How to configure masquerading with 2 IPs and 2 NICs

eexodus

Jan 25, 2017
Hello. I got masquerading working with a single IP and a single NIC, but recently realized I can use my PowerEdge 2950's second network port (unless, unknown to me, it is a LOM-only port?) with a second IP and masquerade behind that as well. If I could get this working correctly it would solve my issue of hosting two SMB shares on the same Proxmox host in separate CTs.

IP 1.2.3.4 and first network port --> CT 100 (masquerade 192.168.1.100) SMB port 139/445
IP 1.2.3.5 and second network port --> CT 101 (masquerade 192.168.2.101) SMB port 139/445

This is an issue because on Windows, SMB shares MUST be mounted via 139/445, although macOS and Linux let you specify a port number when mounting.

Some symptoms: when I SSH into 1.2.3.5 port 12223 it fails. When I SSH into 1.2.3.5 port 22 (same as the Proxmox host) it actually SSHes into 1.2.3.4, even though it "correctly" connects. I.e. 1.2.3.5 is properly pointing to my server, but I think my network interfaces need reworking because 1.2.3.4 seems to have preference. Also, CT 101 can successfully connect to the Internet.

Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 1.2.3.4
        netmask 255.255.255.0
        gateway 1.2.3.1

auto eth1
iface eth1 inet static
        address 1.2.3.5
        netmask 255.255.255.0
        gateway 1.2.3.1

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o eth0 -j MASQUERADE

        # ct 100
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 12222 -j DNAT --to 192.168.1.100:22
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 12222 -j DNAT --to 192.168.1.100:22

        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 139 -j DNAT --to 192.168.1.100:139
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 139 -j DNAT --to 192.168.1.100:139
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 445 -j DNAT --to 192.168.1.100:445
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 445 -j DNAT --to 192.168.1.100:445

        # vm 110
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to 192.168.1.110:3389
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to 192.168.1.110:3389

#auto vmbr1
#iface vmbr1 inet static
#        address 192.168.2.1
#        netmask 255.255.255.0
#        bridge_ports none
#        bridge_stp off
#        bridge_fd 0

#        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
#        post-up iptables -t nat -A POSTROUTING -s '192.168.2.0/24' -o eth1 -j MASQUERADE
#        post-down iptables -t nat -D POSTROUTING -s '192.168.2.0/24' -o eth1 -j MASQUERADE

        # ct 101
        post-up iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 12223 -j DNAT --to 192.168.1.101:22
        post-down iptables -t nat -D PREROUTING -i eth1 -p tcp --dport 12223 -j DNAT --to 192.168.1.101:22

        post-up iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 139 -j DNAT --to 192.168.1.101:139
        post-down iptables -t nat -D PREROUTING -i eth1 -p tcp --dport 139 -j DNAT --to 192.168.1.101:139
        post-up iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 445 -j DNAT --to 192.168.1.101:445
        post-down iptables -t nat -D PREROUTING -i eth1 -p tcp --dport 445 -j DNAT --to 192.168.1.101:445

Less important: RDP to VM 110 doesn't work, even with RDP enabled on the Windows VM and Windows Firewall turned off.

**Although CT 101 can connect to the Internet, it is via 1.2.3.4.

**When I uncomment the commented-out code and change CT 101 to 192.168.2.101 and vmbr1, it has the same symptoms as mentioned above, except it can no longer connect to the Internet.
 
> I got masquerading working with a single IP and a single NIC, but recently realized I can use my PowerEdge 2950's second network port (unless it is unknowingly to me a LOM port ONLY?) with a second IP and masquerade behind that as well. If I could get this working correctly it would solve my issue of hosting two SMB shares on the same Proxmox host in separate CTs.
>
> IP 1.2.3.4 and first network port --> CT 100 (masquerade 192.168.1.100) SMB port 139/445
> IP 1.2.3.5 and second network port --> CT 101 (masquerade 192.168.2.101) SMB port 139/445

To have two NICs in the same subnet on the same host (or rather, the same IP namespace) is unusual and may cause some problems. Suggestion: bridge the second NIC to a different/new bridge in the host without an IP and connect it directly to the container/VM.
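What the suggested layout looks like in /etc/network/interfaces, as an added example built from the poster's addresses and the reply above (not a file from either of them): eth1 carries no host address and is only enslaved to a new bridge vmbr1, so the host no longer owns two interfaces in 1.2.3.0/24, and CT 101 is assumed to be given 1.2.3.5 directly inside the container.

```conf
# /etc/network/interfaces (assumed layout following the reply above)
auto lo
iface lo inet loopback

# First NIC keeps the public IP and the masqueraded 192.168.1.0/24 for CT 100 / VM 110.
auto eth0
iface eth0 inet static
        address 1.2.3.4
        netmask 255.255.255.0
        gateway 1.2.3.1

# Second NIC: no address on the host, it only becomes a bridge port of vmbr1.
auto eth1
iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
        # the existing DNAT rules for CT 100 (12222, 139, 445) and VM 110 (3389) stay here;
        # the eth1 rules for CT 101 are dropped, since nothing is NATed on that path any more

# New bridge without an IP: CT 101 plugs into it and reaches the upstream switch via eth1.
auto vmbr1
iface vmbr1 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0
```

The container is then attached with the Proxmox CLI, e.g. `pct set 101 -net0 name=eth0,bridge=vmbr1,ip=1.2.3.5/24,gw=1.2.3.1`, after which CT 101 answers on 1.2.3.5 for 22, 139 and 445 itself and the host's sshd on 1.2.3.5 is no longer in the way.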
 
