip4:$PORT
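As an added example (not from the thread and not LXD's own tooling): a small POSIX sh wrapper around the same nat=true setup that first checks the precondition the answer relies on, namely that the static address lies inside the bridge subnet shown by lxc network list and is not the bridge's own address. The function names, the DRY_RUN switch and the proxy device name proxy-PORT are my own choices.

```shell
#!/bin/sh
# Dotted quad -> 32-bit integer (positional parameters are local to the function).
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when IP lies inside CIDR, given in the form lxc network list prints,
# e.g. 10.242.191.1/24 (the bridge's own address plus prefix length).
ip_in_cidr() {
    ip=$1; cidr=$2
    net=${cidr%/*}; bits=${cidr#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# add_nat_proxy CONTAINER BRIDGE_CIDR CONTAINER_IP HOST_IP PORT
# Validates the address, then runs the commands from the thread (DRY_RUN=1 only echoes them).
add_nat_proxy() {
    container=$1; cidr=$2; cip=$3; host_ip=$4; port=$5
    ip_in_cidr "$cip" "$cidr" || { echo "$cip is not inside $cidr" >&2; return 1; }
    [ "$cip" != "${cidr%/*}" ] || { echo "$cip is the bridge's own address" >&2; return 1; }
    run=lxc
    [ "${DRY_RUN:-0}" = 1 ] && run="echo lxc"
    # Static allocation first, so the DNAT target never changes after a restart.
    $run config device override "$container" eth0 ipv4.address="$cip" &&
    # nat=true: kernel DNAT rule, so the container logs the real client source address.
    $run config device add "$container" "proxy-$port" proxy nat=true \
        listen="tcp:$host_ip:$port" connect="tcp:$cip:$port" &&
    $run restart "$container"
}

# Usage (values from the thread): add_nat_proxy mycontainer 10.242.191.1/24 10.242.191.102 192.168.0.10 55444
```

Run with DRY_RUN=1 first to see the exact lxc commands before anything touches the host.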
