OK, so I've found that in the lxd image, it fails as with rimelek's setup. So I've been able to reliably reproduce it. I've also got it configured on the host that runs the lxd image, and it works there. From there I've been able to determine that the traffic is never leaving the userspace network. Running wireshark both inside the userspace network and outside it, I see the requests inside the userspace network, and no traffic on the host's network at all. What I was hoping to see was a DNS lookup request and response, followed by nothing - but the DNS request isn't even getting out. When I do the trace on the host (where it works for me), I see traffic on the host's external network. So it seems that the issue is that traffic isn't passing from the userspace network to the real-world network. -- Jim Henderson Please keep on-topic replies on the list so everyone benefits