Guest port forwarding

Jan 24, 2023
Hi everyone,

I've installed proxmox-ve 7.3 on top of a fresh Debian 11 installation hosted at Hetzner. Based on my research I've been able to set up interfaces which enable the guest system (Win) to access the internet.

My issues now are:
- I'm not able to ping the guest from the host
- I'm not able to port forward to the guest

/etc/network/interface on the host:

Code:
auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp2s0
iface enp2s0 inet static
        address 148.xxx.8.xxx/27
        gateway 148.xxx.8.yyy
        pointopoint 148.xxx.8.yyy
        up route add -net 148.xxx.8.zzz netmask 255.255.255.224 gw 148.xxx.8.yyy dev enp2s0

auto vmbr0
iface vmbr0 inet static
        address 148.xxx.8.xxx/27
        hwaddress d4:3d:7e:ed:0b:72
        broadcast 148.xxx.8.xyz
        netmask 255.255.255.224
        gateway 148.xxx.8.yyy
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        pre-up brctl addbr vmbr0
        up route add 10.10.10.2/32 dev vmbr0
        up route add 10.10.10.3/32 dev vmbr0

auto vmbr1
iface vmbr1 inet static
        address 10.9.9.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up iptables -t nat -A POSTROUTING -j MASQUERADE
        post-up iptables -t nat -A POSTROUTING -s '10.9.9.0/24' -o vmbr0 -j MASQUERADE
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2302 -j DNAT --to 10.9.9.5:2302
        post-down iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2302 -j DNAT --to 10.9.9.5:2302
        post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t nat -F

On the Windows guest I've configured vmbr1 as a network interface and set the following settings manually for the interface in Win:
  • IP 10.9.9.5
  • SUBNET 255.255.255.0
  • GATEWAY 10.9.9.1
Ping result from the host to the guest:
Code:
ping 10.9.9.5
PING 10.9.9.5 (10.9.9.5) 56(84) bytes of data.
^C
--- 10.9.9.5 ping statistics ---
328 packets transmitted, 0 received, 100% packet loss, time 334848ms

Did I mix too many guides in this setup? Tbh I'm not really understanding the routing and iptables parts.
I would very much appreciate any support to resolve my issues.

Thank you!
 
Hi,

Maybe you forgot to add `post-up echo 1 > /proc/sys/net/ipv4/ip_forward` to your vmbr1 config?

Is the firewall enabled?
 
Hi Moayad,

I've added that line to the vmbr1:
Code:
auto vmbr1
iface vmbr1 inet static
        address 10.9.9.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -j MASQUERADE
        post-up iptables -t nat -A POSTROUTING -s '10.9.9.0/24' -o vmbr0 -j MASQUERADE
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2302 -j DNAT --to 10.9.9.5:2302
        post-down iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2302 -j DNAT --to 10.9.9.5:2302
        post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t nat -F

Restarted the network interface via ifreload --all, which didn't have any effect. Therefore I've restarted the host and guest, which also didn't have any effect.
In all cases the following firewall was up and running, is it the correct one though?

Code:
systemctl status pve-firewall.service
● pve-firewall.service - Proxmox VE firewall
     Loaded: loaded (/lib/systemd/system/pve-firewall.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-01-26 08:47:36 CET; 2min 6s ago
    Process: 754 ExecStartPre=/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy (code=exited, status=0/SUCCESS)
    Process: 757 ExecStartPre=/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy (code=exited, status=0/SUCCESS)
    Process: 758 ExecStartPre=/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy (code=exited, status=0/SUCCESS)
    Process: 759 ExecStart=/usr/sbin/pve-firewall start (code=exited, status=0/SUCCESS)
   Main PID: 764 (pve-firewall)
      Tasks: 1 (limit: 38286)
     Memory: 88.5M
        CPU: 914ms
     CGroup: /system.slice/pve-firewall.service
             └─764 pve-firewall

Jan 26 08:47:34 voyager systemd[1]: Starting Proxmox VE firewall...
Jan 26 08:47:36 voyager pve-firewall[764]: starting server
Jan 26 08:47:36 voyager systemd[1]: Started Proxmox VE firewall.

So still no ping possible from host to guest:
Code:
PING 10.9.9.5 (10.9.9.5) 56(84) bytes of data.
^C
--- 10.9.9.5 ping statistics ---
54 packets transmitted, 0 received, 100% packet loss, time 54275ms

And also a port check via nc on the public ip wasn't successful:
Code:
nc -vz 148.xxx.8.xxx 2302
voyager [148.xxx.8.xxx] 2302 (?) : Connection refused
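
Added example, not written by any poster in this thread and not Proxmox code: a small Python lint over the iptables hook lines of the vmbr1 stanza as posted above. It flags a post-down line that appends instead of deleting, a table-wide flush, and a MASQUERADE rule with no source or output-interface match. The finding names and the checks themselves are this example's own heuristics.

```python
import shlex

# Hook lines of the vmbr1 stanza, copied from the post above.
STANZA = """\
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -j MASQUERADE
post-up iptables -t nat -A POSTROUTING -s '10.9.9.0/24' -o vmbr0 -j MASQUERADE
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2302 -j DNAT --to 10.9.9.5:2302
post-down iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2302 -j DNAT --to 10.9.9.5:2302
post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t nat -F
"""

def parse(stanza):
    """Yield (hook, table, op, rulespec) for each iptables post-up/post-down line."""
    for line in stanza.splitlines():
        tok = shlex.split(line)
        if len(tok) < 3 or tok[0] not in ("post-up", "post-down") or tok[1] != "iptables":
            continue
        args = tok[2:]
        table = "filter"  # iptables default when -t is absent
        if args[0] == "-t" and len(args) > 1:
            table, args = args[1], args[2:]
        if args:
            yield tok[0], table, args[0], tuple(args[1:])

def lint(stanza):
    """Return (finding, table, rulespec) tuples in file order (heuristic checks, see lead-in)."""
    rules = list(parse(stanza))
    deleted = {(t, s) for h, t, op, s in rules if h == "post-down" and op == "-D"}
    flushed = {t for h, t, op, s in rules if h == "post-down" and op == "-F" and not s}
    out = []
    for hook, table, op, spec in rules:
        text = " ".join(spec)
        if hook == "post-down" and op in ("-A", "-I"):
            out.append(("teardown-adds-rule", table, text))
        if hook == "post-down" and op == "-F" and not spec:
            out.append(("flushes-whole-table", table, text))
        if hook == "post-up" and op in ("-A", "-I"):
            if (table, spec) not in deleted and table not in flushed:
                out.append(("never-removed", table, text))
            # With no -s/-o match, DNATed connections reach the guest with the host as source.
            if "MASQUERADE" in spec and not {"-s", "-o"} & set(spec):
                out.append(("unscoped-masquerade", table, text))
    return out

if __name__ == "__main__":
    for finding in lint(STANZA):
        print(*finding, sep=" | ")
```

A table-wide `-F` in post-down also removes nat rules that other interfaces or tools added, which is why the lint reports it separately from the per-rule checks.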
 
