From FWbuilder to ProxMox firewall; S-NAT / D-NAT / IPv6 / Public IPs

May 16, 2013
hi,

my private root server runs at the moment with Debian Wheezy, Xen and six running paravirtualized VMs. I have 5 public IPs:


  1. Host itself
  2. Mail VM
  3. Web VM
  4. Jabber VM
  5. DNS

One VM has only a private IP, but public IPv6.

All VMs have also a private IP, for internal communications ... backup etc.

On the Dom0 (host), I have configured two bridges:


  • eth0 -> peth0 (physical) + one interface from every VM, with a public IP
  • xentinbr -> all hosts, for internal communication, private IP

Also I have on the host and VMs too, IPv6 enabled with static IPV6 addresses (no tunnel).

With FWBuilder I configured a firewall, that allows all on the internal interfaces (no restrictions), and only allowed inbound and outbound ports. For the VMs with only private IPv4, I use DNAT/SNAT/MASQ for portforwarding 80/22.

Now I want to switch to the ProxMox firewall, but I'm unsure if that is possible without too many workarounds.

My thoughts are now:


  • Create vmbr0 with public IPv4 and IPv6
    • Configure VMs with public IPs(4/6) and put them into this bridge
  • Create vmbr1 with private IP (192.168.1.1/24)
    • Configure VMs with private IPs (IPv4 only) and put them into this bridge
    • Configure/enable MASQUERADE for the single VM with only a private IP
    • Configure PREROUTING for the VM with only a private IP, to forward port 80/443 from the public host IP to that VM
    • Configure SNAT for the VM with only a private IP, to change internal IP to the public IP from the host

So, what kind of solution is the best one? I read wiki/Network_Model and wiki/Proxmox_VE_Firewall, and I think I have to use a combination of both. Right?

One of the most important parts is IPv6. I didn't read anything about whether the new firewall supports IPv6 in 3.4 too. Also, should I use the standard 2.6-pve kernel, or pve-kernel-3.10?

any suggestions ?
 
Hi,
the Firewall supports IPv6.
Kernel 2.6 is required if you use OpenVZ containers.
Kernel 3.10 is required if you use PCI Passthrough.
 
I've got most things working, but IPV6. After starting firewall (with some rules), IPV6 traffic from the KVM VMs stops working. For example ping to ipv6.google.com: -> destination unreachable

Where I have to set the correct rules, to get IPV6 for my VMs working?

any suggestions?
 
hi,

hmm, I tested around ... enabled IPV6 on host/datacenter and VM, via Proxmox -> Firewall -> Add Rule -> Proto "ipv6 ... ipv6-icmp ..." but, nothing. I also see nothing in the pve-firewall.log, about dropped IPV6 packets ...

I also removed [x] firewall from the interface, which only has an IPv6 address, but also no success :-/

any suggestions?
 
hi,

it seems that I found (one?) reason:

I got a lot of:

<pre>
pve-firewall[234067]: status update error: iptables_restore_cmdlist: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
</pre>

errors and the ruleset for IPV6 wasn't added. The reason was a (via macro) PING rule I added to one host. I tried to do: ip6tables-restore < ipcmdlist and one line was a problem:

<pre>
... Couldn't load match `icmp':No such file or directory
</pre>

after deleting this line, ip6tables-restore was working. I removed the rule from the VM firewall configuration ... pve-firewall restart ... and voila ... the ruleset for IPV6 was included.

Update:

Adding Macro "Ping" to an IPV6 enabled VM -> Status: enabled/running (pending changes)

Remove/Disable "Ping" -> Status: enabled/running
 
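A small check, added here as an example and not taken from the thread or from Proxmox, that lints an ip6tables-restore command list for the IPv4-only `icmp` match the post above ran into (the one that makes ip6tables-restore fail and leaves the whole IPv6 ruleset unapplied) and rewrites such rules in ICMPv6 terms. The sample command list and chain names are constructed for illustration.

```python
import re

# Constructed sample in the shape of an ip6tables-restore command list
# (chain names are illustrative, not real pve-firewall output).
SAMPLE_CMDLIST = """*filter
:PVEFW-INPUT - [0:0]
:PVEFW-FORWARD - [0:0]
-A PVEFW-INPUT -p ipv6-icmp -j ACCEPT
-A PVEFW-FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A PVEFW-FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Options that only the IPv4 icmp module understands; ip6tables-restore
# rejects them with "Couldn't load match `icmp'" and loads nothing.
IPV4_ONLY = re.compile(r"(?:^|\s)(?:-p\s+icmp|-m\s+icmp|--icmp-type)(?=\s|$)")

# Equivalent IPv6 spellings (ICMPv6 echo request is type 128, reply 129).
REWRITES = [
    (re.compile(r"(^|\s)-p\s+icmp(?=\s|$)"), r"\1-p ipv6-icmp"),
    (re.compile(r"(^|\s)-m\s+icmp(?=\s|$)"), r"\1-m icmp6"),
    (re.compile(r"--icmp-type\s+8(?=\s|$)"), "--icmpv6-type 128"),
    (re.compile(r"--icmp-type\s+0(?=\s|$)"), "--icmpv6-type 129"),
]

def find_ipv4_only_lines(cmdlist: str):
    """Return (line_number, line) for every rule ip6tables-restore would reject."""
    return [(n, line) for n, line in enumerate(cmdlist.splitlines(), 1)
            if line.startswith("-A") and IPV4_ONLY.search(line)]

def rewrite_for_ipv6(line: str) -> str:
    """Translate an IPv4 icmp rule into its ip6tables equivalent."""
    for pattern, repl in REWRITES:
        line = pattern.sub(repl, line)
    return line

def fix_cmdlist(cmdlist: str) -> str:
    """Return the command list with every offending rule rewritten."""
    return "\n".join(rewrite_for_ipv6(l) for l in cmdlist.splitlines()) + "\n"

if __name__ == "__main__":
    for n, line in find_ipv4_only_lines(SAMPLE_CMDLIST):
        print(f"line {n}: would fail under ip6tables-restore: {line}")
        print(f"   -> {rewrite_for_ipv6(line)}")
```

Run it against the file you feed to `ip6tables-restore <` before loading; a clean result means the IPv6 ruleset will at least parse.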