eth0 routing through LAN and should not be

M

mudmanc4

Renowned Member
Aug 4, 2014
9
0
66
lime-it.us
eth0 and eth1 on proxmox node are on different networks.

eth1/vmbr1 is WAN for containers and connected to LAN firewall appliance. Which functions normally for all intent and purpose.

Why or how could eth0 on proxmox node route through eth1 and or vmbr1 proxmox node.

I was not using the second network (eth0) for anything but proxmox node GUI.

At this point eth0 can access all internal IP's but nothing external, due to the firewall blocking the IP associated with eth0

The firewall logs show constant connection attempts get this, originating from the IP associated with eth0, however monitoring I set up some time ago, for the IP associated with eth0, is attempting to access various external IP's. So somehow pingdom is getting in ( I am assuming(which I cannot see how at this point because I cannot access that IP directly)) however pingdom responses are getting blocked on the way out. They should not be going through the firewall in any sense to begin with.

I know there are many scenarios, my first thought was the datacenter noticed not much activity and routed these IP's to the firewall IP, I asked them they said no.

Any idea's are more than welcome.
 
Last edited:
LimeIT said:
So somehow pingdom is getting in
Click to expand...

It seems to be rather a problem of the firewall than proxmox host. But it would be clearer if you post an example about LAN traffic and specify what you suspect as going wrong ......
 
Mr.Holmes said:
It seems to be rather a problem of the firewall than proxmox host. But it would be clearer if you post an example about LAN traffic and specify what you suspect as going wrong ......
Click to expand...
Should have said - the blocked IP, the IP associated with eth0 on the node are being logged as originating from eth0. (And they should not have any route through eth1)

Looking the [destination] IP's up they are constellix not pingdom, I mispoke. (which is reverse of the way that schema functions) as it's pretty much a ping service. And originates from external sources. (yes I have constellix set up to monitor) none the less.

Only way into the node is through VPN via firewall appliance. Shell as well as proxmox GUI.

That is my issue, is to request suggestions as to where to look for some packet forwarding, misconfigured bridge ect.

I find nothing leading me forward in /etc/resolv.conf /etc/sysctl.conf /etc/hosts /etc/network/interfaces ,I find no iptable rule files or pre ups.

In the attempt to install nmap from source, of course there is no compiler by default in proxmox, which gcc dependencies are endless compared to what is currently installed by default. Wireshark the same.
 
Last edited:
traceroute -s <eth0 IP> some host

look what will happen.
p.s. it would be easier with schemes. Always use traceroute and tcpdump as debuging tool.
Also, as ip forwarding is allowed in iptables, why it would not try to forwawrd eth0 packets via eth1? remember the default network rule? If I don't know where to send a packet, I'll send it to default GW. eth1->eth0 forwarding is allowed by default, default GW is behind eth1 and linux knows that. so it just forwards packets there.
just add a rule to disable forwarding from eth1 to eth0 ie.
 
RRJ said:
traceroute -s <eth0 IP> some host

look what will happen.
p.s. it would be easier with schemes. Always use traceroute and tcpdump as debuging tool.
Also, as ip forwarding is allowed in iptables, why it would not try to forwawrd eth0 packets via eth1? remember the default network rule? If I don't know where to send a packet, I'll send it to default GW. eth1->eth0 forwarding is allowed by default, default GW is behind eth1 and linux knows that. so it just forwards packets there.
just add a rule to disable forwarding from eth1 to eth0 ie.
Click to expand...

IP assigned to eth0 on node is on a different network than IP assigned to firewall eth0 , with different gateway.

I am not familiar with the traceroute command posted. However any host attempted to be input times out. Because firewall is blocking IP associated with eth0 node - and should be.

basic-network-layout-a.png
 
Last edited:
Code: 
[FONT=Andale Mono]tcpdump -v -i vmbr0
tcpdump: listening on vmbr0, link-type EN10MB (Ethernet), capture size 65535 bytes[/FONT]
[FONT=Andale Mono]09:38:37.282986 STP 802.1d, Config, Flags [none], bridge-id 8000.00:07:xx:cc:xx:46.8415, length 43[/FONT]
[FONT=Andale Mono]    message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s[/FONT]
[FONT=Andale Mono]    root-id 8000.00:07:xx:xx:xx:xx, root-pathcost 0[/FONT]
[FONT=Andale Mono]09:38:37.565592 IP (tos 0x0, ttl 55, id 48697, offset 0, flags [DF], proto TCP (6), length 60)[/FONT]
[FONT=Andale Mono]    uschi-mon1.constellix.net.52293 > s3.xxxxxxxx.com.ssh: Flags [S], cksum 0xff93 (correct), seq 144542093, win 14600, options [mss 1460,sackOK,TS val 2630826665 ecr 0,nop,wscale 3], length 0[/FONT]

Code: 
[FONT=Andale Mono]tcpdump -v -i eth0
tcpdump: WARNING: eth0: no IPv4 address assigned[/FONT]
[FONT=Andale Mono]tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes[/FONT]
[FONT=Andale Mono]09:40:51.674398 STP 802.1d, Config, Flags [none], bridge-id 8000.00:07:4x:xx:33:xx.8415, length 43[/FONT]
[FONT=Andale Mono]    message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s[/FONT]
[FONT=Andale Mono]    root-id 8000.00:07:4f:cc:33:46, root-pathcost 0[/FONT]


Taken from node.
mac and domain edited

Claims no IP assigned on eth0 - apparently this is an issue between what /etc/network/interfaces and or the proxmox GUI claims ?
 
