Container does not have full internet access

T

tester100

New Member
Nov 8, 2022
6
0
1
Hi, I would like my LXC container to have direct access to the Internet.
My container has IP address 192.168.1.35

The container has tunneling access enabled, of course.

Code: 
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

My default HOST /etc/network/interfaces

Bash: 
auto lo
iface lo inet loopback

iface enp1s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.30/24
        gateway 192.168.1.1
        bridge-ports enp1s0
        bridge-stp off
        bridge-fd 0


I added to it

Bash: 
post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
post-up   iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o enp1s0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o enp1s0 -j MASQUERADE
post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1


When I install the service (zerotier) directly on the host it works fine, it is fully reachable from the Internet, but when I do the same in the container it is no longer fully reachable, despite firewalls disabled, in the container itself also, why does this happen and how to fix it?
 
post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o enp1s0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o enp1s0 -j MASQUERADE

- Please remove the single quotes. '192.168.1.0/24' > 192.168.1.0/24
 
On pure metal did not help, all the time can not put together a direct connection.

I did another test, this time on VirtualBox under Windows 10, I installed a virtual machine with proxmox there, I chose a bridged network card as the network and here there is no problem, it connects directly.

Do you have any more ideas why this happens in a native installation of proxmox 8?
 
a couple of questions :

- what exactly do you mean by "direct internet access"
- why do you enable tunneling access
- what is the purpose of the iptables rules you added
- have you set a DNS server in the LXC option?

I have several LXC's running, all of them have internet acces, out of the box.
 
Spoonman2002 said:
a couple of questions :

- what exactly do you mean by "direct internet access"
- why do you enable tunneling access
- what is the purpose of the iptables rules you added
- have you set a DNS server in the LXC option?

I have several LXC's running, all of them have internet acces, out of the box.
Click to expand...
The LXC container has access to the Internet, but something breaks down in the host <==> container communication, which I will write about below.The container does not have a firewall installed, I did not check the firewall option during creation.I haven't changed anything in the host other than what is in this thread.

1. Direct, i.e. the application connects directly to the Internet, i.e. as if I put the server on debian without any firewall, connect to the router and expose the service to the world.

2. The target is samba over the ZeroTier tunnel, currently it connects without a problem, only there is a problem with the transfer because the ZeroTier in LXC has some trouble with direct communication to the internet, which results in a transfer of 2 MB/s.

The best thing is that when I run proxmox in a virtual machine with VirtualBox under Windows 10 where the machine has a bridged network card set, there is no problem, the transfer is always at 45 MB/s, a similar situation is on another server where I have debian without a firewall with ZeroTier and samba, there I also have 45 MB/s, and in Proxmox it is always around 2 MB/s.
Of course, the test conditions are the same, i.e. all computers are connected to the same router, the sender of the test file is an external VPS server on which a ZeroTier with samba is also installed.

3. According to the documentation, it was necessary for the container to have full Internet input and output, but as you can see, it's not enough.
4. Yes, I have set DNS in container 1.1.1.1 and 8.8.8.8.

If something is unclear, I'll clarify.
 
Last edited:
I have no Zerotier experience, but did some research.

Run this command on the host : # chown 100000:100000 /dev/net/tun
Check it with : # ls -l /dev/net/tun
It should read something like: # crw-rw-rw- 1 100000 100000 10, 200 Jul 17 20:59 /dev/net/tun
 
Spoonman2002 said:
I have no Zerotier experience, but did some research.

Run this command on the host : # chown 100000:100000 /dev/net/tun
Check it with : # ls -l /dev/net/tun
It should read something like: # crw-rw-rw- 1 100000 100000 10, 200 Jul 17 20:59 /dev/net/tun
Click to expand...
I did this on the host
chown 100000:100000 /dev/net/tun
Now I have
root@pve:~# ls -l /dev/net/tun
crw-rw-rw-1 100000 100000 100000 10, 200 Jul 23 13:16 /dev/net/tun

I restarted the container, but the problem is still there, that is, the transfer is at 1-2 MB/sec.

PS. Earlier I also did a test on ArchLinux and there I installed VirtualBox and created a virtual machine with Proxmox 8 with identical settings well and of course with bridged network card and there it was better, because the transfer was at the level of 15 MB/s, probably I could get as much as I had on Windows but I did not go into it anymore.

For some unknown reason Proxmox in my case "prefers" VirtualBox bridges more than the native installation.

UPDATE:
These are 2 screenshots from tcpdump running on these two hosts, one from a native installation and the other from VirtualBox on Windows 10.
Maybe this will help with this unusual problem.
In red I have blurred the address of the external VPS.
 

Attachments

  • native-proxmox.png
    native-proxmox.png
    58.9 KB · Views: 27
  • proxmox-virtualbox.png
    proxmox-virtualbox.png
    59.3 KB · Views: 28
Last edited:
Spoonman2002 said:
I must admit, I'm a bit lost for a solution..
What container do you use, Debian, Ubuntu ?
Click to expand...
Debian 12

UPDATE:

I did a Stun test on the host and the container, maybe this will give someone an idea on how to solve this.

Native Proxmox Host:
STUN client version 0.97
Primary: Independent Mapping, Port Dependent Filter, random port, will hairpin
Return value is 0x000006

Native Container: LXC
STUN client version 0.97
Primary: Independent Mapping, Independent Filter, random port, will hairpin
Return value is 0x000002


Windows 10 VirtualBox Proxmox Host:
STUN client version 0.97
Primary: Independent Mapping, Port Dependent Filter, random port, will hairpin
Return value is 0x000006

Windows 10 VirtualBox Proxmox Container LXC:
STUN client version 0.97
Primary: Independent Mapping, Independent Filter, random port, will hairpin
Return value is 0x000002

It seems to me that the container in native proxmox is behind dual NAT :-/
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back