Proxmox VE 8 with Firewall in Routed Configuration. Netfilter POSTROUTING SNAT not working

[Michi]

Hi,
since switching to Proxmox VE 8 Postrouting SNAT (Unfortunately I must use NAT) in combination with the Proxmox Firewall is not working anymore even with conntrack zones enabled.
In Proxmox VE 7 it worked after adding

post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1 
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

to the /etc/network/interfaces.


This is how my /etc/network/interfaces looks like

auto eno1 
iface eno1 inet static 
        address <Main public IP>/26 
        gateway <Gateway IP> 
 
 
 
 
 
 
auto vmbr0 
iface vmbr0 inet static 
        address <Main public IP>/32 
        bridge-ports none 
        bridge-stp off 
        bridge-fd 0 
        #fix for SNAT and VE Firewall 
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1 
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1 
 
 
        #SNAT for Backup 
        post-up iptables -t nat -A POSTROUTING -s <internel IP Backup>/32 -o eno1 -j SNAT --to-source <Main public IP> 
        post-down iptabels -t nat -D  POSTROUTING -s <internel IP Backup>/32 -o eno1 -j SNAT --to-source <Main public IP>

Any feedback is much appreciated.

Best regards

 

[spirit]

does it work if you boot on old kernel 5.15 ? (maybe something have changed in netfilter, not sure abou that)

 

[Michi]

Proxmox 7 with kernel 5.15.30 - working
Proxmox 8 on Bookworm with kernel 6.2.16-> Not working

 

[kemeris]

Same problem here after upgrade to Proxmox 8. I would appreciate any help.