Existing installation network change does not work
- Thread starter damnlie
- Start date
check out the reference documentation: https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysadmin_network_configuration
especially the part about NATed setups: https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#_masquerading_nat_with_span_class_monospaced_iptables_span
if this does not help please post your node's network config
hope this helps!
especially the part about NATed setups: https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#_masquerading_nat_with_span_class_monospaced_iptables_span
if this does not help please post your node's network config
hope this helps!
Hey Stoiko,
Thank you for your answer. Well even with just configuring the adapter to a public IP I can't ping the gateway.
auto eno1np0
iface eno1np0 inet static
address 1.2.3.4
netmask x.x.x.x
gateway 1.2.3.7
So this is it atm cause I wanted to know if the simplest network config would work but I can't ping gw at all. I connected eno1np0 to my laptop which has an ip of 1.2.3.5 that obviously works. Firewall/iptables are off (pve-firewall is running but disabled). I tried several config and I just can't get out from the pve to ping gw or vm's. I don't know if it's important but the DNS server for this pve is also one of the vm. But I guess /etc/hosts /etc/resolve.conf has nothing to do with pinging GW.
Any idea is welcome cause this is my 4th day in the DC and we really running out of options here.
Thank you for your answer. Well even with just configuring the adapter to a public IP I can't ping the gateway.
auto eno1np0
iface eno1np0 inet static
address 1.2.3.4
netmask x.x.x.x
gateway 1.2.3.7
So this is it atm cause I wanted to know if the simplest network config would work but I can't ping gw at all. I connected eno1np0 to my laptop which has an ip of 1.2.3.5 that obviously works. Firewall/iptables are off (pve-firewall is running but disabled). I tried several config and I just can't get out from the pve to ping gw or vm's. I don't know if it's important but the DNS server for this pve is also one of the vm. But I guess /etc/hosts /etc/resolve.conf has nothing to do with pinging GW.
Any idea is welcome cause this is my 4th day in the DC and we really running out of options here.
do you have a bridge configured? (then configuring an ip on the bridge port usually does not work).
is this the network config from a guest or from the node?
Please post:
* '/etc/network/interfaces' from the node
* the network config from a guest (if that's what you're trying to debug)
* `ip link` output from the node
* `ip addr` output from the node
* `ip route` output from the node
* the output when you try to ping the gateway
* `ip neigh` after you try to ping the gateway
* try disabling the pve-firewall completely
is this the network config from a guest or from the node?
Please post:
* '/etc/network/interfaces' from the node
* the network config from a guest (if that's what you're trying to debug)
* `ip link` output from the node
* `ip addr` output from the node
* `ip route` output from the node
* the output when you try to ping the gateway
* `ip neigh` after you try to ping the gateway
* try disabling the pve-firewall completely
* disable it in the datacenter settings
* check the `iptables-save` output
please provide the information asked above - otherwise it's not really possible to help
* check the `iptables-save` output
please provide the information asked above - otherwise it's not really possible to help
auto lo
iface lo inet loopback
auto eno1np0
iface eno1np0 inet manual
auto eno2np1
iface eno2np1 inet manual
auto eno3
iface eno3 inet manual
auto eno4
iface eno4 inet manual
auto br0
iface br0 inet static
bridge_ports eno1np0
address 1.1.36.178
netmask 255.255.255.224
network 1.1.36.176
broadcast 1.1.36.191
gateway 1.1.36.190
auto vmbr0
iface vmbr0 inet static
address 192.168.30.2
netmask 255.255.255.0
network 192.168.30.0
this is what we are trying now
iface lo inet loopback
auto eno1np0
iface eno1np0 inet manual
auto eno2np1
iface eno2np1 inet manual
auto eno3
iface eno3 inet manual
auto eno4
iface eno4 inet manual
auto br0
iface br0 inet static
bridge_ports eno1np0
address 1.1.36.178
netmask 255.255.255.224
network 1.1.36.176
broadcast 1.1.36.191
gateway 1.1.36.190
auto vmbr0
iface vmbr0 inet static
address 192.168.30.2
netmask 255.255.255.0
network 192.168.30.0
this is what we are trying now
check the reference documentation I posted above - there a working setup is described!
* if you want vmbr0 to be a bridge (I guess you want) - you need to add a `bridge_ports none` line to it (otherwise ifupdown does not know that it's a bridge)
* you should not need to make the public interface a bridge by itself ('br0') leave the Ip configured directly on the eno1np0 port
* you need to add the iptables rules for NATing somewhere (usually in the post-up of `vmbr0`)
hope this helps!
