No ping within the Container, why?

dima1002

Why can't I ping the router from the Container? (DHCP, SSH, etc. don't work either)

The Securepoint firewall has the following IP: 172.16.250.1

Proxmox: 172.16.250.5

Debian VM (test4) 172.16.250.201
 

oh sorry :-)


root@DIM03PVE01:~# pct config 103

arch: amd64
cores: 2
features: nesting=1
hostname: Test4
memory: 512
net0: name=eth0,bridge=vmbr0,gw=172.16.250.1,hwaddr=BC:24:11:A3:65:FE,ip=172.16.250.201/24,type=veth
ostype: debian
rootfs: local-zfs:subvol-103-disk-0,size=8G
searchdomain: 172.16.250.1
swap: 512
unprivileged: 1
root@DIM03PVE01:~#
 
Please also post /etc/network/interfaces from the node.

You can basically remove the search domain, you don't need it and it can cause problems with DNS resolution.
 
Here is more configuration:
 

I guess you can read minds :)

Can you ping the node from the container and vice versa? You say DHCP doesn't work in the container? Could it also be that your firewall does not accept multiple MAC addresses on one port and is therefore blocking communication?
 
Yes, I'll remove it, but I'll be happy if I can ping 8.8.8.8 from the container or the firewall itself.


Here is more info:


Code:
root@DIM03PVE01:~# ifreload --syntax-check --all --debug


debug: args = Namespace(all=True, currentlyup=False, CLASS=None, iflist=[], noact=False, verbose=False, debug=True, withdepends=False, perfmode=False, nocache=False, excludepats=None, usecurrentconfig=False, syslog=False, systemd=False, force=False, syntaxcheck=True, version=None, nldebug=False)
debug: creating ifupdown object ..
info: requesting link dump
info: requesting address dump
info: requesting netconf dump
debug: nlcache: reset errorq
debug: {'enable_persistent_debug_logging': 'yes', 'use_daemon': 'no', 'template_enable': '1', 'template_engine': 'mako', 'template_lookuppath': '/etc/network/ifupdown2/templates', 'default_interfaces_configfile': '/etc/network/interfaces', 'disable_cli_interfacesfile': '0', 'addon_syntax_check': '0', 'addon_scripts_support': '1', 'addon_python_modules_support': '1', 'multiple_vlan_aware_bridge_support': '1', 'ifquery_check_success_str': 'pass', 'ifquery_check_error_str': 'fail', 'ifquery_check_unknown_str': '', 'ifquery_ifacename_expand_range': '0', 'link_master_slave': '1', 'delay_admin_state_change': '0', 'ifreload_down_changed': '0', 'addr_config_squash': '0', 'ifaceobj_squash': '0', 'adjust_logical_dev_mtu': '1', 'state_dir': '/run/network/'}
info: loading builtin modules from ['/usr/share/ifupdown2/addons']
info: module openvswitch not loaded (module init failed: no /usr/bin/ovs-vsctl found)
info: module openvswitch_port not loaded (module init failed: no /usr/bin/ovs-vsctl found)
info: module ppp not loaded (module init failed: no /usr/bin/pon found)
info: module batman_adv not loaded (module init failed: no /usr/sbin/batctl found)
debug: bridge: using reserved vlan range (0, 0)
debug: bridge: init: warn_on_untagged_bridge_absence=False
debug: bridge: init: vxlan_bridge_default_igmp_snooping=None
debug: bridge: init: arp_nd_suppress_only_on_vxlan=False
debug: bridge: init: bridge_always_up_dummy_brport=None
info: executing /sbin/sysctl net.bridge.bridge-allow-multiple-vlans
debug: bridge: init: multiple vlans allowed True
info: module mstpctl not loaded (module init failed: no /sbin/mstpctl found)
info: executing /bin/ip rule show
info: executing /bin/ip -6 rule show
info: address: using default mtu 1500
info: address: max_mtu undefined
info: executing /sbin/sysctl net.ipv6.conf.all.accept_ra
info: executing /sbin/sysctl net.ipv6.conf.all.autoconf
info: executing /usr/sbin/ip vrf id
info: mgmt vrf_context = False
debug: dhclient: dhclient_retry_on_failure set to 0
info: executing /bin/ip addr help
info: address metric support: OK
info: module ppp not loaded (module init failed: no /usr/bin/pon found)
info: module mstpctl not loaded (module init failed: no /sbin/mstpctl found)
info: module batman_adv not loaded (module init failed: no /usr/sbin/batctl found)
info: module openvswitch_port not loaded (module init failed: no /usr/bin/ovs-vsctl found)
info: module openvswitch not loaded (module init failed: no /usr/bin/ovs-vsctl found)
info: looking for user scripts under /etc/network
info: loading scripts under /etc/network/if-pre-up.d ...
info: loading scripts under /etc/network/if-up.d ...
info: loading scripts under /etc/network/if-post-up.d ...
info: loading scripts under /etc/network/if-pre-down.d ...
info: loading scripts under /etc/network/if-down.d ...
info: loading scripts under /etc/network/if-post-down.d ...
info: 'link_master_slave' is set. slave admin state changes will be delayed till the masters admin state change.
info: using mgmt iface default prefix eth
debug: reloading interface config ..
info: processing interfaces file /etc/network/interfaces
debug: processing sourced line ..'source /etc/network/interfaces.d/*'
debug: vmbr0: evaluating port expr '['eth0']'
debug: eth0: marking interface with mgmt flag
info: exit status 0

