[SOLVED] NAT Networking Problem

efesaid

New Member
Sep 19, 2012
Definition

I have installed Proxmox 3.2 and I am trying to configure a virtual machine as a communication server that handles all traffic and forwards it to the nodes with private IPs.
I configured the server for NAT networking with two CentOS virtual machines which have exactly the same configuration.
What I Did

The Proxmox wiki has very limited and basic NAT networking documentation. I found similar problems (this, this) here and on the Proxmox forums. I tried to understand the basics of Linux NAT networking, so I completed this very understandable tutorial from beginning to end. I read this article for iptables NAT rules.
Problems

After installation and configuration, when I ping from host to VM or from VM to host, the output is:
Code:
root@testPrx:~# ping 10.0.4.2
PING 10.0.4.2 (10.0.4.2) 56(84) bytes of data.
From 10.0.4.1 icmp_seq=2 Destination Host Unreachable
When I try a telnet connection to the communication server's public IP from a server in the same network which has an internet connection (192.168.0.3):
Code:
-bash-4.1# telnet 192.168.0.2 2701
Trying 192.168.0.2...
telnet: connect to address 192.168.0.2: No route to host
When I try a telnet connection to localhost or 192.168.0.2, the result is the same:
Code:
root@testPrx:~# telnet localhost 2701
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
Question

Everything works fine on containers but not on KVM. What is my mistake?
Configurations

All host and virtual machine configurations are:
Proxmox Server

Proxmox version

root@testPrx:~# pveversion
pve-manager/3.2-4/e24a91c1 (running kernel: 2.6.32-29-pve)
Network interfaces

Network interfaces added via the web interface:




  • net0 -> vmbr0
  • net1 -> vmbr1
Code:
root@testPrx:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
        gateway 192.168.0.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        address 10.0.4.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.0.4.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.0.4.0/24' -o vmbr0 -j MASQUERADE

#these rules forward traffic on port 2701 to port 22 on the VM at IP 10.0.4.2
#the post-down rule must name the same port (2701) as the post-up rule, otherwise the DNAT rule is never removed on ifdown

post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2701 -j DNAT --to 10.0.4.2:22
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 2701 -j DNAT --to 10.0.4.2:22
NAT firewall rules (there are no filters):

Code:
root@testPrx:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:2701 to:10.0.4.2:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.0.4.0/24          anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Routing table
Code:
root@testPrx:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.4.0        *               255.255.255.0   U     0      0        0 vmbr1
192.168.0.0     *               255.255.255.0   U     0      0        0 vmbr0
default         192.168.0.1     0.0.0.0         UG    0      0        0 vmbr0
IP forwarding
Code:
root@testPrx:~# cat /proc/sys/net/ipv4/ip_forward
1
Virtual Machines

OS version

Code:
-bash-4.1# cat /etc/redhat-release
CentOS release 6.4 (Final)
Interfaces

eth0
Code:
-bash-4.1# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
IPADDR=192.168.0.3
GATEWAY=192.168.0.1
NETMASK=255.255.255.0
eth1
Code:
-bash-4.1# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
IPADDR=10.0.4.2
GATEWAY=10.0.4.1
NETMASK=255.255.255.0
SSH daemon is running and listening on port 22 successfully:
Code:
-bash-4.1# netstat -puntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:85                  0.0.0.0:*                   LISTEN      1100/sshd
Routing Table

Code:
-bash-4.1# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.4.0        *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     1002   0        0 eth0
link-local      *               255.255.0.0     U     1003   0        0 eth1
default         10.0.4.1        0.0.0.0         UG    0      0        0 eth1
Hello efesaid,

try to adapt the iptables statements like this:

Code:
iptables -t nat -A POSTROUTING -s '10.0.4.0/24' ! -d 10.0.4.0/24 -o vmbr0 -j MASQUERADE

Why? Only for traffic leaving the LAN masquerading makes sense. I guess in case of CTs it works despite this if venet0 is used.

Kind regards

Mr.Holmes
 
I created an account just to say that I have the same problem. Can't NAT or bridge to any private range.

Code:
root@pve:~# ping -I vmbr1 google.com
PING google.com (173.194.39.97) from 10.1.1.1 vmbr1: 56(84) bytes of data.
From 10.1.1.1 icmp_seq=2 Destination Host Unreachable
From 10.1.1.1 icmp_seq=3 Destination Host Unreachable
From 10.1.1.1 icmp_seq=4 Destination Host Unreachable

Code:
root@pve:~# tcpdump -n -v -i vmbr1
tcpdump: listening on vmbr1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:26:58.588677 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 173.194.39.78 tell 10.1.1.1, length 28
20:26:59.588689 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 173.194.39.78 tell 10.1.1.1, length 28
20:27:00.588700 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 173.194.39.78 tell 10.1.1.1, length 28
20:27:02.589679 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 173.194.39.78 tell 10.1.1.1, length 28

Thought I was doing something wrong. Tried like 100 different configurations. No success. Is there a known issue?
I found my mistake while I was sleeping, so I woke up immediately and fixed it. The interface which is doing NAT networking is vmbr1, but when I set up the virtual machine I was assigning the wrong bridge (vmbr0) to the network device.
To fix this I stopped the virtual machine and changed the bridge from vmbr0 to vmbr1. Now everything works fine.
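The three things that went wrong or were flagged in this thread (a VM NIC attached to the wrong bridge, a MASQUERADE rule without the "! -d" LAN exclusion Mr.Holmes suggested, and a post-up/post-down iptables pair that does not match) can all be caught by reading the host's /etc/network/interfaces and the VM's config before starting the guest. The script below is an added example, not code from the thread or from Proxmox: it parses both files' text with a small hand-written parser, and the only Proxmox knowledge it relies on is the "netN: model=MAC,bridge=vmbrX,..." line format of a VM config. The sample inputs are constructed from the thread's addresses (the MAC addresses are placeholders), and the guest IPs are passed in by hand because the guest's ifcfg files are not visible from the host.

```python
# Added example (not the thread's or Proxmox's code): consistency checks over the text
# of a Debian-style /etc/network/interfaces and a Proxmox VM config ("netN: ...,bridge=vmbrX").
import ipaddress
import re
import shlex

def parse_interfaces(text):
    """Return ({iface: {option: value}}, [post-up commands], [post-down commands])."""
    ifaces, post_up, post_down, current = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        rest = rest.strip()
        if key == "iface":
            current = rest.split()[0]
            ifaces.setdefault(current, {})
        elif key == "post-up":
            post_up.append(rest)
        elif key == "post-down":
            post_down.append(rest)
        elif key != "auto" and current is not None:
            ifaces[current][key] = rest
    return ifaces, post_up, post_down

def rule_key(cmd):
    """iptables command with -A/-D neutralised, so an add rule and its delete compare equal."""
    return tuple("ACTION" if t in ("-A", "-D") else t for t in shlex.split(cmd))

def unpaired_post_up(post_up, post_down):
    """post-up iptables rules that no post-down line deletes (they pile up across ifdown/ifup)."""
    downs = {rule_key(c) for c in post_down if c.startswith("iptables")}
    return [c for c in post_up if c.startswith("iptables") and rule_key(c) not in downs]

def masquerade_without_lan_exclusion(post_up):
    """MASQUERADE rules lacking '! -d <source network>', i.e. masquerading LAN-internal traffic too."""
    bad = []
    for cmd in post_up:
        toks = shlex.split(cmd)
        if "MASQUERADE" not in toks or "-s" not in toks:
            continue
        src = toks[toks.index("-s") + 1]
        if not any(toks[i:i + 3] == ["!", "-d", src] for i in range(len(toks) - 2)):
            bad.append(cmd)
    return bad

def bridge_networks(ifaces):
    """Map each interface that has address+netmask to its IPv4 network."""
    return {n: ipaddress.ip_interface(f"{o['address']}/{o['netmask']}").network
            for n, o in ifaces.items() if "address" in o and "netmask" in o}

VM_NET_RE = re.compile(r"^(net\d+):\s*(.+)$")

def parse_vm_nets(text):
    """netN -> option dict (e.g. {'virtio': 'DE:AD:...', 'bridge': 'vmbr1'}) from a VM config."""
    nets = {}
    for line in text.splitlines():
        m = VM_NET_RE.match(line.strip())
        if m:
            nets[m.group(1)] = dict(kv.split("=", 1) for kv in m.group(2).split(",") if "=" in kv)
    return nets

def misattached_nics(ifaces, vm_conf, guest_ips):
    """(netN, bridge, guest_ip) for NICs whose guest address lies outside the bridge's subnet;
    guest_ips maps netN to the address configured inside the guest."""
    nets, problems = bridge_networks(ifaces), []
    for nic, opts in parse_vm_nets(vm_conf).items():
        bridge, ip = opts.get("bridge"), guest_ips.get(nic)
        if bridge in nets and ip and ipaddress.ip_address(ip) not in nets[bridge]:
            problems.append((nic, bridge, ip))
    return problems

def audit(interfaces_text, vm_conf_text, guest_ips):
    """Run all three checks; every list is empty on a sound setup."""
    ifaces, up, down = parse_interfaces(interfaces_text)
    return {"unpaired": unpaired_post_up(up, down),
            "masq_no_exclusion": masquerade_without_lan_exclusion(up),
            "misattached": misattached_nics(ifaces, vm_conf_text, guest_ips)}

# Constructed sample host config from the thread's values, with a post-down port (2702)
# that does not match its post-up rule (2701) so that the first check has something to find.
SAMPLE_INTERFACES = """\
auto vmbr0
iface vmbr0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
auto vmbr1
iface vmbr1 inet static
        address 10.0.4.1
        netmask 255.255.255.0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.0.4.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.0.4.0/24' -o vmbr0 -j MASQUERADE
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2701 -j DNAT --to 10.0.4.2:22
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 2702 -j DNAT --to 10.0.4.2:22
"""
# Constructed sample VM config with net1 on vmbr0 (the mistake the thread ends with); placeholder MACs.
SAMPLE_VM_CONF_WRONG = "net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr0\nnet1: virtio=DE:AD:BE:EF:00:02,bridge=vmbr0\n"
SAMPLE_VM_CONF_FIXED = SAMPLE_VM_CONF_WRONG.replace("00:02,bridge=vmbr0", "00:02,bridge=vmbr1")
GUEST_IPS = {"net0": "192.168.0.3", "net1": "10.0.4.2"}  # as set in the guest's ifcfg-eth0/eth1

if __name__ == "__main__":
    print(audit(SAMPLE_INTERFACES, SAMPLE_VM_CONF_WRONG, GUEST_IPS))
```

With the "wrong" VM config the audit reports net1 as attached to vmbr0 although its guest address 10.0.4.2 belongs to vmbr1's subnet, which is exactly the symptom the thread describes (ARP for 10.0.4.2 goes out on the wrong bridge, so the host sees "Destination Host Unreachable"); with the corrected config that entry disappears while the two iptables findings remain, since they live in the host file rather than the VM config.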