* if you want vmbr0 to be a bridge (I guess you want) - you need to add a `bridge_ports none` line to it (otherwise ifupdown does not know that it's a bridge)
* you should not need to make the public interface a bridge by itself ('br0') leave the Ip configured directly on the eno1np0 port
* you need to add the iptables rules for NATing somewhere (usually in the post-up of `vmbr0`)
hope this helps!
you need to edit the file '/etc/network/interfaces' with an editor of your choice (`nano` or `vim`)
auto lo
iface lo inet loopback
auto eno1np0
iface eno1np0 inet manual
auto eno2np1
iface eno2np1 inet manual
auto eno3
iface eno3 inet manual
auto eno4
iface eno4 inet manual
auto vmbr0
iface vmbr0 inet static
address 192.168.30.2 (internal network)
netmask 255.255.255.0
network 192.168.30.0
bridge_stp off
bridge_fd 0
bridge_ports en4 (that's my laptop so I can able to connect the gui)
auto vmbr1
# this I would use for a vpn vm so we can get in
iface vmbr1 inet static
bridge_ports eno1np0
address 1.1.36.178
netmask 255.255.255.224
gateway 1.1.36.190
So if I ping gateway from pve from the shell nothing goes out.
If we do, a tcpdump shows only outgoing arp requests and no replies.
A wild guess would be something in the area of private vlans, ACLs or any other filtering that might be there (on the switch site maybe)
iface lo inet loopback
auto eno1np0
iface eno1np0 inet manual
auto eno2np1
iface eno2np1 inet manual
auto eno3
iface eno3 inet manual
auto eno4
iface eno4 inet manual
auto vmbr0
iface vmbr0 inet static
address 192.168.30.2 (internal network)
netmask 255.255.255.0
network 192.168.30.0
bridge_stp off
bridge_fd 0
bridge_ports en4 (that's my laptop so I can able to connect the gui)
auto vmbr1
# this I would use for a vpn vm so we can get in
iface vmbr1 inet static
bridge_ports eno1np0
address 1.1.36.178
netmask 255.255.255.224
gateway 1.1.36.190
So if I ping gateway from pve from the shell nothing goes out.
If we do, a tcpdump shows only outgoing arp requests and no replies.
A wild guess would be something in the area of private vlans, ACLs or any other filtering that might be there (on the switch site maybe)
So my question is if the vmbr0 is on a internal address, do I have to have exactly the same config as here:
https://pve.proxmox.com/wiki/Network_Configuration#_masquerading_nat_with_tt_span_class_monospaced_iptables_span_tt (so with the ipv4_forwarding and masquerading to able to ping the the gateway from the pve machine? So if my setting would be following:
auto lo
iface lo inet loopback
auto eno2np1
#real IP address
iface eno2np1 inet static
address 1.1.36.178
netmask 255.255.255.224
gateway 1.1.36.190
auto vmbr0
#private sub network
iface vmbr0 inet static
address 192.168.30.2
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.30.0/24' -o eno2np1 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.30.0/24' -o eno2np1 -j MASQUERADE
auto vmbr1
# this I would use for a vpn vm so we can get in
iface vmbr1 inet static
bridge_ports eno1np0
address 1.1.36.178
netmask 255.255.255.224
gateway 1.1.36.190
this would work?
https://pve.proxmox.com/wiki/Network_Configuration#_masquerading_nat_with_tt_span_class_monospaced_iptables_span_tt (so with the ipv4_forwarding and masquerading to able to ping the the gateway from the pve machine? So if my setting would be following:
auto lo
iface lo inet loopback
auto eno2np1
#real IP address
iface eno2np1 inet static
address 1.1.36.178
netmask 255.255.255.224
gateway 1.1.36.190
auto vmbr0
#private sub network
iface vmbr0 inet static
address 192.168.30.2
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.30.0/24' -o eno2np1 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.30.0/24' -o eno2np1 -j MASQUERADE
auto vmbr1
# this I would use for a vpn vm so we can get in
iface vmbr1 inet static
bridge_ports eno1np0
address 1.1.36.178
netmask 255.255.255.224
gateway 1.1.36.190
this would work?
if you configured this with the correct ips and if eno1np0 (the name looks odd btw.) is indeed the interface which is connected to your ISPs uplink, and if the ip which your ISP has configured as gateway is indeed 1.1.36.190 you should be able to ping it - if not it's probably a problem with the network config and you need to ask your ISP for assistance
I'm going to write this one down for documentation for the future and maybe other people might have the same problem. So we moved from a private place to the data center, what we did not know on our Dell server the first 2 Ethernet port is 10G the last 2 is only 1G. The switches what they have at the DC can't give more then 100mb. Now Dell can't scale down when you plug it in to a 10G Ethernet. Simply just dies out and no internet at all. That's why on the switch side they also did not see the mac address from our server. So it's turn out to be a hardware issue. After plugging it to the right Ethernet worked like a charm. 