LXC+iptables networking stop working after some time

Sep 19, 2018
Hello, guys! I have a very strange problem which I don't know how to solve.

I have an LXC container on my Proxmox server with two interfaces:
- public IP which is accessible on Internet
- private IP for inter-container network

I also configured this container for:
- SNAT for traffic from internal network (other non-public containers)
- DNAT for certain ports e.g. route HTTP traffic (port 80) to my Nginx container in inter-container network

All works very well! But after some idle time (maybe several hours) the container drops all incoming traffic (SSH, HTTP, etc).

The strange thing is that if I open a terminal for this container in the Proxmox GUI, log in as root and execute the `iptables -L -t nat` command, all traffic comes back and I can SSH into the container from the Internet again! I can't understand how to fix that!

I appreciate any help or advice! Please, ask any questions, I can give you more details.
Thank you!
 
Hi,

I do not know your setup in detail but I guess your setup will not allow the first vmbr to discover your veth.
After a time switches will forget the MAC of the ports if they are not used anymore.
And if the switch can not find it the traffic will be dropped.

If you are active you send packets and the switch will not forget the MAC.
 
Hello, @wolfgang! Thank you for your response!

This is my /etc/network/interfaces:
Code:
auto lo
iface lo inet loopback
iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 172.23.70.11/25
        gateway 172.23.70.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet static
        address 192.168.103.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
#Inter-container network

vmbr0 - is linked to the Internet. I have a Cisco firewall before eno1 which translates local addresses from the 172.23.70.0/25 network to public IPs. I have a couple of public IPs, one of which is bound to the host and another one - to the LXC container (it is called 'router' because it acts as a router for the internal network for other containers).

LXC container 'router' network config:
Code:
root@router:~# cat /etc/systemd/network/eth0.network
[Match]
Name = eth0

[Network]
Description = Interface eth0 autoconfigured by PVE
Address = 192.168.103.100/24
DHCP = no
IPv6AcceptRA = false

root@router:~# cat /etc/systemd/network/eth1.network
[Match]
Name = eth1

[Network]
Description = Interface eth1 autoconfigured by PVE
Address = 172.23.70.48/25
Gateway = 172.23.70.1
DHCP = no
IPv6AcceptRA = false

Currently I solve the problem with a `*/1 * * * * iptables -L -t nat > /dev/null` crontab task. But it is a crazy hack.

Could you please advise me a better solution for my issue? Thanks!
 
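Following wolfgang's explanation, an added example (not code from the thread): a small host-side script that checks whether the container's MAC is still learned in the vmbr0 forwarding database and, if it has aged out, refreshes it with a gratuitous ARP instead of the `iptables -L` cron hack. The container id, its MAC and the interface names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). An idle container's MAC ages out of the
# bridge and upstream switch forwarding tables, so inbound frames are dropped.
# Check the host bridge FDB for the MAC; refresh it with a gratuitous ARP if gone.
# CTID, CT_MAC and CT_IF are hypothetical values chosen for illustration.

BRIDGE="${BRIDGE:-vmbr0}"                 # host bridge from the thread
CTID="${CTID:-100}"                       # hypothetical LXC id of 'router'
CT_MAC="${CT_MAC:-02:00:00:00:00:48}"     # constructed MAC of the container's eth1
CT_IF="${CT_IF:-eth1}"                    # public-side interface in the container
CT_IP="${CT_IP:-172.23.70.48}"            # its address, from the thread

# Lower-case a MAC so comparisons do not depend on how it was typed.
norm_mac() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# fdb_has_mac FDB_TEXT MAC -> 0 if MAC is a learned (non-permanent) entry
# in `bridge fdb show` output, 1 otherwise.
fdb_has_mac() {
    printf '%s\n' "$1" | awk -v mac="$(norm_mac "$2")" '
        tolower($1) == mac && $0 !~ /permanent/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# fdb_port FDB_TEXT MAC -> print the bridge port the MAC was learned on.
fdb_port() {
    printf '%s\n' "$1" | awk -v mac="$(norm_mac "$2")" '
        tolower($1) == mac && $0 !~ /permanent/ {
            for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1); exit }'
}

# Send one gratuitous ARP from inside the container: the host bridge and the
# switch behind eno1 both relearn the MAC on the correct port.
refresh_mac() {
    pct exec "$CTID" -- arping -c 1 -U -I "$CT_IF" "$CT_IP"
}

# Live mode for the Proxmox host, e.g. from cron: `sh fdbcheck.sh check`
case "${1:-}" in
    check)
        fdb="$(bridge fdb show br "$BRIDGE")"
        if fdb_has_mac "$fdb" "$CT_MAC"; then
            echo "ok: $CT_MAC learned on $(fdb_port "$fdb" "$CT_MAC")"
        else
            echo "stale: $CT_MAC gone from $BRIDGE, sending gratuitous ARP"
            refresh_mac
        fi
        ;;
esac
```

The host FDB check cannot see the Cisco device's table, but the gratuitous ARP refreshes that as well.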