Connect a Proxmox server directly to a ONT (FTTH)

[NiPeGun]

I'm trying to connect my Proxmox host directly into my ONT's ethernet port.
The ONT serves a unique ethernet connection with the internet data in the VLAN 6. The public IP must be obtained via PPP over that VLAN6.
I managed to make all the WAN, VLAN and PPP connections work without problems.
Here is the /etc/network/interfaces text related to the WAN, VLAN and PPP configs:

auto lo
  iface lo inet loopback

auto eth0
  allow-hotplug eth0
  iface eth0 inet manual

auto eth0.6
  iface eth0.6 inet manual
  metric 1

auto MovistarWAN
  iface MovistarWAN inet ppp
  pre-up /bin/ip link set eth0.6 up
  provider MovistarWAN

With that configuration in /etc/network/interfaces the host manages to get a public IP in the ppp0 interface and all works as is expected.

Now the problem comes when I try to create the bridge for the VMs. I need to make use of the Proxmox Masquerading configuration. So, the text in /etc/network/interfaces related to the bridge is:

auto vmbr0
  iface vmbr0 inet static
  address 192.168.0.200
  netmask 255.255.255.0
  bridge-ports none
  bridge-stp off
  bridge-fd 0
  post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
  post-down echo 0 > /proc/sys/net/ipv4/ip_forward
  post-up   iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o ppp0 -j MASQUERADE
  post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o ppp0 -j MASQUERADE
  post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
  post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

And there the problems started.

PROBLEMS:
- The VMs are not able to get an IP if I config them with DHCP.
- If I, instead, config the VMs to get a static IP, they get it but they aren't able to ping the host nor get internet.

EXTRA INFO:
HAProxy is running in the host and forwarding traffic to each different VM depending on the SNI of the arriving TCP packets. Curious thing is that the web pages located inside each VM are able to serve the webs like they are supposed to. So, there is a route to forward traffic from the host to the VM. But if the VM originates the connection, find not route at all.

I'm not a network expert nor an IT guy. Just a martial arts instructor here. So I'll appreciate any help you can give me.

I'm trying to find a solution that can work without the need to modify each VM in case I change from bridge to masquerading with IPTables and viceversa.

I mean, if I decide to change PVE again to a default bridged configuration, I still want to make use of that VMs without needing to modify its network configuration files inside them.

So, What do I making wrong with the bridge?

The much detail in the answer, the better.

Thanks!

 

[t.lamprecht]

address 192.168.0.200
netmask 255.255.255.0

General tip: Above notation is obsolete and will be dropped in the future, rather write above in the CIDR notation 192.168.0.200/24 (I know we need to still update that in some places of the docs ourselves)

- The VMs are not able to get an IP if I config them with DHCP.

I mean, does a dhcp server like dnsmasq runs and listens on vmbr0 to reply to DHCP requests?

- If I, instead, config the VMs to get a static IP, they get it but they aren't able to ping the host nor get internet.

So they cannot ping 192.168.0.200 (and there's no firewall configured?)
Because if that works they may just not be aware of the fact that they have to use 192.168.0.200 as their gateway, and so have no route to the internet.

I'm trying to find a solution that can work without the need to modify each VM in case I change from bridge to masquerading with IPTables and viceversa.

I mean, if I decide to change PVE again to a default bridged configuration, I still want to make use of that VMs without needing to modify its network configuration files inside them.

Using DHCP can make sense then, one can also configure most dhcp server to serve specific addresses depending on the MAC address of the request and so have a static-like network also then.