Bridge Multiple Networks to VyOS Podman Containers

VyOS version: 1.5-rolling-202406060020 (I forgot to mention the version of VyOS.)

Here is my setup:

The screenshot shows the VyOS router that will run VyOS podman containers, each behaving as its own router. This allows me to do things such as configuring OSPF that can bridge between routers within each of the containers. What’s physically attached to the VyOS router is my server and my desktop, each having VLANs that get assigned to their own bridges (br300, br301, etc.). The same goes for my home server.

Here is the snipped config for VyOS:
...
    bridge br300 {
        member {
            interface eth3.300 {
            }
            interface eth4.300 {
            }
        }
    }
    bridge br301 {
        member {
            interface eth3.301 {
            }
            interface eth4.301 {
            }
        }
    }
    bridge br302 {
        member {
            interface eth3.302 {
            }
            interface eth4.302 {
            }
        }
    }
...
    bridge br390 {
        address 10.210.0.254/24
        description "VLab Network"
        member {
            interface eth3.390 {
            }
            interface eth4.390 {
            }
        }
    }
    bridge br391 {
        address 10.210.1.254/24
        description "VLab Network"
        member {
            interface eth3.391 {
            }
            interface eth4.391 {
            }
        }
    }
...
    ethernet eth3 {
        hw-id 34:1a:4c:04:16:92
        vif 300 {
        }
        vif 301 {
        }
        vif 302 {
        }
        vif 303 {
        }
        vif 304 {
        }
        vif 305 {
        }
        vif 306 {
        }
        vif 307 {
        }
        vif 308 {
        }
        vif 309 {
        }
        vif 390 {
        }
        vif 391 {
        }
    }
    ethernet eth4 {
        hw-id 34:1a:4c:04:16:93
        vif 300 {
        }
        vif 301 {
        }
        vif 302 {
        }
        vif 303 {
        }
        vif 304 {
        }
        vif 305 {
        }
        vif 306 {
        }
        vif 307 {
        }
        vif 308 {
        }
        vif 309 {
        }
        vif 390 {
        }
        vif 391 {
        }
    }

With the setup and the snipped config file in mind, is it possible to assign bridges to podman containers so I can perform routing within the containers? Or am I better off putting VyOS in its own VM and setting up additional VMs for virtual routing setups? The reason why I’m going for this is because I want to set up some make-believe companies that make use of Windows Server Cores in separate VLANs on my server, along with running Windows 10/11 virtual machines on my desktop.

Update as of 9:30 PM EST: Know what? I don’t like starting my first thread just to answer my own question. Regardless, it does seem that Podman does not support binding to a specific bridge interface, and I had a look through this article:

Well, so much for running a couple of VyOS routers within the main VyOS. I’m leaving this thread here in case someone might ask questions about assigning pod containers to a bridged interface.

We currently do not have CLI support to bridge a network into a container. Containers have layer 3 networking only, which could be bridged by the underlying VyOS, but I have not tested this.

Looking at your config, it may become easier by moving the individual bridges to one VLAN-aware bridge with multiple VIFs configured on the bridge itself.

Okay, thank you.

I’m thinking I’m going to move over to just standard Debian and go with standard virtual machines for multiple VyOS setups.

I do not know the reason why you prefer multiple routers for different VLANs; maybe it’s due to network isolation.

VyOS supports VRFs so you can not only have L2 VLAN isolation but also L3 VRF isolation.
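The two suggestions above (one VLAN-aware bridge carrying VIFs instead of one bridge per VLAN, and a VRF per lab for layer 3 isolation) as an added VyOS configuration-mode example; it is not from the thread or from the VyOS project. The bridge name br0, the VRF table numbers and the 10.210.10x addresses are assumed; VLANs 390/391 keep the addresses from the posted config.

```vyos
# Added example, not from the thread: one VLAN-aware bridge replaces the
# per-VLAN bridges (br300..br309, br390, br391). eth3 and eth4 become
# trunk members of br0 carrying the same VLAN IDs the per-VLAN vifs did,
# so the "vif 3xx" nodes under ethernet eth3/eth4 are no longer needed.
set interfaces bridge br0 description "VLab trunk bridge"
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth3 allowed-vlan 300-309
set interfaces bridge br0 member interface eth3 allowed-vlan 390-391
set interfaces bridge br0 member interface eth4 allowed-vlan 300-309
set interfaces bridge br0 member interface eth4 allowed-vlan 390-391

# One VRF (separate routing table) per make-believe company.
# VRF names follow the thread's VLab1/VLab2; table numbers are assumed.
set vrf name VLab1 table 1001
set vrf name VLab2 table 1002

# Layer 3 lives on the bridge's own vifs, one per VLAN. A vif (like a
# bridge) belongs to exactly one VRF, so each lab gets its own set of
# vifs rather than several VRFs sharing one bridge. Addresses below are
# assumed except 390/391, which keep the addresses from the posted config.
set interfaces bridge br0 vif 300 description "VLab1 servers"
set interfaces bridge br0 vif 300 address 10.210.100.254/24
set interfaces bridge br0 vif 300 vrf VLab1
set interfaces bridge br0 vif 301 description "VLab1 desktops"
set interfaces bridge br0 vif 301 address 10.210.101.254/24
set interfaces bridge br0 vif 301 vrf VLab1
set interfaces bridge br0 vif 302 description "VLab2 servers"
set interfaces bridge br0 vif 302 address 10.210.102.254/24
set interfaces bridge br0 vif 302 vrf VLab2
set interfaces bridge br0 vif 390 description "VLab1 uplink"
set interfaces bridge br0 vif 390 address 10.210.0.254/24
set interfaces bridge br0 vif 390 vrf VLab1
set interfaces bridge br0 vif 391 description "VLab2 uplink"
set interfaces bridge br0 vif 391 address 10.210.1.254/24
set interfaces bridge br0 vif 391 vrf VLab2

commit
save

# Quick checks after commit: which interfaces landed in which VRF, and
# that VLab1's routing table only contains VLab1's networks.
run show vrf
run show ip route vrf VLab1
```

A VLAN that several labs must share (the br390 "to Internet" bridge later in this thread) cannot be placed in more than one VRF at once; it needs its own VRF, and traffic between VRFs then has to be routed deliberately rather than by shared membership.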

Oh so I can isolate VyOS containers via VRF? I need to check that out and do some research.

Update: It seems I can only set one VRF per bridge… Interesting. So a bridge cannot have more than one VRF. So this is what I’m thinking:

br300:
  VRF 1: VLab1
br301:
  VRF 1: VLab1
br303:
  VRF 1: VLab1
...
br390 (to Internet):
  VRF 1: VLab1
  VRF 2: VLab2
  ...
  VRF N: VLabN

(Where “N” represents the number for virtual lab networks.)

The only workaround I can see is if I bridge to an existing bridge. In that case, br390XX, where XX represents the number, but as far as I know, that would be very complex for me to do.

Nah, I’m not going that route. Thank you for your help.