Skip to content
Docs
How-to guides
How to configure network forwards

How to configure network forwards

Note
Network forwards are available for the OVN network and the Bridge network.

▶ Watch on YouTube (opens in a new tab)

Network forwards allow an external IP address (or specific ports on it) to be forwarded to an internal IP address (or specific ports on it) in the network that the forward belongs to.

This feature can be useful if you have limited external IP addresses and want to share a single external address between multiple instances. In this case, you have two options:

  • Forward all traffic from the external address to the internal address of one instance. This method makes it easy to move the traffic destined for the external address to another instance by simply reconfiguring the network forward.
  • Forward traffic from different port numbers of the external address to different instances (and optionally different ports on those instances). This method allows to "share" your external IP address and expose more than one instance at a time.

Tip
Network forwards are very similar to using a proxy device in NAT mode.

The difference is that network forwards are applied on a network level, while a proxy device is added for an instance. In addition, proxy devices can be used to proxy traffic between different connection types (for example, TCP and Unix sockets).

List network forwards

View a list of all forwards configured on a network:

CLI

lxc network forward list <network_name>

Example:

lxc network forward list lxdbr0

Note
This list displays the listen address of the network forward and its default target address, if set. To view the target addresses for a network forward's ports set in its port specifications, you can show details about the network forward or edit the network forward.

API

Query the /1.0/networks/{networkName} endpoint to list all forwards for a network.

lxc query --request GET /1.0/networks/{networkName}/forwards

Example:

lxc query --request GET /1.0/networks/lxdbr0/forwards

See the API reference for more information.

You can also use recursion to list the forwards with a higher level of detail:

lxc query --request GET /1.0/networks/{networkName}/forwards?recursion=1

UI

In the web UI, select Networks in the left sidebar, then select the desired network. On the resulting screen, view the Forwards tab:

View a list of forwards on a network

Show a network forward

Show details about a specific network forward:

CLI

lxc network forward show <network_name> <listen_address>

Example:

lxc network forward show lxdbr0 192.0.2.1

API

Query the following endpoint for details about a specific forward:

lxc query --request GET /1.0/networks/{networkName}/forwards/{listenAddress}

See the API reference for more information.

Example:

lxc query --request GET /1.0/networks/ovn1/forwards/10.152.119.200

UI

In the web UI, select Networks in the left sidebar, then select the desired network. On the resulting screen, view the Forwards tab. This tab shows you information about all forwards on the network. You can click the Edit icon to view details for a specific forward:

View details about a specific forward on a network through its edit screen

Create a network forward

Requirements for listen addresses

Before you can create a network forward, you must understand the requirements for listen addresses.

For both OVN and bridge networks, the listen addresses must not overlap with any subnet in use by other networks on the host. Otherwise, the listen address requirements differ by network type.

OVN network

For an OVN network, the allowed listen addresses must be defined in at least one of the following configuration options, using CIDR notation (opens in a new tab):

Bridge network

A bridge network does not require you to define allowed listen addresses. Use any non-conflicting IP address available on the host.

Create a forward in an OVN network

Note
You must configure the allowed listen addresses before you can create a forward in an OVN network.

The IP addresses and ports shown in the examples below are only examples. It is up to you to choose the allowed and available addresses and ports for your setup.

CLI

Use the following command to create a forward in an OVN network:

lxc network forward create <ovn_network_name> <listen_address>|--allocate=ipv{4,6} [target_address=<target_address>] [user.<key>=<value>]
  • For <ovn_network_name>, specify the name of the OVN network on which to create the forward.
  • Immediately following the network name, provide only one of the following for the listen address:
    • A listen IP address allowed by the Requirements for listen addresses (no port number)
    • The --allocate= flag with a value of either ipv4 or ipv6 for automatic allocation of an allowed IP address
  • Optionally provide a default target_address (no port number). Any traffic that does not match a port specification is forwarded to this address. This must be an IP address within the OVN network's subnet; typically, the static IP address of an instance is used.
  • Optionally provide custom user.* keys to be stored in the network forward's configuration.
Examples

