iptables 1:1 NAT for 2 IPs one NIC

L

leonidas_o

Member
Apr 17, 2022
68
5
8
Hello guys,

as I'm having a pretty tough time to get one of the services (BigBlueButton) to work I would like to try the deployment with a 1:1 NAT in iptables. Long story short, I have a virtualised opnesense/pfsene, tried really everything in there (1:1Nat), port forwardings, different reverse proxies etc. But simply couldn't get it to work. Therefore trying even to avoid all that and directly map the public IP to the VM.

I got a second public IP address but only one NIC. This IP should be solely used for my BBB VM, nothing else.

So I tried the following, added the IP to the enp0s31f6 interface and prerouted everything for the new IP 94.x.x.B to the VM's local IP via vmbr0. vmbr0 is used only by this one VM. I can reach the VM via ssh, the VM has internet access etc. All seems to work, except BBB is still not satisfied, showing a connection error (see at the bottom). I guess I'm still missing something to make it a full 1:1 Nat, a full mapping of a public IP to a VM.
Any ideas?



Code: 
auto enp0s31f6
iface enp0s31f6 inet static
  address 94.x.x.A
  netmask 255.255.255.192
  gateway 94.x.x.x
  post-up echo 1 > /proc/sys/net/ipv4/ip_forward
  post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
  up ip addr add 94.x.x.B/26 dev $IFACE label $IFACE:0
  down ip addr del 94.x.x.B/26 dev $IFACE label $IFACE:0
  post-up iptables -t nat -A PREROUTING -i enp0s31f6 -p tcp -d 94.x.x.A -m multiport ! --dport 22,8006,179 -j DNAT --to 10.10.10.2
  post-up iptables -t nat -A PREROUTING -i enp0s31f6 -p udp -d 94.x.x.A -m multiport ! --dport 5405:5412,4789 -j DNAT --to 10.10.10.2
  post-up iptables -t nat -A PREROUTING -d 94.x.x.B -j DNAT --to 10.2.1.2

...

auto vmbr0
iface vmbr0 inet static
        address  10.2.1.1/30
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.2.1.1/30' -o enp0s31f6 -j SNAT --to-source 94.x.x.B
        post-down iptables -t nat -D POSTROUTING -s '10.2.1.1/30' -o enp0s31f6 -j SNAT --to-source 94.x.x.B
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING  -i fwbr+ -j CT --zone 1

...



As a side note, when executing the check on the BBB server/ the VM, it shows this connection issue.
Code: 
Checking Connection: Failed
Error connecting to BigBlueButton server - Failed to open TCP connection to bbb.my-domain.com:443 (execution expired)
 
I encountered also something weird, at least for me.
I can ping the main IP A from within the BBB VM 94.x.x.A but not the second one 94.x.x.B.
BUT I can ping the second IP 94.x.x.B from another Server or the Proxmox host itself which has this IP. So within vmbr0 it is not working and from within vmbr11 (behind opnsense/pfsense) it's also not working. I think I'm either missing for sure an iptable rule or I have to modify one of the above.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom