[SOLVED] Nat Networking Problem.

efesaid

Definition

I have installed Proxmox 3.2 and I am trying to configure a virtual machine as a communication server that handles all traffic and forwards it to the nodes with private IP.
I configured the server for NAT networking with two CentOS virtual machines which have exactly the same configuration.
What I Do

The Proxmox wiki has very limited and basic NAT networking documentation. I found similar problems (this, this) on here and on the Proxmox forums. I tried to understand the basics of Linux NAT networking, so I completed this very understandable tutorial from beginning to end. I read this article for iptables NAT rules.
Problems

After installation and configuration, when I ping from host to VM or from VM to host, the output is:
Code:
root@testPrx:~# ping 10.0.4.2
PING 10.0.4.2 (10.0.4.2) 56(84) bytes of data.
From 10.0.4.1 icmp_seq=2 Destination Host Unreachable
When I try a telnet connection to the communication server's public IP from a server in the same network which has an internet connection (192.168.0.3):
Code:
-bash-4.1# telnet 192.168.0.2 2701
Trying 192.168.0.2...
telnet: connect to address 192.168.0.2: No route to host
When I try a telnet connection to localhost or 192.168.0.2, the result is the same,
Code:
root@testPrx:~# telnet localhost 2701
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
Question

Everything works fine on containers but not on KVM. What is my mistake?
Configurations

All host and virtual machine configurations are:
Proxmox Server

Proxmox version

root@testPrx:~# pveversion
pve-manager/3.2-4/e24a91c1 (running kernel: 2.6.32-29-pve)
Network interfaces

Network interfaces added by the web interface:

  • net0 -> vmbr0
  • net1 -> vmbr1
    Code:
    root@testPrx:~# cat /etc/network/interfaces
    auto lo
    iface lo inet loopback

    auto vmbr0
    iface vmbr0 inet static
            address 192.168.0.2
            netmask 255.255.255.0
            gateway 192.168.0.1
            bridge_ports eth0
            bridge_stp off
            bridge_fd 0
    auto vmbr1
    iface vmbr1 inet static
            address 10.0.4.1
            netmask 255.255.255.0
            bridge_ports none
            bridge_stp off
            bridge_fd 0
    
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.0.4.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.0.4.0/24' -o vmbr0 -j MASQUERADE
    
    #these rules forward traffic on port 2701 to port 22 on the VM at IP 10.0.4.2
    
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2701 -j DNAT --to 10.0.4.2:22
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 2701 -j DNAT --to 10.0.4.2:22
Firewall rules of NAT (there are no filters)

Code:
root@testPrx:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:2701 to:10.0.4.2:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.0.4.0/24          anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Routing table
Code:
root@testPrx:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.4.0        *               255.255.255.0   U     0      0        0 vmbr1
192.168.0.0     *               255.255.255.0   U     0      0        0 vmbr0
default         192.168.0.1     0.0.0.0         UG    0      0        0 vmbr0
IP forwarding
Code:
root@testPrx:~# cat /proc/sys/net/ipv4/ip_forward
1
Virtual Machines

OS version

Code:
-bash-4.1# cat /etc/redhat-release
CentOS release 6.4 (Final)
Interfaces

eth0
Code:
-bash-4.1# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
IPADDR=192.168.0.3
GATEWAY=192.168.0.1
NETMASK=255.255.255.0
eth1
Code:
-bash-4.1# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
IPADDR=10.0.4.2
GATEWAY=10.0.4.1
NETMASK=255.255.255.0
SSH daemon running and listening on port (22) successfully
Code:
-bash-4.1# netstat -puntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:85                  0.0.0.0:*                   LISTEN      1100/sshd
Routing Table

Code:
-bash-4.1# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.4.0        *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     1002   0        0 eth0
link-local      *               255.255.0.0     U     1003   0        0 eth1
default         10.0.4.1        0.0.0.0         UG    0      0        0 eth1
 
Hello efesaid,

try to adapt the iptables statements like this

Code:
iptables -t nat -A POSTROUTING -s '10.0.4.0/24' ! -d 10.0.4.0/24 -o vmbr0 -j MASQUERADE

Why? Only for traffic leaving the LAN masquerading makes sense. I guess in case of CTs it works despite this if venet0 is used.

Kind regards

Mr.Holmes
 
I created an account just to say that I have the same problem. Can't NAT or bridge to any private range.

Code:
root@pve:~# ping -I vmbr1 google.com
PING google.com (173.194.39.97) from 10.1.1.1 vmbr1: 56(84) bytes of data.
From 10.1.1.1 icmp_seq=2 Destination Host Unreachable
From 10.1.1.1 icmp_seq=3 Destination Host Unreachable
From 10.1.1.1 icmp_seq=4 Destination Host Unreachable

Code:
root@pve:~# tcpdump -n -v -i vmbr1
tcpdump: listening on vmbr1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:26:58.588677 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 173.194.39.78 tell 10.1.1.1, length 28
20:26:59.588689 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 173.194.39.78 tell 10.1.1.1, length 28
20:27:00.588700 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 173.194.39.78 tell 10.1.1.1, length 28
20:27:02.589679 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 173.194.39.78 tell 10.1.1.1, length 28

Thought I was doing something wrong. Tried like 100 different configurations. No success. Is there a known issue?
 
I found my mistake when I was sleeping, so I woke up immediately and fixed this. The interface which is doing NAT networking is vmbr1, but when I set up the virtual machine I was assigning the wrong bridge mode (vmbr0) to the network device.
To fix this I stopped the virtual machine and changed the bridge mode from vmbr0 to vmbr1. Now everything works fine.
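
The root cause found in this thread (a VM NIC attached to vmbr0 while the guest was addressed for the vmbr1 NAT network) can be checked mechanically. The following is an added example, not part of any post: it compares the bridge on a VM's `netN` line (as stored in `/etc/pve/qemu-server/<vmid>.conf`) with the host bridge whose subnet contains the guest IP. The sample VM line, its MAC address and all function names are constructed assumptions.

```shell
#!/bin/sh
# Constructed inputs: bridge addresses mirror the posted /etc/network/interfaces;
# the VM line and MAC are made up, in Proxmox "netN: model=MAC,bridge=..." form.
HOST_IFACES='iface vmbr0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
iface vmbr1 inet static
        address 10.0.4.1
        netmask 255.255.255.0'
VM_CONF='net0: e1000=DE:AD:BE:EF:00:01,bridge=vmbr0'

# Dotted quad -> 32-bit integer, so networks can be compared with a mask.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the host bridge whose address/netmask network contains IP $1.
bridge_for_ip() {
    ip=$(ip2int "$1")
    printf '%s\n' "$HOST_IFACES" | awk '
        $1 == "iface"   { name = $2 }
        $1 == "address" { addr = $2 }
        $1 == "netmask" { print name, addr, $2 }' |
    while read -r name addr mask; do
        a=$(ip2int "$addr"); m=$(ip2int "$mask")
        if [ $(( ip & m )) -eq $(( a & m )) ]; then echo "$name"; fi
    done
}

# List "netN bridge" pairs from VM config text $1.
vm_nic_bridges() {
    printf '%s\n' "$1" | sed -n 's/^\(net[0-9]*\):.*bridge=\([^,]*\).*/\1 \2/p'
}

# check_vm CONF GUEST_IP: is any VM NIC attached to the bridge that
# serves GUEST_IP? (GUEST_IP is supplied by the operator.)
check_vm() {
    want=$(bridge_for_ip "$2")
    if [ -z "$want" ]; then
        echo "UNKNOWN: no host bridge serves $2"
    elif vm_nic_bridges "$1" | grep -q " $want\$"; then
        echo "OK: $2 is reachable via $want"
    else
        echo "MISMATCH: $2 needs a NIC on $want, found: $(vm_nic_bridges "$1")"
    fi
}

check_vm "$VM_CONF" 10.0.4.2
```

A mismatch here shows up on the host exactly as in the first post: ARP for the guest goes unanswered on vmbr1, so ping reports "Destination Host Unreachable" and the DNAT rule has nothing to forward to.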