No Internet on bridged network using firewall

Jun 15, 2021
47533 Kleve,DE
Hello,

I can't figure out how to get this done.

What I have:
I have one public IP on a root server connected to PVE via ens3, bridged to vmbr0, where the gateway and IP are set.

I also created a new network to masquerade vmbr0 to vmbr1, for connections between containers on the subnet 10.10.10.1/24.

Code:
auto lo
iface lo inet loopback

# physical uplink; carries no address of its own, it is enslaved to vmbr0
iface ens3 inet manual

# public-facing bridge holding the node's public IP and default gateway
auto vmbr0
iface vmbr0 inet static
        address 202.61.228.211/22
        gateway 202.61.228.1
        bridge-ports ens3
        bridge-stp off
        bridge-fd 0

# internal bridge for the containers (no physical port); the node is 10.10.10.1
auto vmbr1
iface vmbr1 inet static
        address 10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        # enable routing and masquerade the container subnet out through vmbr0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

Now I can assign CT100 the IP 10.10.10.2 and it's connected to the Internet.

Problem:
As soon as I enable the firewall at the node level, allowing ports 80, 443, 8006 and 22, I'm no longer able to ping from CT100 or any other container using vmbr1.

All three firewalls are set to allow outgoing and drop incoming traffic, plus the rules mentioned above.


Could someone tell me what I'm doing wrong?

Kind Regards
Mergim

Lorenz.S

Proxmox Staff Member
Apr 12, 2021
Hi,

If you don't allow incoming ICMP traffic, pings will be blocked. As you did not mention that you allowed ICMP traffic, I assume this is the problem. If, however, you are unable to connect via an allowed port, I'll have a closer look :)
Mergim
Lorenz.S said:
> Hi,
>
> If you don't allow incoming ICMP traffic, pings will be blocked. As you did not mention that you allowed ICMP traffic, I assume this is the problem. If, however, you are unable to connect via an allowed port, I'll have a closer look :)
Hey, sorry for the late answer. You are completely right on this one. But ping was only half the problem. I tried this now on different machines and Proxmox appliances; after setting up the NAT I have to reboot the host machine. Doing "service networking restart" does not work, as I still have no connection inside my CTs.

Maybe there's a fault on my side, but I don't get it.
Thanks in advance

Lorenz.S

Proxmox Staff Member
I don't quite understand your current problem...

Is your only issue that you need to reboot the hypervisor? If yes, try instead to set the bridge down and then up again. The post-up statement is only executed after the interface goes up; if it is already up, nothing happens.
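The reload problem in the reply above (post-up only fires when the bridge comes up, so an edit to the interfaces file does nothing until the bridge is cycled), as an added example that is neither the thread's nor Proxmox's code: a small POSIX shell helper that applies the same NAT setup idempotently, so it can be re-run from a root shell after editing the interfaces file and also serve as the post-up/post-down command. The interface names and subnet are taken from the original post; the install path in the note below is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: idempotent helper
# for the vmbr1 -> vmbr0 masquerade. "up" can be run any number of times
# (by hand after editing /etc/network/interfaces, or from post-up) without
# stacking duplicate rules; "down" removes every copy; "check" prints the
# three things that must hold for a container on vmbr1 to reach the Internet.

LAN_NET="${LAN_NET:-10.10.10.0/24}"   # container subnet behind vmbr1 (from the post)
WAN_IF="${WAN_IF:-vmbr0}"             # bridge holding the public IP (from the post)

# 0 if the MASQUERADE rule is already in the nat table.
# -C only tests for the rule and changes nothing.
nat_rule_exists() {
    iptables -t nat -C POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null
}

# Add the rule only if it is missing. Returns 0 when the rule is present
# afterwards, so callers can chain on it.
ensure_nat() {
    if nat_rule_exists; then
        echo "nat: masquerade for $LAN_NET via $WAN_IF already present"
    else
        iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
        echo "nat: masquerade for $LAN_NET via $WAN_IF added"
    fi
    nat_rule_exists
}

# Remove every copy of the rule (loops in case earlier manual runs duplicated it).
remove_nat() {
    while nat_rule_exists; do
        iptables -t nat -D POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    done
}

# Without forwarding the host does not route for the containers at all.
# sysctl -w lasts until reboot; persist net.ipv4.ip_forward=1 in /etc/sysctl.d/ too.
ensure_forwarding() {
    [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null
    [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ]
}

# What to look at when a container on vmbr1 has no connectivity.
show_state() {
    echo "ip_forward: $(sysctl -n net.ipv4.ip_forward)"
    echo "nat POSTROUTING:"; iptables -t nat -S POSTROUTING
    echo "bridge addresses:"; ip -br -4 addr show
}

# Only act when told to, so sourcing the file touches nothing on the host.
case "${1:-}" in
    up)    ensure_forwarding && ensure_nat ;;
    down)  remove_nat ;;
    check) show_state ;;
esac
```

Install it for example as /usr/local/sbin/vmbr1-nat.sh (assumed path), replace the three post-up/post-down lines in the vmbr1 stanza with `post-up /usr/local/sbin/vmbr1-nat.sh up` and `post-down /usr/local/sbin/vmbr1-nat.sh down`, and after editing the interfaces file either run `ifdown vmbr1 && ifup vmbr1` (or `ifreload -a` where ifupdown2 is installed) or simply call the script with `up`. The `-C` check is what makes the manual run safe: adding the iptables line by hand as well as from post-up would otherwise leave duplicate MASQUERADE entries that a single post-down `-D` no longer cleans up. Test from a container with a TCP connection (for example `curl -I https://example.com`) as well as ping, since ping additionally depends on the host firewall accepting ICMP.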