How to configure network forwards¶
Note
Network forwards are available for the OVN network and the Bridge network.
Network forwards allow an external IP address (or specific ports on it) to be forwarded to an internal IP address (or specific ports on it) in the network that the forward belongs to.
This feature can be useful if you have limited external IP addresses and want to share a single external address between multiple instances. There are two different ways how you can use network forwards in this case:
Forward all traffic from the external address to the internal address of one instance. This method makes it easy to move the traffic destined for the external address to another instance by simply reconfiguring the network forward.
Forward traffic from different port numbers of the external address to different instances (and optionally different ports on those instances). This method allows to “share” your external IP address and expose more than one instance at a time.
Tip
Network forwards are very similar to using a proxy device in NAT mode.
The difference is that network forwards are applied on a network level, while a proxy device is added for an instance. In addition, proxy devices can be used to proxy traffic between different connection types (for example, TCP and Unix sockets).
List network forwards¶
View a list of all forwards configured on a network:
lxc network forward list <network_name>
Example:
lxc network forward list lxdbr0
Note
This list displays the listen address of the network forward and its default target address, if set. To view the target addresses for a network forward’s ports set in its port specifications, you can show details about the network forward or edit the network forward.
In the web UI, select Networks in the left sidebar, then select the desired network. On the resulting screen, view the Forwards tab:
Show a network forward¶
Show details about a specific network forward:
lxc network forward show <network_name> <listen_address>
Example:
lxc network forward show lxdbr0 192.0.2.1
In the web UI, select Networks in the left sidebar, then select the desired network. On the resulting screen, view the Forwards tab. This tab shows you information about all forwards on the network. You can click the Edit icon to view details for a specific forward:
Create a network forward¶
Requirements for listen addresses¶
Before you can create a network forward, you must understand the requirements for listen addresses.
For both OVN and bridge networks, the listen addresses must not overlap with any subnet in use by other networks on the host. Otherwise, the listen address requirements differ by network type.
For an OVN network, the allowed listen addresses must be defined in at least one of the following configuration options, using CIDR notation:
ipv4.routesoripv6.routesin the OVN network’s uplink network configurationrestricted.networks.subnetsin the OVN network’s project configuration
A bridge network does not require you to define allowed listen addresses. Use any non-conflicting IP address available on the host.
Create a forward in an OVN network¶
Note
You must configure the allowed listen addresses before you can create a forward in an OVN network.
The IP addresses and ports shown in the examples below are only examples. It is up to you to choose the allowed and available addresses and ports for your setup.
Use the following command to create a forward in an OVN network:
lxc network forward create <ovn_network_name> <listen_address>|--allocate=ipv{4,6} [target_address=<target_address>] [user.<key>=<value>]
For
<ovn_network_name>, specify the name of the OVN network on which to create the forward.Immediately following the network name, provide only one of the following for the listen address:
A listen IP address allowed by the Requirements for listen addresses (no port number)
The
--allocate=flag with a value of eitheripv4oripv6for automatic allocation of an allowed IP address
Optionally provide a default
target_address(no port number). Any traffic that does not match a port specification is forwarded to this address. This must be an IP address within the OVN network’s subnet; typically, the static IP address of an instance is used.Optionally provide custom user.* keys to be stored in the network forward’s configuration.
This example shows how to create a network forward on a network named ovn1 with an allocated listen address and no default target address:
lxc network forward create ovn1 --allocate=ipv4
This example shows how to create a network forward on a network named ovn1 with a specific listen address and a target address:
lxc network forward create ovn1 192.0.2.1 target_address=10.41.211.2
In the web UI, select Networks in the left sidebar, then select the desired OVN network. On the resulting screen, view the Forwards tab. Click the Create forward button.
In the Create a new forward panel, only the Listen address field is required.
For the Listen address, provide an IP address allowed by the Requirements for listen addresses (no port number).
Optionally provide a Default target address (no port number). Any traffic that does not match a port specification is forwarded to this address. This must be an IP address within the OVN network’s subnet; typically, the static IP address of an instance is used.
You can optionally set up port specifications for the network forward by clicking the Add port button. These specifications allow forwarding traffic from specific ports on the listen address to ports on a target address. For details on how to configure this section, see: Configure ports.
Once you have finished setting up the network forward, click the Create button.
Create a forward in a bridge network¶
Note
The IP addresses and ports shown in the examples below are only examples. It is up to you to choose the allowed and available addresses and ports for your setup.
Use the following command to create a forward in a bridge network:
lxc network forward create <bridge_network_name> <listen_address> [target_address=<target_address>] [user.<key>=<value>]
For
<bridge_network_name>, specify the name of the bridge network on which to create the forward.Immediately following the network name, provide an IP address allowed by the Requirements for listen addresses (no port number).
Optionally provide a default
target_address(no port number). Any traffic that does not match a port specification is forwarded to this address. This must be an IP address within the bridge network’s subnet; typically, the static IP address of an instance is used.Optionally provide custom user.* keys to be stored in the network forward’s configuration.
You cannot use the
--allocateflag with bridge networks.
This example shows how to create a forward on a network named bridge1 with a specific listen address and a target address:
lxc network forward create bridge1 192.0.2.1 target_address=10.41.211.2
In the web UI, select Networks in the left sidebar, then select the desired bridge network. On the resulting screen, view the Forwards tab. Click the Create forward button.
