Iptables NAT not working from vmbr with bridged port

flexu

Nov 16, 2022
This is my current network setup on host one (vm01). I have a public network available over vmbr0 and a private network connected to a nic over vmbr1 (used for cluster traffic and VM private network via a vlan). Now I want to NAT the vlan onto vmbr0 so that the vms can have limited internet access. I've tried to do this multiple times now but I just can't get it to work...

Code:
auto lo
iface lo inet loopback

iface enp2s0f0 inet manual

iface enp2s0f1 inet manual

iface ens2f0 inet manual

iface ens2f1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 109.230.xxx.xxx/29
        gateway 109.230.xxx.xxx
        bridge-ports enp2s0f0
        bridge-stp off
        bridge-fd 0
#        bridge-ports ens2f0

auto vmbr1
iface vmbr1 inet static
        address 10.1.0.1/16
        bridge-ports ens2f1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/16' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/16' -o vmbr0 -j MASQUERADE
#10 gig cluster network

auto vmbr1.10
iface vmbr1.10 inet static
        address 10.0.0.1/16


The VMs can reach each other and vm01 (10.0.0.1) perfectly using the VLAN, but no packets are being NATed :c
You didn't post any of your NAT settings. First, check that all routing works ok prior to being natted, including what you claim not working. Of course, check ip_forwarding is enabled. And check things that should NOT be natted, but forwarded.
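To make the checks in this reply concrete, here is a small added Python checker (not code from the thread or from Proxmox) that reads an `iptables-save` dump and reports two things: whether a POSTROUTING MASQUERADE rule leaving vmbr0 actually covers the VLAN subnet, and whether the filter table's FORWARD chain would drop the bridged traffic before NAT ever applies. The dump below is constructed to mirror the rule in the interfaces file above; on a real host you would feed it the output of `iptables-save`.

```python
import ipaddress
import re

# Constructed iptables-save text mirroring the rule from the interfaces file; not a real capture.
SAMPLE_DUMP = """\
*nat
-A POSTROUTING -s 10.0.0.0/16 -o vmbr0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i vmbr0 -o vmbr0 -j ACCEPT
COMMIT
"""

def parse_tables(dump):
    """Map table name -> {"policies": {chain: policy}, "rules": [rule, ...]}."""
    tables, cur = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif cur is not None and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            cur["policies"][chain] = policy
        elif cur is not None and line.startswith("-A"):
            cur["rules"].append(line)
    return tables

def _opt(rule, flag):
    # Value of a single-argument option such as -s, -o or -i, or None if absent.
    m = re.search(r"(?:^| )%s (\S+)" % flag, rule)
    return m.group(1) if m else None

def masquerade_covers(dump, vlan_cidr, out_if):
    """True if a POSTROUTING MASQUERADE rule leaving out_if covers vlan_cidr."""
    vlan = ipaddress.ip_network(vlan_cidr, strict=False)
    for rule in parse_tables(dump).get("nat", {"rules": []})["rules"]:
        if not rule.startswith("-A POSTROUTING") or "-j MASQUERADE" not in rule:
            continue
        src, oif = _opt(rule, "-s"), _opt(rule, "-o")
        if oif in (None, out_if) and (src is None or vlan.subnet_of(ipaddress.ip_network(src))):
            return True
    return False

def forward_chain_blocks(dump, in_if, out_if):
    """True when FORWARD policy is not ACCEPT and no ACCEPT rule matches in_if -> out_if."""
    # Heuristic: a rule without -i/-o is treated as matching any interface pair.
    filt = parse_tables(dump).get("filter", {"policies": {}, "rules": []})
    if filt["policies"].get("FORWARD", "ACCEPT") == "ACCEPT":
        return False
    for rule in filt["rules"]:
        if rule.startswith("-A FORWARD") and "-j ACCEPT" in rule:
            if _opt(rule, "-i") in (None, in_if) and _opt(rule, "-o") in (None, out_if):
                return False
    return True
```

Run with `masquerade_covers(dump, "10.0.0.1/16", "vmbr0")` and `forward_chain_blocks(dump, "vmbr1.10", "vmbr0")`; the constructed dump shows the case where the NAT rule is fine but a restrictive FORWARD policy silently drops the VLAN traffic.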
> And check things that should NOT be natted, but forwarded.

What do you mean by this?


IP forwarding is enabled: sysctl -p net.ipv4.ip_forward = 1
The routing works without any problems, clients on vmbr1 can talk to each other, clients on vmbr0 that have the correct IPs assigned have internet access and clients on vmbr1.10 can also talk to all clients in VLAN 10. They can also reach the gateway (10.0.0.1/16) but then they can not reach anything outside that network...
 
Traffic from the lxc containers in the vmbr1.10 vlan is definitely reaching the gateway where it should be natted: