I can't reach gateway from CT

kamzata, Renowned Member, Jan 21, 2011, Italy
I've done a fresh installation of the latest version of Proxmox on my public server, and it set vmbr0 to my public IP 87.x.x.30, netmask 255.255.255.0 and gateway 87.x.x.1, while eth0 and eth1 aren't set. After this I created a brand new CT using the official Ubuntu 12.04 OpenVZ template, set up with venet on the private IP 192.168.1.51. Then I tried to ping both the gateway 87.x.x.1 and 8.8.8.8, without result.

Where am I wrong?
 
You need to use NAT if you want to access a public address from a private address.

Right, can you suggest an example configuration? I'm trying to understand how iptables works... I also installed Webmin on my Proxmox HN, hoping that it would help me configure NAT, but without result. Do I also need to configure eth1 with a private IP address like 192.168.10.50?

Thank you
 
I've partially seen the light. With the help of the Webmin interface and this document, I can now connect to the internet from the CT, but I can't reach it from the internet. I used NAT POSTROUTING, setting SNAT to my public IP and the outgoing network interface to vmbr0.

I'm trying to do a similar job with DNAT in PREROUTING, specifying the destination port of my CT, but it doesn't work. Any idea?

Edit: I should add that the CT isn't reachable from the HN with ping, but the opposite works.
 
https://pve.proxmox.com/wiki/Network_Model

Masquerading (NAT)

In some cases you may want to use private IPs behind your Proxmox host's true IP, and masquerade the traffic using NAT:
auto vmbr0
iface vmbr0 inet static
address 10.10.10.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
 
Thank you, but I still don't understand. In your example the address is a private IP, no gateway is set and no bridge_ports is provided. This is my /etc/network/interfaces:

Code:
# network interface settings
auto lo
iface lo inet loopback


iface eth0 inet manual
        post-up iptables-restore < /etc/iptables.up.rules


auto vmbr0
iface vmbr0 inet static
        address  87.x.x.30
        netmask  255.255.255.0
        gateway  87.x.x.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

and my /proc/sys/net/ipv4/ip_forward is set to 1.

As I said, I used NAT POSTROUTING, setting SNAT to my public IP and the outgoing network interface to vmbr0, to provide access TO the internet FROM the CT, and it seems to work very well.

Now, to provide access FROM the internet TO a container (as written here), should I use PREROUTING and DNAT as in this example?

Code:
In addition, to make some services in a container with a private IP address accessible from the Internet, DNAT (Destination Network Address Translation) should be configured on the Hardware Node (https://openvz.org/Hardware_Node). To perform a simple DNAT setup, execute the following command on the Hardware Node:

# iptables -t nat -A PREROUTING -p tcp -d ip_address --dport port_num \
  -i eth0 -j DNAT --to-destination ve_address:dst_port_num

where ve_address is the IP address of the container, dst_port_num is the TCP port which the required service uses, ip_address is the external (public) IP address of your Hardware Node, and port_num is a TCP port of the Hardware Node which will be used for Internet connections to the private container service. Note that this setup makes the service which is using port_num on the Hardware Node inaccessible from the Internet. Also note that SNAT translation is required too.

For example, if you need a web server in a container to be accessible from outside and, at the same time, keep a web server on the Hardware Node accessible, use the following config:

# iptables -t nat -A PREROUTING -p tcp -d ip_address --dport 8080 \
  -i eth0 -j DNAT --to-destination ve_address:80
# iptables -t nat -A POSTROUTING -s ve_address -o eth0 -j SNAT --to ip_address

After applying this, you'll see the container's web server at http://ip_address:8080/.
 
Having slept on it, maybe I understand what you meant: I tried to add a second vmbr like this:

Code:
# network interface settings
auto lo
iface lo inet loopback


iface eth0 inet manual
        post-up iptables-restore < /etc/iptables.up.rules


auto vmbr0
iface vmbr0 inet static
        address  87.x.x.30
        netmask  255.255.255.0
        gateway  87.x.x.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0



auto vmbr1
iface vmbr1 inet static
        address  192.168.10.50
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '192.168.10.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.10.0/24' -o vmbr0 -j MASQUERADE

and afterwards added a DNAT rule. Then I tried to replace 192.168.10.0/24 with /32, because the venet0:0 netmask is 255.255.255.255, but nothing doing, it doesn't work.

I found this document, and for OpenVZ CTs they don't recommend using a bridge configuration. So I tried to follow what they suggest (use NAT), but nothing doing.

At the moment, the only rule that works is this:

Code:
iptables -t nat -A POSTROUTING -o vmbr0 -j SNAT --to 87.x.x.30

which allows me to connect TO the internet FROM the CT.
 
Eureka! I'm just a stupid bad ass! I forgot a digit in the CT address! I wrote 19.168.10.52 instead of 192.168.10.52. Now it works like a charm!

I used these rules:

Code:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o vmbr0 -j SNAT --to IP.de.votre.serveur_hote

Code:
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 1022 -j DNAT --to 10.0.0.1:22
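The three pieces this thread ends up combining (the wiki's POSTROUTING masquerade, the OpenVZ PREROUTING DNAT plus SNAT pair, and the two rules that finally worked) can be put together in one script. The one below is an added example, not code from the thread or from the Proxmox or OpenVZ wikis. It generates an iptables-restore ruleset for a venet container behind the host's static public IP, and it does two things the thread's commands do not: it rejects a container address that is not inside the declared subnet (exactly the 19.168.10.52 typo that cost several posts), and it adds a default-DROP FORWARD policy so that enabling ip_forward only forwards the traffic the NAT rules are for, rather than everything. The host address 203.0.113.30 (an RFC 5737 documentation address), the CT address 192.168.10.52, the subnet 192.168.10.0/24, the ports 1022/22 and the interface name vmbr0 are constructed assumptions; SNAT --to-source is used instead of MASQUERADE because the host IP is static, which is equivalent here.

```shell
#!/bin/bash
# Added example, not from the thread or the Proxmox/OpenVZ wikis.
# Builds an iptables-restore ruleset that gives an OpenVZ CT (venet, private
# IP) outbound access via SNAT and exposes one TCP service via DNAT, with a
# FORWARD policy that only allows what the NAT rules need. All addresses,
# ports and the interface name are constructed assumptions.
set -eu

# valid_ipv4 ADDR: four decimal octets, each 0..255. Returns 1 otherwise.
valid_ipv4() {
  local ip=$1 octet n=0
  case $ip in *[!0-9.]*) return 1 ;; esac   # only digits and dots
  local IFS=.
  for octet in $ip; do
    case $octet in '') return 1 ;; esac      # empty octet, e.g. "1..2.3"
    [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# in_slash24 ADDR NET: ADDR shares the first three octets of NET. A plain
# /24 check, but enough to catch "19.168.10.52" vs "192.168.10.52".
in_slash24() {
  [ "${1%.*}" = "${2%.*}" ]
}

# gen_nat_rules HOST_IP CT_IP CT_NET/24 PUB_PORT CT_PORT [WAN_IF]
# Prints an iptables-restore ruleset on stdout; on bad input prints an
# error on stderr and returns 1 so nothing half-broken gets applied.
gen_nat_rules() {
  local host_ip=$1 ct_ip=$2 ct_net=$3 pub_port=$4 ct_port=$5 wan=${6:-vmbr0}
  valid_ipv4 "$host_ip" || { echo "invalid host IP: $host_ip" >&2; return 1; }
  valid_ipv4 "$ct_ip"   || { echo "invalid CT IP: $ct_ip" >&2; return 1; }
  in_slash24 "$ct_ip" "${ct_net%/*}" \
    || { echo "CT IP $ct_ip is not inside $ct_net" >&2; return 1; }
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# inbound: public port on the host -> service port inside the CT
-A PREROUTING -i $wan -p tcp --dport $pub_port -j DNAT --to-destination $ct_ip:$ct_port
# outbound: rewrite the CT subnet to the host's static public IP
-A POSTROUTING -s $ct_net -o $wan -j SNAT --to-source $host_ip
COMMIT
*filter
# ip_forward=1 forwards everything by default; only allow what NAT needs
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $ct_net -o $wan -j ACCEPT
-A FORWARD -d $ct_ip -p tcp --dport $ct_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Demo with constructed values: host 203.0.113.30, CT 192.168.10.52, public
# port 1022 forwarded to the CT's sshd on 22 (the host's own sshd stays
# reachable on 22, since a DNAT'd port is no longer usable by the host).
gen_nat_rules 203.0.113.30 192.168.10.52 192.168.10.0/24 1022 22
```

To use it on the HN, redirect the output to /etc/iptables.up.rules (the file the thread's eth0 post-up line already loads with iptables-restore). Note that a `*filter` section makes iptables-restore flush the existing filter table, so merge it with any INPUT rules already on the host, or load it with `iptables-restore --noflush`.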
 
