[SOLVED] NAT networking help

[vesuvienne]

Hi team !
Need some help, i don't know what i'm doing wrong, i followed the proxmox doc for NAT but i can't access internet from my VM
they can ping each other host/vm
host can ping google
VM can't

HOST PROXMOX /etc/network/interfaces

auto enp2s2
#real IP address
iface enp2s2 inet static
      address  192.168.10.10/24
      gateway  192.168.10.254

auto vmbr0
iface vmbr0 inet static
address  10.10.10.1/24
bridge_ports none
bridge_stp off
bridge_fd 0

  post-up echo 1 > /proc/sys/net/ipv4/ip_forward
  post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o enp2s2 -j MASQUERADE
  post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o enp2s2 -j MASQUERADE

# try with that to, even if i don't have firewall enable
   post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1

in my VM /etc/network/interfaces

auto ens18
iface en18 inet static
address 10.10.10.2/24
gateway 10.10.10.1

 

[shanreich]

what's the actual name of your network interface? you have enp2s2 and enp2S2 in your config - those name are case sensitive so I'd imagine that could cause an issue.

Can you post the output of ip a

 

[vesuvienne]

my bad for enp2s2 and enp2S2 just missclick
do i need a special router or to go out of the box dhcp range?
ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp2s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether e4:54:e8:53:cf:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.10/24 scope global enp2s2
       valid_lft forever preferred_lft forever
    inet6 2a01:e0a:d83:fcc0:e654:e8ff:fe53:cff1/64 scope global dynamic mngtmpaddr
       valid_lft 86370sec preferred_lft 86370sec
    inet6 fe80::e654:e8ff:fe53:cff1/64 scope link
       valid_lft forever preferred_lft forever
3: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether be:f2:e0:ba:e8:e1 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 scope global vmbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::68f0:fdff:fedd:e99f/64 scope link
       valid_lft forever preferred_lft forever

 

[shanreich]

do i need a special router or to go out of the box dhcp range?

no, it should be fine as long as the host as an internet connection - which it does

what do the following commands say?

iptables -L -t nat
cat /proc/sys/net/ipv4/ip_forward

 

[vesuvienne]

 iptables -L -t nat      
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
          
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
    
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  10.10.10.0/24        anywhere

cat /proc/sys/net/ipv4/ip_forward
1

 

[shanreich]

looking alright to me so far - did you check via tcpdump on the host if the packets are going out properly?

Run those 2 commands in 2 shells and try to ping from within the VM

tcpdump -envi vmbr0 icmp
tcpdump -envi enp2s2 icmp

 

[vesuvienne]

so i run this 2 command (tcpdump -envi vmbr0 icmp & tcpdump -envi enp2s2 icmp) on HOST (2 different shell)

In my VM i ping the IP address of vmbr0 (hope this is correct)
i see the route: tcpdump -envi vmbr0 icmp
10.10.10.1 > 10.10.10.2: ICMP echo reply

In my VM ping the IP address of enp2s2
ping work in vm
but nothing happen on the side tcpdump -envi enp2s2 icmp

In my VM ping the IP gateway of enp2s2
i see the route: tcpdump -envi enp2s2 icmp
10.10.10.2 > 192.168.10.254: ICMP echo request

I just want separate my network (i don't want spam my local network with multiple test or personnal VM)
1. for my local network 192.168.10.* (share VM service with family)
2. for my personal use 10.10.10.*

should i have this type of iptable rules or proxmox do it for me ?

iptables -A FORWARD -i vmbr1 -o vmbr0 -j ACCEPT
iptables -A FORWARD -i vmbr0 -o vmbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT

 

[vesuvienne]

so i resolve the problem but i didn't rly understand why(probably a wrong config on my side) because it's exactly the doc of proxmox, i did change a bit the configuration

host /etc/network/interfaces

auto lo
iface lo inet loopback

iface enp2s2 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.10.10/24
        gateway 192.168.10.254
        bridge-ports enp2s2
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet static
        address 192.168.20.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
      
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.20.0/24' -o vmbr0 -j MASQUERADE
post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

In the VM: /etc/network/interfaces

auto lo
iface lo inet loopback

auto ens18
iface ens18 inet static
    address 192.168.20.2
    netmask 255.255.255.0
    gateway 192.168.20.1 # bridge IP