[SOLVED] apt-get update fails with cannot connect but wget on the same ip works just fine

CursedExistence

New Member
May 3, 2022
Hello all,
I have a problem with the Proxmox host. I am using a Proxmox host + an OPNsense VM as my home server/firewall setup. Everything works inside the network, VMs etc., except for apt-get update on the actual Proxmox host. I am not sure how to fix this problem, so here are some details:

IP of PVE host: 192.168.0.2
IP of VM: 192.168.0.1

The VM is configured with PCI passthrough for WAN and a vmbr0 net card as LAN (virtio).

The host has the following network config:
Code:
root@gate:~# cat /etc/network/interfaces
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface enp7s0 inet manual

iface enp4s0 inet manual

iface enp5s0 inet manual

iface enp6s0 inet manual

iface enp8s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.0.2/24
        gateway 192.168.0.1
        bridge-stp off
        bridge-fd 0
        bridge_ports enp5s0 enp6s0 enp7s0 enp8s0
        dns-nameservers 192.168.0.1

Doing an apt-get update gives me this:
Code:
root@gate:~# apt-get update
Err:1 http://security.debian.org bullseye-security InRelease       
  Connection failed [IP: 199.232.138.132 80]
Err:2 http://download.proxmox.com/debian/pve bullseye InRelease     
  Connection failed [IP: 212.224.123.70 80]
Err:3 http://ftp.ro.debian.org/debian bullseye InRelease
  Connection failed [IP: 130.89.148.12 80]
Err:4 http://ftp.ro.debian.org/debian bullseye-updates InRelease
  Connection failed [IP: 130.89.148.12 80]
Reading package lists... Done
W: Failed to fetch http://ftp.ro.debian.org/debian/dists/bullseye/InRelease  Connection failed [IP: 130.89.148.12 80]
W: Failed to fetch http://ftp.ro.debian.org/debian/dists/bullseye-updates/InRelease  Connection failed [IP: 130.89.148.12 80]
W: Failed to fetch http://security.debian.org/dists/bullseye-security/InRelease  Connection failed [IP: 199.232.138.132 80]
W: Failed to fetch http://download.proxmox.com/debian/pve/dists/bullseye/InRelease  Connection failed [IP: 212.224.123.70 80]
W: Some index files failed to download. They have been ignored, or old ones used instead.

while doing a wget on an IP from that failed list gives me this:

Code:
root@gate:~# wget 130.89.148.12
--2022-05-03 10:58:04--  http://130.89.148.12/
Connecting to 130.89.148.12:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://130.89.148.12/debian/ [following]
--2022-05-03 10:58:04--  http://130.89.148.12/debian/
Reusing existing connection to 130.89.148.12:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.2’

index.html.2                  [ <=> ]   6.26K  --.-KB/s    in 0s

2022-05-03 10:58:04 (170 MB/s) - ‘index.html.2’ saved [6407]

nc gives me this as well:
Code:
root@gate:~# nc -zv 130.89.148.12 80
klecker-ftp.debian.org [130.89.148.12] 80 (http) open

I have no idea why this is happening. Any help would be greatly appreciated.

Note: I also have a Linux VM on the network and that works just fine.
 
I had a few cases where this behavior (apt not working, wget/curl/nc working fine) was due to some IPS system on the network/ISP.

-> Maybe ask your network provider if they have something in between you and 130.89.148.12 that might cause this.
 
I rebooted the node and apt-get worked for an update + an apt-get install sensors; after that I get "waiting for headers" again... not sure what is happening.
 
Nope, the host has a static IP and I get no duplicate MACs in the OPNsense logs; the issue seems to be with DNS on the host, I think. Is there a way to flush local DNS on the host without breaking the network (aka restarting the network)?
 
Any reason why you didn't create a bond for interfaces enp5s0-enp8s0 and then link vmbr0 to the bond?
No reason at all; the other interfaces are simply network cards I use for the rest of my network (basically as a switch). The main reason for the node is to provide routing through OPNsense, and that works just fine. The network devices + virtual machines all work fine, can reach the internet and do traffic, can query OPNsense DNS, etc. For all intents and purposes they work. The only thing that does not is apt-get on the actual Proxmox host. I can download things on the host, ping other hosts on the net or on the internet. The only thing that seems messed up is apt-get.
 
I think @bobmc has a good hint (and I missed it before) - but yes - you're effectively bridging the NICs together, which in almost all cases is not what you want (and can easily cause a loop).

Try removing all but one port - then consider creating a bond (or separating the NICs with a bridge each).
 
Again, the main idea is I want those NICs inside the bridge, since the bridge provides internet access to the rest of the network. The setup is like this:
enp4s0 -> forwarded directly to OPNsense through PCI passthrough -> plugged into the fiber modem.

virtio network card plugged into the bridge / OPNsense VM for LAN.

enp5s0, enp6s0, enp7s0, enp8s0 are all part of vmbr0 so they can reach the virtio network card and have OPNsense route them.

But again, the network works JUST FINE, and even the Proxmox host has internet/net connectivity just fine.

The problem I'm facing is that it seems like the apt-get domains get resolved wrong: if I reboot the machine (effectively flushing the DNS cache) it seems to work ONCE (I can install packages, but only once; after that something seems to break inside the DNS resolver or something, because apt complains that it can't connect to the IPs provided by the resolver).
 
I think you're falling into the trap of wanting things to work the way you expect them to and not listening to advice that suggests you should take a different approach.
 
Figured it out... Suricata was blocking traffic for the user agent used by Debian for some obscure reason. Changed the rule, everything is swell now.
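The thread's lesson is that a working wget/nc test does not prove apt can talk to the mirror, because an inline IPS can match on the HTTP User-Agent alone. The script below is an added example (not code from the thread, Proxmox or OPNsense) that turns that diagnosis into a repeatable check: it pulls the failing IP:port/URL triples out of `apt-get update` output and fetches each one twice against the pinned IP, once with curl's own User-Agent and once with apt's. It assumes curl is installed on the PVE host and that `APT_UA` is apt's default User-Agent on bullseye (the "(2.2.4)" version string is an assumption; `apt-config dump | grep -i User-Agent` shows the real one). The sample apt output embedded in it is copied from the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Compare a curl-style fetch with an
# apt-style fetch against the exact IP:port apt complained about, so a
# layer-7 block (like the Suricata user-agent rule at the end of the thread)
# shows up as "HTTP 200 for curl's UA, HTTP 000 for apt's UA".
#
# Assumption: default apt User-Agent on Debian bullseye; the version in
# parentheses may differ on your host.
APT_UA='Debian APT-HTTP/1.3 (2.2.4)'

# Constructed sample: the W: lines from the apt-get output in the first post.
SAMPLE_APT_OUTPUT='Err:1 http://security.debian.org bullseye-security InRelease
  Connection failed [IP: 199.232.138.132 80]
Reading package lists... Done
W: Failed to fetch http://ftp.ro.debian.org/debian/dists/bullseye/InRelease  Connection failed [IP: 130.89.148.12 80]
W: Failed to fetch http://ftp.ro.debian.org/debian/dists/bullseye-updates/InRelease  Connection failed [IP: 130.89.148.12 80]
W: Failed to fetch http://security.debian.org/dists/bullseye-security/InRelease  Connection failed [IP: 199.232.138.132 80]
W: Failed to fetch http://download.proxmox.com/debian/pve/dists/bullseye/InRelease  Connection failed [IP: 212.224.123.70 80]
W: Some index files failed to download. They have been ignored, or old ones used instead.'

# Print unique "ip port url" triples from `apt-get update` output read on
# stdin. Only the "W: Failed to fetch <url> ... [IP: a.b.c.d port]" summary
# lines are used: they carry the full file URL and the IP on one line.
apt_failed_targets() {
    awk '
        /^W: Failed to fetch / && match($0, /\[IP: [0-9.]+ [0-9]+]/) {
            tok = substr($0, RSTART + 5, RLENGTH - 6)   # "a.b.c.d port"
            split(tok, f, " ")
            key = f[1] ":" f[2]
            if (!(key in seen)) { seen[key] = 1; print f[1], f[2], $5 }
        }'
}

# Split an http(s) URL into host and path (path defaults to "/").
url_host() { printf '%s\n' "$1" | sed -E 's#^https?://([^/]+).*#\1#'; }
url_path() {
    p=$(printf '%s\n' "$1" | sed -E 's#^https?://[^/]+##')
    printf '%s\n' "${p:-/}"
}

# Fetch one target with curl's default User-Agent (what the wget test in the
# thread exercised) and then with apt's. --resolve pins the hostname to the
# IP apt reported, so DNS is out of the picture. "000" means no HTTP reply
# at all (reset or timeout), which is what an inline IPS drop looks like.
probe_target() {
    ip=$1; port=$2; url=$3
    host=$(url_host "$url"); path=$(url_path "$url")
    for ua in "curl/$(curl --version | awk 'NR==1{print $2}')" "$APT_UA"; do
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 -A "$ua" \
                    --resolve "$host:$port:$ip" "http://$host:$port$path") || code=000
        printf '%-16s %-5s %-30s HTTP %s\n' "$ip" "$port" "$ua" "$code"
    done
}

main() {
    apt_failed_targets | while read -r ip port url; do
        probe_target "$ip" "$port" "$url"
    done
}

# Usage on the host:  apt-get update 2>&1 | sh apt_vs_curl.sh run
case "${1:-}" in run) main ;; esac
```

The one-liner version of the same check needs no script: `apt-get -o Acquire::http::User-Agent=curl update`. If that succeeds where a plain `apt-get update` fails, the only thing that changed on the wire is the User-Agent header, and the problem is a content-inspecting device between the host and the mirror, not routing or DNS. On OPNsense the signature that fired is listed under the Alerts tab of the Intrusion Detection service; suppress or set that single SID to alert-only rather than disabling the whole policy, and where a mirror offers HTTPS, using it keeps the header out of reach of an inline IPS that does not intercept TLS.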
 
