Internet in the VM is not working properly

Ramkhanal

New Member
Sep 28, 2021
3
0
1
21
Hello Everyone,

I am a newbie in Proxmox and I don't have much idea about it, so I hope I will get the solution for my problem here.

So I have a Proxmox machine with a public IP on vmbr0 (eth0 bridged). I don't know why this is bridged, but it works fine.

I have created another bridge interface for the VM

and I have set up my Proxmox box to work as a NATed router and got the VM to ping 8.8.8.8 and google.com. At that point I thought the firewall and internet settings were properly set up.

Then after some time I tried to download a file with the wget command, which failed, and hence I tried to telnet to port 80 on many sites (google.com, facebook and many others); none of those worked, and the result was the same for port 443.

Then I tried to connect to port 80 and 443 from my Proxmox box, and it connected properly.

Then from the VM I tried to connect to port 587, which worked.

I have no idea what is going on in Proxmox, so can anyone help?

Thank you,
 

Moayad

Proxmox Staff Member
Staff member
Jan 2, 2020
1,283
96
48
28
Vienna
shop.maurer-it.com
Hi,


> Then after some time I tried to download a file with wget command which failed and hence

Have you tried to download that file from the VM side? Have you tried to download it from the browser? Please provide us with the PVE network configuration `cat /etc/network/interfaces` and the VM config `qm config <VMID>`
 

Ramkhanal

Hello, sorry for the late reply.

qm config 100
Code:
boot: order=scsi0;ide2;net0
cores: 1
ide2: none,media=cdrom
memory: 3000
name: Mailcleaner
net0: virtio=BE:A1:DB:09:D5:BB,bridge=vmbr1,firewall=1
numa: 0
ostype: l26
scsi0: local:100/vm-100-disk-0.qcow2,size=32G
scsihw: virtio-scsi-pci
smbios1: uuid=a8cb0196-0c6c-48d6-8860-1769f7d73bf4
sockets: 1
unused0: local:100/vm-100-disk-1.raw
vmgenid: bc69ba07-14f7-4453-b84e-203d4ed5c665

cat /etc/network/interfaces (from host)
auto lo
iface lo inet loopback

iface enp1s0 inet manual

auto vmbr0
iface vmbr0 inet static
address <public ip>
gateway <gateway>
bridge-ports enp1s0
bridge-stp off
bridge-fd 0

auto vmbr1
iface vmbr1 inet static
address 192.168.1.1/24
bridge-ports none
bridge-stp off
bridge-fd 0

cat /etc/network/interfaces from vm:
auto lo
iface lo inet loopback
post-up echo 1 > /proc/sys/net/ipv6/conf/lo/disable_ipv6

auto eth0
allow-hotplug eth0
iface eth0 inet static
pre-up echo 1 > /proc/sys/net/ipv6/conf/eth0/disable_ipv6
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 8.8.8.8
source /etc/network/interfaces.d/*.conf


Iptables rules for internet sharing
iptables -t nat -vnL
Code:
Chain PREROUTING (policy ACCEPT 77 packets, 5988 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1479 77016 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.101:80
   58  3036 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.1.2:443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.2:80
    1    52 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 to:192.168.1.2:2222
   10   520 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4242 to:192.168.1.2:4242


Chain INPUT (policy ACCEPT 29 packets, 1746 bytes)
 pkts bytes target     prot opt in     out     source               destination         


Chain OUTPUT (policy ACCEPT 5 packets, 380 bytes)
 pkts bytes target     prot opt in     out     source               destination         


Chain POSTROUTING (policy ACCEPT 41 packets, 2252 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  253 16676 MASQUERADE  all  --  *      vmbr0   192.168.1.0/24       0.0.0.0/0

iptables -vnL

Code:
Chain INPUT (policy ACCEPT 50880 packets, 7549K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80


Chain FORWARD (policy ACCEPT 3881 packets, 548K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1847 1232K ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0           


Chain OUTPUT (policy ACCEPT 56337 packets, 8658K bytes)
 pkts bytes target     prot opt in     out     source               destination
 

Moayad

Can you ping the Proxmox VE host from the VM?

Have you tried to download a file using curl for example?
 

Ramkhanal

I can ping the VM from the Proxmox host.
I can download anything from my Proxmox host, but the VM in Proxmox can't download anything with curl, wget or yum.

It can ping google.com or any other site.

The VM in Proxmox cannot even telnet to 80 or 443, but can telnet to 587, 25 and all, so can you help with this?
 
Oct 7, 2019
32
9
13
If I understand the problem properly, it seems the iptables rules are wrong:

Code:
 1479 77016 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.101:80
   58  3036 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.1.2:443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.2:80
    1    52 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 to:192.168.1.2:2222
   10   520 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4242 to:192.168.1.2:4242

You are trying to DNAT every packet, from every source to every destination, for ports 80, 443, 2222 and 4242 to a set of internal IPs. That means that every packet is going to be DNAT'ed, whether it is destined to the Internet or to any internal address. That's why you can't reach ports 80 or 443 on any host on the Internet. In fact, your third rule will never be applied, as every packet will be matched by the first rule.

What are those DNAT's for?
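
An added example (not part of the original posts): a small Python audit of the PREROUTING listing from the thread. It flags DNAT rules that have neither an in-interface nor a destination match, which therefore also rewrite the VM's own outbound connections, and rules shadowed by an earlier rule with the same match. The function names are hypothetical; scoping each rule to traffic arriving on the public bridge (`-i vmbr0`) or addressed to the host's public IP (`-d`) is the usual correction.

```python
import re

# Constructed sample: the PREROUTING rows from the `iptables -t nat -vnL` output posted in the thread.
SAMPLE = """\
 1479 77016 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.101:80
   58  3036 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.1.2:443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.2:80
    1    52 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 to:192.168.1.2:2222
   10   520 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4242 to:192.168.1.2:4242
"""

ROW = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+DNAT\s+(?P<proto>\S+)\s+\S+\s+"
    r"(?P<iif>\S+)\s+(?P<oif>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r".*?dpt:(?P<dport>\d+)\s+to:(?P<to>\S+)")

ANY = "0.0.0.0/0"

def audit_dnat(listing):
    """Return (rule_no, dport, target, findings) for each DNAT row."""
    seen = {}      # match tuple -> first rule number that used it
    report = []
    for n, line in enumerate(filter(str.strip, listing.splitlines()), 1):
        m = ROW.match(line)
        if not m:
            continue
        findings = []
        # No in-interface and no destination address: the rule also rewrites
        # connections forwarded from the VM bridge towards the Internet.
        if m["iif"] == "*" and m["dst"] == ANY:
            findings.append("unscoped")
        key = (m["proto"], m["iif"], m["src"], m["dst"], m["dport"])
        if key in seen:
            findings.append(f"shadowed by rule {seen[key]}")
        else:
            seen[key] = n
        report.append((n, int(m["dport"]), m["to"], findings))
    return report

def hijacked_ports(listing):
    """Destination ports the VM cannot reach outbound because of unscoped DNAT."""
    return sorted({p for _, p, _, f in audit_dnat(listing) if "unscoped" in f})

if __name__ == "__main__":
    for n, port, to, findings in audit_dnat(SAMPLE):
        print(f"rule {n}: dpt:{port} -> {to}: {', '.join(findings) or 'ok'}")
```

Ports 25 and 587 do not appear in the result, which matches the symptom reported in the thread: only the ports with an unscoped DNAT rule fail from the VM.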
 
