No access to loc and dmz network with PVE host being router

[cmonty14]

Hello!

I have configured 2 additional networks, loc and dmz, on the PVE host:

root@pc4-svp:/var/lib/vz/dump# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

## unitymedia business static IPv4
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet manual

auto eth2
iface eth2 inet manual


## LAN an eth0
auto vmbr0
iface vmbr0 inet static
        address   10.0.0.1
        netmask   255.255.255.0
        broadcast 10.0.0.255
        bridge_ports none
        bridge_stp off
        bridge_fd 0

## DMZ an eth1
auto vmbr1
iface vmbr1 inet static
        address   10.1.0.1
        netmask   255.255.255.0
        broadcast 10.0.0.255
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

## LAN net1-fb6490 mit zweiter Routingtabelle an eth2
auto vmbr2
iface vmbr2 inet static
        address  192.168.178.14
        netmask  255.255.255.0
        gateway  192.168.178.1
        bridge_ports eth2
        bridge_stp off
        bridge_fd 0

On top of PVE the firewall software "Shorewall" is installed and here I configured the additional route:

root@pc4-svp:/var/lib/vz/dump# ip route show
10.0.0.0/24 dev vmbr0  proto kernel  scope link  src 10.0.0.1
blackhole 10.0.0.0/8
10.1.0.0/24 dev vmbr1  proto kernel  scope link  src 10.1.0.1 linkdown
blackhole 172.16.0.0/12
blackhole 192.168.0.0/16
192.168.178.0/24 dev vmbr2  proto kernel  scope link  src 192.168.178.14
192.168.178.1 dev vmbr2  scope link  src 192.168.1.14
217.8.50.64/26 dev eth0  proto kernel  scope link  src 217.8.50.86
217.8.50.65 dev eth0  scope link  src 217.8.50.86

Network 192.168.178.0/24 is provided by Fritz!Box router.

From PVE host (192.168.178.14) I can access any client in loc (10.0.0.0/24) and dmz (10.1.0.0/24).
The PVE host is router in loc (10.0.0.1) and dmz (10.1.0.1).

The issue is that I cannot access any client in loc or dmz from another client in 192.168.178.0/24.

What is needed to get access to loc / dmz network from any client in 192.168.178.0/24?

 

[Richard]

## LAN net1-fb6490 mit zweiter Routingtabelle an eth2
auto vmbr2
iface vmbr2 inet static
        address  192.168.178.14
        netmask  255.255.255.0
        gateway  192.168.1.1
        bridge_ports eth2
        bridge_stp off
        bridge_fd 0

Souldn't the gateway be

192.168.178.1 ?

Network 192.168.178.0/24 is provided by Fritz!Box router.

From PVE host (192.168.178.14) I can access any client in loc (10.0.0.0/24) and dmz (10.1.0.0/24).
The PVE host is router in loc (10.0.0.1) and dmz (10.1.0.1).

The issue is that I cannot access any client in loc or dmz from another client in 192.168.178.0/24.

What is needed to get access to loc / dmz network from any client in 192.168.178.0/24?

From my experience with Fritz!Box (and other NAT routers) they block internal traffic if the IP (destination) addresses do not match to the local subnet (192.168.178.0/24).

If you use a switch for local traffic it should work. Other possibility: to masquerade traffic to loc and dmz.

 

[cmonty14]

True... this is a type.
The router gateway is 192.168.178.1.

In between the router and the host I have a managed switch: Longshine LCS-GS8208-A

Would it make sense to create a VLAN and assign a dedicated IP in 10.0.0.0/24 to any client in 192.168.178.0/24?