NAT from real ip

thefatrogers

New Member
Jul 16, 2023
Hello,

This is my first time trying to set up Proxmox VE. I want to route traffic to VMs via the one real IP I have.

I did the following to my /etc/network/interfaces:

Bash:
auto lo
iface lo inet loopback

auto ens2f0
iface ens2f0 inet static
        address xxx.xxx.105.45/29
        gateway xxx.xxx.105.41

auto vmbr0
iface vmbr0 inet static
        address 10.0.0.1/16
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/16' -o ens2f0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/16' -o ens2f0 -j MASQUERADE


Then I installed an Ubuntu VM and did the network setup for the VM as shown in the attachment.

From the VM I can ping 10.0.0.1, but it doesn't reach the internet. What could cause the problem? How do I make it work? Thanks!
 

Attachments

  • Screenshot at Jul 17 02-40-59.png
Hi,
do you have the PVE Firewall enabled? Maybe you need the conntrack zones as described in the docs [0] for the outgoing connections.

You can check the traffic on the bridge and the NIC via tcpdump on the PVE host for further troubleshooting.

[0] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_network_masquerading
 
I have the firewall disabled, and I added those anyway, but it still hasn't worked. Also, is my configuration correct?
Sometimes it doesn't even reach the local IP gateway.
 
Is the guest IP set to a /16 subnet too?
Here's all of my config including VM:



/etc/network/interfaces
Bash:
auto ens2f0
iface ens2f0 inet static
        address xxx.xxx.105.45/29
        gateway xxx.xxx.105.41

auto vmbr0
iface vmbr0 inet static
        address 10.0.0.1/16
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/16' -o ens2f0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/16' -o ens2f0 -j MASQUERADE

Ubuntu VM (in the attached screenshot)
 

Attachments

  • Screenshot at Jul 17 02-40-59.png
The VM can ping the gateway 10.0.0.1 normally, but I cannot reach the internet via the VM; that is my issue.
 
Can you ping the public IP of the host itself? Please attach the output of iptables-save as an attachment.
 
Had this same issue, the solution on the wiki worked for me. Just add that section of code to your config.

In some masquerade setups with firewall enabled, conntrack zones might be needed for outgoing connections. Otherwise the firewall could block outgoing connections since they will prefer the POSTROUTING of the VM bridge (and not MASQUERADE).

Adding these lines in the /etc/network/interfaces can fix this problem:

Code:
post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
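
The checks this thread asks for, applied offline to `iptables-save` output, as an added example that is not part of any post above: it looks for the MASQUERADE rule from the posted config, a `FORWARD` policy that would drop the VM's packets, and the conntrack zone rule quoted from the docs. The function names and the sample dump are constructed for illustration, and it assumes rules appear in the `-A CHAIN ...` form that `iptables-save` prints.

```shell
#!/bin/sh
# Constructed sample dump (not taken from the poster's host).
sample_dump() {
cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/16 -o ens2f0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT
EOF
}

# rule_in TABLE REGEX FILE: succeed if an -A line inside TABLE matches REGEX.
rule_in() {
    awk -v t="*$1" -v re="$2" '
        /^\*/ { cur = $1 }
        cur == t && /^-A / && $0 ~ re { hit = 1 }
        END { exit !hit }' "$3"
}

# forward_policy FILE: print the default policy of the filter FORWARD chain.
forward_policy() {
    awk '/^\*/ { cur = $1 } cur == "*filter" && $1 == ":FORWARD" { print $2 }' "$1"
}

# audit FILE SUBNET OUT_IF: print findings; exit status is the number of problems.
audit() {
    problems=0
    if ! rule_in nat "^-A POSTROUTING .*-s $2 .*-o $3 .*-j MASQUERADE" "$1"; then
        echo "MISSING: nat POSTROUTING MASQUERADE for $2 via $3"; problems=$((problems + 1))
    fi
    if [ "$(forward_policy "$1")" = DROP ] && ! rule_in filter '^-A FORWARD .*-j ACCEPT' "$1"; then
        echo "BLOCKED: filter FORWARD policy is DROP and no rule accepts forwarded packets"
        problems=$((problems + 1))
    fi
    rule_in raw '^-A PREROUTING -i fwbr[+] -j CT --zone 1' "$1" ||
        echo "NOTE: no conntrack zone rule on fwbr+ (may be needed with the PVE firewall on)"
    return "$problems"
}

# Demo on the sample; on a host: iptables-save > dump.txt, then audit dump.txt <subnet> <nic>.
tmp=$(mktemp); sample_dump > "$tmp"
audit "$tmp" 10.0.0.0/16 ens2f0 || echo "problems found: $?"
rm -f "$tmp"
```

The sample is built to show the case where the MASQUERADE rule is present but forwarding is still blocked by the filter table, which a NAT-only check would miss.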
 
