No internet access on fresh installation of VM (vmbr0)

vojtechmares

Dec 8, 2020
Hello Proxmox forums,

I am new to Proxmox. I got myself a dedicated server at Hetzner Cloud. I set up a cloud-init template of Ubuntu 20.04; everything went fine.

I am using the 192.168.100.1/24 network on vmbr0.

I am using NAT to forward traffic etc. Unfortunately, I am unable to access the public internet from inside the VM. Everything is failing: curl, ping, ...

After running tcpdump on the host machine (tcpdump -n -l -i vmbr0), it seems that the VM can reach the host, so the traffic must be dropped there.

These are the iptables rules I added manually:
Code:
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 9900 -j DNAT --to-destination 192.168.100.101:22
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.101:443
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.101:80
-A POSTROUTING -s 192.168.0.0/24 -o vmbr0 -j MASQUERADE

Host machine /etc/network/interfaces:
Code:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp0s31f6
iface enp0s31f6 inet static
        address _REDACTED_/26
        gateway _REDACTED_
        up route add -net 94.130.136.64 netmask 255.255.255.192 gw _REDACTED_ dev enp0s31f6
# route _REDACTED_/26 via _REDACTED_

iface enp0s31f6 inet6 static
        address _REDACTED_/64
        gateway fe80::1 # hetzner gw

auto vmbr0
iface vmbr0 inet static
        address 192.168.100.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

I was googling for about two hours, but I am giving up for now.

I am not a network admin or anything like that, so I may be lacking some knowledge in this area, resulting in some stupid mistake. But I can't find it myself.

Thanks
 
Alright, I added the iptables rules; I am getting access to the outside internet via ping and ICMP, but DNS resolution is not working. I updated the nameservers in /etc/resolv.conf to 1.1.1.1 and 1.0.0.1 (Cloudflare DNS) and rebooted the machine, with no success.

Unfortunately, I can't verify if I previously had access to the internet over ICMP or not (I didn't think of it tbh).
 
In the tcpdump on the host machine, I see a lot of records towards Hetzner DNS asking for A and AAAA records; maybe the misconfiguration is there.

tcpdump:
Code:
19:12:35.150122 IP 192.168.100.101.33172 > ns3-coloc.hetzner.com.domain: 17998+ AAAA? api.snapcraft.io. (34)
19:12:35.150296 IP 192.168.100.101.48453 > ns3-coloc.hetzner.com.domain: 19662+ A? ntp.ubuntu.com. (32)
19:12:35.150407 IP 192.168.100.101.47682 > ns1-coloc.hetzner.de.domain: Flags [S], seq 4159456518, win 64240, options [mss 1460,sackOK,TS val 320850325 ecr 0,nop,wscale 7], length 0
19:12:35.150443 IP 192.168.100.101.44274 > ns2-coloc.hetzner.net.domain: Flags [S], seq 3725264625, win 64240, options [mss 1460,sackOK,TS val 1947354644 ecr 0,nop,wscale 7], length 0
19:12:36.160094 IP 192.168.100.101.44274 > ns2-coloc.hetzner.net.domain: Flags [S], seq 3725264625, win 64240, options [mss 1460,sackOK,TS val 1947355653 ecr 0,nop,wscale 7], length 0
19:12:36.160129 IP 192.168.100.101.47682 > ns1-coloc.hetzner.de.domain: Flags [S], seq 4159456518, win 64240, options [mss 1460,sackOK,TS val 320851334 ecr 0,nop,wscale 7], length 0
19:12:38.176258 IP 192.168.100.101.47682 > ns1-coloc.hetzner.de.domain: Flags [S], seq 4159456518, win 64240, options [mss 1460,sackOK,TS val 320853350 ecr 0,nop,wscale 7], length 0
19:12:38.176306 IP 192.168.100.101.44274 > ns2-coloc.hetzner.net.domain: Flags [S], seq 3725264625, win 64240, options [mss 1460,sackOK,TS val 1947357669 ecr 0,nop,wscale 7], length 0
19:12:42.336306 IP 192.168.100.101.44274 > ns2-coloc.hetzner.net.domain: Flags [S], seq 3725264625, win 64240, options [mss 1460,sackOK,TS val 1947361829 ecr 0,nop,wscale 7], length 0
19:12:42.336343 IP 192.168.100.101.47682 > ns1-coloc.hetzner.de.domain: Flags [S], seq 4159456518, win 64240, options [mss 1460,sackOK,TS val 320857510 ecr 0,nop,wscale 7], length 0
19:12:45.158760 IP 192.168.100.101.57244 > ns3-coloc.hetzner.com.domain: Flags [S], seq 2003002506, win 64240, options [mss 1460,sackOK,TS val 3562322704 ecr 0,nop,wscale 7], length 0
19:12:46.176410 IP 192.168.100.101.57244 > ns3-coloc.hetzner.com.domain: Flags [S], seq 2003002506, win 64240, options [mss 1460,sackOK,TS val 3562323721 ecr 0,nop,wscale 7], length 0
19:12:48.192451 IP 192.168.100.101.57244 > ns3-coloc.hetzner.com.domain: Flags [S], seq 2003002506, win 64240, options [mss 1460,sackOK,TS val 3562325737 ecr 0,nop,wscale 7], length 0
19:12:52.320513 IP 192.168.100.101.57244 > ns3-coloc.hetzner.com.domain: Flags [S], seq 2003002506, win 64240, options [mss 1460,sackOK,TS val 3562329865 ecr 0,nop,wscale 7], length 0
19:12:55.169328 IP 192.168.100.101.47688 > ns1-coloc.hetzner.de.domain: Flags [S], seq 863332522, win 64240, options [mss 1460,sackOK,TS val 320870343 ecr 0,nop,wscale 7], length 0
19:12:55.169357 IP 192.168.100.101.44280 > ns2-coloc.hetzner.net.domain: Flags [S], seq 2663379609, win 64240, options [mss 1460,sackOK,TS val 1947374662 ecr 0,nop,wscale 7], length 0
19:12:56.192600 IP 192.168.100.101.44280 > ns2-coloc.hetzner.net.domain: Flags [S], seq 2663379609, win 64240, options [mss 1460,sackOK,TS val 1947375685 ecr 0,nop,wscale 7], length 0
19:12:56.192636 IP 192.168.100.101.47688 > ns1-coloc.hetzner.de.domain: Flags [S], seq 863332522, win 64240, options [mss 1460,sackOK,TS val 320871366 ecr 0,nop,wscale 7], length 0
19:12:58.208615 IP 192.168.100.101.47688 > ns1-coloc.hetzner.de.domain: Flags [S], seq 863332522, win 64240, options [mss 1460,sackOK,TS val 320873382 ecr 0,nop,wscale 7], length 0
19:12:58.208651 IP 192.168.100.101.44280 > ns2-coloc.hetzner.net.domain: Flags [S], seq 2663379609, win 64240, options [mss 1460,sackOK,TS val 1947377701 ecr 0,nop,wscale 7], length 0
19:13:00.173933 IP 192.168.100.101.56662 > ns3-coloc.hetzner.com.domain: 2434+ A? ntp.ubuntu.com. (32)
19:13:02.304695 IP 192.168.100.101.44280 > ns2-coloc.hetzner.net.domain: Flags [S], seq 2663379609, win 64240, options [mss 1460,sackOK,TS val 1947381797 ecr 0,nop,wscale 7], length 0
19:13:02.304732 IP 192.168.100.101.47688 > ns1-coloc.hetzner.de.domain: Flags [S], seq 863332522, win 64240, options [mss 1460,sackOK,TS val 320877478 ecr 0,nop,wscale 7], length 0
19:13:05.179853 IP 192.168.100.101.44282 > ns2-coloc.hetzner.net.domain: Flags [S], seq 401098385, win 64240, options [mss 1460,sackOK,TS val 1947384673 ecr 0,nop,wscale 7], length 0

IP 192.168.100.101 is the IP of my VM in PVE.
 
Well, dig resolves domains OK, so it is NOT DNS :D (for now)

The issue might be at a firewall level not allowing http and other traffic.

There is a reason why I am not a network admin :D
 
Maybe it has to do with your iptables prerouting for port 80 and 443? Does email, for example, work in your VM?
 
These are all my iptables rules:
Code:
# Generated by iptables-save v1.8.2 on Wed Mar 31 23:45:58 2021
*filter
:INPUT DROP [1756:93617]
:FORWARD DROP [7492:450394]
:OUTPUT ACCEPT [383:15752]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 8006 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Wed Mar 31 23:45:58 2021
# Generated by iptables-save v1.8.2 on Wed Mar 31 23:45:58 2021
*raw
:PREROUTING ACCEPT [88429:18871536]
:OUTPUT ACCEPT [78688:25440502]
-A PREROUTING -i fwbr+ -j CT --zone 1
COMMIT
# Completed on Wed Mar 31 23:45:58 2021
# Generated by iptables-save v1.8.2 on Wed Mar 31 23:45:58 2021
*nat
:PREROUTING ACCEPT [13118:762129]
:INPUT ACCEPT [3043:175488]
:OUTPUT ACCEPT [2506:150603]
:POSTROUTING ACCEPT [2506:150603]
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 9900 -j DNAT --to-destination 192.168.100.101:22
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.100.101:443
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.101:80
-A POSTROUTING -s 192.168.100.0/24 -o vmbr0 -j MASQUERADE
-A POSTROUTING -s 192.168.100.0/24 -o enp0s31f6 -j MASQUERADE
COMMIT
# Completed on Wed Mar 31 23:45:58 2021
 
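In the iptables-save dump above, the FORWARD chain's policy is DROP and ufw-before-forward accepts only RELATED,ESTABLISHED traffic and a few ICMP types before jumping to an empty ufw-user-forward, so whether a new TCP/UDP flow from the VM is forwarded at all comes down to what lands in those ufw forward chains. As an added example, not code from the thread, here is a small Python checker that walks the filter chains of such a dump the way the kernel does and reports the verdict for a NEW packet; the dump excerpt and the extra ufw-user-forward rule are constructed, and the matcher ignores -s/-i/-o, so it assumes the VM-to-uplink case.

```python
import re
# Constructed excerpt modelled on the ufw chain layout in the dump above (not the real dump).
DUMP = """*filter
:FORWARD DROP [0:0]
:ufw-before-forward - [0:0]
-A FORWARD -j ufw-before-forward
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
COMMIT
"""
# Same dump plus one constructed rule allowing new flows from the bridge subnet (hypothetical fix).
FIXED = DUMP.replace("COMMIT", "-A ufw-user-forward -i vmbr0 -o enp0s31f6 -s 192.168.100.0/24 -m conntrack --ctstate NEW -j ACCEPT\nCOMMIT")

def parse_filter(dump):
    """Return ({chain: policy}, {chain: [rule lines]}) for the *filter table only."""
    policies, chains, active = {}, {}, False
    for line in dump.splitlines():
        if line.startswith("*"):
            active = line == "*filter"
        elif active and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif active and line.startswith("-A "):  # chains are also created on first -A
            chains.setdefault(line.split()[1], []).append(line)
    return policies, chains

def rule_matches(rule, proto):
    """Conservative: only -p and a reply-only conntrack test exclude a NEW packet (-s/-i/-o assumed to fit)."""
    if "ESTABLISHED" in rule and "NEW" not in rule:
        return False
    m = re.search(r"(?:^|\s)-p (\S+)", rule)
    return not m or m.group(1) in (proto, "all")

def verdict(chain, proto, policies, chains):
    """Walk a chain top to bottom: terminal targets end it, user chains may RETURN, LOG etc. continue."""
    for rule in chains.get(chain, []):
        m = re.search(r"\s-j (\S+)", rule)
        if not m or not rule_matches(rule, proto):
            continue
        target = m.group(1)
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return target
        if target in chains and (sub := verdict(target, proto, policies, chains)) != "RETURN":
            return sub
    policy = policies.get(chain, "-")  # built-in chains fall back to their policy
    return "RETURN" if policy == "-" else policy

def new_flow_forwarded(dump, proto="tcp"):
    return verdict("FORWARD", proto, *parse_filter(dump)) == "ACCEPT"
```

Because the -s/-i/-o qualifiers are ignored, a DROP answer is reliable but an ACCEPT should be confirmed against the real rule's interface and subnet. On a ufw-managed host the equivalent of that extra rule is a `ufw route allow` rule rather than a hand-added iptables line, which ufw would otherwise overwrite.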
The rules are probably in place to reach the Proxmox GUI, though. It was just a guess ... But it probably doesn't hurt to try without them, anyways.
 
Tried, didn't work.

The HTTP/HTTPS rules are for forwarding all HTTP(S) traffic toward the VM, since this one is meant to run HAProxy to send traffic to other VMs, as I have only one public IP.

The Proxmox GUI is still running on the default 8006. I will change that, but later, when the setup is done.
 
I see, you're right. I again had a twist in my mind about the web ports. :)
I'm done with my suggestions, to be honest. Hetzner is a big issue for most, but it usually can be solved with the NAT part of the documentation that I provided above.
Sorry for that. :(
 
No worries, thank you for trying. I will get back to this after the Easter holidays.

I also got some contacts from friends to people who build larger Proxmox clusters for production, so I hope I will get it moving from there.
 
After a deeper look and consulting on this issue with other people more experienced with Proxmox than me, we did not find the source of the issue. We believe that it is on the host machine.

After some more time, I just gave up. I reinstalled the server with Ubuntu 20.04 and I just run everything in Docker instead of a VM.
 
