[SOLVED] configuring WLAN-based host (no wired connection)

Namudril
Jun 25, 2021
Hello!
I've been stuck trying to configure a wireless setup for my home lab following this article:
https://pve.proxmox.com/pve-docs/ch..._nat_with_span_class_monospaced_iptables_span

main network: 192.168.1.0/24
gw (wifi-router): 192.168.1.1

host
# cat /etc/network/interfaces

auto lo
iface lo inet loopback

allow-hotplug wl0
iface wl0 inet dhcp
wpa-ssid mySSID
wpa-psk mypasswd

auto vmbr0
iface vmbr0 inet static
address 192.168.2.1/24
bridge-ports none
bridge-stp off
bridge-fd 0

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.2.0/24' -o wl0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.2.0/24' -o wl0 -j MASQUERADE

lxt
# cat /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.2.12/24
gateway 192.168.2.1

What I'm trying to achieve:
1) both the host and the VMs/LXTs are accessible from the Internet via port forwarding at the router;
2) both the host and the VMs/LXTs are able to connect to the Internet and resolve DNS names
 
For a NAT setup with a single IP, I also needed to add this from section 3.3.6 to vmbr0:
post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
I'm not using WiFi but my setup is very similar so maybe this can help you too?

EDIT: Does your host get an IP from your WiFi router? Have you checked with ip a and ip r? Can you access the internet from the host?
 
That part was for a setup with the firewall enabled, wasn't it? Not my situation.
The host works just fine on the WiFi connection.
 
The only other difference with my working configuration is that instead of address 192.168.2.1/24 I have separated the address and mask
address 192.168.2.1 netmask 255.255.255.0
If WiFi is working fine for the host, then your configuration should give you NAT for your CTs and VMs. Can you explain the problem you have in more detail?
 
I couldn't ping the CT from another machine on the 192.168.1.0/24 network, including the host/node.
Couldn't ping anything from the CT.
Couldn't resolve domain names from the CT, as the nameserver 192.168.1.1 (router) belonged to a different network than the CT (192.168.2.0/24) and I didn't know what gateway to configure on the CT side.
My lab is out of reach now. I think I'll be able to run some tests tomorrow or the day after.
 
I couldn't ping CT from other machine on 192.168.1.0/24 network, including host/node.
You cannot because it is behind NAT. You need to forward ICMP, but that means you can only ping one specific CT or VM. This is probably similar to port forwarding, where you can only forward each port to one CT or VM. You cannot connect to specific machines on a network behind NAT, as far as I know.
Couldn't ping anything from CT.
Maybe ICMP forwarding or reflection is not enabled by your NAT?
Couldn't resolve domain names from CT as nameserver 192.168.1.1 (router) belonged to another network than CT (192.168.2.0/24) and I didn't know what gateway to configure on CT side.
My guess is that you need to configure the domain names in the DNS of your router or your DHCP server of the 192.168.2.0/24 network.
My lab is out of reach now. I think, I'll be able to run some tests tomorrow or a day after.
I'm not very experienced with these detailed network things, sorry. I thought you just needed help to setup WiFi and NAT, but you already got that working.
There is a specific sub-forum for network questions, maybe someone there can be of more help to you than me.
 
Code:
# ip r
default via 192.168.1.1 dev wlx28ee52097d6f
10.0.0.0/24 dev vmbr1 proto kernel scope link src 10.0.0.2
192.168.1.0/24 dev wlx28ee52097d6f proto kernel scope link src 192.168.1.112
192.168.2.0/24 dev vmbr0 proto kernel scope link src 192.168.2.1

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 78:e7:d1:f4:2d:22 brd ff:ff:ff:ff:ff:ff
3: enp48s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr1 state UP group default qlen 1000
    link/ether 00:0e:04:b7:37:0e brd ff:ff:ff:ff:ff:ff
4: wlx28ee52097d6f: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 28:ee:52:09:7d:6f brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.112/24 brd 192.168.1.255 scope global dynamic wlx28ee52097d6f
       valid_lft 6823sec preferred_lft 6823sec
    inet6 fe80::2aee:52ff:fe09:7d6f/64 scope link
       valid_lft forever preferred_lft forever
5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f6:a5:57:02:30:22 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global vmbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::6823:4aff:feb4:7095/64 scope link
       valid_lft forever preferred_lft forever
6: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:0e:04:b7:37:0e brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.2/24 brd 10.0.0.255 scope global vmbr1
       valid_lft forever preferred_lft forever
    inet6 fe80::20e:4ff:feb7:370e/64 scope link
       valid_lft forever preferred_lft forever
7: veth101i0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr101i0 state UP group default qlen 1000
    link/ether fe:7e:9d:36:af:72 brd ff:ff:ff:ff:ff:ff link-netnsid 0
8: fwbr101i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ce:a0:00:11:a1:1f brd ff:ff:ff:ff:ff:ff
9: fwpr101p0@fwln101i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
    link/ether f6:a5:57:02:30:22 brd ff:ff:ff:ff:ff:ff
10: fwln101i0@fwpr101p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr101i0 state UP group default qlen 1000
    link/ether ce:a0:00:11:a1:1f brd ff:ff:ff:ff:ff:ff
11: veth102i0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr102i0 state UP group default qlen 1000
    link/ether fe:a5:d9:b2:53:ad brd ff:ff:ff:ff:ff:ff link-netnsid 1
12: fwbr102i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 72:01:93:7a:2f:be brd ff:ff:ff:ff:ff:ff
13: fwpr102p0@fwln102i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
    link/ether ae:b7:df:19:40:19 brd ff:ff:ff:ff:ff:ff
14: fwln102i0@fwpr102p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr102i0 state UP group default qlen 1000
    link/ether 72:01:93:7a:2f:be brd ff:ff:ff:ff:ff:ff

# pct config 101
arch: amd64
cores: 4
hostname: signum-node
memory: 6144
nameserver: 8.8.8.8
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,hwaddr=0E:4E:5E:91:D2:EF,ip=192.168.1.11/24,type=veth
onboot: 1
ostype: debian
rootfs: local-lvm:vm-101-disk-0,size=10G
searchdomain: 192.168.1.1
swap: 4096
unprivileged: 1
Now I see that configuring the CT network by editing /etc/network/interfaces is the wrong way, as the CT config rules.
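As an added example (not code from the thread or from Proxmox), here is a small shell checker for the mismatch visible in the `pct config 101` output above: the CT's `ip=` and `gw=` come from the router's 192.168.1.0/24 network while vmbr0 sits on 192.168.2.1/24, so the CT has no on-link path to the host and no gateway it can reach. The script parses a net0 line, checks that `ip=` lies inside the bridge's subnet and that `gw=` is the bridge address (the NAT hop), and flags `firewall=1` because the fwbr+ bridges it creates are exactly the case the conntrack zone rule quoted earlier in the thread covers. The net0 strings and bridge address at the bottom are constructed sample input modelled on the thread, not read from a live host.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: sanity-check a CT's
# net0 line against the host bridge it attaches to. Replace the constructed
# sample values at the bottom with `pct config <vmid>` and `ip -4 a show vmbr0`.

# ip4_to_int 192.168.2.1 -> 3232236033
ip4_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# prefix_mask 24 -> 4294967040 (0xffffff00)
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# same_subnet A/len B: true when A and B share the /len network
same_subnet() {
    net=${1%/*}; len=${1#*/}; m=$(prefix_mask "$len")
    [ $(( $(ip4_to_int "$net") & m )) -eq $(( $(ip4_to_int "$2") & m )) ]
}

# net0_field "name=eth0,bridge=vmbr0,ip=..." key -> value (empty if absent)
net0_field() {
    rest="$1,"
    while [ -n "$rest" ]; do
        kv=${rest%%,*}; rest=${rest#*,}
        case $kv in "$2="*) echo "${kv#*=}"; return 0 ;; esac
    done
    echo ""
}

# check_ct_net <net0 value> <bridge address, e.g. 192.168.2.1/24>
# Prints one finding per line; returns 0 when the CT can reach the NAT hop.
check_ct_net() {
    br_ip=${2%/*}
    ct_ip=$(net0_field "$1" ip); ct_gw=$(net0_field "$1" gw)
    rc=0
    if ! same_subnet "$2" "${ct_ip%/*}"; then
        echo "ip=$ct_ip is outside the bridge network $2: the CT has no on-link path to the host"; rc=1
    fi
    if [ "$ct_gw" != "$br_ip" ]; then
        echo "gw=$ct_gw should be the bridge address $br_ip, which is the NAT hop to the WiFi uplink"; rc=1
    fi
    if [ "$(net0_field "$1" firewall)" = 1 ]; then
        echo "note: firewall=1 puts fwbr+ bridges in the path; the conntrack zone rule from the pve-docs NAT section applies"
    fi
    return $rc
}

# Constructed sample input shaped like the thread's `pct config 101` net0 line.
BROKEN='name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,hwaddr=0E:4E:5E:91:D2:EF,ip=192.168.1.11/24,type=veth'
FIXED='name=eth0,bridge=vmbr0,firewall=1,gw=192.168.2.1,hwaddr=0E:4E:5E:91:D2:EF,ip=192.168.2.12/24,type=veth'

echo "== broken =="; check_ct_net "$BROKEN" 192.168.2.1/24
echo "== fixed ==";  check_ct_net "$FIXED"  192.168.2.1/24 && echo "ok: ip and gw match vmbr0"
```

Once `gw=` points at the bridge address, the CT's `nameserver` can be anything the host itself can reach: 8.8.8.8 as in the posted config, or the router at 192.168.1.1, since that traffic leaves through the same MASQUERADE rule as everything else. The fix for the posted line is a `pct set 101 -net0 ...` with the corrected string (or the same edit in the GUI), not an edit inside the container.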
 
Shame on me, I had to figure it out by myself. Thank you!
Now I'm going to study port forwarding in Linux, never done that before.
 
Successfully solved this by installing iptables-persistent on the host and running multiple commands, one for each CT:port pair:
Bash:
iptables -A PREROUTING -t nat -i wlx28ee52097d6f -p tcp -d %ext_ip_on_vmbr0% --dport %ext_port% -j DNAT --to %int_CT_ip_on_vmbr0%:%int_port%
 
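As an added example that serves both the NAT configuration from the first post and the port-forwarding rule above (it is not code from the thread or from Proxmox), the script below generates, and with `APPLY=1` installs, the full rule set for a host whose only uplink is WiFi: the MASQUERADE rule, one DNAT rule per forwarded TCP port, a FORWARD chain that only admits replies, outbound traffic from the NAT network and the explicitly forwarded ports, and a check that `ip_forward` is actually on. `WAN_IF`, `LAN_NET` and the `FORWARDS` table are assumptions modelled on the thread's interface names and addresses; the DNAT rules match on the inbound interface rather than on the host's WiFi address so that a new DHCP lease on the uplink does not silently break them.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: generate (and with
# APPLY=1, install) the NAT and port-forward rules for a Proxmox host whose
# only uplink is WiFi. WAN_IF, LAN_NET and the FORWARDS table are assumptions
# modelled on the thread; edit them for your host.
#   sh pve-wifi-nat.sh          # dry run, prints the iptables commands
#   APPLY=1 sh pve-wifi-nat.sh  # run as root to install them

WAN_IF=${WAN_IF:-wlx28ee52097d6f}   # WiFi uplink holding the DHCP lease from the router
LAN_NET=${LAN_NET:-192.168.2.0/24}  # NAT network on vmbr0

# Constructed sample: "external_port internal_ip internal_port", one TCP service per line
FORWARDS='
2222 192.168.2.12 22
8080 192.168.2.12 80
'

# run ARGS...: print the rule; with APPLY=1 add it unless it is already present
# (iptables -C), so re-running the script does not duplicate rules.
run() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = 1 ]; then
        iptables -C "$@" 2>/dev/null || iptables "$@"
    fi
}

# Masquerade LAN_NET behind the WiFi address and let only replies, outbound
# LAN traffic and explicitly forwarded ports cross the host.
masquerade_rules() {
    run -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
}

# dnat_rule EXT_PORT INT_IP INT_PORT: forward one TCP port arriving on the
# WiFi uplink to a CT/VM. Matching on -i rather than -d keeps the rule valid
# when the DHCP lease on the uplink changes.
dnat_rule() {
    run -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$1" -j DNAT --to-destination "$2:$3"
    run -A FORWARD -i "$WAN_IF" -p tcp -d "$2" --dport "$3" -m conntrack --ctstate NEW -j ACCEPT
}

# One DNAT + FORWARD pair per line of the FORWARDS table.
forward_rules() {
    echo "$FORWARDS" | while read -r ext ip port; do
        if [ -n "$ext" ]; then dnat_rule "$ext" "$ip" "$port"; fi
    done
}

# Default-deny the FORWARD chain once the allow rules are in place.
forward_policy() {
    echo "iptables -P FORWARD DROP"
    if [ "${APPLY:-0}" = 1 ]; then iptables -P FORWARD DROP; fi
}

# The NAT rules do nothing unless the kernel routes between interfaces;
# the post-up line in the thread's /etc/network/interfaces is what sets this.
check_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] && return 0
    echo "# WARNING: net.ipv4.ip_forward is not 1; run: sysctl -w net.ipv4.ip_forward=1" >&2
    return 1
}

masquerade_rules
forward_rules
forward_policy
check_forwarding || true
```

Because the DNAT rules match only on the inbound interface, a machine on 192.168.1.0/24 that connects to the host's WiFi address on a forwarded port also reaches the CT, which covers the "can't reach the CT from another machine" case for TCP services; ICMP to an individual CT behind the NAT still cannot be forwarded this way. After `APPLY=1`, `netfilter-persistent save` (from the iptables-persistent package the post mentions) writes the rules to `/etc/iptables/rules.v4` so they survive a reboot. If the Proxmox firewall is enabled it inserts its own chains into FORWARD, so check the combined result with `iptables -L FORWARD -n -v` rather than trusting the script's output alone.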
I've found a mistake in /etc/network/interfaces - no post-up before echo 1 > /proc/sys/net/ipv4/ip_forward, as I had been using a smartphone to configure the server at some point.
 
