Firewall and private LAN for VM in PVE 4.2

[2cadz]

Hi,

I configured a private network for communication and inter VM as indicated on the wiki 'https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29_with_iptables' I added a POSTROUTING rule to allow a my VMs to go on internet. .
Everything works fine until I enable the firewall on VMs. In this case the inter VM communication works but it is not possible to go on the internet, it is as if the address translation rule was not working

vmbr0 -> external network

iface vmbr0 inet static
    address  <external_ip>
    netmask  255.255.255.0
    gateway  <external_gw>
    bridge_ports eth2
    bridge_stp off
    bridge_fd 0

vmbr2 -> private network

iface vmbr2 inet static
    address  172.16.61.1
    netmask  255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up   iptables -t nat -A POSTROUTING -s '172.16.61.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '172.16.61.0/24' -o vmbr0 -j MASQUERADE

Bridges when VM (vmid: 100) is started (without firewall)

brctl show vmbr0 vmbr2
bridge name     bridge id               STP enabled     interfaces
vmbr0           8000.0cc47ac2a5f8       no              eth2
vmbr2           8000.fe6ced22655d       no              veth100i0
....

Bridges when VM (vmid: 100) is started (with firewall)

brctl show vmbr0 vmbr2 fwbr100i0
bridge name     bridge id               STP enabled     interfaces
vmbr0           8000.0cc47ac2a5f8       no              eth2
vmbr2           8000.fe6ced22655d       no              fwpr100p0
fwbr100i0      8000.cedd1cc87828       no               fwln100i0
                                                        veth100i0

I do not know how to fix this postrouting rule to make it to work again, does anyone have an idea.

Best regards