NAT not working with VLAN

murda

Member
Jan 3, 2024
I feel like this should be simple but I can't find anything relevant after many hours searching online.

I simply want to NAT a private IP range to a public IP on a VLAN aware bridge but it just doesn't work.

Creating untagged container/VM and they can reach internet just fine, but tag them with VLAN ID then they can't, they can only reach other guests within the same VLAN...

Code:
auto lo
iface lo inet loopback

iface enp0s31f6 inet manual

auto vmbr0
iface vmbr0 inet static
    address xx.xx.xx.xx/26
    gateway xx.xx.xx.xx
    bridge-ports enp0s31f6
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr0
iface vmbr0 inet static
    address xx.xx.xx.xx/26
#2nd IP address alias

auto ct1
iface ct1 inet static
    address 10.0.0.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
    post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j SNAT --to-source xx.xx.xx.xx
    post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j SNAT --to-source xx.xx.xx.xx
    post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
#NAT to 2nd IP address
 
I believe this could address your issue. Just make sure to adjust it according to your needs.
Code:
auto lo
iface lo inet loopback

iface ens18 inet manual

auto vmbr0
iface vmbr0 inet static
        address 10.0.1.7/24
        gateway 10.0.1.254
        bridge-ports ens18
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vlan123
iface vlan123 inet static
        address 10.0.0.1/24
        bridge-ports vmbr1.123
        bridge-stp off
        bridge-fd 0
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
        post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
        
auto vlan122
iface vlan122 inet static
        address 10.0.10.1/24
        bridge-ports vmbr1.122
        bridge-stp off
        bridge-fd 0
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.0.10.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.10.0/24' -o vmbr0 -j MASQUERADE
        post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
 
Thanks, but I don't think this reaches my desired setup, does it? This expects guests tagged with VID 122 and 123, while I want to be able to use any tag without creating a specific VLAN subinterface for it. Transparent VLAN, as the docs call it.
 
Unfortunately, this is the only option available because the gateway must be reachable from all VLANs. Using the same subnet for all VLANs is not recommended, as it defeats the purpose of using VLANs and is highly undesirable.
 
Ok, I see. I want to configure Proxmox such that each user gets their own VLAN space for their containers, isolated from other users' containers. So, for example, Bob would get 3 containers tagged 50 which can communicate with each other and with the internet, and Alice 2 containers tagged 51 in the same fashion, and subsequently the VLAN is incremented for each user.

It just seemed to me that this would be simpler to automate via scripting with the PVE REST API, because my script would then only be concerned with creating properly tagged containers on a VLAN-aware bridge, instead of also programmatically creating new VLAN subinterfaces and subnets and reloading with ifreload -a. But I will explore the latter more.
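As an added example (not from this thread), a small POSIX shell generator that emits the per-VLAN stanza from the reply above for a given VLAN ID, so the per-user VLAN can be scripted alongside container creation instead of hand-edited. It assumes vmbr1 as the VLAN-aware bridge, vmbr0 as the NAT uplink and a 10.0.<VID>.0/24 addressing scheme (hence VIDs 2 to 254). It also adds FORWARD rules that the reply's config lacks: with ip_forward enabled and no filtering, the host routes between the vlan subnets, so the per-user isolation asked for needs them.

```shell
#!/bin/sh
# Emit an ifupdown2 stanza for one per-user VLAN: a routed bridge on
# vmbr1.<VID> with its own /24, MASQUERADE out of vmbr0, and FORWARD rules
# so traffic from the VLAN may only leave via vmbr0 (no inter-VLAN routing).
# Assumed layout, not from the thread: vmbr1 = VLAN-aware bridge,
# vmbr0 = uplink, subnet 10.0.<VID>.0/24.

vlan_subnet() {
    # Map a VLAN ID to its /24; reject anything the scheme cannot encode.
    vid=$1
    case $vid in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$vid" -lt 2 ] || [ "$vid" -gt 254 ]; then
        return 1
    fi
    printf '10.0.%s.0/24\n' "$vid"
}

gen_vlan_stanza() {
    vid=$1
    subnet=$(vlan_subnet "$vid") || return 1
    cat <<EOF
auto vlan$vid
iface vlan$vid inet static
        address 10.0.$vid.1/24
        bridge-ports vmbr1.$vid
        bridge-stp off
        bridge-fd 0
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '$subnet' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '$subnet' -o vmbr0 -j MASQUERADE
        post-up   iptables -I FORWARD -i vlan$vid ! -o vmbr0 -j DROP
        post-down iptables -D FORWARD -i vlan$vid ! -o vmbr0 -j DROP
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
EOF
}

# Usage: gen_vlan_stanza 50 >> /etc/network/interfaces && ifreload -a
```

The DROP rule matches by ingress interface, so a guest in VLAN 50 can reach vmbr0 and get replies, but packets it sends towards another vlanNN bridge are discarded before the host routes them.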
 
