NAT Masquerade not working with Firewall enabled

Jul 15, 2019

im playing around with Proxmox at home wanting to put it on a dedicated sever at Hetzner later, and have some trouble using a private network for the VMs.

The config below works, i can Ping from a Container in the private net(192.168) to my Desktop in my LAN (10.10), and if i look at the Ping in Wireshark the source IP is But if i now enable the Firewall in Proxmox, the source IP of the ping request changes to the private address of the Container, and it does not receive the reply.

The masquerade rule is still in the NAT table after enabling the Firewall, but it does not get executed.

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
    netmask 24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

auto vmbr1
iface vmbr1 inet static
    netmask 24
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '' -o vmbr1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '' -o vmbr1 -j MASQUERADE


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!