In the Create a new forward panel, only the Listen address field is required.
For the Listen address, provide a listen IP address allowed by the Requirements for listen addresses (no port number).
Optionally provide a Default target address (no port number). Any traffic that does not match a port specification is forwarded to this address. This must be an IP address within the bridge network’s subnet; typically, the static IP address of an instance is used.
You can optionally set up port specifications for the network forward by clicking the Add port button. These specifications allow forwarding traffic from specific ports on the listen address to ports on a target address. For details on how to configure this section, see: Configure ports.
Once you have finished setting up the network forward, click the Create button.
Forward properties¶
Network forwards have the following properties:
| Key: | config |
| Type: | string set |
| Required: | no |
The only supported keys are target_address and user.* custom keys.
The target_address key is for the default target address of the network forward.
It must be an IP address within the subnet of the network the forward belongs to.
| Key: | listen_address |
| Type: | string |
| Required: | no |
| Key: | ports |
| Type: | port list |
| Required: | no |
See Configure ports.
Configure ports¶
Once a forward is created on a network (whether bridge or OVN), it can be configured with port specifications. These specifications allow forwarding traffic from ports on the listen address to ports on a target address.
When using the CLI, you must first create a network forward before you can add port specifications to it.
Use the following command to add port specifications on a forward:
lxc network forward port add <network_name> <listen_address> <protocol> <listen_ports> <target_address> [<target_ports>]
Use the network name and listen address of the forward for which you want to add port specifications.
Use either
tcporudpas the protocol.For the listen ports, you can specify a single listen port, a port range, or a comma-separated set of ports/port ranges.
Specify a target address. This address must be within the network’s subnet, and it must be different from the forward’s default target address. Typically, the static IP address of an instance is used.
Optionally specify a target port or ports. You can:
Specify a single target port to forward traffic from all listen ports to this target port.
Specify a set of target ports with the same number of set items as the listen ports. This forwards traffic from the first listen port to the first target port, the second listen port to the second target port, and so on.
If no target port is specified, the listen port value is used for the target port.
The example below shows how to configure a forward with a single listen port. Since no target port is specified, the target port defaults to the value of the listen port:
lxc network forward port add network1 192.0.2.1 tcp 22 10.41.211.2
The example below shows how to configure a forward with a set of listen ports mapped to a single target port. Traffic to the listen address at ports 80 and 90 through 100 is forwarded to port 443 of the target address:
lxc network forward port add network1 192.0.2.1 tcp 80,90-100 10.41.211.2 443
The example below shows how to configure a forward with a set of listen ports mapped to a set of target ports. Traffic to the listen address at port 22 is forwarded to port 22 of the target address, whereas traffic to port 80 is forwarded to port 443:
lxc network forward port add network1 192.0.2.1 tcp 22,80 10.41.211.2 22,443
These specifications allow forwarding traffic from ports on the listen address to ports on a target address. In the web UI, you can configure port specifications on a network forward at the time you create the forward, or by editing the forward after creation.
For the Listen port, you can specify a single port, a port range, or a comma-separated set of ports/port ranges.
Select either TCP or UDP as the protocol.
Specify a Target address. This address must be within the network’s subnet, and it must be different from the forward’s Default target address. Typically, the static IP address of an instance is used.
Optionally specify a target port or ports. You can:
Specify a single target port to forward traffic from all listen ports to this target port.
Specify a set of target ports with the same number of set items as the listen ports. This forwards traffic from the first listen port to the first target port, the second listen port to the second target port, and so on.
If no target port is specified, the listen port value is used for the target port.
Examples:
If the Listen port is set to
22and no Target port is specified, the target port value defaults to 22.If the Listen port is set to
80,90-100and the Target port is set to 442, all traffic to the listen address at ports 80 and 90 through 100 is forwarded to port 443 of the target address.If the Listen port is set to
22,80and the Target port is set to22,443, all traffic to the listen address at port 22 is forwarded to port 22 of the target address, whereas traffic to port 80 is forwarded to port 443.
Port properties¶
Network forward ports have the following properties:
| Key: | protocol |
| Type: | string |
| Required: | yes |
Possible values are tcp and udp.
| Key: | target_address |
| Type: | string |
| Required: | yes |
This target_address must be within the subnet of the network the forward belongs to.
Also, it must be different from the forward’s default target address.
Edit a network forward¶
Use the following command to edit a network forward:
lxc network forward edit <network_name> <listen_address>
This command opens the network forward in YAML format for editing. You can edit both the general configuration and the port specifications.
In the web UI, select Networks in the left sidebar, then select the desired network. On the resulting screen, view the Forwards tab. This tab shows you information about all forwards on the network. Click the Edit icon next to a forward to edit it:
In the resulting screen, you can edit the forward’s general configuration as well as its port specifications:
Delete a network forward¶
Use the following command to delete a network forward:
lxc network forward delete <network_name> <listen_address>
In the web UI, select Networks in the left sidebar, then select the desired network. On the resulting screen, view the Forwards tab. This tab shows you information about all forwards on the network. Click the Delete icon next to a forward to delete it:
