iptables 1:1 NAT for 2 IPs one NIC

[leonidas_o]

Hello guys,

as I'm having a pretty tough time to get one of the services (BigBlueButton) to work I would like to try the deployment with a 1:1 NAT in iptables. Long story short, I have a virtualised opnesense/pfsene, tried really everything in there (1:1Nat), port forwardings, different reverse proxies etc. But simply couldn't get it to work. Therefore trying even to avoid all that and directly map the public IP to the VM.

I got a second public IP address but only one NIC. This IP should be solely used for my BBB VM, nothing else.

So I tried the following, added the IP to the enp0s31f6 interface and prerouted everything for the new IP 94.x.x.B to the VM's local IP via vmbr0. vmbr0 is used only by this one VM. I can reach the VM via ssh, the VM has internet access etc. All seems to work, except BBB is still not satisfied, showing a connection error (see at the bottom). I guess I'm still missing something to make it a full 1:1 Nat, a full mapping of a public IP to a VM.
Any ideas?

auto enp0s31f6
iface enp0s31f6 inet static
  address 94.x.x.A
  netmask 255.255.255.192
  gateway 94.x.x.x
  post-up echo 1 > /proc/sys/net/ipv4/ip_forward
  post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
  up ip addr add 94.x.x.B/26 dev $IFACE label $IFACE:0
  down ip addr del 94.x.x.B/26 dev $IFACE label $IFACE:0
  post-up iptables -t nat -A PREROUTING -i enp0s31f6 -p tcp -d 94.x.x.A -m multiport ! --dport 22,8006,179 -j DNAT --to 10.10.10.2
  post-up iptables -t nat -A PREROUTING -i enp0s31f6 -p udp -d 94.x.x.A -m multiport ! --dport 5405:5412,4789 -j DNAT --to 10.10.10.2
  post-up iptables -t nat -A PREROUTING -d 94.x.x.B -j DNAT --to 10.2.1.2

...

auto vmbr0
iface vmbr0 inet static
        address  10.2.1.1/30
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.2.1.1/30' -o enp0s31f6 -j SNAT --to-source 94.x.x.B
        post-down iptables -t nat -D POSTROUTING -s '10.2.1.1/30' -o enp0s31f6 -j SNAT --to-source 94.x.x.B
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING  -i fwbr+ -j CT --zone 1

...

As a side note, when executing the check on the BBB server/ the VM, it shows this connection issue.

Checking Connection: Failed
Error connecting to BigBlueButton server - Failed to open TCP connection to bbb.my-domain.com:443 (execution expired)

 

[leonidas_o]

I encountered also something weird, at least for me.
I can ping the main IP A from within the BBB VM 94.x.x.A but not the second one 94.x.x.B.
BUT I can ping the second IP 94.x.x.B from another Server or the Proxmox host itself which has this IP. So within vmbr0 it is not working and from within vmbr11 (behind opnsense/pfsense) it's also not working. I think I'm either missing for sure an iptable rule or I have to modify one of the above.

 

[leonidas_o]

Couldn't make BigBlueButton work with 1:1 NAT + Reflection, so I gave up on that approach. I still found a solution assigning the second public IP to the BBB VM, which I documented here: https://serverfault.com/questions/1...vm-from-outside-not-reachable/1121266#1121266