Network fails after restarting network (Proxmox 7.x)

aleksdj

Member
May 1, 2019
Hello, I have a brand new Proxmox 7.1 with the typical settings in interfaces to allow 1 public NIC (vmbr0) and another virtual NIC (vmbr1) that serves as an outbound gateway for containers.

Code:
auto vmbr0
iface vmbr0 inet static
        address x.x.x.x/24
        gateway x.x.x.x
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        hwaddress x:x:x:0f:5e:e8

auto vmbr1
iface vmbr1 inet static
        address 10.0.0.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.0.0.1/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.1/24' -o vmbr0 -j MASQUERADE
        post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.100:80
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.100:80

All is correct and I can ping public google.com and 10.0.0.1 from the containers.

However, after editing the "interfaces" file and restarting the networking service with "systemctl restart networking", the containers cannot ping 10.0.0.1 anymore and they lose the connectivity to outside.

Even if I do an ifdown vmbr1 & ifup vmbr1, it will lose connectivity.

It only works if I reboot the "Proxmox host", but I don't want to be forced to reboot the whole host for any simple change in interfaces in the future.

Some logs:

Code:
root@proxmox:/etc/network# systemctl is-enabled networking
enabled

Code:
root@proxmox:/etc/network# apt -qq list ifupdown
ifupdown/stable,now 0.8.36+pve1 amd64 [residual-config]

root@proxmox:/etc/network# apt -qq list ifupdown2
ifupdown2/stable,now 3.1.0-1+pmx3 all [installed]

Code:
brctl show
bridge name     bridge id               STP enabled     interfaces
fwbr100i0               8000.26737a49bb74       no              fwln100i0
                                                        veth100i0
fwbr101i0               8000.6690b9fe1b83       no              fwln101i0
                                                        veth101i0
vmbr0           8000.fc15b40f5ee8       no              eno1
vmbr1           8000.a6219607602f       no

Code:
root@sd-167331:/etc/network/ifupdown2# ifup vmbr1 -d
debug: args = Namespace(all=False, iflist=['vmbr1'], verbose=False, debug=True, quiet=False, CLASS=None, withdepends=False, perfmode=False, nocache=False, excludepats=None, interfacesfile=None, interfacesfileformat='native', type=None, syntaxcheck=False, skipupperifaces=False, force=False, syslog=False, noact=False, printdependency=None, noaddons=False, version=None, nldebug=False)
debug: creating ifupdown object ..
info: requesting link dump
info: requesting address dump
info: requesting netconf dump
debug: nlcache: reset errorq
debug: {'use_daemon': 'no', 'template_enable': '1', 'template_engine': 'mako', 'template_lookuppath': '/etc/network/ifupdown2/templates', 'default_interfaces_configfile': '/etc/network/interfaces', 'disable_cli_interfacesfile': '0', 'addon_syntax_check': '0', 'addon_scripts_support': '1', 'addon_python_modules_support': '1', 'multiple_vlan_aware_bridge_support': '1', 'ifquery_check_success_str': 'pass', 'ifquery_check_error_str': 'fail', 'ifquery_check_unknown_str': '', 'ifquery_ifacename_expand_range': '0', 'link_master_slave': '0', 'delay_admin_state_change': '0', 'ifreload_down_changed': '0', 'addr_config_squash': '0', 'ifaceobj_squash': '0', 'adjust_logical_dev_mtu': '1', 'state_dir': '/run/network/'}
info: loading builtin modules from ['/usr/share/ifupdown2/addons']
info: module openvswitch not loaded (module init failed: no /usr/bin/ovs-vsctl found)
info: module openvswitch_port not loaded (module init failed: no /usr/bin/ovs-vsctl found)
info: module ppp not loaded (module init failed: no /usr/bin/pon found)
info: module batman_adv not loaded (module init failed: no /usr/sbin/batctl found)
debug: bridge: using reserved vlan range (0, 0)
debug: bridge: init: warn_on_untagged_bridge_absence=False
debug: bridge: init: vxlan_bridge_default_igmp_snooping=None
debug: bridge: init: arp_nd_suppress_only_on_vxlan=False
debug: bridge: init: bridge_always_up_dummy_brport=None
info: executing /sbin/sysctl net.bridge.bridge-allow-multiple-vlans
debug: bridge: init: multiple vlans allowed True
info: module mstpctl not loaded (module init failed: no /sbin/mstpctl found)
info: executing /bin/ip rule show
info: executing /bin/ip -6 rule show
info: module ethtool not loaded (module init failed: /sbin/ethtool: not found)
info: address: using default mtu 1500
info: address: max_mtu undefined
info: executing /usr/sbin/ip vrf id
info: mgmt vrf_context = False
info: dhclient: dhclient_retry_on_failure set to 0
info: executing /bin/ip addr help
info: address metric support: OK
info: module ethtool not loaded (module init failed: /sbin/ethtool: not found)
info: module ppp not loaded (module init failed: no /usr/bin/pon found)
info: module mstpctl not loaded (module init failed: no /sbin/mstpctl found)
info: module batman_adv not loaded (module init failed: no /usr/sbin/batctl found)
info: module openvswitch_port not loaded (module init failed: no /usr/bin/ovs-vsctl found)
info: module openvswitch not loaded (module init failed: no /usr/bin/ovs-vsctl found)
info: looking for user scripts under /etc/network
info: loading scripts under /etc/network/if-pre-up.d ...
info: loading scripts under /etc/network/if-up.d ...
info: loading scripts under /etc/network/if-post-up.d ...
info: loading scripts under /etc/network/if-pre-down.d ...
info: loading scripts under /etc/network/if-down.d ...
info: loading scripts under /etc/network/if-post-down.d ...
info: using mgmt iface default prefix eth
info: processing interfaces file /etc/network/interfaces
debug: vmbr0: evaluating port expr '['eno1']'
debug: scheduling '['pre-up', 'up', 'post-up']' for ['vmbr1']
debug: dependency graph {
        lo : []
        eno1 : []
        eno2 : []
        vmbr0 : ['eno1']
        vmbr1 : []
}
info: vmbr1: running ops ...
debug: vmbr1: pre-up : running module xfrm
debug: vmbr1: pre-up : running module link
debug: vmbr1: pre-up : running module bond
debug: vmbr1: pre-up : running module vlan
debug: vmbr1: pre-up : running module vxlan
debug: vmbr1: pre-up : running module usercmds
debug: vmbr1: pre-up : running module bridge
info: vmbr1: netlink: ip link add dev vmbr1 type bridge
info: vmbr1: applying bridge settings
info: vmbr1: set bridge-fd 0
info: vmbr1: set bridge-mcsnoop yes
info: reading '/sys/class/net/vmbr1/bridge/stp_state'
info: vmbr1: netlink: ip link set dev vmbr1 type bridge (with attributes)
debug: attributes: {1: 0, 23: True}
debug: vmbr1: pre-up : running module bridgevlan
debug: vmbr1: pre-up : running module tunnel
debug: vmbr1: pre-up : running module vrf
debug: vmbr1: pre-up : running module address
info: executing /sbin/sysctl net.mpls.conf.vmbr1.input=0
info: writing '1
' to file /proc/sys/net/ipv6/conf/vmbr1/forwarding
info: vmbr1: netlink: ip addr add 10.0.0.1/24 dev vmbr1
info: writing '0' to file /proc/sys/net/ipv4/conf/vmbr1/arp_accept
info: vmbr1: netlink: ip link set dev vmbr1 up
debug: vmbr1: up : running module dhcp
debug: vmbr1: up : running module address
debug: vmbr1: up : running module addressvirtual
debug: vmbr1: up : running module usercmds
debug: vmbr1: up : running script /etc/network/if-up.d/openntpd
info: executing /etc/network/if-up.d/openntpd
debug: vmbr1: up : running script /etc/network/if-up.d/bind9
info: executing /etc/network/if-up.d/bind9
debug: vmbr1: up : running script /etc/network/if-up.d/postfix
info: executing /etc/network/if-up.d/postfix
debug: vmbr1: post-up : running module usercmds
info: executing echo 1 > /proc/sys/net/ipv4/ip_forward
info: executing iptables -t nat -A POSTROUTING -s '10.0.0.1/24' -o vmbr0 -j MASQUERADE
info: executing iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.100:80
info: executing iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 81 -j DNAT --to-destination 10.0.0.100:81
info: executing iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.100:443
debug: vmbr1: statemanager sync state pre-up
info: running upperifaces (parent interfaces) if available ..
debug: saving state ..
info: exit status 0

Any clue about the problem?
Ok, I have discovered that using "ifreload -a" I can reload the network interfaces without losing connectivity. The only problem I see is that whenever I execute ifreload, it adds/duplicates a new rule in iptables due to the post-up instructions, so:

What is the best practice to add iptables rules in interfaces (or wherever) that is "compatible" with the new "ifreload"?:

Code:
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:10.0.0.100:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:81 to:10.0.0.100:81
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:10.0.0.100:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:81 to:10.0.0.100:81
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:10.0.0.100:443
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:10.0.0.100:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:81 to:10.0.0.100:81
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:10.0.0.100:443

I don't think it's a correct solution because I would like to be able to execute ifdown and ifup without losing network connectivity until the next reboot. How can I make it work?
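One way to keep the post-up hooks from stacking duplicate NAT rules on every ifreload, as an added example that is not from the original thread: move the rules into a single hook script (assumed path /etc/network/nat-rules.sh, called as `post-up /etc/network/nat-rules.sh up` and `post-down /etc/network/nat-rules.sh down`) that checks with `iptables -C` before appending and deletes every copy on down. The interface, subnet and host values mirror the thread and can be overridden through the environment; `IPT` lets you point the script at a different binary.

```shell
#!/bin/sh
# Idempotent NAT hook for ifupdown2 (added example, not from the thread).
# Assumed location: /etc/network/nat-rules.sh, invoked from post-up/post-down.
IPT="${IPT:-iptables}"            # binary to drive; overridable for testing
WAN_IF="${WAN_IF:-vmbr0}"         # public bridge
LAN_NET="${LAN_NET:-10.0.0.0/24}" # container subnet behind vmbr1
WEB_HOST="${WEB_HOST:-10.0.0.100}" # constructed value matching the thread

# ensure_rule TABLE CHAIN RULE...: append only if an identical rule is absent.
# iptables -C exits 0 when the exact rule spec already exists in the chain.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if ! "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        "$IPT" -t "$table" -A "$chain" "$@"
    fi
}

# purge_rule TABLE CHAIN RULE...: delete every copy, so duplicates that were
# already stacked by earlier ifreload runs are cleaned up as well.
purge_rule() {
    table=$1; chain=$2; shift 2
    while "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; do
        "$IPT" -t "$table" -D "$chain" "$@"
    done
}

# apply_rules up|down: the rule set from the thread, routed through the helpers.
apply_rules() {
    case "$1" in
        up)   f=ensure_rule ;;
        down) f=purge_rule ;;
        *) echo "usage: $0 up|down" >&2; return 2 ;;
    esac
    "$f" nat POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    for port in 80 443; do
        "$f" nat PREROUTING -i "$WAN_IF" -p tcp -m tcp --dport "$port" \
            -j DNAT --to-destination "$WEB_HOST:$port"
    done
}

# Only act when given an argument, so sourcing the file has no side effects.
if [ $# -gt 0 ]; then
    apply_rules "$1"
fi
```

Note that `iptables -C` only matches an exact rule specification, so any edit to a rule (a new port, a changed target) needs a `down` run with the old values before the new ones are applied.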