Need to NAT from a bridge to another

Glikz

Oct 15, 2025
Hi guys,

I'm facing a problem and I would need your help please. Here are some details:

- let's imagine two bridges (vmbr1 and vmbr9)
- vmbr1 is associated with a public IP range
- vmbr9 is masquerading all hosts "behind" it by using vmbr0 IP address (which is my Proxmox/dedicated server's public IP address)

Right now packets from vmbr9 to vmbr1 are routed by Proxmox, so the machines behind vmbr1 see the private IP addresses of the machines behind vmbr9. What I would need is for Proxmox to NAT machines located behind vmbr9 even when they try to communicate with vmbr1 machines. So I would need machines from vmbr1 to see the vmbr0 IP address and not their real private IP address as it is right now.

Any help appreciated. Thanks.


vmbr9 config:

auto vmbr9
iface vmbr9 inet static
        address 172.16.32.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up   iptables -t nat -A POSTROUTING -s '172.16.32.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '172.16.32.0/24' -o vmbr0 -j MASQUERADE
        # the CT target is only valid in the raw table
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

Hi,
It looks like your current setup only masquerades traffic going out via vmbr0, which works for internet-bound traffic. But when packets go from vmbr9 to vmbr1, they don't hit vmbr0, so no NAT is applied.
You can fix this by adding a NAT rule for traffic from vmbr9 to vmbr1, something like:
Code:
post-up iptables -t nat -A POSTROUTING -s 172.16.32.0/24 -d 192.168.1.0/24 -j SNAT --to-source 203.0.113.10
post-down iptables -t nat -D POSTROUTING -s 172.16.32.0/24 -d 192.168.1.0/24 -j SNAT --to-source 203.0.113.10
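Added example (not part of the original posts): a small Python model of first-match POSTROUTING evaluation over the rules quoted in this thread, showing which source address a vmbr1 machine sees before and after the SNAT rule, and why MASQUERADE on vmbr1 would not give the vmbr0 address. The vmbr1 address 192.168.1.1, the MASQ_VMBR1 rule, the sample packets and all function names are assumptions; 192.168.1.0/24 and 203.0.113.10 are the placeholders used in the reply.

```python
import ipaddress
import shlex

# Constructed interface addresses: vmbr0 is the reply's placeholder, vmbr1 is assumed.
IFACE_ADDR = {"vmbr0": "203.0.113.10", "vmbr1": "192.168.1.1"}

# nat/POSTROUTING rule from the question.
ORIGINAL = ["-A POSTROUTING -s '172.16.32.0/24' -o vmbr0 -j MASQUERADE"]
# The question's rule plus the SNAT rule suggested in the reply.
WITH_SNAT = ORIGINAL + [
    "-A POSTROUTING -s 172.16.32.0/24 -d 192.168.1.0/24 -j SNAT --to-source 203.0.113.10"
]
# Hypothetical alternative: masquerade on the vmbr1 egress instead of SNAT.
MASQ_VMBR1 = ["-A POSTROUTING -s 172.16.32.0/24 -o vmbr1 -j MASQUERADE"]

OPTS = {"-s": "src", "-d": "dst", "-o": "out", "-j": "target", "--to-source": "to"}


def parse_rule(line):
    """Parse one rule line; only the options in OPTS are supported (others raise KeyError)."""
    tokens = shlex.split(line)[2:]  # drop "-A POSTROUTING"; shlex strips the quotes
    rule = dict.fromkeys(OPTS.values())
    for opt, val in zip(tokens[::2], tokens[1::2]):
        rule[OPTS[opt]] = val
    return rule


def in_net(addr, net):
    """An absent -s/-d matches every address."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def source_after_nat(rules, src, dst, out_iface):
    """Source address the receiver sees; the first matching rule decides."""
    for rule in map(parse_rule, rules):
        if not (in_net(src, rule["src"]) and in_net(dst, rule["dst"])):
            continue
        if rule["out"] not in (None, out_iface):
            continue
        if rule["target"] == "SNAT":
            return rule["to"]
        if rule["target"] == "MASQUERADE":
            return IFACE_ADDR[out_iface]  # MASQUERADE uses the egress interface's address
    return src  # nothing matched: the packet is routed with its private source


if __name__ == "__main__":
    pkt = ("172.16.32.10", "192.168.1.20", "vmbr1")  # constructed vmbr9 -> vmbr1 packet
    for name, rules in (("original", ORIGINAL), ("with SNAT", WITH_SNAT), ("masq vmbr1", MASQ_VMBR1)):
        print(name, "->", source_after_nat(rules, *pkt))
```

On the host itself, the equivalent check is to capture on vmbr1 while a vmbr9 guest connects and confirm the source address on the wire.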