[SOLVED] Masquerading (NAT) with iptables fine, until VLAN is added

kofl007

Jul 20, 2023
Hi,

I am running the latest PVE 8.1.4 with NAT of the public IP to a VM.

The configuration works fine until a VLAN (vmbr0.4000) is added to the public IP adapter; after that, the internal VM (10.21.21.5) is no longer reachable from the Proxmox host.

Thanks for any idea.

Code:
auto lo
iface lo inet loopback

iface enp0s31f6 inet manual

auto vmbr0
iface vmbr0 inet static
        address 88.x.y.z/26
        gateway 88.x.y.z
        bridge-ports enp0s31f6
        bridge-stp off
        bridge-fd 0

auto vmbr0.4000
iface vmbr0.4000 inet static
        address 172.16.254.10
        netmask 255.255.255.0
        vlan-raw-device enp0s31f6
        mtu 1400

auto vmbr2
iface vmbr2 inet static
        address 10.21.21.254
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.21.21.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.21.21.0/24' -o vmbr0 -j MASQUERADE
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.21.21.5:80
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.21.21.5:80
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 10.21.21.5:443
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 10.21.21.5:443

source /etc/network/interfaces.d/*

A reboot of the server resolved the issue; just restarting the network was not sufficient.
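As an added check (my example, not the poster's configuration or Proxmox code), the audit below reads `iptables-save -t nat` output and reports whether the three NAT rules installed by the vmbr2 post-up hooks are present exactly once. The two dumps are constructed: the drifted one only illustrates what repeated post-up `-A` runs without their post-down `-D` counterpart leave behind, not what happened on the poster's host.

```shell
#!/bin/sh
# Audit the NAT rules that the vmbr2 post-up hooks are supposed to leave in place.
# Reads `iptables-save -t nat` output on stdin, prints one line per finding and
# returns 0 only when every expected rule is present exactly once.
audit_nat_rules() {
    dump=$(cat)
    status=0
    # Expected rules as iptables-save prints them: `--to` is expanded to
    # `--to-destination` and `-m tcp` is inserted before `--dport`.
    for rule in \
        '-A POSTROUTING -s 10.21.21.0/24 -o vmbr0 -j MASQUERADE' \
        '-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.21.21.5:80' \
        '-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.21.21.5:443'
    do
        n=$(printf '%s\n' "$dump" | grep -cFx -- "$rule" || true)
        case $n in
            0) echo "MISSING: $rule"; status=1 ;;
            1) ;;
            *) echo "DUPLICATE ($n copies): $rule"; status=1 ;;
        esac
    done
    return $status
}

# Constructed dump: what `iptables-save -t nat` shows after the hooks ran once.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.21.21.5:80
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.21.21.5:443
-A POSTROUTING -s 10.21.21.0/24 -o vmbr0 -j MASQUERADE
COMMIT'

# Constructed dump of a drifted table: the post-up -A commands ran a second time
# without the matching post-down -D, so the DNAT rules are doubled, and the
# MASQUERADE rule is missing altogether.
DRIFTED_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.21.21.5:80
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.21.21.5:443
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.21.21.5:80
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.21.21.5:443
COMMIT'

# On the host itself: iptables-save -t nat | audit_nat_rules
printf '%s\n' "$DRIFTED_DUMP" | audit_nat_rules || echo "nat table needs attention"
```

Running it after `ifreload -a` or a network restart, and again after the reboot, shows whether the rule set itself changed between the broken and the working state.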