Create VLAN Aware Incus Bridge for DHCP Passthrough
“DHCP Passthrough” may not be the most accurate term for what we’re doing here, but it sounds a lot like what I was trying to accomplish when I wrote this article. I don’t want my Incus bridge to do DHCP or be a gateway at all. Instead, I want to add my Incus bridge to containers to allow non-NATed traffic to traverse my network VLAN.
Current Infrastructure
Here is what my home lab looks like. To provide some isolation and control over which endpoints can access which servers I have setup VLANs and let my router handle DHCP. Here’s a simple diagram.
I’ve configured my switch such that workstations with untagged traffic use vlan4, but on my workstations I can create a virtual server and tag the traffic vlan5 to have the VM be on the server subnet. This gets servers up and running easily with a DHCP provided address. Your knee jerk reaction should be that this is dumb, and in a business or enterprise you would be right. Allowing each of my workstation ports to host server vlan traffic is a little silly, but since this is my home network, my server’s subnet is more akin to test servers (none are vital), so it’s not really a concern for me. The point is, I have servers on Proxmox and Servers on my and my family’s desktops and I want them all to be able to talk to each other on the same subnet. That’s what I’ve setup.
Now I want to add my Raspberry Pi Incus host to be able to easily create containers on that same server vlan, using the same centralized DHCP server from my router.
Create an Incus Bridge that Passes Traffic on a VLAN
The
https://linuxcontainers.org/incus/docs/main/reference/network_bridge/bridge.external_interfacesoption supports an extended format allowing the creation of missing VLAN interfaces. The extended format is<interfaceName>/<parentInterfaceName>/<vlanId>. When the external interface is added to the list with the extended format, the system will automatically create the interface upon the network’s creation and subsequently delete it when the network is terminated. The system verifies that the<interfaceName>does not already exist. If the interface name is in use with a different parent or VLAN ID, or if the creation of the interface is unsuccessful, the system will revert with an error message.
Additionally, since I’ll have DHCP issuing IP addresses directly to my containers and the bridge only needs to be layer 2, I will turn off ipv4. The bridge does not need an IP address since my router will act as my gateway.
incus network create <bridgeName> --type=bridge \
bridge.external_interfaces=<interfaceName/<parentInterface>/<vlanId> \
ipv4.address=none \
ipv6.address = noneTo create a bridge called incusbr123 that is managed by incus and a host interface called eth0.123 we can use the command below. In this example, the wired ethernet connection on the Raspberry Pi is eth0, and the desired vlan is 123.
incus network create incusbr123 --type=bridge \
bridge.external_interfaces=eth0.123/eth0/123 \
ipv4.address=none \
ipv6.address = none