Allow entry to VM Ports with SDN

Jan 22, 2024
Hello community, I have been trying to get this working for three weeks and I no longer know how to do it; the frustration is such that I am about to install Windows and use its hypervisor.

I have a PVE 8.1.3 instance with a single public IP, without DHCP, on a /30. This is given to me by the supplier. Through SDP, I created two VLANs (192 and 172). I want to understand, or be told, what I should do so that the VM at 192.168.1.20, for example, can expose port 80 of its NGINX. This is the configuration I have:


Code:
auto vmbr0
iface vmbr0 inet static
        address 111.111.111.111/30
        gateway 122.122.122.122
        bridge-ports enp1s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4049
#PublicIP
auto LAN172
iface LAN172
        address 172.0.0.1/24
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        ip-forward on
#Intranet

auto LAN192
iface LAN192
        address 192.168.1.1/24
        post-up iptables -t nat -A POSTROUTING -s '192.168.1.1/24' -o vmbr0 -j SNAT --to-source 179.43.118.110
        post-down iptables -t nat -D POSTROUTING -s '192.168.1.1/24' -o vmbr0 -j SNAT --to-source 179.43.118.110
        post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        ip-forward on
#InternetLAN

This configuration, as I present it to you, works perfectly for going out to the Internet and working within the VM. But when it comes to exposing a port, I am stuck.
So:
- How can I open ports, or which of all the firewalls do I have to touch, so that I can open ports of this VM?
- Where or what do I have to touch so that when I call the public IP 111.111.111.111:80 it goes to the VM 192.168.1.20:80?

Thanks in advance.
 
Through SDP, I created two VLANs (192 and 172),

what is SDP ?

also, I don't see any vlan 192/172 in your configuration, not even any physical interface bridging

you should have at minimum something like

Code:
iface LAN172 
     ....
     bridge_ports enp1s0.172


for LAN192, you are doing routed setup, so what is the relation with vlan here ?
 
if you have an sdn configuration,

is this configuration:

Code:
#PublicIP
auto LAN172
iface LAN172
        address 172.0.0.1/24
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        ip-forward on
#Intranet

auto LAN192
iface LAN192
        address 192.168.1.1/24
        post-up iptables -t nat -A POSTROUTING -s '192.168.1.1/24' -o vmbr0 -j SNAT --to-source 179.43.118.110
        post-down iptables -t nat -D POSTROUTING -s '192.168.1.1/24' -o vmbr0 -j SNAT --to-source 179.43.118.110
        post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        ip-forward on
#InternetLAN

the sdn configuration generated in /etc/network/interfaces.d/sdn ?

As it looks like a "simple" zone configuration.

you should have 1 zone, of vlan zone type, with vmbr0 defined in the zone.
Then add the vlan tag in the vnet configuration.

but again, I don't see why you have configured a gw + snat on LAN192, as you don't need vlan for this. (it's a routed setup, not a bridge vlan setup)
 
The SNAT is for the connection to the internet on vmbr0. This configuration is via PV. If this option is not available, you don't have internet in the specific LAN.
 
The SNAT is for the connection to the internet on vmbr0. This configuration is via PV. If this option is not available, you don't have internet in the specific LAN.
yes, sure, but why do you need vlan here ? Do you have other nodes that need to communicate with the vms on this vlan && this subnet 192.168.1.0/24 ?
or maybe, when you said "vlan", you just mean "sdn vnet" ? (no relation with a true vlan tag ?)

For your question about port :80, SNAT is only for outgoing traffic. (vm --> internet).
You need to do port forwarding if you have only 1 public ip and want to map 1 host port to 1 vm port.

It's not available in the gui,
but you can use something like:

"iptables -t nat -A PREROUTING -p tcp -d <external.public.ip> --dport 80 -i vmbr0 -j DNAT --to-destination 192.168.1.10:80"

where 192.168.1.10 is the vm private ip

you can add it in /etc/network/interfaces for example, in a post-up script

Code:
auto vmbr0
iface vmbr0 inet static
   ...
   post-up  iptables -t nat  ....
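The port-forwarding hook described above, written out as an added example (not code from the thread or from Proxmox): it generates the DNAT rule for the single public IP together with the matching FORWARD accept, and the paired post-up / post-down lines for /etc/network/interfaces. The public IP 111.111.111.111, the bridges vmbr0 and LAN192 and the VM address 192.168.1.20 are the thread's placeholders, and `dnat_present` is a hypothetical helper for checking the rule on the host.

```shell
# Added example: build the iptables rules that forward one TCP port on the
# host's public IP to one port on a VM behind the routed LAN192 bridge.
# Assumed placeholders: public IP 111.111.111.111, uplink bridge vmbr0,
# VM bridge LAN192, VM address 192.168.1.20 (none of these are real).

# Print the two rules for one host-port -> VM-port mapping.
# $1 = public IP, $2 = VM private IP, $3 = port on the public IP,
# $4 = port on the VM (defaults to $3).
# The reply above only shows the DNAT rule; the FORWARD accept is also
# needed whenever the host's FORWARD chain policy is DROP or a firewall
# filters forwarded traffic, otherwise the DNAT'ed packet is dropped.
forward_rules() {
    pub="$1"; vm="$2"; hport="$3"; vport="${4:-$3}"
    printf 'iptables -t nat -A PREROUTING -i vmbr0 -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$pub" "$hport" "$vm" "$vport"
    printf 'iptables -A FORWARD -i vmbr0 -o LAN192 -p tcp -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$vm" "$vport"
}

# Turn the -A rules into paired post-up / post-down lines for the vmbr0
# stanza of /etc/network/interfaces; the -D form removes exactly the rule
# the -A form added, so ifdown leaves no stale NAT rule behind.
interfaces_stanza() {
    forward_rules "$@" | while IFS= read -r rule; do
        printf '        post-up %s\n' "$rule"
        printf '        post-down %s\n' "$(printf '%s' "$rule" | sed 's/ -A / -D /')"
    done
}

# Hypothetical check for an idempotent hook: exit status 0 if the DNAT rule
# is already in place (only meaningful on the host, as root).
dnat_present() {
    iptables -t nat -C PREROUTING -i vmbr0 -p tcp -d "$1" --dport "$3" \
        -j DNAT --to-destination "$2:${4:-$3}" 2>/dev/null
}

# Public port 80 -> VM 192.168.1.20 port 80, as asked in the thread.
interfaces_stanza 111.111.111.111 192.168.1.20 80
```

Paste the printed lines under the `iface vmbr0 inet static` stanza; a second mapping (say public 8080 to VM 80) is just another call with a different port pair.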
 
Well, I take note of what you tell me. I don't have DHCP on vmbr0 since it's an internet bridge. If I suddenly want to create a LAN that has internet inside PVE, and another one that is for the intranet, how do I do it?

I was thinking of creating an interface from an IP to an OPNsense and then, from there, linking a vmbr1 so that it has the DHCP of OPNsense and goes out to the internet through there, and the same if I have to come in.

With the method I found, which is the one I told you above, plus the handling of iptables (with this method), I could say that I solved it, but in a bit of a dirty way. I'm kind of not convinced.
 
do you have only 1 public ip ? (for the hypervisor ?)

It could be easier with 2 ips, 1 for the hypervisor, 1 for your opnsense vm.

I know some forum users set the only public ip on the pfsense vm, with vpn, and the hypervisor with a private ip. But if the vm is crashing, you'll lose access to the hypervisor. (so you need physical access or some kind of ipmi access to solve the potential error)
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!