NAT for VM not working with dhcp

werter

Hi!
PVE version 8.4.1

Code:
cat /etc/network/interfaces
...
auto enp3s0
iface enp3s0 inet manual

auto vmbr1
iface vmbr1 inet dhcp
        bridge-ports enp3s0
        bridge-stp off
        bridge-fd 0

auto vmbr2
iface vmbr2 inet static
        address 10.28.0.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.28.0.0/24' -o vmbr1 -j MASQUERADE
...

Then I create a VM with vmbr2 as its network interface, run the VM and set up the IP address 10.28.0.100 with gateway 10.28.0.1 inside the VM.
I can ping 10.28.0.1, but I can't ping 8.8.8.8 or any other external IPs :(
Help me please.
Thx.
Hello,

Of course you don't.
vmbr1 is an internal bridge without a NIC in it that would allow the VM to access external network(s).

Should you want your VMs in vmbr2 to access outside networks, I recommend you masquerade to vmbr0 instead of vmbr1. Something like this in the configuration of vmbr2:

Code:
pre-up iptables -t nat -A POSTROUTING -s '10.28.0.0/24' -o vmbr0 -j MASQUERADE
pre-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-down iptables -t nat -F

This works with the corresponding FORWARD policy / rules, but the default policy ACCEPT should do the trick inside PVE.

Kind regards,


G. Delanoy
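Both the original /etc/network/interfaces above and the masquerade lines suggested in this reply rely on the same three things being true at once: forwarding is enabled, a MASQUERADE rule exists for the VM subnet on the bridge that actually carries the default route, and the FORWARD chain lets the traffic through. The script below is an added example written for this thread, not the poster's code and not part of Proxmox: it checks those three conditions against captured command output, so it can be run on pasted text from a post as well as live on a host. The sample outputs inside it are constructed to mirror the thread's configuration (the 192.0.2.0/24 uplink addresses are made up), and the `--live` mode and the `check_live` helper are my own additions.

```shell
#!/bin/sh
# Added example (not from the thread): offline checker for the prerequisites of a
# MASQUERADE setup. Each check takes captured command output as a string argument.

# Print the interface that carries the default route, parsed from `ip r` output.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed if `iptables -t nat -S POSTROUTING` output ($1) contains a MASQUERADE
# rule for source subnet $2 leaving through interface $3.
has_masquerade() {
    printf '%s\n' "$1" | grep -qF -- "-A POSTROUTING -s $2 -o $3 -j MASQUERADE"
}

# Succeed if `iptables -S FORWARD` output ($1) either has policy ACCEPT or carries
# an explicit ACCEPT rule for subnet $2 (the tighter form a production host should
# prefer over a blanket ACCEPT policy).
forward_allowed() {
    printf '%s\n' "$1" | grep -q -- "^-P FORWARD ACCEPT$" && return 0
    printf '%s\n' "$1" | grep -F -- "-A FORWARD -s $2 " | grep -qF -- "-j ACCEPT"
}

# Run every check for subnet $1 against ip_forward value $2, `ip r` output $3,
# nat POSTROUTING rules $4 and FORWARD rules $5. Prints one line per finding;
# the exit status is the number of failed checks (0 means NAT should work).
check_nat() {
    subnet=$1 ipfwd=$2 routes=$3 nat=$4 fwd=$5
    fails=0
    if [ "$ipfwd" = 1 ]; then echo "ok   net.ipv4.ip_forward=1"
    else echo "FAIL net.ipv4.ip_forward=$ipfwd (need 1)"; fails=$((fails + 1)); fi

    wan=$(default_iface "$routes")
    if [ -n "$wan" ]; then echo "ok   default route leaves via $wan"
    else echo "FAIL no default route, NAT has nowhere to send traffic"; fails=$((fails + 1)); fi

    if [ -n "$wan" ] && has_masquerade "$nat" "$subnet" "$wan"; then
        echo "ok   MASQUERADE $subnet -> $wan"
    else echo "FAIL no MASQUERADE rule for $subnet on $wan"; fails=$((fails + 1)); fi

    if forward_allowed "$fwd" "$subnet"; then echo "ok   FORWARD chain allows $subnet"
    else echo "FAIL FORWARD chain blocks $subnet"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed samples mirroring the thread's setup (not real host output): the
# uplink bridge vmbr1 got 192.0.2.10 via DHCP, vmbr2 holds 10.28.0.1/24.
SAMPLE_ROUTES='default via 192.0.2.1 dev vmbr1 proto dhcp src 192.0.2.10 metric 100
10.28.0.0/24 dev vmbr2 proto kernel scope link src 10.28.0.1
192.0.2.0/24 dev vmbr1 proto kernel scope link src 192.0.2.10'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.28.0.0/24 -o vmbr1 -j MASQUERADE'
SAMPLE_FWD='-P FORWARD ACCEPT'

# Hypothetical helper: gather the same four inputs from the running host (root).
check_live() {
    check_nat "$1" "$(cat /proc/sys/net/ipv4/ip_forward)" "$(ip r)" \
        "$(iptables -t nat -S POSTROUTING)" "$(iptables -S FORWARD)"
}

if [ "${1:-}" = "--live" ]; then
    check_live "${2:-10.28.0.0/24}"
else
    if check_nat 10.28.0.0/24 1 "$SAMPLE_ROUTES" "$SAMPLE_NAT" "$SAMPLE_FWD"; then
        echo "sample configuration passes all checks"
    fi
fi
```

Run it as `sh check_nat.sh --live 10.28.0.0/24` on the PVE host; with no arguments it evaluates the constructed samples. Because the MASQUERADE rule is matched on the outgoing interface name rather than on an address, a DHCP-assigned uplink does not change what the rule has to look like; what the checker does catch is the uplink not holding the default route, or the rule naming a bridge other than the one that does.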
Hello,
1. vmbr1 is a bridge with enp3s0 ('bridge-ports enp3s0' in my config above).
2. I don't have vmbr0; I have vmbr1, and the name of the bridge doesn't matter.
3. And why 'pre-up' instead of 'post-up'? I did what it says here: https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysadmin_network_masquerading
Can you post the output of the following commands?

Code:
ip a
ip r
iptables -t nat -L
Hi,
Solved the problem, but only using a static IP. I cannot solve the problem with DHCP.