[SOLVED] How to configure the network correctly

Discussion in 'Proxmox VE: Networking and Firewall' started by t_b, Nov 4, 2015.

  1. t_b (New Member)
    Hi,

    I'm new to Proxmox as well as to advanced network configuration. I have a KVM vServer which should host some LXC containers.
    This picture shows the goal I want to reach:

    postimg.org/image/4cv00dh8v/full/

    Some additional information:

    proxy should become a (reverse) proxy which routes the traffic for each (sub)domain and filters unwanted traffic; hence the 10.0.0.0/30 network.
    A direct connection is only allowed for some machines, like the mail server: the 10.0.1.0/28 network.
    The third network is only for internal communication between all VMs: the 10.0.2.0/24 network.



    This is the current (default) configuration:

    Code:
    auto lo
    iface lo inet loopback

    auto vmbr0
    iface vmbr0 inet static
            address 188.68.49.XXX
            netmask 255.255.252.0
            gateway 188.68.48.1
            bridge_ports eth0
            bridge_stp off
            bridge_fd 0

    I've been reading for two or more days, but nobody has a configuration like that, nor can I find a "simple" tutorial for it.

    Could someone help me with the basics, configuring the networks on Proxmox and in the containers?
    #1 t_b, Nov 4, 2015
    Last edited: Dec 6, 2015
  2. Richard (Proxmox Staff Member)
    AFAIU you need 3 virtual networks; each virtual network has to be defined in the Proxmox host as a bridge (such a bridge can be seen as a switch). Call them e.g. vmbr1, 2, 3 (all three without any physical NIC connected).

    Assign addresses in the host to two of them (the third is for 10.0.2.0/24 and only for containers; the above-named "VMs" are LXC containers, I guess. To not mix them up with "KVM", I prefer to use "container" for them categorically).

    Then assign the virtual NICs in the container definitions to those bridges according to your needs, as well as their IP addresses.

    Since no direct connection from containers to the public net is planned, you can delete vmbr0 and assign all these data to eth0 (can be done via the GUI);
    finally your /etc/network/interfaces will look like

    Code:
    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
            address 188.68.49.XXX
            netmask 255.255.252.0
            gateway 188.68.48.1

    auto vmbr1
    iface vmbr1 inet static
            address 10.0.0.1
            netmask 255.255.252.0
            bridge_ports none
            bridge_stp off
            bridge_fd 0

    auto vmbr2
    iface vmbr2 inet static
            address 10.0.1.1
            netmask 255.255.240.0
            bridge_ports none
            bridge_stp off
            bridge_fd 0

    auto vmbr3
    iface vmbr3 inet manual
            bridge_ports none
            bridge_stp off
            bridge_fd 0


    Communication from containers to the public net has to be controlled by

    Code:
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    
    in the host and

    Code:
    route add -net default gw 10.0.0.1
    
    etc. in the containers.
    #2 Richard, Nov 5, 2015
    Last edited: Nov 5, 2015
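The bridge and netmask layout Richard describes, as an added example that is not part of the thread: a small POSIX shell script that derives each bridge's netmask from the planned CIDR prefix (the /30, /28 and /24 from the first post) and checks that the host address actually lies inside that network before emitting the stanza. The bridge names vmbr1 to vmbr3 and the host addresses 10.0.0.1 and 10.0.1.1 are the thread's own; the function names are mine. A hand-typed 255.255.240.0 is a /20 and 255.255.252.0 a /22, which is exactly the kind of slip a derived mask avoids.

```shell
#!/bin/sh
# Added example (not from the thread): render the host-only bridge stanzas for
# /etc/network/interfaces from CIDR prefixes, so the netmask is derived rather
# than typed. vmbr1..3 and the host addresses are the thread's plan; the
# function names are assumptions of this example.

# prefix length -> dotted netmask, e.g. 28 -> 255.255.255.240
cidr2mask() {
    prefix=$1
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || return 1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$prefix" -ge 8 ]; then
            octet=255
        elif [ "$prefix" -le 0 ]; then
            octet=0
        else
            octet=$(( 256 - (1 << (8 - prefix)) ))
        fi
        mask="${mask}${mask:+.}${octet}"
        prefix=$(( prefix - 8 ))
        i=$(( i + 1 ))
    done
    printf '%s\n' "$mask"
}

# dotted quad -> 32-bit integer
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/PREFIX -> exit 0 if ADDR lies inside NET/PREFIX
in_subnet() {
    net=${2%/*}
    plen=${2#*/}
    m=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$net") & m )) ]
}

# bridge_stanza NAME HOST_ADDR|none NET/PREFIX
# A bridge with no physical port (bridge_ports none) is a virtual switch.
# "none" as the address yields an "inet manual" bridge the host itself is not
# on, which is what the container-only network (vmbr3) needs.
bridge_stanza() {
    name=$1
    addr=$2
    cidr=$3
    printf 'auto %s\n' "$name"
    if [ "$addr" = none ]; then
        printf 'iface %s inet manual\n' "$name"
    else
        in_subnet "$addr" "$cidr" || { echo "$addr is not inside $cidr" >&2; return 1; }
        printf 'iface %s inet static\n' "$name"
        printf '\taddress %s\n\tnetmask %s\n' "$addr" "$(cidr2mask "${cidr#*/}")"
    fi
    printf '\tbridge_ports none\n\tbridge_stp off\n\tbridge_fd 0\n\n'
}

# The thread's plan: proxy net /30 on vmbr1, mail net /28 on vmbr2,
# container-only /24 on vmbr3 (no host address).
render_plan() {
    bridge_stanza vmbr1 10.0.0.1 10.0.0.0/30 &&
    bridge_stanza vmbr2 10.0.1.1 10.0.1.0/28 &&
    bridge_stanza vmbr3 none     10.0.2.0/24
}

render_plan
```

Run it and paste the output after the eth0 stanza. vmbr3 comes out as inet manual with no host address, so the host is not a hop on the container-only network, and a host address outside its planned network (for example 10.0.1.17 on a /28 starting at 10.0.1.0) is rejected instead of silently producing a stanza.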
  3. t_b (New Member)
    Damn bulletin board! Third time I've written this....

    Now in short:

    A typo in the subnet in your reply (255.255.255.240 vs 255.255.240.0)?
    Communication between containers: OK (see screenshots)
    Configuring the gateway: failed, "SIOCADDRT: File exists". Do I have to remove an existing entry first (see screenshots)? => no communication with the outside
    DNS: for resolving container names in the container-only network, do I have to install a DNS server, map IP to name, add the DNS from Proxmox and e.g. Google DNS as secondary DNS?

    Screenshots: picsurge.com/g/AaMI3L

    Thanks for your response and your support
  4. Richard (Proxmox Staff Member)
    Yes indeed, sorry for that.

    Yes, but normally you should reboot the node after changing the IP configuration, and something like this should not occur.

    No screenshot attached.
  5. geormanth (New Member)
    Try this:

    Code:
    auto lo
    iface lo inet loopback

    auto vmbr0
    iface vmbr0 inet static
            address 188.68.49.XXX
            netmask 255.255.252.0
            gateway 188.68.48.1
            bridge_ports eth0
            bridge_stp off
            bridge_fd 0
            # default route to access subnet (network address must match the /22 mask)
            up route add -net 188.68.48.0 netmask 255.255.252.0 gw 188.68.48.1 eth0

    auto vmbr1
    iface vmbr1 inet static
            address 10.0.0.1
            netmask 255.255.252.0
            bridge_ports none
            bridge_stp off
            bridge_fd 0
            post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
            post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE

    auto vmbr2
    iface vmbr2 inet static
            address 10.0.1.1
            netmask 255.255.240.0
            bridge_ports none
            bridge_stp off
            bridge_fd 0
            post-up iptables -t nat -A POSTROUTING -s '10.0.1.0/24' -o vmbr0 -j MASQUERADE
            post-down iptables -t nat -D POSTROUTING -s '10.0.1.0/24' -o vmbr0 -j MASQUERADE
            ## Transfer port 80 to VM venet network
            post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.0.1.xxx:80
            post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.0.1.xxx:80

    Now you can have VMs with venet networks.
  6. t_b (New Member)
    Sorry for the late reply:

    I finally managed to get the network to work as expected (some days before your post, as I said; I'm sorry). So here is what I did:

    Network interfaces on Proxmox

    Code:
    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
            address 188.68.49.XX
            netmask 255.255.252.0
            gateway 188.68.48.1

    auto vmbr1
    iface vmbr1 inet static
            address 10.0.0.1
            netmask 255.255.255.252
            bridge_ports none
            bridge_stp off
            bridge_fd 0

    auto vmbr2
    iface vmbr2 inet static
            address 10.0.1.1
            netmask 255.255.255.240
            bridge_ports none
            bridge_stp off
            bridge_fd 0

    auto vmbr3
    iface vmbr3 inet manual
            bridge_ports none
            bridge_stp off
            bridge_fd 0

    Commands on Proxmox

    Code:
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.2
    iptables-save > /etc/iptables/rules.v4

    Changes in /etc/sysctl.conf on Proxmox

    Code:
    net.ipv4.ip_forward=1
    net.ipv4.conf.all.accept_redirects = 0
    fs.inotify.max_user_watches=16384

    Hope that will help others.
  7. geormanth (New Member)
    This way, all iptables rules are permanent. If you add your rules in network interfaces, then every time the network comes up the rules will be added, and every time it goes down they will be removed.
    So you have better control.
    Of course this is my opinion and nothing more.
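The NAT and port-forwarding rules in the last two posts, as an added example that is not the thread's own code: a POSIX shell script that prints a least-privilege rule set for this plan and renders it as the post-up/post-down pairs geormanth recommends. It assumes eth0 as the public interface, vmbr1/vmbr2/vmbr3 as the proxy, mail and internal bridges, and 10.0.0.2 as the reverse proxy (the DNAT target above); the function names are mine. Two points the final rules above leave open: the MASQUERADE rule has no -s match, so every network the host forwards, including the internal-only 10.0.2.0/24, is NATed to the public address as soon as a container there has a default route; and a DNAT rule only rewrites the destination, the forwarded packets pass today only because the FORWARD chain's policy defaults to ACCEPT. The example restricts the source NAT to the two networks that are meant to reach the internet and gives FORWARD a DROP policy with explicit accepts.

```shell
#!/bin/sh
# Added example (not from the thread): print the NAT and FORWARD rules for the
# plan above with least privilege, and render them as post-up/post-down hooks.
# Assumed: eth0 is the public interface (as in the thread), vmbr1/vmbr2/vmbr3
# are the proxy, mail and internal bridges, and the reverse proxy is 10.0.0.2
# (the thread's DNAT target). Function names are this example's own.
WAN=eth0
PROXY_BR=vmbr1; PROXY_NET=10.0.0.0/30; PROXY_IP=10.0.0.2
MAIL_BR=vmbr2;  MAIL_NET=10.0.1.0/28
INT_BR=vmbr3

# Source NAT only for the two networks that are meant to reach the internet.
# "-o eth0 -j MASQUERADE" without -s would also NAT the internal-only
# 10.0.2.0/24 bridge the moment a container there gets a default route.
nat_rules() {
    echo "iptables -t nat -A POSTROUTING -s $PROXY_NET -o $WAN -j MASQUERADE"
    echo "iptables -t nat -A POSTROUTING -s $MAIL_NET -o $WAN -j MASQUERADE"
    for port in 80 443; do
        echo "iptables -t nat -A PREROUTING -i $WAN -p tcp --dport $port -j DNAT --to-destination $PROXY_IP:$port"
    done
}

# Forwarding is default-deny: DNAT only rewrites the destination, the packet
# still has to pass FORWARD. Only the DNATed 80/443 flows are let in, only the
# two NATed networks are let out, and vmbr3 never crosses the host (the drop
# policy covers it; the LOG rule makes denied attempts visible in the kernel log).
forward_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $PROXY_BR -s $PROXY_NET -o $WAN -j ACCEPT"
    echo "iptables -A FORWARD -i $MAIL_BR -s $MAIL_NET -o $WAN -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN -o $PROXY_BR -d $PROXY_IP -p tcp -m multiport --dports 80,443 -m conntrack --ctstate DNAT -j ACCEPT"
    echo "iptables -A FORWARD -i $INT_BR -j LOG --log-prefix 'fwd-denied-$INT_BR: '"
}

# Read iptables commands on stdin and emit post-up/post-down pairs for an iface
# stanza in /etc/network/interfaces: every "-A" rule gets a matching "-D" on the
# way down, so the rules live and die with the interface. A policy (-P) has no
# -D counterpart, so it is emitted as post-up only.
as_interface_hooks() {
    while IFS= read -r cmd; do
        case $cmd in
            *" -A "*)
                printf '\tpost-up %s\n' "$cmd"
                printf '\tpost-down %s\n' "$(printf '%s\n' "$cmd" | sed 's/ -A / -D /')"
                ;;
            *)
                printf '\tpost-up %s\n' "$cmd"
                ;;
        esac
    done
}

# Stand-alone usage: what you would paste under "iface eth0 inet static".
{ nat_rules; forward_rules; } | as_interface_hooks
```

The output goes under the eth0 stanza in /etc/network/interfaces; net.ipv4.ip_forward=1 from the sysctl changes above is still required, and conntrack and multiport are standard iptables match extensions on a stock Debian kernel.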
     