This example shows how to create a network forward on a network named ovn1 with an allocated listen address and no default target address:

lxc network forward create ovn1 --allocate=ipv4

This example shows how to create a network forward on a network named ovn1 with a specific listen address and a default target address:

lxc network forward create ovn1 192.0.2.1 target_address=10.41.211.2

API

To create a network forward in an OVN network, send a POST request to the /1.0/networks/{networkName}/forwards endpoint:

lxc query --request POST /1.0/networks/{networkName}/forwards --data '{
  "listen_address": "<listen_address>",            # required
  "description": "<description of the forward>",   # optional
  "config": {
     "target_address": "<default_target_address>",  # optional
     "user.<key>": "<value>"                        # optional
  },
  "ports": [                                        # optional
    {
      "description": "<description of the forward to this port>",
      "listen_port": "<listen_port>",
      "protocol": "<tcp|udp>",
      "target_address": "<target address>",
      "target_port": "<target port or ports>"
    }
  ]
}'
  • For {networkName}, specify the name of the OVN network on which to create the forward.
  • For <listen_address>, provide only one of the following:
    • A listen IP address allowed by the Requirements for listen addresses (no port number)
    • For automatic allocation of an allowed IP address, use "0.0.0.0" for IPv4 and "::" for IPv6.
  • Optionally provide a description of the forward.
  • Optionally provide a default target_address as part of the config object (no port number). Any traffic that does not match a port specification is forwarded to this address. This must be an IP address within the OVN network's subnet; typically, the static IP address of an instance is used.
  • Optionally provide custom user.* keys, also as part of the config object.
  • Optionally set up port specifications during forward creation. These specifications allow forwarding traffic from specific ports on the listen address to ports on a target address. For details on how to configure ports, see: Configure ports.

See the API reference for more information.

Examples

This example shows how to create a network forward on a network named ovn1 with an allocated listen address and no default target address:

lxc query --request POST /1.0/networks/ovn1/forwards --data '{
  "listen_address": "0.0.0.0"
}'

This example shows how to create a network forward on a network named ovn1 with a specific listen address and a default target address:

lxc query --request POST /1.0/networks/ovn1/forwards --data '{
  "listen_address": "192.0.2.1",
  "config": {
    "target_address": "10.41.211.2"
  }
}'

UI

In the web UI, select Networks in the left sidebar, then select the desired OVN network. On the resulting screen, view the Forwards tab. Click the Create forward button.

In the Create a new forward panel, only the Listen address field is required.

Create an OVN network forward

  • For the Listen address, provide an IP address allowed by the Requirements for listen addresses (no port number).
  • Optionally provide a Default target address (no port number). Any traffic that does not match a port specification is forwarded to this address. This must be an IP address within the OVN network's subnet; typically, the static IP address of an instance is used.

You can optionally set up port specifications for the network forward by clicking the Add port button. These specifications allow forwarding traffic from specific ports on the listen address to ports on a target address. For details on how to configure this section, see: Configure ports.

Once you have finished setting up the network forward, click the Create button.

Create a forward in a bridge network

Note
The IP addresses and ports shown in the examples below are only examples. It is up to you to choose the allowed and available addresses and ports for your setup.

CLI

Use the following command to create a forward in a bridge network:

lxc network forward create <bridge_network_name> <listen_address> [target_address=<target_address>] [user.<key>=<value>]
  • For <bridge_network_name>, specify the name of the bridge network on which to create the forward.
  • Immediately following the network name, provide an IP address allowed by the Requirements for listen addresses (no port number).
  • Optionally provide a default target_address (no port number). Any traffic that does not match a port specification is forwarded to this address. This must be an IP address within the bridge network's subnet; typically, the static IP address of an instance is used.
  • Optionally provide custom user.* keys to be stored in the network forward's configuration.
  • You cannot use the --allocate flag with bridge networks.
Example

