NAT not working

[denvercoder9]

After following the instructions "Masquerading (NAT) with iptables" I was unable to set up a vmbr1 which should use vmbr0 to access the internet.
This post will be a duplicate which never got an answer.

proxmox-ve:
Installed: 6.2-1

/etc/network/interfaces:

iface eno2 inet manual
auto vmbr0
iface vmbr0 inet dhcp
    bridge_ports eno2
    bridge_stp off
    bridge_fd 0
auto vmbr1
iface vmbr1 inet static
    address 192.168.0.1
    netmask 255.255.0.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/16' -o vmbr0 -j MASQUERADE
    post-up iptables -t raw -I PREROUTING  -i fwbr+ -j CT --zone 1
    post-down echo 0 > /proc/sys/net/ipv4/ip_forward
    post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/16' -o vmbr0 -j MASQUERADE
    post-down iptables -t raw -D PREROUTING  -i fwbr+ -j CT --zone 1

Ping from VM in vmbr1:

root@vm-host-00:~# tcpdump -i vmbr1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr1, link-type EN10MB (Ethernet), capture size 262144 bytes
13:39:08.194348 IP 192.168.0.2 > one.one.one.one: ICMP echo request, id 6201, seq 136, length 64
13:39:09.218333 IP 192.168.0.2 > one.one.one.one: ICMP echo request, id 6201, seq 137, length 64

root@vm-host-00:~# tcpdump -i vmbr0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:36:59.169941 IP vm-host-00 > one.one.one.one: ICMP echo request, id 6201, seq 10, length 64
13:36:59.192148 IP one.one.one.one > 192.168.0.2: ICMP echo reply, id 6201, seq 10, length 64

After one Ping:

Chain PVEFW-FORWARD (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 PVEFW-FWBR-IN  all  --  any    any     anywhere             anywhere             PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
    1    84 PVEFW-FWBR-OUT  all  --  any    any     anywhere             anywhere             PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
    2   168            all  --  any    any     anywhere             anywhere             /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */

The ping never comes back to 192.168.0.2 since it does not pass PVEFW-FWBR-IN.
Is there something I am missing?

 

[jlebherz]

Hey,

you have to configure the vmbr0 with a static IP, then this should work

 

[denvercoder9]

That solved my problem.
What exactly is the reason that static config is required?

 

[jlebherz]

I'm not quite sure, on a standard interface you can use DHCP but not on a bridge...

 

[denvercoder9]

Well the bridge used this config to get an IP it kinda worked fine.