LimeIT said:
Claims no IP assigned on eth0 - apparently this is an issue between what /etc/network/interfaces and or the proxmox GUI claims ?
Click to expand...

If eth0´s IP address is missed - add it!

It would be clearer if you post the results of

Code: 
ifconfig
brctl show

I prefer to call tcpdump like this

Code: 
tcpdump -i eth0 -e -n
 
Mr.Holmes said:
If eth0´s IP address is missed - add it!

It would be clearer if you post the results of

Code: 
ifconfig
brctl show

I prefer to call tcpdump like this

Code: 
tcpdump -i eth0 -e -n
Click to expand...

ifconfig shows proper IP-gateway-mask on vmbr0


Code: 
[COLOR=#232323][FONT=Andale Mono]brctl show[/FONT][/COLOR]
[COLOR=#232323][FONT=Andale Mono]bridge name    bridge id        STP enabled    interfaces[/FONT][/COLOR]
[COLOR=#232323][FONT=Andale Mono]vmbr0        8000.00269eb5e7d2    no        eth0[/FONT][/COLOR]
[COLOR=#232323][FONT=Andale Mono]vmbr1        8000.00269eb5e7d3    no        eth1[/FONT][/COLOR]
[COLOR=#232323][FONT=Andale Mono]                            veth100.0[/FONT][/COLOR]
[COLOR=#232323][FONT=Andale Mono]                            veth101.0[/FONT][/COLOR]
[COLOR=#232323][FONT=Andale Mono]                            veth102.0[/FONT][/COLOR]
[COLOR=#232323][FONT=Andale Mono]                            veth131.0[/FONT][/COLOR]
[COLOR=#232323][FONT=Andale Mono]                            veth136.0[/FONT][/COLOR]


I've got to run out- Hope to continue this a bit later this morning if possible- thanks
 
Last edited:
Below is output from ifconfig

Code: 
eth0      Link encap:Ethernet  HWaddr 00:26:xx:xx:xx:xx            inet6 addr: fe80::226:9eff:feb5:e7d2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:156630 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2250 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:10616083 (10.1 MiB)  TX bytes:148356 (144.8 KiB)


eth1      Link encap:Ethernet  HWaddr 00:xx:xx:xx:xx:xx  
          inet6 addr: fe80::226:9eff:feb5:e7d3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1293241 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1432200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:360739157 (344.0 MiB)  TX bytes:810256394 (772.7 MiB)


lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:162863 errors:0 dropped:0 overruns:0 frame:0
          TX packets:162863 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:135940865 (129.6 MiB)  TX bytes:135940865 (129.6 MiB)


venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet6 addr: fe80::1/128 Scope:Link
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:3 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


veth100.0 Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet6 addr: fe80::3cce:d5ff:fe23:3b8a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34332 errors:0 dropped:0 overruns:0 frame:0
          TX packets:62506 errors:0 dropped:122 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:24002679 (22.8 MiB)  TX bytes:6177291 (5.8 MiB)


veth101.0 Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet6 addr: fe80::f8df:f7ff:feec:a4b4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:244436 errors:0 dropped:0 overruns:0 frame:0
          TX packets:274455 errors:0 dropped:125 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:141115208 (134.5 MiB)  TX bytes:58515457 (55.8 MiB)


veth102.0 Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet6 addr: fe80::8c31:d9ff:feba:b73d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:457046 errors:0 dropped:0 overruns:0 frame:0
          TX packets:452724 errors:0 dropped:141 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:360830118 (344.1 MiB)  TX bytes:45474090 (43.3 MiB)


veth131.0 Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet6 addr: fe80::285f:70ff:feea:d627/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9421 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38470 errors:0 dropped:138 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2760437 (2.6 MiB)  TX bytes:3306223 (3.1 MiB)


veth136.0 Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet6 addr: fe80::f440:5ff:fee8:e50c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14778 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46209 errors:0 dropped:26 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:8883218 (8.4 MiB)  TX bytes:4013249 (3.8 MiB)


vmbr0     Link encap:Ethernet  HWaddr 00:xx:xx:xx:xx:xx  
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:255.255.255.252
          inet6 addr: fe80::226:9eff:feb5:e7d2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:156630 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:8420172 (8.0 MiB)  TX bytes:998 (998.0 B)


vmbr1     Link encap:Ethernet  HWaddr 00:xx:xx:xx:e7:  
          inet addr:10.10.1.2  Bcast:10.10.1.255  Mask:255.255.255.0
          inet6 addr: fe80::226:9eff:feb5:e7d3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:576875 errors:0 dropped:0 overruns:0 frame:0
          TX packets:634136 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:237740638 (226.7 MiB)  TX bytes:259509499 (247.4 MiB)
 
RRJ said:
do you use multiple gateways on single os?
Click to expand...

Yes, (and no- since I do not use the second drop for any CT's at this point , and the only other allocated IP is through the firewall LAN/ node or CT WAN to the proxmox node) Which worked well until now.

Something has changed , possibly the last update but I cannot be sure exactly when this occurred, since I do not yet know what the issue is.
 
Last edited:
as far as I know in system with multiple gateways there might be problems with routing, if there is no source routing defined.
 
RRJ said:
as far as I know in system with multiple gateways there might be problems with routing, if there is no source routing defined.
Click to expand...
Entirely agree, however the interesting section of this issue, I never manually added routes before this.

This went south when I flushed iptables with a preup script adding ports. {edit}actually took a dump before this - not sure exactly when or how.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back