No Internet on bridged network using firewall

Jun 15, 2021
Hello,

I can't figure out how to get this done.

What I have:
I have one public IP on a root server connected to PVE via ens3, bridged to vmbr0 where gateway and IP are set.

I also created a new network to masquerade vmbr0 to vmbr1 for connections between containers on subnet 10.10.10.1/24.

Code:
auto lo
iface lo inet loopback

iface ens3 inet manual

# public uplink: the physical NIC is enslaved to vmbr0, which carries the public IP
auto vmbr0
iface vmbr0 inet static
        address 202.61.228.211/22
        gateway 202.61.228.1
        bridge-ports ens3
        bridge-stp off
        bridge-fd 0

# internal bridge with no physical port; containers get 10.10.10.x and use the host as gateway
auto vmbr1
iface vmbr1 inet static
        address 10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        # forwarding and masquerading are only applied when vmbr1 comes up
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

Now I can assign CT100 the IP 10.10.10.2 and it's connected to the Internet.

Problem:
As soon as I enable the firewall on the node level, allowing ports 80, 443, 8006 and 22, I'm no longer able to ping from inside CT100 or any other container using vmbr1.

All three firewalls are set to allow outgoing and drop incoming traffic, plus the rules mentioned above.

Could someone tell me what I'm doing wrong?

Kind Regards
Mergim
 
Hi,

If you don't allow incoming ICMP traffic, pings will be blocked. As you did not mention that you allowed ICMP traffic, I assume this is the problem. If, however, you are unable to connect via an allowed port, I'll have a closer look :)
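To make the reply concrete, here is an added example (not from the thread and not the original poster's file) of the node-level rule set written as a Proxmox firewall file, /etc/pve/firewall/cluster.fw, whose [RULES] section applies to every node. The last rule for the vmbr1 subnet is an assumption about what the containers need from the host.

```ini
# /etc/pve/firewall/cluster.fw   (added example, not the original poster's file)
[OPTIONS]
enable: 1
# Same defaults as described in the thread: outgoing open, incoming dropped.
policy_in: DROP
policy_out: ACCEPT

[RULES]
# The allow-list from the original post. With policy_in DROP, nothing else
# reaches the node; that includes ICMP, which is why ping stopped working.
IN ACCEPT -p tcp -dport 22,80,443,8006
# The piece the reply points at: accept ICMP echo explicitly rather than all
# of ICMP (the built-in "Ping" macro, IN Ping(ACCEPT), is the equivalent).
IN ACCEPT -p icmp -icmp-type echo-request
# Assumption: the containers behind vmbr1 also need to reach the node itself
# (it is their gateway), so accept traffic from the NATed subnet on that bridge.
IN ACCEPT -source 10.10.10.0/24 -iface vmbr1
```

After editing the file, `pve-firewall compile` shows the generated iptables rules without applying them, which is a quick way to confirm the ICMP rule actually ended up in the host chain.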
 
Hey, sorry for the late answer. You are completely right on this one. But ping was only half the problem. I tried this now on different machines and Proxmox appliances: after setting up the NAT I have to reboot the host machine. Doing "service networking restart" does not work, as I still have no connection inside my CTs.

Maybe there's a fault on my side, but I don't get it.
Thanks in advance
 
I don't quite understand your current problem...

Is your only issue that you need to reboot the hypervisor? If yes, try instead to set the bridge down and then up again. The post-up statement is only executed after the interface goes up—if it is already up, nothing happens.