No host internet access - guests working fine

cobalt27

Mar 15, 2020
Hi, I know this has been asked a lot and I've been through previous similar threads, but I still don't know where I'm going wrong - I cannot get internet access for the Proxmox host, even though my guests are all fine.

I have a fairly basic setup, a server with a quad NIC card:

NIC 1 - enp6s0f3 - WAN - direct Ethernet connection from wall socket
NIC 2 - enp6s0f2 - LAN - out to switch
NIC 3 - enp6s0f1 - empty
NIC 4 - enp6s0f0 - empty

Prox is running Sophos XG, which is then handing out DHCP on 172.16.16.0/24 subnet. I have a couple VMs on the LAN, all with working internet access.

Proxmox is running on 192.168.1.200, however I cannot reach the internet from it to update.


My first thought was to connect NIC 3 enp6s0f1 to the LAN switch, and have Prox sitting behind the Sophos and get some protection, almost like another LAN client. However, from what I've been reading, this seems to be a bad idea, and I cannot work out how to do it anyway.

I think there is a simple routing issue to solve this, but I've tried a few things and still can't get internet access for Proxmox.

Any advice much appreciated! Some extra info below:

Hosts

127.0.0.1 localhost.localdomain localhost
192.168.1.200 pve.hostserver.local pve

# The following lines are desirable for IPv6 capable hosts

::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp10s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 60:a4:4c:60:c5:0f brd ff:ff:ff:ff:ff:ff
3: enp6s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether a0:36:9f:5f:95:9c brd ff:ff:ff:ff:ff:ff
4: enp6s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether a0:36:9f:5f:95:9d brd ff:ff:ff:ff:ff:ff
5: enp6s0f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr0 state UP group default qlen 1000
link/ether a0:36:9f:5f:95:9e brd ff:ff:ff:ff:ff:ff
6: enp6s0f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr1 state UP group default qlen 1000
link/ether a0:36:9f:5f:95:9f brd ff:ff:ff:ff:ff:ff
7: wlp7s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether f8:d1:11:a1:ee:2d brd ff:ff:ff:ff:ff:ff
8: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether a0:36:9f:5f:95:9e brd ff:ff:ff:ff:ff:ff
inet 192.168.1.200/24 brd 192.168.1.255 scope global vmbr0
valid_lft forever preferred_lft forever
inet6 fd14:166d:7a77:0:a236:9fff:fe5f:959e/64 scope global dynamic mngtmpaddr
valid_lft 7096sec preferred_lft 3496sec
inet6 fe80::a236:9fff:fe5f:959e/64 scope link
valid_lft forever preferred_lft forever
9: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether a0:36:9f:5f:95:9f brd ff:ff:ff:ff:ff:ff
inet6 fe80::a236:9fff:fe5f:959f/64 scope link
valid_lft forever preferred_lft forever
10: tap101i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN group default qlen 1000
link/ether 72:fd:ec:5a:18:67 brd ff:ff:ff:ff:ff:ff
11: tap100i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN group default qlen 1000
link/ether a6:64:06:05:48:1b brd ff:ff:ff:ff:ff:ff
12: tap100i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr1 state UNKNOWN group default qlen 1000
link/ether b6:c1:04:2a:6b:a6 brd ff:ff:ff:ff:ff:ff
13: tap102i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr102i0 state UNKNOWN group default qlen 1000
link/ether 46:47:08:79:45:8f brd ff:ff:ff:ff:ff:ff
14: fwbr102i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 3a:e8:ec:68:a3:50 brd ff:ff:ff:ff:ff:ff
15: fwpr102p0@fwln102i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
link/ether 46:d3:e6:ec:7f:1d brd ff:ff:ff:ff:ff:ff
16: fwln102i0@fwpr102p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr102i0 state UP group default qlen 1000
 
Hi,

The Gateway-Settings for the Host led to 192.168.1.1 as Gateway.
So Proxmox is trying to get Updates and so on via 192.168.1.1.

If 192.168.1.1 Gateway-Address is a Dummy-Address, that's the reason for the host not being able to connect to the Internet.

1. Delete 192.168.1.1 Gateway Entry
2. Set up a free IP-Set from the 172.16.16.0/24 subnet to vmbr1 and add the Sophos-VM as Gateway.

Internet should be reachable from Host.
 
So, I have given vmbr0 172.16.16.101 with gateway 172.16.16.16 (the Sophos VM). I now have internet access from host - great. But this puts my host on the same subnet as all my guests/LAN clients - I thought this was not best practice and the host should be on a completely different subnet?
 
But in your scenario it's the only way, because there is no other path to the internet.

Maybe you could set up as follows:

Within Sophos-VM add a second NIC.
Configure this NIC as DMZ for Subnet 192.168.1.0/24 (E.g. 192.168.1.1)
Attach this NIC to vmbr0
Configure routing and firewall in Sophos-VM for this new NIC
Remove actual gateway from vmbr1 and put gateway-entry back to vmbr0 with 192.168.1.1

This way your "HOST-Network" routes through Sophos-VM to WAN.
Don't ask me for infos about Sophos. I don't work with such machines.
 
That's really helpful - thank you for confirming what I thought. For a moment I was starting to question my own understanding! Thanks
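
An added example, not code from the thread or from Proxmox: a static check of `/etc/network/interfaces` stanzas for the three host configurations discussed above, flagging a default gateway that is not on the host's own subnet and a host address that sits inside the guest LAN. The stanza text is constructed; the bridge names, ports and addresses are the ones given in the thread, and `stanza`, `parse_ifaces` and `lint` are hypothetical helper names.

```python
import ipaddress

GUEST_NET = "172.16.16.0/24"   # Sophos LAN subnet from the thread

def stanza(address, gateway):
    """Constructed vmbr0/vmbr1 stanzas (bridge names and ports from the thread)."""
    return (f"auto vmbr0\niface vmbr0 inet static\n    address {address}\n"
            f"    gateway {gateway}\n    bridge-ports enp6s0f2\n\n"
            "auto vmbr1\niface vmbr1 inet manual\n    bridge-ports enp6s0f3\n")

def parse_ifaces(text):
    """Return {iface: {option: value}} for each 'iface' stanza."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        words = line.split("#")[0].split()
        if not words:
            continue
        if words[0] == "iface":
            cur = ifaces.setdefault(words[1], {})
        elif words[0] in ("auto", "allow-hotplug", "source"):
            cur = None
        elif cur is not None:
            cur[words[0]] = " ".join(words[1:])
    return ifaces

def lint(text, guest_net=GUEST_NET):
    """Return findings about the host's default gateway and management subnet."""
    findings, guests = [], ipaddress.ip_network(guest_net)
    ifaces = parse_ifaces(text)
    gateways = [n for n, o in ifaces.items() if "gateway" in o]
    if len(gateways) != 1:
        findings.append(f"expected one default gateway, found {len(gateways)}")
    for name, opts in ifaces.items():
        if "address" not in opts:
            continue
        spec = opts["address"]
        if "/" not in spec and "netmask" in opts:   # older two-line form
            spec = f"{spec}/{opts['netmask']}"
        addr = ipaddress.ip_interface(spec)
        gw = opts.get("gateway")
        if gw and ipaddress.ip_address(gw) not in addr.network:
            findings.append(f"{name}: gateway {gw} is not on-link for {addr.network}")
        if addr.network.overlaps(guests):
            findings.append(f"{name}: host {addr.ip} shares the guest subnet {guests}")
    return findings

if __name__ == "__main__":
    for addr, gw in [("192.168.1.200/24", "172.16.16.16"),   # gateway on another subnet
                     ("172.16.16.101/24", "172.16.16.16"),   # host moved into guest LAN
                     ("192.168.1.200/24", "192.168.1.1")]:   # DMZ leg on the Sophos VM
        print(addr, gw, lint(stanza(addr, gw)) or "ok")
```

The check is static: it cannot tell whether anything actually answers at 192.168.1.1, which is why the last configuration only works once the Sophos VM has its second NIC on vmbr0.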
 
