NAT not working

denvercoder9

Member
Aug 24, 2020
After following the instructions in "Masquerading (NAT) with iptables", I was unable to set up a vmbr1 that should use vmbr0 to access the internet.
This post is a duplicate of an earlier one that never got an answer.

proxmox-ve:
Installed: 6.2-1

/etc/network/interfaces:
Code:
# Physical uplink, no address of its own; it is enslaved to vmbr0
iface eno2 inet manual

# Uplink bridge: gets its address from the LAN via DHCP
auto vmbr0
iface vmbr0 inet dhcp
    bridge_ports eno2
    bridge_stp off
    bridge_fd 0

# Internal bridge for the NATed guests, no physical port
auto vmbr1
iface vmbr1 inet static
    address 192.168.0.1
    netmask 255.255.0.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    # Let the host route between vmbr1 and vmbr0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    # Source-NAT everything from the guest network that leaves via vmbr0
    post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/16' -o vmbr0 -j MASQUERADE
    # Track packets entering via the pve-firewall bridges (fwbr*) in conntrack zone 1
    post-up iptables -t raw -I PREROUTING  -i fwbr+ -j CT --zone 1
    # Undo all of the above when the bridge goes down
    post-down echo 0 > /proc/sys/net/ipv4/ip_forward
    post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/16' -o vmbr0 -j MASQUERADE
    post-down iptables -t raw -D PREROUTING  -i fwbr+ -j CT --zone 1

Ping from a VM on vmbr1:

Code:
root@vm-host-00:~# tcpdump -i vmbr1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr1, link-type EN10MB (Ethernet), capture size 262144 bytes
13:39:08.194348 IP 192.168.0.2 > one.one.one.one: ICMP echo request, id 6201, seq 136, length 64
13:39:09.218333 IP 192.168.0.2 > one.one.one.one: ICMP echo request, id 6201, seq 137, length 64

Code:
root@vm-host-00:~# tcpdump -i vmbr0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:36:59.169941 IP vm-host-00 > one.one.one.one: ICMP echo request, id 6201, seq 10, length 64
13:36:59.192148 IP one.one.one.one > 192.168.0.2: ICMP echo reply, id 6201, seq 10, length 64

After one ping:

Code:
Chain PVEFW-FORWARD (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 PVEFW-FWBR-IN  all  --  any    any     anywhere             anywhere             PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
    1    84 PVEFW-FWBR-OUT  all  --  any    any     anywhere             anywhere             PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
    2   168            all  --  any    any     anywhere             anywhere             /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */

The ping never comes back to 192.168.0.2 since it does not pass PVEFW-FWBR-IN.
Is there something I am missing?
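A checker for the setup described in the post, as an added example (it is neither the poster's nor Proxmox's code). It cross-checks the NAT bridge stanza in /etc/network/interfaces against the POSTROUTING rule iptables actually holds and against net.ipv4.ip_forward, and then lists which PVEFW-FORWARD rules have non-zero counters, which is the comparison the post makes by hand. The bridge names vmbr1/vmbr0 and the `--live` flag are assumptions; the embedded sample data is a constructed copy of what the post shows, so the script runs offline by default.

```shell
#!/bin/sh
# Added example, not code from the forum post or from Proxmox. With --live it
# reads the real interfaces file and iptables state (needs root on a PVE host);
# otherwise it runs on constructed sample data copied from the post.

# 255.255.0.0 -> 16
mask_to_prefix() {
    bits=0
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        while [ "$o" -gt 0 ]; do
            bits=$((bits + (o & 1))); o=$((o >> 1))
        done
    done
    printf '%s\n' "$bits"
}

# 16 -> 255.255.0.0
prefix_to_mask() {
    p=$1; out=""
    for i in 0 1 2 3; do
        b=$((p - 8 * i))
        if [ "$b" -gt 8 ]; then b=8; elif [ "$b" -lt 0 ]; then b=0; fi
        out="$out.$(( (255 << (8 - b)) & 255 ))"
    done
    printf '%s\n' "${out#.}"
}

# 192.168.0.1 255.255.0.0 -> 192.168.0.0/16 (the -s value MASQUERADE must match)
network_cidr() {
    mask=$2; out=""
    set -- $(printf '%s' "$1" | tr '.' ' ')
    for m in $(printf '%s' "$mask" | tr '.' ' '); do
        out="$out.$(($1 & m))"; shift
    done
    printf '%s/%s\n' "${out#.}" "$(mask_to_prefix "$mask")"
}

# Print "address netmask" (or "address/prefix") of BRIDGE from interfaces text.
bridge_network() {
    printf '%s\n' "$1" | awk -v br="$2" '
        $1 == "iface"                { cur = $2 }
        cur == br && $1 == "address" { addr = $2 }
        cur == br && $1 == "netmask" { mask = $2 }
        END { print addr, mask }'
}

# Exit 0 and print "ok ..." only when ip_forward is 1 and the output of
# "iptables -t nat -S POSTROUTING" has a MASQUERADE rule for BRIDGE's network
# leaving via UPLINK; otherwise print the reason and exit 1.
check_masquerade() {
    cfg=$1; bridge=$2; uplink=$3; ip_forward=$4; nat_rules=$5
    if [ "$ip_forward" != 1 ]; then
        echo "fail: net.ipv4.ip_forward is $ip_forward, forwarded packets are dropped"; return 1
    fi
    set -- $(bridge_network "$cfg" "$bridge")
    if [ -z "$1" ]; then echo "fail: no address configured on $bridge"; return 1; fi
    case $1 in
        */*) net=$(network_cidr "${1%/*}" "$(prefix_to_mask "${1#*/}")") ;;
        *)   net=$(network_cidr "$1" "$2") ;;
    esac
    if ! printf '%s\n' "$nat_rules" | grep -qF -- "-A POSTROUTING -s $net -o $uplink -j MASQUERADE"; then
        echo "fail: no MASQUERADE rule for $net leaving via $uplink"; return 1
    fi
    echo "ok: $net is masqueraded via $uplink"
}

# From "iptables -vnL CHAIN" output print "pkts target" for every rule whose
# counter is non-zero; a rule without a target (the PVESIG marker) shows "-".
hit_targets() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && $1 > 0 {
            t = $3
            if (t ~ /^(all|tcp|udp|icmp|[0-9]+)$/) t = "-"
            print $1, t
        }'
}

# Constructed sample data mirroring the post: the vmbr1 stanza, what
# "iptables -t nat -S POSTROUTING" shows once the post-up line ran, and the
# PVEFW-FORWARD counters after one ping.
SAMPLE_IFACES='auto vmbr1
iface vmbr1 inet static
    address 192.168.0.1
    netmask 255.255.0.0
    bridge_ports none'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.0.0/16 -o vmbr0 -j MASQUERADE'
SAMPLE_FWD='Chain PVEFW-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 PVEFW-FWBR-IN  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
    1    84 PVEFW-FWBR-OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
    2   168            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */'

if [ "${1:-}" = "--live" ]; then
    ifaces=$(cat /etc/network/interfaces)
    nat=$(iptables -t nat -S POSTROUTING)
    fwd=$(iptables -vnL PVEFW-FORWARD)
    fwdval=$(sysctl -n net.ipv4.ip_forward)
else
    ifaces=$SAMPLE_IFACES; nat=$SAMPLE_NAT; fwd=$SAMPLE_FWD; fwdval=1
fi
check_masquerade "$ifaces" vmbr1 vmbr0 "$fwdval" "$nat" || true
echo "PVEFW-FORWARD rules that saw packets (pkts target):"
hit_targets "$fwd"
```

On the post's data the NAT side comes out as "ok", and the only rules with hits are PVEFW-FWBR-OUT and the PVESIG marker, which matches the counters in the post; run it with `--live` after each change to the interfaces file to see which half of the path moved.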