[SOLVED] Networking Issues

[PietMiet]

Hello everyone,

I've been struggling to setup my network for the last days and I can't figure out the problem. I want to have a private subnet for my VMs (10.10.10.0/24), the machines should be able to access the internet but do not need to be accessible from outside.
I have a Proxmox 8.1.10 installation with this /etc/network/interfaces:

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

auto enp1s0
iface enp1s0 inet static
        address 192.168.178.126/24
        gateway 192.168.178.1

iface enp2s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o enp1s0 -j MASQUERADE
        post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o enp1s0 -j MASQUERADE
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

In my Ubuntu (24.04LTS) i configured the IP address (10.10.10.11) and added a route to the host.

I can ping the gateways (10.10.10.1 and 192.168.178.126), but I cannot reach the internet.



What do I miss?

 

[PietMiet]

Do you have any ideas I could follow up?

 

[itkfm]

Can you reach other hosts within the 192.168.178.0/24 subnet from your VM?
What happens when you traceroute an IP address outside of your networks?

 

[PietMiet]

Good question, I just checked:
I tried to reach my home router (192.168.178.1), but it failed.

Unfortunately, i cannot perform traceroute because it is not installed and I have no internet
When listening with tcpdump on vmbr0 (on the host) while pinging 192.168.178.1 from inside the VM, I get:

It seems that it correctly resolves 192.168.178.1 to be my fritz box. A ping to 8.8.8.8 also seems to resolve google correctly:

 

[itkfm]

Unfortunately, i cannot perform traceroute because it is not installed and I have no internet

No worries. You can also download the package manually from https://packages.ubuntu.com/noble/traceroute – and use an (optionally virtual) pen drive or disk (you can also mount the disk of a shutdown VM at the host) to get the file into your VM – or, if you have busybox installed, go with busybox traceroute … instead.

 

[PietMiet]

Cool trick using busybox! Unfortunately I does not give too much information:



Also, I think the tcpdump from my previous response did resolve DNS from the host, not from the VM.
So at some point the routing from the vmbr0 bridge seems to be broken. When I view the routes on the host, it seems there is a default entry missing for vmbr0.

root@host:/home/user# ip route show dev vmbr0
10.10.10.0/24 proto kernel scope link src 10.10.10.1
root@host:/home/user# ip route show dev enp1s0
default via 192.168.178.1 proto kernel onlink
192.168.178.0/24 proto kernel scope link src 192.168.178.126

But I'm not sure it that's a problem, afaik it just says "route everything else over enp1s0".

 

[ubu]

1. ping 8.8.8.8 from your container
2. on the host check with tcpdump -ni vmbr0 icmp if you see the packets
3. check if you see the packets on your external interface with tcpdump -ni enp1s0 icmp for the outgoing packets, the sender address should be changed to 192.168.178.126 by the masquerade.
4. Do you see reply packets?
5. check with journalclt -f for dropped packets

 

[PietMiet]

Hi, thanks for the help.
I can see the packets on vmbr0. Also, I can see the packets on other interfaces identified with `brctl show`:


Here for vmbr0: tcpdump -ni vmbr0

Here for vmbr0->fwpr105p0->fwln105i0: tcpdump -ni fwln105i0


On enp1s0 I see nothing, journalctl is also not reporting packet drops. Maybe it's somehow related to docker?
Here iptables -L:

 

[PietMiet]

I changed the policy for the FORWARD chain to ACCEPT, now I can ping 8.8.8.8. I will now try to change it back to DROP and then specifically allow just my VMs. Just the DNS seems to need some more configuration, I hope I manage to do that by myself.

Thanks everyone for your quick and kind help!