[SOLVED] [P] Public IP on host - NAT - LXC containers in private network: access to containers

cmonty14

Hi,

I have configured Proxmox VE 4 with the public IP 192.168.178.1 on the host plus NAT, so all LXC containers have an IP in the private network 10.0.0.0/24.
There is no restriction on accessing the containers from the host. Communication between the containers is also possible.

But I cannot access the containers from any other client in 192.168.178.0/24.

Question:
How should I configure the network to allow access from 192.168.178.0/24 to 10.0.0.0/24?
I believe this gets relevant for accessing Nginx webserver running in LXC container with IP 10.0.0.1.

THX
 
Re: [P] Public IP on host - NAT - LXC containers in private network: access to containers

If NAT otherwise works and nothing between the 192* and the 10* network is being blocked by a firewall, you might only be missing routes on the machines in your 192.168.178.0/24 network. Unless your ….1 is their default gateway already.
(ip route add 10.0.0.0/24 via 192.168.178.1)
 
Re: [P] Public IP on host - NAT - LXC containers in private network: access to containers

If NAT otherwise works and nothing between the 192* and the 10* network is being blocked by a firewall, you might only be missing routes on the machines in your 192.168.178.0/24 network. Unless your ….1 is their default gateway already.
(ip route add 10.0.0.0/24 via 192.168.178.1)

Thanks for your reply.
Please allow me to ask some follow-up questions:
Should I modify /etc/network/interfaces on host for defining routes?
And with regards to the webserver, my understanding is that I need to define a port forward rule. If yes, could I configure this rule in /etc/network/interfaces, or must I use a firewall?
For the latter, should I enable the Proxmox Firewall, or is this overhead (not needed)?
 
Re: [P] Public IP on host - NAT - LXC containers in private network: access to containers

What is the recommended way to provide access for container to Internet:
SNAT configuration on hardware node (host) using iptables
Code:
iptables -t nat -A POSTROUTING -s src_net -o eth0 -j SNAT --to ip_address
or NAT configuration in /etc/network/interfaces according to Wiki page "Network Model"?

THX
 
Re: [P] Public IP on host - NAT - LXC containers in private network: access to containers

Should I modify /etc/network/interfaces on host for defining routes?
In order to communicate between two separate networks, the systems need to know how to route packets, and both networks need to have access to some gateway capable of routing between the two networks.
This means that (to make it easy) your host also needs an IP in the 10.0.0.0/24 network and has to become the default gateway for its containers; that way they'll route packets to the 192 LAN and to the internet over the host.
(You could also instead provide a static route to the host's IP but that's less common).
Your host needs to have ip-forwarding set to 1 (as you did in the network config), and not block forwarding traffic in the FORWARD chain, or in the nat table.
For your 192 LAN to send to your 10 LAN, your 192 machines need to route over your host's 192.*.1 IP address (this must be configured on each of the 192*/24 machines, or provided via DHCP as an additional route).
For your 10 LAN to send to your 192 LAN, your 10 machines need to route over your host's 10.*.X IP address (if this is chosen as the default gateway you don't need an extra route for the 192… network, only the default gateway entry).
If both conditions are satisfied they should be able to communicate with each other.

And with regards to the webserver, my understanding is that I need to define a port forward rule. If yes, could I configure this rule in /etc/network/interfaces, or must I use a firewall?
For the latter, should I enable the Proxmox Firewall, or is this overhead (not needed)?
c.monty said:
(…) or NAT configuration in /etc/network/interfaces according to Wiki page "Network Model"?
The firewall GUI currently doesn't provide a way to configure the nat table, so you'll need to add post-up commands to your /etc/network/interfaces to enable port forwarding and/or masquerading (or use any other means of configuring the NAT iptable).
So this doesn't affect the decision of whether or not to use the Proxmox firewall.
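As an added example (not code from this thread or from Proxmox), the following post-up helper applies the pieces described in the answer above: ip_forward on the host, masquerading for the container network on the public interface, and a DNAT port forward so the nginx container is reachable on the host's public address. Everything interface-specific is an assumption chosen to match the thread: the public IP 192.168.178.1 is taken to sit on vmbr0, the containers on vmbr1 (with the host holding an address there), and nginx in 10.0.0.1; all of these can be overridden from the environment. With DRY_RUN=1 the script prints the commands it would run, which is the easiest way to review the rules before wiring the script into /etc/network/interfaces.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: a post-up helper that
# enables forwarding, masquerades the container network and port-forwards the
# web container. Interface names, addresses and the script path are assumptions.
# DRY_RUN=1 prints the commands instead of executing them.

WAN_IF="${WAN_IF:-vmbr0}"          # assumed: interface carrying 192.168.178.1
CT_IF="${CT_IF:-vmbr1}"            # assumed: bridge the containers are attached to
WAN_IP="${WAN_IP:-192.168.178.1}"  # public address of the host (from the thread)
CT_NET="${CT_NET:-10.0.0.0/24}"    # container network (from the thread)
WEB_CT="${WEB_CT:-10.0.0.1}"       # container running nginx (from the thread)

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Append an iptables rule unless an identical one already exists: post-up can
# fire more than once (ifdown/ifup cycles) and duplicated rules are easy to miss.
ensure_rule() {
    table="$1"; shift
    if [ -n "${DRY_RUN:-}" ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

# The host must route between the two networks.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Outbound: masquerade container traffic that leaves on the public interface
# (the SNAT step quoted in the thread, using MASQUERADE so the address is picked up
# from the interface).
add_masquerade() {
    ensure_rule nat POSTROUTING -s "$CT_NET" -o "$WAN_IF" -j MASQUERADE
}

# Inbound: publish one TCP port of the web container on the host's public IP.
# The FORWARD rules accept exactly this port in both directions; if your FORWARD
# policy is DROP, nothing else is forwarded by this script.
add_port_forward() {
    port="$1"
    ensure_rule nat PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport "$port" \
        -j DNAT --to-destination "$WEB_CT:$port"
    ensure_rule filter FORWARD -i "$WAN_IF" -o "$CT_IF" -p tcp -d "$WEB_CT" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ensure_rule filter FORWARD -i "$CT_IF" -o "$WAN_IF" -s "$WEB_CT" -p tcp --sport "$port" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Only "apply" changes anything; sourcing the file or running it without an
# argument just defines the functions. Assumed placement:
#   post-up /usr/local/sbin/ct-nat.sh apply      (in the vmbr0 stanza)
case "${1:-}" in
    apply)
        enable_forwarding
        add_masquerade
        add_port_forward 80
        add_port_forward 443
        ;;
esac
```

The port forward only covers hosts that reach the container through the public address; machines in 192.168.178.0/24 that should talk to the containers directly still need the route from the first reply (ip route add 10.0.0.0/24 via 192.168.178.1), or that route on their default gateway.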
 
Re: [P] Public IP on host - NAT - LXC containers in private network: access to containers

In order to communicate between two separate networks, the systems need to know how to route packets, and both networks need to have access to some gateway capable of routing between the two networks.
This means that (to make it easy) your host also needs an IP in the 10.0.0.0/24 network and has to become the default gateway for its containers; that way they'll route packets to the 192 LAN and to the internet over the host.
(You could also instead provide a static route to the host's IP but that's less common).
Your host needs to have ip-forwarding set to 1 (as you did in the network config), and not block forwarding traffic in the FORWARD chain, or in the nat table.
For your 192 LAN to send to your 10 LAN, your 192 machines need to route over your host's 192.*.1 IP address (this must be configured on each of the 192*/24 machines, or provided via DHCP as an additional route).
[...]

Hello Wolfgang,
many thanks for your detailed reply.

In case I would prefer to provide an additional route via DHCP, do I need to run this DHCP service on the host?
Or can I configure this in another server that offers Gateway, DHCP, Firewall and other network services (e.g. IPFire or Nethserver)?

THX
 
Re: [P] Public IP on host - NAT - LXC containers in private network: access to containers

If you're using a static IP configuration it'll be easier to just add the route manually; otherwise you'll also have to configure the DHCP clients on all your LAN machines to only fetch routes and not IP addresses / gateways.
If you're already using DHCP for your LAN then you'll have to check your DHCP server for available configuration options.
(dhcpcd and dhclient AFAIK can be configured to only fetch specific data, but for this you have to see their corresponding documentation)

Another alternative might be to add the 10.0.0.0/24 route to your actual router. If you can do that it'll be by far the easiest to set up.
 
The firewall GUI currently doesn't provide a way to configure the nat table, so you'll need to add post-up commands to your /etc/network/interfaces to enable port forwarding and/or masquerading (or use any other means of configuring the NAT iptable).

What is the alternative management tool for NAT in Proxmox, besides post-up/post-down? ufw or other tools have a high probability of interfering with the built-in Proxmox firewall.
 
