guests lose internet after restart networking on host 1 public ip

yaboc

Nov 13, 2012
Hi,

I installed Proxmox on a VPS with a single public IP.

I set up masquerading for my private guest LAN and everything is working as intended.

However, when I add NAT port forwards on the host, systemctl restart networking enables the port but kills internet on all guests, and only a reboot (LXC) or shutdown/stop (VM) restores internet. This is due to the 'deleting and re-adding' of the bridge vmbr1 to which all guests are connected.

When I remove a port forward, the same command kills internet but the port forward is still active until the host is rebooted. A reboot clears the removed port forward rule and the LXC / VM guests have internet because all guests were restarted.

ifreload -a doesn't seem to be doing anything either as far as enabling/disabling forward rules.

Will getting some sort of VM firewall in front of Proxmox (on the host) help with this? But that introduces other issues as well?

Any pointers?

Basically this is exactly what's happening:

Add it in iptables using a shell script vs. the interfaces file? However, these rules are not persistent and will be wiped out on host reboot?

Just trying to figure out the best way to get it working.


auto lo
iface lo inet loopback

auto ens18
iface ens18 inet static
address x.x.x.x/24 #my public ip
gateway x.x.x.x #my public gateway

auto vmbr1
iface vmbr1 inet static
address 10.x.x.x/24
bridge-ports none
bridge-stp off
bridge-fd 0

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s 10.x.x.x/24 -o ens18 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s 10.x.x.x/24 -o ens18 -j MASQUERADE
post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
post-up iptables -t nat -A PREROUTING -i ens18 -p tcp --dport 80 -j DNAT --to 10.x.x.x:80
post-down iptables -t nat -D PREROUTING -i ens18 -p tcp --dport 80 -j DNAT --to 10.x.x.x:80
post-up iptables -t nat -A PREROUTING -i ens18 -p tcp --dport 443 -j DNAT --to 10.x.x.x:443
post-down iptables -t nat -D PREROUTING -i ens18 -p tcp --dport 443 -j DNAT --to 10.x.x.x:443
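An added example (editor's, not from the original post or from Proxmox) of the shell-script alternative the post asks about: an idempotent loader that applies the MASQUERADE and DNAT rules with `iptables -C` checks, so it can be re-run after editing (by hand, or from a systemd oneshot unit at boot) without restarting `networking` and without duplicating rules. The interface name, LAN subnet, port map and the `IPT`/`SYSCTL` override variables are assumptions and placeholders, not values from the post.

```shell
#!/bin/sh
# Idempotent NAT loader for a single-public-IP host whose guests sit behind a
# NAT-only bridge. Assumed placeholders (not from the original post): WAN_IF,
# LAN_NET and PORT_MAP. Override them from the environment or edit them here.
WAN_IF="${WAN_IF:-ens18}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
# "PORT:GUEST_IP" pairs, space separated; each becomes a TCP DNAT rule.
PORT_MAP="${PORT_MAP:-80:10.0.0.10 443:10.0.0.10}"
# Commands are indirected so a dry run or test can substitute a stub function.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# ensure_rule TABLE CHAIN RULE... : append the rule only if it is not already
# present (-C returns non-zero when the rule is missing). Re-running the
# script therefore never stacks duplicate MASQUERADE/DNAT entries.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t "$table" -A "$chain" "$@"
}

# dnat_args PORT GUEST_IP : build the argument list for one TCP port forward,
# in the same shape as the DNAT lines in the interfaces file above.
dnat_args() {
    printf '%s' "-i $WAN_IF -p tcp --dport $1 -j DNAT --to $2:$1"
}

# apply_nat : enable forwarding, then install masquerading for the guest LAN
# and one DNAT rule per PORT_MAP entry. Safe to call repeatedly.
apply_nat() {
    "$SYSCTL" -q -w net.ipv4.ip_forward=1
    ensure_rule nat POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    for entry in $PORT_MAP; do
        port=${entry%%:*}
        dest=${entry#*:}
        # dnat_args output is intentionally word-split into separate arguments.
        ensure_rule nat PREROUTING $(dnat_args "$port" "$dest")
    done
}

# Only touch the live firewall when invoked explicitly: `sh nat-rules.sh apply`
if [ "${1:-}" = "apply" ]; then
    apply_nat
fi
```

Because the rules are keyed on the WAN interface and the guest subnet rather than on vmbr1's lifecycle, the bridge does not need to be torn down to change a forward; removing a forward is the matching `iptables -t nat -D PREROUTING ...` for that one rule. The script still has to be re-run after a reboot (for example from a systemd unit, or via iptables-persistent), since plain iptables rules are not persistent on their own, which is the limitation the post raises.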