Alpine Linux veth network/bridge has no internet

Solution 1:

I applied your setup verbatim and it's working.

You must have made a typo somewhere or didn't follow exactly what you wrote in your question.

Two remarks:

bridge link show br1

is invalid syntax. man bridge was amended in recent versions, probably because it was a common mistake:

bridge link show - list ports configuration for all bridges. This command displays port configuration and flags for all bridges.

To display port configuration and flags for a specific bridge, use the "ip link show master <bridge_device>" command.

So you should use instead:

ip link show master br1

or you'd get extra interfaces on other bridges. Of course it doesn't matter.

What matters is that:

  ip -all netns exec ip route add default via 192.168.1.10

should have set default routes in the network namespaces (and did for me), but you write later:

when I run

ip netns exec namespace1 ip route

I get the results:

192.168.1.0/24 dev veth1 proto kernel scope link src 192.168.1.11

Here the default route is missing. Doing the same on my system, I get, as you should have but didn't:

# ip netns exec namespace1 ip route
default via 192.168.1.10 dev veth1 
192.168.1.0/24 dev veth1 proto kernel scope link src 192.168.1.11 

So figure out what is missing. Retest your commands exactly as given, manually, without changing any order, and verify you get the default route. For example, this route would be lost if the interface were brought down and then up again (but that's not done in OP's script). If needed, don't use -all but repeat the command twice, once for namespace1 and once for namespace2.

UPDATE: from further discussion in the comments, it also appears that OP had iptables with a FORWARD policy set to DROP.

If one intends to enable inter-namespace traffic (should br_netfilter be activated, see at the end) and any outgoing traffic from the namespaces, one could simply use for example:

iptables -I FORWARD -i br1 -j ACCEPT

Likewise for the namespaces to reach the host if needed:

iptables -I INPUT -i br1 -j ACCEPT

The security of this should really be pondered, and the rules integrated into the existing firewall solution.

Things can become more complex if other tools like Docker are running because it might enable br_netfilter, as can be seen in my answer to this Q/A.
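
The checks discussed in this answer (missing default route, FORWARD policy DROP without an ACCEPT rule for br1, br_netfilter loaded) can be scripted as below. This is an added example, not part of the original answer: the function names and sample strings are constructed for illustration, and rule order inside the FORWARD chain is not evaluated.

```sh
#!/bin/sh
# Added example (not from the answer). Checks take command output as text,
# so they run offline on the constructed samples below.

# True if `ip route` output contains a default route.
has_default_route() {
    printf '%s\n' "$1" | grep -q '^default via '
}

# Print the policy from `iptables -S FORWARD` output, e.g. DROP.
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# True if an ACCEPT rule for traffic entering on bridge $2 exists.
# Simplification: rule order within the chain is not evaluated.
bridge_accept_rule() {
    printf '%s\n' "$1" | grep -Eq -e "^-A FORWARD .*-i $2( .*)? -j ACCEPT"
}

# $1 namespace, $2 bridge, $3 `ip route` output, $4 `iptables -S FORWARD` output.
diagnose() {
    if ! has_default_route "$3"; then
        echo "$1: no default route"
    elif [ "$(forward_policy "$4")" = DROP ] && ! bridge_accept_rule "$4" "$2"; then
        echo "$1: FORWARD policy DROP without ACCEPT for $2"
    else
        echo "$1: ok"
    fi
}

# Live use (root required): live_diagnose namespace1 br1
live_diagnose() {
    diagnose "$1" "$2" "$(ip netns exec "$1" ip route)" "$(iptables -S FORWARD)"
    if [ -e /proc/sys/net/bridge/bridge-nf-call-iptables ]; then
        echo "br_netfilter loaded: bridged frames may also traverse iptables"
    fi
}

# Constructed samples modelled on the outputs quoted in the answer.
ROUTES_BAD='192.168.1.0/24 dev veth1 proto kernel scope link src 192.168.1.11'
ROUTES_OK="default via 192.168.1.10 dev veth1
$ROUTES_BAD"
FW_DROP='-P FORWARD DROP'
FW_FIXED="$FW_DROP
-A FORWARD -i br1 -j ACCEPT"

diagnose namespace1 br1 "$ROUTES_BAD" "$FW_DROP"
diagnose namespace1 br1 "$ROUTES_OK" "$FW_DROP"
diagnose namespace1 br1 "$ROUTES_OK" "$FW_FIXED"
```

On a real host, call live_diagnose once per namespace as root; the three sample runs report the missing route, the DROP policy, and the fixed state in turn.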