[SOLVED] Newbie - Updates not going well.

drwho351

New Member
Apr 29, 2025
**Solved** Thank you!

Hello. I installed Version 8.4.0 probably 5-6 months ago on fresh hardware. On it I run my Sophos firewall, since the only way I can get 10G support for that software is under a VM application. While I'm a newbie, I do understand some basics of Linux, using VI editor, processes, etc.

While I haven't been able to ssh in (still having key issues) - I have been following a couple of YouTube videos on upgrades, which I mainly want from a security standpoint. I was able to go in and change (I think) the proper sources over to the No-Subscription version (this is for my home network firewall only) - but still having some failures. When I do this through the GUI - here is the output I get with errors. Appears some updates happened, but not all.

Appreciate any guidance on getting through the errors.

Output from Update info:


Starting system upgrade: apt-get dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
proxmox-kernel-6.8.12-10-pve-signed
The following packages will be upgraded:
frr frr-pythontools proxmox-backup-client proxmox-backup-file-restore
proxmox-kernel-6.8 pve-esxi-import-tools pve-manager
7 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 118 MB of archives.
After this operation, 577 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Ign:1 http://download.proxmox.com/debian/pve bookworm/pve-no-subscription amd64 frr-pythontools all 10.2.2-1+pve1
Err:2 http://download.proxmox.com/debian/pve bookworm/pve-no-subscription amd64 frr amd64 10.2.2-1+pve1
Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable)
Err:3 http://download.proxmox.com/debian/pve bookworm/pve-no-subscription amd64 proxmox-backup-client amd64 3.4.1-1
Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable)
Err:4 http://download.proxmox.com/debian/pve bookworm/pve-no-subscription amd64 proxmox-backup-file-restore amd64 3.4.1-1
Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable)
Err:5 http://download.proxmox.com/debian/pve bookworm/pve-no-subscription amd64 proxmox-kernel-6.8.12-10-pve-signed amd64 6.8.12-10
Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable)
Err:6 http://download.proxmox.com/debian/pve bookworm/pve-no-subscription amd64 proxmox-kernel-6.8 all 6.8.12-10
Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable)
Err:7 http://download.proxmox.com/debian/pve bookworm/pve-no-subscription amd64 pve-esxi-import-tools amd64 0.7.4
Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable)
Err:8 http://download.proxmox.com/debian/pve bookworm/pve-no-subscription amd64 pve-manager all 8.4.1
Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable)
Err:1 http://download.proxmox.com/debian/pve bookworm/pve-no-subscription amd64 frr-pythontools all 10.2.2-1+pve1
Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable) Could not connect to download.proxmox.com:80 (170.130.165.90). - connect (113: No route to host)
E: Failed to fetch http://download.proxmox.com/debian/pve/dists/bookworm/pve-no-subscription/binary-amd64/frr-pythontools_10.2.2-1+pve1_all.deb Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable) Could not connect to download.proxmox.com:80 (170.130.165.90). - connect (113: No route to host)
E: Failed to fetch http://download.proxmox.com/debian/pve/dists/bookworm/pve-no-subscription/binary-amd64/frr_10.2.2-1+pve1_amd64.deb Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable)
E: Failed to fetch http://download.proxmox.com/debian/...amd64/proxmox-backup-client_3.4.1-1_amd64.deb Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable)
E: Failed to fetch http://download.proxmox.com/debian/...proxmox-backup-file-restore_3.4.1-1_amd64.deb Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable)
E: Failed to fetch http://download.proxmox.com/debian/...rnel-6.8.12-10-pve-signed_6.8.12-10_amd64.deb Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable)
E: Failed to fetch http://download.proxmox.com/debian/...ry-amd64/proxmox-kernel-6.8_6.8.12-10_all.deb Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable)
E: Failed to fetch http://download.proxmox.com/debian/...y-amd64/pve-esxi-import-tools_0.7.4_amd64.deb Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable)
E: Failed to fetch http://download.proxmox.com/debian/...iption/binary-amd64/pve-manager_8.4.1_all.deb Cannot initiate the connection to download.proxmox.com:80 (2607:5300:400:7d00::80). - connect (101: Network is unreachable)
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
System not fully up to date (found 8 new packages)
starting shell
root@pve1:/#

***END of TEXT***

Welcome!
Seems that you have some network problem. Does your Proxmox hypervisor have an access to the Internet? Does your (Sophos or other) firewall allow it?
Can you ping 170.130.165.90? (I have verified it answers to ping, at least from my place).
 
Hmmmm so this is interesting. No, I cannot ping it. I can ping my FW (Sophos) primary IP address that everything on my network sees as a gateway. I cannot ping the IP address you provided. I also cannot ping a resolvable name such as att.com or google.com.

As to my physical setup, I have a NIC on the Motherboard that I'm using for a 1G connection for the ProxMox access to the LAN. It's the same LAN as the FW, etc. I cannot find anyplace where I have set up this host any differently.
 
Until you show us the details of the network configuration, we can't help.
Can you post the outputs of these commands issued in the PVE host. In the <CODE> tags, please.

ip a
ip route
cat /etc/network/interfaces
ping -c 3 1.1.1.1
 
This was fascinating -- So what I do see (and I will post these details below my note) - the pings, as an example, are trying to go down an interface labelled as 172.16.16.14 - and looking at the 10G card (it's one of two ports here) - I believe it is taking the port that is the 10G LAN side port for the Sophos FW. So - the packet has nowhere to go and the ping fails.

My ignorance was the fact that ProxMox was assigning IP addressing to these interfaces. While I had to make them active to support the single VM (Sophos FW) I didn't realize they would get mixed up in routing for the hypervisor. I'm learning.... Seems like I need to be able to tell the hypervisor to ignore these other links and only use the vmbr0 bridge which is the eno1 interface.... I notice in the Interface file output - these IP addresses are automatically generated. I am assuming these are needed for the VM to actually see the interfaces and use them. Again, I'm back to "how do I manage this for the hypervisor management level". Happy to go read - Really appreciate the direction and instruction.

I've issued the commands in the PVE host shell; not sure I understand what the "in the <CODE> tags" reference is.

Thank You Onslow!!!

root@pve1:~# ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UP group default qlen 1000
link/ether 60:cf:84:7f:4e:1c brd ff:ff:ff:ff:ff:ff
altname enp14s0
3: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr2 state UP group default qlen 1000
link/ether c4:62:37:05:b6:80 brd ff:ff:ff:ff:ff:ff
4: enp8s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master vmbr4 state DOWN group default qlen 1000
link/ether c4:62:37:05:b6:81 brd ff:ff:ff:ff:ff:ff
5: enp16s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr1 state UP group default qlen 1000
link/ether 1a:4b:24:a9:98:38 brd ff:ff:ff:ff:ff:ff
6: enp16s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr3 state UP group default qlen 1000
link/ether 1a:4b:24:a9:98:39 brd ff:ff:ff:ff:ff:ff
7: wlp15s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether c0:bf:be:10:fc:48 brd ff:ff:ff:ff:ff:ff
8: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 60:cf:84:7f:4e:1c brd ff:ff:ff:ff:ff:ff
inet 172.16.16.153/24 scope global vmbr0
valid_lft forever preferred_lft forever
inet6 fe80::62cf:84ff:fe7f:4e1c/64 scope link
valid_lft forever preferred_lft forever
9: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 1a:4b:24:a9:98:38 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.200/32 scope global vmbr1
valid_lft forever preferred_lft forever
inet6 fe80::184b:24ff:fea9:9838/64 scope link
valid_lft forever preferred_lft forever
10: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether c4:62:37:05:b6:80 brd ff:ff:ff:ff:ff:ff
inet 172.16.16.13/24 scope global vmbr2
valid_lft forever preferred_lft forever
inet6 fe80::c662:37ff:fe05:b680/64 scope link
valid_lft forever preferred_lft forever
11: vmbr3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 1a:4b:24:a9:98:39 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.3/24 scope global vmbr3
valid_lft forever preferred_lft forever
inet6 fe80::184b:24ff:fea9:9839/64 scope link
valid_lft forever preferred_lft forever
12: vmbr4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether c4:62:37:05:b6:81 brd ff:ff:ff:ff:ff:ff
inet 172.16.16.14/24 scope global vmbr4
valid_lft forever preferred_lft forever
inet6 fe80::c662:37ff:fe05:b681/64 scope link
valid_lft forever preferred_lft forever
13: tap101i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr101i1 state UNKNOWN group default qlen 1000
link/ether de:4f:52:99:b8:a7 brd ff:ff:ff:ff:ff:ff
14: fwbr101i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 52:20:78:b9:84:e3 brd ff:ff:ff:ff:ff:ff
15: fwpr101p1@fwln101i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1 state UP group default qlen 1000
link/ether de:b1:f1:27:cf:e8 brd ff:ff:ff:ff:ff:ff
16: fwln101i1@fwpr101p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr101i1 state UP group default qlen 1000
link/ether 52:20:78:b9:84:e3 brd ff:ff:ff:ff:ff:ff
17: tap101i2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr101i2 state UNKNOWN group default qlen 1000
link/ether 0a:73:fa:8c:f2:4d brd ff:ff:ff:ff:ff:ff
18: fwbr101i2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether a6:fc:e7:4e:50:88 brd ff:ff:ff:ff:ff:ff
19: fwpr101p2@fwln101i2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr2 state UP group default qlen 1000
link/ether 56:56:25:c6:f6:35 brd ff:ff:ff:ff:ff:ff
20: fwln101i2@fwpr101p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr101i2 state UP group default qlen 1000
link/ether a6:fc:e7:4e:50:88 brd ff:ff:ff:ff:ff:ff
21: tap101i3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr101i3 state UNKNOWN group default qlen 1000
link/ether 8a:ef:67:55:95:49 brd ff:ff:ff:ff:ff:ff
22: fwbr101i3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether ae:ce:b0:de:2f:bc brd ff:ff:ff:ff:ff:ff
23: fwpr101p3@fwln101i3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr3 state UP group default qlen 1000
link/ether 0e:f7:3d:b7:2f:f6 brd ff:ff:ff:ff:ff:ff
24: fwln101i3@fwpr101p3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr101i3 state UP group default qlen 1000
link/ether ae:ce:b0:de:2f:bc brd ff:ff:ff:ff:ff:ff
25: tap101i4: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr101i4 state UNKNOWN group default qlen 1000
link/ether d2:05:72:8b:94:86 brd ff:ff:ff:ff:ff:ff
26: fwbr101i4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 9e:35:bb:ce:80:dc brd ff:ff:ff:ff:ff:ff
27: fwpr101p4@fwln101i4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr4 state UP group default qlen 1000
link/ether 62:7a:d5:64:e8:14 brd ff:ff:ff:ff:ff:ff
28: fwln101i4@fwpr101p4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr101i4 state UP group default qlen 1000
link/ether 9e:35:bb:ce:80:dc brd ff:ff:ff:ff:ff:ff
root@pve1:~#


root@pve1:~# ip route

default via 172.16.16.16 dev vmbr4 proto kernel onlink
10.0.0.0/24 dev vmbr3 proto kernel scope link src 10.0.0.3
172.16.16.0/24 dev vmbr0 proto kernel scope link src 172.16.16.153
172.16.16.0/24 dev vmbr2 proto kernel scope link src 172.16.16.13
172.16.16.0/24 dev vmbr4 proto kernel scope link src 172.16.16.14
root@pve1:~#

root@pve1:~# cat /etc/network/interfaces
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

auto eno1
iface eno1 inet manual

auto enp8s0
iface enp8s0 inet manual

iface wlp15s0 inet manual

auto enp16s0f1
iface enp16s0f1 inet manual

auto enp16s0f0
iface enp16s0f0 inet manual

iface enp7s0 inet manual

auto vmbr0
iface vmbr0 inet static
address 172.16.16.153/24
gateway 172.16.16.16
bridge-ports eno1
bridge-stp off
bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
address 192.168.1.200
gateway 192.168.1.254
bridge-ports enp16s0f0
bridge-stp off
bridge-fd 0

auto vmbr2
iface vmbr2 inet static
address 172.16.16.13/24
gateway 172.16.16.16
bridge-ports enp7s0
bridge-stp off
bridge-fd 0
#10G Card LAN A

auto vmbr3
iface vmbr3 inet static
address 10.0.0.3/24
gateway 10.0.0.1
bridge-ports enp16s0f1
bridge-stp off
bridge-fd 0
#Comcast 2.5G

auto vmbr4
iface vmbr4 inet static
address 172.16.16.14/24
gateway 172.16.16.16
bridge-ports enp8s0
bridge-stp off
bridge-fd 0
#10G Card LAN B

source /etc/network/interfaces.d/*
root@pve1:~#


root@pve1:~# ping -c 3 1.1.1.1

PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From 172.16.16.14 icmp_seq=1 Destination Host Unreachable
From 172.16.16.14 icmp_seq=2 Destination Host Unreachable
From 172.16.16.14 icmp_seq=3 Destination Host Unreachable

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2087ms
pipe 3
root@pve1:~#
 
not sure I understand what the "in the <CODE> tags" reference is.

Like in this example:

Code:
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

You click [image: screenshot.png] and paste the output of the command.
 
Code:
root@pve1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UP group default qlen 1000
    link/ether 60:cf:84:7f:4e:1c brd ff:ff:ff:ff:ff:ff
    altname enp14s0
3: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr2 state UP group default qlen 1000
    link/ether c4:62:37:05:b6:80 brd ff:ff:ff:ff:ff:ff
4: enp8s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master vmbr4 state DOWN group default qlen 1000
    link/ether c4:62:37:05:b6:81 brd ff:ff:ff:ff:ff:ff
5: enp16s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr1 state UP group default qlen 1000
    link/ether 1a:4b:24:a9:98:38 brd ff:ff:ff:ff:ff:ff
6: enp16s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr3 state UP group default qlen 1000
    link/ether 1a:4b:24:a9:98:39 brd ff:ff:ff:ff:ff:ff
7: enp17s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 1a:4b:24:b5:f2:a6 brd ff:ff:ff:ff:ff:ff
8: enp17s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 1a:4b:24:b5:f2:a7 brd ff:ff:ff:ff:ff:ff
9: wlp15s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether c0:bf:be:10:fc:48 brd ff:ff:ff:ff:ff:ff
10: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 60:cf:84:7f:4e:1c brd ff:ff:ff:ff:ff:ff
    inet 172.16.16.153/24 scope global vmbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::62cf:84ff:fe7f:4e1c/64 scope link
       valid_lft forever preferred_lft forever
11: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1a:4b:24:a9:98:38 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.200/32 scope global vmbr1
       valid_lft forever preferred_lft forever
    inet6 fe80::184b:24ff:fea9:9838/64 scope link
       valid_lft forever preferred_lft forever
12: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c4:62:37:05:b6:80 brd ff:ff:ff:ff:ff:ff
    inet 172.16.16.13/24 scope global vmbr2
       valid_lft forever preferred_lft forever
    inet6 fe80::c662:37ff:fe05:b680/64 scope link
       valid_lft forever preferred_lft forever
13: vmbr3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1a:4b:24:a9:98:39 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.3/24 scope global vmbr3
       valid_lft forever preferred_lft forever
    inet6 fe80::184b:24ff:fea9:9839/64 scope link
       valid_lft forever preferred_lft forever
14: vmbr4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c4:62:37:05:b6:81 brd ff:ff:ff:ff:ff:ff
    inet 172.16.16.14/24 scope global vmbr4
       valid_lft forever preferred_lft forever
    inet6 fe80::c662:37ff:fe05:b681/64 scope link
       valid_lft forever preferred_lft forever
15: tap101i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr101i1 state UNKNOWN group default qlen 1000
    link/ether 62:4a:3c:b9:ff:cc brd ff:ff:ff:ff:ff:ff
16: fwbr101i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ee:a2:1b:82:6b:92 brd ff:ff:ff:ff:ff:ff
17: fwpr101p1@fwln101i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1 state UP group default qlen 1000
    link/ether 36:90:7d:83:35:96 brd ff:ff:ff:ff:ff:ff
18: fwln101i1@fwpr101p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr101i1 state UP group default qlen 1000
    link/ether ee:a2:1b:82:6b:92 brd ff:ff:ff:ff:ff:ff
19: tap101i2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr101i2 state UNKNOWN group default qlen 1000
    link/ether 56:fa:29:7e:f4:3a brd ff:ff:ff:ff:ff:ff
20: fwbr101i2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 16:d6:41:be:fe:e0 brd ff:ff:ff:ff:ff:ff
21: fwpr101p2@fwln101i2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr2 state UP group default qlen 1000
    link/ether 66:7c:39:5d:3d:81 brd ff:ff:ff:ff:ff:ff
22: fwln101i2@fwpr101p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr101i2 state UP group default qlen 1000
    link/ether 16:d6:41:be:fe:e0 brd ff:ff:ff:ff:ff:ff
23: tap101i3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr101i3 state UNKNOWN group default qlen 1000
    link/ether 12:d2:9f:6f:c4:bc brd ff:ff:ff:ff:ff:ff
24: fwbr101i3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether aa:c5:73:60:5b:47 brd ff:ff:ff:ff:ff:ff
25: fwpr101p3@fwln101i3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr3 state UP group default qlen 1000
    link/ether 1a:f1:3d:5d:e8:b2 brd ff:ff:ff:ff:ff:ff
26: fwln101i3@fwpr101p3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr101i3 state UP group default qlen 1000
    link/ether aa:c5:73:60:5b:47 brd ff:ff:ff:ff:ff:ff
27: tap101i4: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr101i4 state UNKNOWN group default qlen 1000
    link/ether de:e1:51:55:fb:75 brd ff:ff:ff:ff:ff:ff
28: fwbr101i4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1e:e1:5b:07:77:4e brd ff:ff:ff:ff:ff:ff
29: fwpr101p4@fwln101i4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr4 state UP group default qlen 1000
    link/ether 9e:14:14:33:f1:ce brd ff:ff:ff:ff:ff:ff
30: fwln101i4@fwpr101p4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr101i4 state UP group default qlen 1000
    link/ether 1e:e1:5b:07:77:4e brd ff:ff:ff:ff:ff:ff
root@pve1:~#
 
Code:
root@pve1:~# ip route
default via 172.16.16.16 dev vmbr4 proto kernel onlink
10.0.0.0/24 dev vmbr3 proto kernel scope link src 10.0.0.3
172.16.16.0/24 dev vmbr0 proto kernel scope link src 172.16.16.153
172.16.16.0/24 dev vmbr2 proto kernel scope link src 172.16.16.13
172.16.16.0/24 dev vmbr4 proto kernel scope link src 172.16.16.14
root@pve1:~#
 
Code:
root@pve1:~# cat /etc/network/interfaces
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

auto eno1
iface eno1 inet manual

auto enp8s0
iface enp8s0 inet manual

iface wlp15s0 inet manual

auto enp16s0f1
iface enp16s0f1 inet manual

auto enp16s0f0
iface enp16s0f0 inet manual

iface enp7s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 172.16.16.153/24
        gateway 172.16.16.16
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
        address 192.168.1.200
        gateway 192.168.1.254
        bridge-ports enp16s0f0
        bridge-stp off
        bridge-fd 0

auto vmbr2
iface vmbr2 inet static
        address 172.16.16.13/24
        gateway 172.16.16.16
        bridge-ports enp7s0
        bridge-stp off
        bridge-fd 0
#10G Card LAN A

auto vmbr3
iface vmbr3 inet static
        address 10.0.0.3/24
        gateway 10.0.0.1
        bridge-ports enp16s0f1
        bridge-stp off
        bridge-fd 0
#Comcast 2.5G

auto vmbr4
iface vmbr4 inet static
        address 172.16.16.14/24
        gateway 172.16.16.16
        bridge-ports enp8s0
        bridge-stp off
        bridge-fd 0
#10G Card LAN B

source /etc/network/interfaces.d/*
root@pve1:~#
 
Code:
root@pve1:~# ping -c 3 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From 172.16.16.14 icmp_seq=1 Destination Host Unreachable
From 172.16.16.14 icmp_seq=2 Destination Host Unreachable
From 172.16.16.14 icmp_seq=3 Destination Host Unreachable

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2075ms
pipe 3
root@pve1:~#
 
This is kind of a mess. You should not have gateways specified for all the bridges, and you should not have a gateway that's on a different network than the bridge, and you should not have the same /24 on multiple interfaces unless they really are connected to the same network (and even that is iffy unless you know what you are doing).

What is the intent here? Is it to have private networks for some things? In that case those nets don't need/shouldn't have a gateway, only the one that really connects to the Internet should.

If some nets are for VMs only, not for the host, those don't need an IP on the bridge at all.
 
You can not have multiple "gateway 1.2.3.4" entries. Only ONE Default Gateway can exist at any given point in time.

Clean up that mess, only the one pointing to "the internet" should be left. ;-)

After that look at ip route show to verify a sane routing.

(( Of course you can have as many routing entries and as many networks as you want. But your declaration is over-simplifying this. ))
 
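Added example (not written by any poster in this thread): a Python check for the three problems the two replies above name, run against the bridge stanzas of the posted `/etc/network/interfaces`. It flags more than one `gateway` line, a gateway outside its bridge's own subnet, and one subnet configured on several interfaces. The function names and the `CLEANED` variant are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Bridge stanzas copied from the /etc/network/interfaces posted in this thread
# (physical-port stanzas and comments left out).
POSTED = """\
auto vmbr0
iface vmbr0 inet static
        address 172.16.16.153/24
        gateway 172.16.16.16
        bridge-ports eno1

auto vmbr1
iface vmbr1 inet manual
        address 192.168.1.200
        gateway 192.168.1.254
        bridge-ports enp16s0f0

auto vmbr2
iface vmbr2 inet static
        address 172.16.16.13/24
        gateway 172.16.16.16
        bridge-ports enp7s0

auto vmbr3
iface vmbr3 inet static
        address 10.0.0.3/24
        gateway 10.0.0.1
        bridge-ports enp16s0f1

auto vmbr4
iface vmbr4 inet static
        address 172.16.16.14/24
        gateway 172.16.16.16
        bridge-ports enp8s0
"""

# Constructed for this example: only the management bridge keeps an address
# and a gateway; the bridges used by the firewall VM carry no host IP.
CLEANED = """\
auto vmbr0
iface vmbr0 inet static
        address 172.16.16.153/24
        gateway 172.16.16.16
        bridge-ports eno1

auto vmbr1
iface vmbr1 inet manual
        bridge-ports enp16s0f0

auto vmbr3
iface vmbr3 inet manual
        bridge-ports enp16s0f1
"""

# Keywords that end the current "iface" stanza in an ifupdown file.
STANZA_STARTS = ("auto", "allow-", "source", "mapping", "iface")


def parse_stanzas(text):
    """Return {interface: {option: value}} for every 'iface <name> inet ...' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0].startswith(STANZA_STARTS):
            current = None
            if words[0] == "iface" and len(words) >= 4 and words[2] == "inet":
                current = stanzas.setdefault(words[1], {"method": words[3]})
        elif current is not None and len(words) >= 2:
            current[words[0]] = words[1]
    return stanzas


def audit(text):
    """Return a list of (finding, interfaces) tuples for the parsed file."""
    stanzas = parse_stanzas(text)
    findings = []

    # Every 'gateway' line asks for a default route; only one should exist.
    with_gw = tuple(name for name, opts in stanzas.items() if "gateway" in opts)
    if len(with_gw) > 1:
        findings.append(("multiple-gateways", with_gw))

    subnets = defaultdict(list)
    for name, opts in stanzas.items():
        if "address" not in opts:
            continue
        addr = opts["address"]
        if "/" not in addr and "netmask" in opts:
            addr = f"{addr}/{opts['netmask']}"
        iface = ipaddress.ip_interface(addr)  # no prefix length means /32
        subnets[iface.network].append(name)
        gw = opts.get("gateway")
        if gw and ipaddress.ip_address(gw) not in iface.network:
            findings.append(("gateway-off-subnet", (name,)))

    for names in subnets.values():
        if len(names) > 1:
            findings.append(("shared-subnet", tuple(names)))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("cleaned", CLEANED)):
        print(label, audit(text) or "no findings")
```

After editing the real file, `ip route show` on the host should list a single `default` line, as suggested above.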
Thank you! So, this was built in a hurry, only with guidance from a couple of YT videos for building the virtual container for SOPHOS - and what appeared in the two videos was building the physical interface AND the bridge with IP addressing and gateways.

What I observed (either right or wrong) is that the native Ethernet port either on the MB or on a NIC, was not visible to the Sophos VM unless I set it up on the hypervisor.

The goal here really - is the eno1 being a separate hypervisor LAN connection that I can reach from my network. For the VM (Sophos FW) I have two WAN connections that are each behind the vendor router (protected) as well as a 10G LAN port. Overall part of my reason for the FW is failover routing between two WAN ISP (consumer) networks.

I did install a new 10G 2 port NIC card today - and I did nothing to make its two ports active. Accordingly, I cannot see them as available to the VM (Sophos) to use.

My next dumb question becomes - do I only need to make them active and NOT add them into a bridge?
 
I responded to another post with some details.

Much of this was built in a hurry with my only guidance from two YT guys showing how to build the framework for the Sophos FW VM environment. What I need to figure out is how to have these ports available to the VM. Basically the VM needs to see two ports that connect to my ISP connections (two different ISPs) and then a LAN port for traffic behind the FW.

The Ethernet connection visible to my Hypervisor - today is really connected to the LAN, which when traffic is destined for the Internet would route back thru the VM Sophos FW LAN connection, thru the FW, then to the appropriate ISP WAN connection.

YES, it is a mess. I know I'm missing some fundamentals of setting up and managing networking in this environment.

Thank you for your guidance!
 
You are setting up a very complex scenario. I don't have time this morning to walk you through all the complexities of what you are trying to do with regard to the dual ISP setup. It is called "multi-homing" and you can look it up. That is not a trivial thing to get working and depending on what you want to do may be impossible with a consumer account (e.g. ISPs won't do BGP with random small customers). I would suggest getting one of them to work first.

See for example https://en.wikipedia.org/wiki/Multihoming

I do not virtualize my firewall, it runs on a separate mini-PC so that when I break PVE it doesn't affect the rest of the network. I consider virtual routers a bad plan unless the PVE host is dedicated to a bunch of virtual routers or something like that. For a home user it just makes things complicated for no good reason.

Some general advice:
  • DRAW A PICTURE of what you are trying to do. Label it. Imagine yourself as a packet and think through how it would be routed. Maybe refresh your memory of how IP routing works. Routers don't know your intent, only the source and destination addresses and the routing table. Everything is based on prefixes.
  • A "gateway" is just a default route. Where packets are sent when the router has no other option. It generally doesn't make sense to have more than one of these.
  • Yes, you need a bridge (or pass-through the NIC) to access a port from a VM. But it is not required to set an IP address on a bridge when you create it. The only reason to do so is to enable host access to that network. A bridge is basically a switch. Unmanaged switches don't have IP addresses.
  • In the case of the WAN side of your firewall, you do NOT want the host to access that, only the firewall VM. So no IP on that bridge (the firewall will handle addressing).
  • On the LAN side, you probably do want the PVE host to access that, so it needs an IP that is in the LAN range of the firewall, but not in the DHCP range. This one should have a gateway set if you want PVE to access the Internet (e.g. for updates). The gateway should be the LAN IP of the firewall.
  • If you don't want the PVE host to have access to the LAN (why?) you need to figure out how you're going to access it. Dedicated port? Separate network? Add that to the picture.
Good luck!
 
Just a quick update - and a THANK YOU for the guidance.

I was able to edit the ProxMox interfaces to remove all IP addressing except for eno1, which is my admin LAN link for the hypervisor. I was then able to update the proxmox to 8.4.14. I'm thankful for that.

I am amazed at what the original YT channels had me doing, but glad I got it corrected as well as making it a little more secure and stable with updates.

FYI the entire reason I moved this to a VM platform for the firewall was supporting speeds above 1G, which SOPHOS doesn't support on their standard platform. Alternatively, I could forgo the failover - and at some point I will. I also have everything set up with instructions that my wife can unplug one cable and plug in another and remove all of this architecture, should something happen to me.

Thank you again.
 
BobhWasatch meant editing not the contents of the first post, but the topic :).

You should be able from the drop-down menu to select the prefix "[SOLVED]" there.
So it reads "[SOLVED] Newbie - Updates not going well."

Thank you in advance!
 