I'm trying to get a service in a rootless Podman container (BIND DNS server) to
respond correctly when using VRRP (via keeepalived) on the host. It seems like Pasta will
forward the inbound traffic to the container from the VRRP address, but the responses will
be from the regular IP address instead of the VRRP address, which causes the client to
ignore the response. I've tried adding Pasta network options to the container, but
the behavior seems to be the same.
OS: Centos Stream 9
Podman: 5.2.2
Pasta: 0^20240806.gee36266-2.el9.x86_64-pasta
Outside interface:
ens18
10.1.1.1/24 (main IP)
10.1.1.2/32 (VRRP IP)
TCPdump shows the problem (note that the reply packet has source as the main IP, not the
VRRP IP:
IP 10.2.2.2.37392 > 10.1.1.2.53: 60211+ [1au] A? www.example.com. (56)
IP 10.1.1.1.53 > 10.2.2.2.37392: 60211*- 1/0/1 A 192.168.254.7 (88)
Tried starting the container with non-default pasta options, but the result is the same:
--network
pasta:-I,tap0,-o,10.1.1.2,--ipv4-only,-a,10.0.2.0,-n,24,-g,10.0.2.2,--dns-forward,10.0.2.3,--no-ndp,--no-dhcpv6,--no-dhcp
Any help with possible solutions would be greatly appreciated.
Thanks,
--
ANTON CASTELLI
Network Engineer V
OFFICE OF INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
ROOM B15
CARBONDALE, ILLINOIS 62901
anton.castelli(a)siu.edu
P: 618.453.6424
OIT.SIU.EDU