I have port forwarding set up in nixos-containers and a WireGuard interface `wg0`, and I am trying to set up `networking.nat` to NAT the virtual interfaces from the containers to the WireGuard interface, so that the containers get an internet connection over the WireGuard tunnel.

The port forwarding works, and I am able to access the services within the container from my host over the IP assigned to the veth pair. But I am unable to access the internet from within the container.

Relevant config files are in https://github.com/tnichols217/nixos-config/tree/main/configuration/by-host/ASUS (`networking.nix` and `servarr.nix`). I thought that this would be sufficient to NAT the containers to the internet:
```nix
nat = {
  enable = true;
  internalInterfaces = [ "ve-+" "vb-+" ];
  externalInterface = "wg0";
  enableIPv6 = true;
};
```
The IP addresses for the host side look like this for one of the containers. Should it have this many IP addresses assigned to it? I defined a static IP of `10.0.1.15/32` for the host side of the container, which is reflected below, but when I run a `ping` from within the container, `tcpdump` on the host side says `From 169.254.87.231 icmp_seq=336 Destination Host Unreachable`, which is the other IP for the interface. Is it possible that the NAT is not routing all of the assigned IPs for the interface and is only routing them from the dominant IP? If so, how would I ensure that all IPs get routed, or that there is only the one assigned IP I gave it?
```
21: ve-jellyfin@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether --:--:--:--:--:-- brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.87.231/16 metric 2048 brd 169.254.255.255 scope link ve-jellyfin
       valid_lft forever preferred_lft forever
    inet 192.168.39.193/28 brd 192.168.39.207 scope global ve-jellyfin
       valid_lft forever preferred_lft forever
    inet 10.0.1.15/32 scope global ve-jellyfin
       valid_lft forever preferred_lft forever
    inet6 fe80::28f9:90ff:fee0:bc3/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
```
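For reference, here is a complete, minimal NixOS module that wires a single nixos-container's veth into `networking.nat` with `wg0` as the external interface. This is an added example, not code from the original post or from the linked repository. The container name `media`, the `10.0.1.15`/`10.0.1.16` addresses and port `8096` are assumptions chosen to mirror the post; the WireGuard interface `wg0` is assumed to be defined elsewhere in the host configuration and to carry a route for whatever destinations the container should reach, because the masquerade rule `networking.nat` installs only rewrites packets the host actually routes out of `wg0`.

```nix
# Added example (not from the original post): host-side NAT for a
# nixos-container over a WireGuard interface. The container name,
# addresses and port below are assumptions, not values from the post.
{ config, pkgs, lib, ... }:

{
  # networking.nat enables IPv4 forwarding and adds a MASQUERADE rule
  # for traffic leaving via externalInterface. Traffic that the host
  # routes out of any other interface is NOT covered by this rule, so
  # the host needs a route towards the destinations via wg0.
  networking.nat = {
    enable = true;
    # Glob on the host side of every container veth ("ve-<name>").
    internalInterfaces = [ "ve-+" ];
    externalInterface = "wg0";
  };

  containers.media = {
    autoStart = true;

    # A separate network namespace with a veth pair; without this the
    # container shares the host's stack and NAT does not apply.
    privateNetwork = true;

    # Host and container ends of the veth. The container module points
    # the container's default route at hostAddress.
    hostAddress = "10.0.1.15";
    localAddress = "10.0.1.16";

    # Expose one service on the host. Reachable on every host interface
    # unless the host firewall restricts it; assumed port for a web UI.
    forwardPorts = [
      { protocol = "tcp"; hostPort = 8096; containerPort = 8096; }
    ];

    config = { config, pkgs, ... }: {
      # The container has its own firewall; open only what is forwarded.
      networking.firewall.allowedTCPPorts = [ 8096 ];

      system.stateVersion = "24.05";  # assumed; match the host's release
    };
  };
}
```

To check the host side after a rebuild, confirm that forwarding is on (`sysctl net.ipv4.ip_forward` should print `1`), that the ruleset contains a masquerade rule on `wg0` (`nft list ruleset` or `iptables -t nat -S POSTROUTING`, depending on which backend the host uses), and that `ip route get <some public address>` on the host names `wg0` as the outgoing device; if it names another interface, the container's packets leave unmasqueraded there rather than through the tunnel.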