This example shows how to create a forward on a network named bridge1. The listen address is required, and the default target address is optional:

lxc network forward create bridge1 192.0.2.1 target_address=10.41.211.2

API

To create a network forward in a bridge network, send a POST request to the /1.0/networks/{networkName}/forwards endpoint:

lxc query --request POST /1.0/networks/{networkName}/forwards --data '{
  "listen_address": "<listen_address>",            # required
  "description": "<description of the forward>",   # optional
  "config": {
     "target_address": "<default_target_address>",  # optional
     "user.<key>": "<value>"                        # optional
  },
  "ports": [                                        # optional
    {
      "description": "<description of the forward to this port>",
      "listen_port": "<listen_port>",
      "protocol": "<tcp|udp>",
      "target_address": "<target address>",
      "target_port": "<target port or ports>"
    }
  ]
}'
  • For {networkName}, specify the name of the bridge network on which to create the forward.
  • For <listen_address>, provide an IP address allowed by the Requirements for listen addresses (no port number).
    • With bridge networks, you cannot dynamically allocate the listen address. You must input a specific address.
  • Optionally provide a description of the forward.
  • Optionally provide a default target_address as part of the config object (no port number). Any traffic that does not match a port specification is forwarded to this address. This must be an IP address within the OVN network's subnet; typically, the static IP address of an instance is used.
  • Optionally provide custom user.* keys, also as part of the config object.
  • Optionally set up port specifications during forward creation. These specifications allow forwarding traffic from specific ports on the listen address to ports on a target address. For details on how to configure ports, see: Configure ports.

See the API reference for more information.

Example

This example shows how to create a forward on a network named bridge1. The listen address is required, and the default target address is optional:

lxc query --request POST /1.0/networks/bridge1/forwards --data '{
  "listen_address": "192.0.2.1",
  "config": {
    "target_address": "10.41.211.2"
  }
}'

UI

In the web UI, select Networks in the left sidebar, then select the desired bridge network. On the resulting screen, view the Forwards tab. Click the Create forward button.

In the Create a new forward panel, only the Listen address field is required.

Create a bridge network forward

  • For the Listen address, provide a listen IP address allowed by the Requirements for listen addresses (no port number).
  • Optionally provide a Default target address (no port number). Any traffic that does not match a port specification is forwarded to this address. This must be an IP address within the bridge network's subnet; typically, the static IP address of an instance is used.

You can optionally set up port specifications for the network forward by clicking the Add port button. These specifications allow forwarding traffic from specific ports on the listen address to ports on a target address. For details on how to configure this section, see: Configure ports.

Once you have finished setting up the network forward, click the Create button.

Forward properties

Network forwards have the following properties:

config

User-provided free-form key/value pairs

Key: config
Type: string set
Required: no

The only supported keys are target_address and user.* custom keys.

The target_address key is for the default target address of the network forward. It must be an IP address within the subnet of the network the forward belongs to.

description

Description of the network forward

Key: description
Type: string
Required: yes

listen_address

IP address to listen on

Key: listen_address
Type: string
Required: no

See Requirements for listen addresses.

ports

List of port specifications

Key: ports
Type: port list
Required: no

See Configure ports.

Configure ports

Once a forward is created on a network (whether bridge or OVN), it can be configured with port specifications. These specifications allow forwarding traffic from ports on the listen address to ports on a target address.

CLI

When using the CLI, you must first create a network forward before you can add port specifications to it.

Use the following command to add port specifications on a forward:

lxc network forward port add <network_name> <listen_address> <protocol> <listen_ports> <target_address> [<target_ports>]
  • Use the network name and listen address of the forward for which you want to add port specifications.
  • Use either tcp or udp as the protocol.
  • For the listen ports, you can specify a single listen port, a port range, or a comma-separated set of ports/port ranges.
  • Specify a target address. This address must be within the network's subnet, and it must be different from the forward's default target address. Typically, the static IP address of an instance is used.
  • Optionally specify a target port or ports. You can:
    • Specify a single target port to forward traffic from all listen ports to this target port.
    • Specify a set of target ports with the same number of set items as the listen ports. This forwards traffic from the first
How to associate profiles with an imageHow to create OVN peer routing relationships