root@DIM03PVE01:~# ifreload --syntax-check --all --debug
 

Here are my tests:


Code:
root@DIM03PVE01:~#
root@DIM03PVE01:~#
root@DIM03PVE01:~#
root@DIM03PVE01:~# ping 172.16.250.1

PING 172.16.250.1 (172.16.250.1) 56(84) bytes of data.
64 bytes from 172.16.250.1: icmp_seq=1 ttl=64 time=0.807 ms
^C

--- 172.16.250.1 ping statistics ---


1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.807/0.807/0.807/0.000 ms

root@DIM03PVE01:~# ping 172.16.250.201


PING 172.16.250.201 (172.16.250.201) 56(84) bytes of data.
64 bytes from 172.16.250.201: icmp_seq=1 ttl=64 time=0.056 ms
64 bytes from 172.16.250.201: icmp_seq=2 ttl=64 time=0.028 ms

^C

--- 172.16.250.201 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1022ms
rtt min/avg/max/mdev = 0.028/0.042/0.056/0.014 ms

root@DIM03PVE01:~# ssh -l root 172.16.250.201
root@172.16.250.201's password:


Linux Test4 6.5.11-4-pve #1 SMP PREEMPT_DYNAMIC PMX 6.5.11-4 (2023-11-20T10:19Z) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Last login: Sat Jan 20 13:05:30 2024 from 172.16.250.5
root@Test4:~# ping 172.16.250.5
PING 172.16.250.5 (172.16.250.5) 56(84) bytes of data.
64 bytes from 172.16.250.5: icmp_seq=1 ttl=64 time=0.026 ms

^C

--- 172.16.250.5 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.026/0.026/0.026/0.000 ms

root@Test4:~# ping 172.16.250.1
PING 172.16.250.1 (172.16.250.1) 56(84) bytes of data.
^C

--- 172.16.250.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1014ms


root@Test4:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:24:11:a3:65:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.16.250.201/24 brd 172.16.250.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::be24:11ff:fea3:65fe/64 scope link
       valid_lft forever preferred_lft forever

root@Test4:~# exit
logout
Connection to 172.16.250.201 closed.

root@DIM03PVE01:~# ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr0 state UP group default qlen 1000
    link/ether 00:1d:d8:df:09:c2 brd ff:ff:ff:ff:ff:ff
3: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1d:d8:df:09:c2 brd ff:ff:ff:ff:ff:ff
    inet 172.16.250.5/24 scope global vmbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::21d:d8ff:fedf:9c2/64 scope link
       valid_lft forever preferred_lft forever
4: veth103i0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
    link/ether fe:a4:fc:b9:41:2b brd ff:ff:ff:ff:ff:ff link-netnsid 0
8: vmbr0v1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1d:d8:df:09:c2 brd ff:ff:ff:ff:ff:ff
9: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0v1 state UP group default qlen 1000
    link/ether 00:1d:d8:df:09:c2 brd ff:ff:ff:ff:ff:ff


root@DIM03PVE01:~#
 
There isn't a firewall:


Code:
root@DIM03PVE01:~# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination       

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination       

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination       


root@DIM03PVE01:~# ssh -l root 172.16.250.201
root@172.16.250.201's password:


Linux Test4 6.5.11-4-pve #1 SMP PREEMPT_DYNAMIC PMX 6.5.11-4 (2023-11-20T10:19Z) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.


Last login: Sat Jan 20 13:31:18 2024 from 172.16.250.5

root@Test4:~# iptables -L
-bash: iptables: command not found
root@Test4:~# ufs status
-bash: ufs: command not found
root@Test4:~# ufw status
-bash: ufw: command not found
root@Test4:~#
 
Yes, that firewall, I suspected that too and reset it, etc.
But there's probably no Securepoint expert here, is there? :-)
Or should I post?
 
The error is very annoying :-) I have no idea what's going on. But the IP doesn't even appear in the entire log in the firewall, so nothing comes through defensively.
 
