NAT for VMs with private IP Adress not working

[Tesla2k]

I have a Hetzner Server, where I installed proxmox.
I have a IPv4 subnet which is handled bei vmbr0 and some VMs using this IPs. This works without problems.
Now I added a second bridge vmbr1 with a private subnet and setup NAT, so that the VMs in the private subnet can reach the internet. This is not working. I have the same setup on a other Hetzner Server but without the additional IPv4 subnet which works with almost the same config.

I can ping the host from the container, but no outside IPs.


Here are the config files of the proxmox host:

/etc/network/interfaces

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp0s31f6
iface enp0s31f6 inet static
        address x.x.x.51/27
        gateway x.x.x.33
        up route add -net x.x.x.32 netmask 255.255.255.224 gw x.x.x.33 dev enp0s31f6
        post-up sysctl -w net.ipv4.ip_forward=1

        #NPM
        post-up iptables -t nat -A PREROUTING -i enp0s31f6 -p tcp -m multiport -d x.x.x.51 --dport 80,443 -j DNAT --to 10.10.10.3
        post-down iptables -t nat -D PREROUTING -i enp0s31f6 -p tcp -m multiport -d x.x.x.51 --dport 80,443 -j DNAT --to 10.10.10.3

        #XMPP
        post-up iptables -t nat -A PREROUTING -i enp0s31f6 -p tcp -m multiport --dport 5000,5269,5222 -j DNAT --to x.x.x.x
        post-down iptables -t nat -D PREROUTING -i enp0s31f6 -p tcp -m multiport --dport 5000,5269,5222 -j DNAT --to x.x.x.x


# route 88.198.23.32/27 via 88.198.23.33

iface enp0s31f6 inet6 static
        address x:x:x:x::x/64
        gateway fe80::1

auto vmbr0
iface vmbr0 inet static
        address x.x.x.136/29
        bridge-ports none
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet static
        address 10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        #MASQ
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o enp0s31f6 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o enp0s31f6 -j MASQUERADE

The output of iptables -L -t nat -v shows that no packed goes through the MASQUERADE rule.

Chain PREROUTING (policy ACCEPT 3018 packets, 149K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    40 DNAT       tcp  --  enp0s31f6 any     anywhere             naruto               multiport dports http,https to:10.10.10.3
   13   688 DNAT       tcp  --  enp0s31f6 any     anywhere             anywhere             multiport dports 5000,xmpp-server,xmpp-client to:x.x.x.138

Chain INPUT (policy ACCEPT 585 packets, 25047 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 85 packets, 5332 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2524 packets, 130K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    enp0s31f6  10.10.10.0/24        anywhere

A tcpdump shows, that the packages are sent but no nat happened

tcpdump -i enp0s31f6 icmp -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp0s31f6, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:36:22.833630 IP 10.10.10.4 > 8.8.8.8: ICMP echo request, id 33002, seq 204, length 64

Here are the settings of the container:



Do you have any idea what is wrong?
Thank You very much.

 

[Gilberto Ferreira]

Hi there.
I am facing the very same issue.
I set up a Proxmox VE 8 in Google Cloud.
I have set up a NAT to my VM can reach Internet, via a "fake" bridge.
If I ticked the firewall in the VM Network configuration no connection between host and the guest!
But if I unticked, the connection woks fine!
Just don't understand why?

 

[Tesla2k]

Same behaviour here.
Strange that it works on my other Proxmox installation with activated firewall.