No internet access for vmbr0

papanito

Feb 20, 2017
There are plenty of threads regarding this topic, however I don't find the solution to the problem with my setup. I cannot access the internet from within a container nor a VM. I can trace the ping I issue from within the container/VM on my host machine, which looks like this:
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:36:13.824830 IP 10.10.10.73.34570 > 8.8.8.8.53: 24507+ A? google.com. (28)
18:36:18.829967 IP 10.10.10.73.55784 > 8.8.4.4.53: 24507+ A? google.com. (28)
18:36:19.061335 ARP, Request who-has 10.10.10.2 tell 10.10.10.73, length 28
18:36:19.061383 ARP, Reply 10.10.10.2 is-at 4c:72:b9:25:28:95, length 28
18:36:23.835099 IP 10.10.10.73.34570 > 8.8.8.8.53: 24507+ A? google.com. (28)
18:36:28.840238 IP 10.10.10.73.55784 > 8.8.4.4.53: 24507+ A? google.com. (28)
18:36:33.845419 IP 10.10.10.73.58293 > 8.8.8.8.53: 1877+ A? google.com. (28)
18:36:38.850568 IP 10.10.10.73.34700 > 8.8.4.4.53: 1877+ A? google.com. (28)
18:36:43.855705 IP 10.10.10.73.58293 > 8.8.8.8.53: 1877+ A? google.com. (28)

My guest has IP 10.10.10.73, received via DHCP. I have configured dnsmasq on the host as follows:
Code:
interface=vmbr0
dhcp-range=10.10.10.10,10.10.10.150,12h
dhcp-option=6,8.8.8.8,8.8.4.4

Here is my network configuration in /etc/network/interfaces
Code:
# Loopback device:
auto lo
iface lo inet loopback
#
# device: eth0
auto  eth0
iface eth0 inet static
    address   xx.xx.xx.177
    netmask   255.255.255.224
    gateway   xx.xx.xx.161
     
# for a subnet
auto vmbr0
iface vmbr0 inet static
    address 10.10.10.2
    netmask 255.255.255.0
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

    up route add -net 10.10.10.0/24 gw xx.xx.xx.177
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

I currently don't see what I am missing.
 
in the dnsmasq config, add:
Code:
dhcp-option=option:router,10.10.10.2

change nat rule; output interface to eth0

Code:
post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE

you don't need to add route add line as well.
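
The NAT point in the reply above, as an added example that is not part of the thread: the script compares the out-interface of the MASQUERADE rule for the guest subnet with the interface that carries the host's default route. It reads text in the format of `ip -4 route show` and `iptables -t nat -S`; the sample routes and the 192.0.2.1 gateway are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: does the MASQUERADE rule for a guest subnet leave via the
# interface that carries the host's default route?

# Constructed sample data (192.0.2.1 is a placeholder gateway).
ROUTES='default via 192.0.2.1 dev eth0
10.10.10.0/24 dev vmbr0 proto kernel scope link src 10.10.10.2'
RULES_BEFORE='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE'
RULES_AFTER='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE'

# default_iface ROUTES: device of the default route in `ip -4 route show` text.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# masq_ifaces SUBNET RULES: -o value of every MASQUERADE rule with -s SUBNET
# ("any" if the rule has no -o, "!name" if the match is negated).
masq_ifaces() {
    printf '%s\n' "$2" | awk -v net="$1" '$1 == "-A" && $2 == "POSTROUTING" {
        src = ""; out = "any"; masq = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            if ($i == "-o") out = ($(i - 1) == "!" ? "!" : "") $(i + 1)
            if ($i == "-j" && $(i + 1) == "MASQUERADE") masq = 1
        }
        if (masq && src == net) print out }'
}

# check_nat SUBNET ROUTES RULES: returns 0 when some rule covers the uplink.
check_nat() {
    want=$(default_iface "$2"); got=$(masq_ifaces "$1" "$3")
    [ -n "$got" ] || { echo "MISSING: no MASQUERADE rule for $1"; return 1; }
    for o in $got; do
        case "$o" in
            "!$want") ;;    # rule explicitly excludes the uplink
            "$want"|any|"!"*) echo "OK: $1 is masqueraded out $want"; return 0 ;;
        esac
    done
    echo "WRONG-IFACE: rule has -o $got but default route uses $want"; return 1
}

check_nat 10.10.10.0/24 "$ROUTES" "$RULES_BEFORE" || true   # WRONG-IFACE
check_nat 10.10.10.0/24 "$ROUTES" "$RULES_AFTER"  || true   # OK
```

On a live host the two text arguments would come from `ip -4 route show` and `iptables -t nat -S POSTROUTING`.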
 
Thanks @engin, I did the suggested changes and restarted the services 'dnsmasq' and 'networking' and the container. Still nothing, though the guest has the required route set:
Code:
default via 10.10.10.2 dev eth0
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.73

Now also, when pinging google.com, I do not capture any packets on the host:
Code:
 sudo tcpdump -n -l -i vmbr0 -n "src host 10.10.10.73 or dst host 10.10.10.73"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
4 packets received by filter
0 packets dropped by kernel
 
@papanito can you share your proxmox interfaces file as well as the bridge info for the vmbr0
Code:
brctl show vmbr0
and routes on the host
Code:
route -n
 
Here you go
Code:
bridge name   bridge id       STP enabled   interfaces
vmbr0       8000.4c72b9252895   no       eth0
                           tap102i0
                           tap103i0
                           veth101i0

Code:
sudo route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         static.161.74.7 0.0.0.0         UG    0      0        0 eth0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 vmbr0
xx.xx.xx.160   0.0.0.0         255.255.255.224 U     0      0        0 eth0
 
bridge and routing seem okay.

what about nat postrouting rules on the host:
Code:
iptables -t nat -S

btw, you should be pinging both from / to 10.10.10.2 / 10.10.10.73 right?
 
Yes pinging from and to 10.10.10.2 / 10.10.10.73 works fine

Code:
sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-7451d442554d -j MASQUERADE
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.1/32 -d 172.17.0.1/32 -p tcp -m tcp --dport 9980 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-7451d442554d -j RETURN
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 9980 -j DNAT --to-destination 172.17.0.1:9980
 
@papanito sorry mate; but all diagnostic outputs seem okay.

if you still couldn't find any solution, i can help you troubleshooting with ssh access.. (if you want)

or you might go with subscription to get support as well.
 
