Proxmox with single IPv4 address and NAT VMs

[iTz_EthqnHD]

Hello all,

I have a rented dedicated server with a smaller provider solely used as a Proxmox host. As the title states, I have a single public IP on the machine that is being used on the physical/main port (vmbr0) in Proxmox. I have it all set up, and it worked fine until I recently added a new VM. All the VMs use the same OS, basic config, and network adapter setup. The new VM that I have added has occasional packet loss to any public IP and even to the virtual internal network on which I have all the VMs. The packet loss only occurs on the new VM, and there is also no packet loss issues on the host.

Where do I start with diagnosing this internal Proxmox network issue?

 

[Chris]

Hi,
this issue sounds like there might be an IP address conflict. Check that all VMs/CTs and other members in the same subnet have a unique IP address.
ip neigh on the PVE node gives you a list of the arp neighbours of the host, so you can double check the mac addresses.
If that is not the issue, you might want to check with tcpdump if the packages are arriving as expected on the PVE hosts vmbrX bridge, to which the VM is attached to. Is there a firewall active which might interfere with the traffic from that VM, iptables-save dumps you the rules for the PVE host.
Also check the systemd journal for errors, journalctl -b -r gives you a paginated view of the journal since boot in reverse.

 

[iTz_EthqnHD]

Hi,
this issue sounds like there might be an IP address conflict. Check that all VMs/CTs and other members in the same subnet have a unique IP address.
ip neigh on the PVE node gives you a list of the arp neighbours of the host, so you can double check the mac addresses.
If that is not the issue, you might want to check with tcpdump if the packages are arriving as expected on the PVE hosts vmbrX bridge, to which the VM is attached to. Is there a firewall active which might interfere with the traffic from that VM, iptables-save dumps you the rules for the PVE host.
Also check the systemd journal for errors, journalctl -b -r gives you a paginated view of the journal since boot in reverse.

Chris,

Thank you for the help so far!

I've checked the systems journal for errors and IP conflicts, and there are no apparent issues. How would I go about a TCP dump on the virtual network?

 

[Chris]

Chris,

Thank you for the help so far!

I've checked the systems journal for errors and IP conflicts, and there are no apparent issues. How would I go about a TCP dump on the virtual network?

You can e.g. use tcpdump -i vmbr0 to dump and inspect the traffic flowing over the bridge, or do the same using a different interface.

 

[iTz_EthqnHD]

You can e.g. use tcpdump -i vmbr0 to dump and inspect the traffic flowing over the bridge, or do the same using a different interface.

There were no dropped packets by the kernel on the virtual network when the packet loss occurred while pining the internal network.

This sure is a tricky one...

 

[Chris]

There were no dropped packets by the kernel on the virtual network when the packet loss occurred while pining the internal network.

This sure is a tricky one...

So you see the outbound pings going trough the vmbr0, but not the response? That indicates that either your NAT is not configured correctly (check the source IP on the outgoing interface) or there is a routing problem, the packets not finding their way back to the host.

 

[iTz_EthqnHD]

What do the NAT rules need to look like then?

 

[Chris]

What do the NAT rules need to look like then?

You can find an example for a NAT setup in the docs, see https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_network_masquerading