[SOLVED] Container has no external access behind NAT config

BAKfr

Mar 19, 2020
Hi,

I'm trying to set up some containers using a standard NAT config. Unfortunately, I can't get the containers to access anything outside their LAN.


The Proxmox host is behind a router (192.168.1.254). It has perfect Internet connectivity, and can ping the container with problem.
At this moment, there is only one container (id: 100), with IP: 192.168.202.100
The container can ping both host IPs (the bridge one, 192.168.202.1, and the one used for the WAN, 192.168.1.1). It can't ping or access anything behind.

At this point, I'm running out of ideas. I'm taking any suggestion.
Thanks for your help.


----

Code:
# /etc/network/interfaces

auto lo
iface lo inet loopback

# enp3s0f0 is the only physical port with a plugged cable.
allow-hotplug enp3s0f0
auto enp3s0f0
iface enp3s0f0 inet static
      address 192.168.1.1/24
      gateway 192.168.1.254
      dns-nameservers 192.168.1.254

iface enp3s0f1 inet manual
iface enp4s0f0 inet manual
iface enp4s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
      bridge-ports none

      address 192.168.202.1/24
      post-up   iptables -t nat -A POSTROUTING -s '192.168.202.0/24' -o enp3s0f0 -j MASQUERADE
      post-down iptables -t nat -D POSTROUTING -s '192.168.202.0/24' -o enp3s0f0 -j MASQUERADE

cat /proc/sys/net/ipv4/ip_forward
Code:
1


pve-firewall status
Code:
Status: disabled/stopped


iptables -L -n -v
Code:
Chain INPUT (policy ACCEPT 224 packets, 36145 bytes)
pkts bytes target     prot opt in     out     source               destination      

Chain FORWARD (policy ACCEPT 2 packets, 168 bytes)
pkts bytes target     prot opt in     out     source               destination      

Chain OUTPUT (policy ACCEPT 234 packets, 35273 bytes)
pkts bytes target     prot opt in     out     source               destination


iptables -t nat -L -n -v
Code:
Chain PREROUTING (policy ACCEPT 13 packets, 2841 bytes)
pkts bytes target     prot opt in     out     source               destination      

Chain INPUT (policy ACCEPT 11 packets, 2673 bytes)
pkts bytes target     prot opt in     out     source               destination      

Chain OUTPUT (policy ACCEPT 16 packets, 951 bytes)
pkts bytes target     prot opt in     out     source               destination      

Chain POSTROUTING (policy ACCEPT 16 packets, 951 bytes)
pkts bytes target     prot opt in     out     source               destination      
    2   168 MASQUERADE  all  --  *      enp3s0f0  192.168.202.0/24     0.0.0.0/0


ip addr
Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 68:b5:99:78:68:ac brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 scope global enp3s0f0
       valid_lft forever preferred_lft forever
    inet6 2a01:e0a:276:f100:6ab5:99ff:fe78:68ac/64 scope global dynamic mngtmpaddr
       valid_lft 86109sec preferred_lft 86109sec
    inet6 fe80::6ab5:99ff:fe78:68ac/64 scope link
       valid_lft forever preferred_lft forever
3: enp3s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 68:b5:99:78:68:ae brd ff:ff:ff:ff:ff:ff
4: enp4s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 68:b5:99:78:68:b0 brd ff:ff:ff:ff:ff:ff
5: enp4s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 68:b5:99:78:68:b2 brd ff:ff:ff:ff:ff:ff
6: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 82:cd:73:c8:dd:e2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.202.1/24 scope global vmbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::80f8:d6ff:fe0c:358f/64 scope link
       valid_lft forever preferred_lft forever
8: veth100i0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr100i0 state UP group default qlen 1000
    link/ether fe:3a:62:13:ce:ff brd ff:ff:ff:ff:ff:ff link-netnsid 0
9: fwbr100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 76:1e:6b:8a:6a:ce brd ff:ff:ff:ff:ff:ff
10: fwpr100p0@fwln100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
    link/ether 82:cd:73:c8:dd:e2 brd ff:ff:ff:ff:ff:ff
11: fwln100i0@fwpr100p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr100i0 state UP group default qlen 1000
    link/ether 76:1e:6b:8a:6a:ce brd ff:ff:ff:ff:ff:ff


pct config 100
Code:
arch: amd64
cores: 4
hostname: sandbox
memory: 65535
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.202.1,hwaddr=7A:5F:04:2E:66:57,ip=192.168.202.100/24,type=veth
onboot: 1
ostype: ubuntu
rootfs: vm-data:vm-100-disk-0,size=40G
swap: 0
unprivileged: 1
 
Ok, so the problem ... fixed itself after an apt dist-upgrade and a reboot.

I have rebooted several times during my attempts to fix this, and my packages were less than 2 weeks old.
However, I have recently installed ifupdown2. It's only a guess, but I believe some PVE file hasn't been regenerated since, and the package update triggered that.

Anyway, case closed!
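
Added example (not part of the original posts): a Python cross-check that the bridge stanza, the MASQUERADE rule and the container's `net0` line from the thread agree with each other, which is the first thing to rule out before suspecting stale host state. The function names are hypothetical, the inputs are constructed from the configuration posted above, and static addressing is assumed.

```python
import ipaddress
import re

# Constructed input: the relevant lines of the configuration posted above.
INTERFACES = """\
iface enp3s0f0 inet static
      address 192.168.1.1/24
      gateway 192.168.1.254
iface vmbr0 inet static
      address 192.168.202.1/24
      post-up   iptables -t nat -A POSTROUTING -s '192.168.202.0/24' -o enp3s0f0 -j MASQUERADE
"""
NET0 = "name=eth0,bridge=vmbr0,firewall=1,gw=192.168.202.1,ip=192.168.202.100/24,type=veth"

def parse_interfaces(text):
    """Map each iface stanza to its address, gateway and (source, out-iface) MASQUERADE rules."""
    stanzas, cur = {}, None
    for line in text.splitlines():
        key, *rest = line.split() or [""]
        if key == "iface":
            cur = stanzas.setdefault(rest[0], {"masq": []})
        elif cur is not None and key in ("address", "gateway"):
            cur[key] = rest[0]
        elif cur is not None and key == "post-up" and "MASQUERADE" in rest:
            cur["masq"] += re.findall(r"-s\s+'?([\d./]+)'?.*-o\s+(\S+)", line)
    return stanzas

def check_nat(interfaces_text, net0):
    """Return the inconsistencies found; an empty list means the files agree."""
    ifs = parse_interfaces(interfaces_text)
    ct = dict(kv.split("=", 1) for kv in net0.split(","))
    bridge = ifs.get(ct["bridge"], {})
    if "address" not in bridge:
        return [f"bridge {ct['bridge']} has no static address"]
    br_if = ipaddress.ip_interface(bridge["address"])
    ct_if = ipaddress.ip_interface(ct["ip"])
    problems = []
    if ct_if.network != br_if.network:
        problems.append("container IP is outside the bridge subnet")
    if ct.get("gw") != str(br_if.ip):
        problems.append("container gateway is not the bridge address")
    # Interfaces carrying a default gateway are the valid NAT exits.
    uplinks = {name for name, s in ifs.items() if "gateway" in s}
    exits = {out for src, out in bridge["masq"]
             if ct_if.ip in ipaddress.ip_network(src, strict=False)}
    if not exits:
        problems.append("no MASQUERADE rule covers the container IP")
    elif not exits & uplinks:
        problems.append("MASQUERADE exits via an interface with no gateway")
    return problems
```

For the posted configuration `check_nat(INTERFACES, NET0)` returns an empty list: the files are mutually consistent, so the fault has to lie outside them.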