After following the instructions "Masquerading (NAT) with iptables" I was unable to set up a vmbr1 which should use vmbr0 to access the internet.
This post will be a duplicate which never got an answer.
proxmox-ve:
Installed: 6.2-1
/etc/network/interfaces:
Code:
iface eno2 inet manual

auto vmbr0
iface vmbr0 inet dhcp
    bridge_ports eno2
    bridge_stp off
    bridge_fd 0

auto vmbr1
iface vmbr1 inet static
    address 192.168.0.1
    netmask 255.255.0.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/16' -o vmbr0 -j MASQUERADE
    post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down echo 0 > /proc/sys/net/ipv4/ip_forward
    post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/16' -o vmbr0 -j MASQUERADE
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
Ping from VM in vmbr1:
Code:
root@vm-host-00:~# tcpdump -i vmbr1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr1, link-type EN10MB (Ethernet), capture size 262144 bytes
13:39:08.194348 IP 192.168.0.2 > one.one.one.one: ICMP echo request, id 6201, seq 136, length 64
13:39:09.218333 IP 192.168.0.2 > one.one.one.one: ICMP echo request, id 6201, seq 137, length 64
Code:
root@vm-host-00:~# tcpdump -i vmbr0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:36:59.169941 IP vm-host-00 > one.one.one.one: ICMP echo request, id 6201, seq 10, length 64
13:36:59.192148 IP one.one.one.one > 192.168.0.2: ICMP echo reply, id 6201, seq 10, length 64
After one Ping:
Code:
Chain PVEFW-FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere ctstate INVALID
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 PVEFW-FWBR-IN all -- any any anywhere anywhere PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
1 84 PVEFW-FWBR-OUT all -- any any anywhere anywhere PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
2 168 all -- any any anywhere anywhere /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */
The ping never comes back to 192.168.0.2 since it does not pass PVEFW-FWBR-IN.
Is there something I am missing?
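The "After one Ping" listing above is the kind of evidence that localizes where a packet stops inside the Proxmox firewall chains: the rule counters that move tell you which path the packet took, the ones that stay at zero tell you where it did not go. The following is an added helper (not code from the post or from Proxmox) that parses `iptables -L <chain> -v` output, diffs two snapshots taken before and after a test ping, and lists the rules whose counters never moved. The "after" snapshot embedded below is the PVEFW-FORWARD listing from the post; the "before" snapshot with all-zero counters, and the file names used in the `__main__` block, are constructed for the example.

```python
"""Snapshot-and-diff helper for `iptables -L <chain> -v` packet counters (added example)."""
import sys
from dataclasses import dataclass

# Values the "opt" column can show in `iptables -L -v` listings.
_OPT_VALUES = {"--", "-f", "!f"}
# Without -x, iptables abbreviates large counters with K/M/G (multiples of 1000).
_SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str       # "" for a match-only rule that has no jump target
    prot: str
    iface_in: str
    iface_out: str
    source: str
    destination: str
    extra: str        # trailing match text, e.g. "ctstate INVALID"


def _count(token):
    """Turn a counter token such as '84', '12K' or '3M' into an int."""
    if token[-1] in _SUFFIX:
        return int(token[:-1]) * _SUFFIX[token[-1]]
    return int(token)


def parse_chain(text):
    """Parse one chain listing (header, column-name row, rule lines) into Rule objects."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        # Skip blank lines, the "Chain ..." header and the "pkts bytes target ..." row.
        if len(tokens) < 8 or not tokens[0].rstrip("KMG").isdigit():
            continue
        if tokens[3] in _OPT_VALUES:
            # Third column is already the protocol: the rule has no target
            # (e.g. the PVESIG comment-only rule at the end of the chain).
            target, rest = "", tokens[2:]
        else:
            target, rest = tokens[2], tokens[3:]
        prot, _opt, iface_in, iface_out, src, dst = rest[:6]
        rules.append(Rule(_count(tokens[0]), _count(tokens[1]), target, prot,
                          iface_in, iface_out, src, dst, " ".join(rest[6:])))
    return rules


def diff_counters(before, after):
    """Per-rule packet delta between two snapshots of the same chain (same rule order)."""
    if len(before) != len(after):
        raise ValueError("rule count differs between snapshots; the chain was rewritten")
    return [(a.target or "(match-only)", a.pkts - b.pkts) for b, a in zip(before, after)]


def untouched_rules(before, after):
    """Names of rules whose packet counter did not move: where the test packet did not go."""
    return [name for name, delta in diff_counters(before, after) if delta == 0]


# Constructed "before" snapshot: the same chain with every counter at zero.
BEFORE_TEXT = """\
Chain PVEFW-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 PVEFW-FWBR-IN  all  --  any    any     anywhere             anywhere             PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
    0     0 PVEFW-FWBR-OUT  all  --  any    any     anywhere             anywhere             PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
    0     0            all  --  any    any     anywhere             anywhere             /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */
"""

# "After" snapshot: the listing shown in the post after a single ping.
AFTER_TEXT = """\
Chain PVEFW-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 PVEFW-FWBR-IN  all  --  any    any     anywhere             anywhere             PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
    1    84 PVEFW-FWBR-OUT  all  --  any    any     anywhere             anywhere             PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
    2   168            all  --  any    any     anywhere             anywhere             /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */
"""


def report(before_text=BEFORE_TEXT, after_text=AFTER_TEXT):
    """Return (deltas, untouched) for two chain listings."""
    before, after = parse_chain(before_text), parse_chain(after_text)
    return diff_counters(before, after), untouched_rules(before, after)


if __name__ == "__main__":
    # Hypothetical usage: python3 chaindiff.py before.txt after.txt
    # where each file holds `iptables -L PVEFW-FORWARD -v` output.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_before, open(sys.argv[2]) as f_after:
            deltas, untouched = report(f_before.read(), f_after.read())
    else:
        deltas, untouched = report()
    for name, delta in deltas:
        print(f"{name:<16} +{delta} pkts")
    print("rules never hit:", ", ".join(untouched))
```

Run on the embedded snapshots, the report shows PVEFW-FWBR-OUT gaining one packet and the trailing match-only rule gaining two, while DROP, ACCEPT and PVEFW-FWBR-IN stay at zero; taking the two snapshots around a single ping on a real host and feeding them in is the same workflow the post performs by hand.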