port forwarding on 5.2-2 does not work as 5.1.36

GGD_WI6LABS

New Member
Jun 13, 2018
Hi,

I have used the Proxmox interfaces configuration below in several versions, but it does not work with the latest one.

Code:
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr1
iface vmbr1 inet static
        address  192.168.147.254
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '192.168.147.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.147.0/24' -o vmbr0 -j MASQUERADE

auto vmbr0
iface vmbr0 inet static
        address  xx.yy.zz.aa
        netmask  255.255.255.0
        gateway  xx.yy.zz.254
        broadcast  xx.yy.zz.255
        bridge_ports eno1
        bridge_stp off
        bridge_fd 0
        network  xx.yy.zz.0

post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2003 -j DNAT --to 192.168.147.3:22
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 2003 -j DNAT --to 192.168.147.3:22
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2005 -j DNAT --to 192.168.147.5:22
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 2005 -j DNAT --to 192.168.147.5:22

Remark : in previous version eno1 was eth0 (and it works fine)

with this configuration it is not possible to ping external IP from container (example 8.8.8.8)
it is not possible to access container from outside (example ssh -p 2003 user@xx.yy.zz.aa)

I notice that I have :
Code:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         5.135.187.254   0.0.0.0         UG    0      0        0 eno1
0.0.0.0         5.135.187.254   0.0.0.0         UG    0      0        0 vmbr0
5.135.187.0     0.0.0.0         255.255.255.0   U     0      0        0 eno1
5.135.187.0     0.0.0.0         255.255.255.0   U     0      0        0 vmbr0
192.168.147.0   0.0.0.0         255.255.255.0   U     0      0        0 vmbr1
when I remove eno1 interfaces lines I can ping 8.8.8.8

Regarding ssh I have
Code:
# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.147.0/24 -o vmbr0 -j MASQUERADE
=> the port forwarding rules are missing
When I set the iptables rules manually, I can ssh to the containers.

One more point : if I take one old proxmox and upgrade it on V5.2-2, it works fine (in this case interface is not eno1 but stays eth0)

Then my question is: what is the right configuration to make the new Proxmox work like the old one?

Regards,
 
Your post-up/post-down rules seem not to have the correct indentation.
 
Your post-up/post-down rules seem not to have the correct indentation.
Hi Alwin,

Thank you for your answer, but could you be more precise?
As I always used the same configuration with previous proxmox version, I don't see what is wrong.

With best regards,

Gildas.
 
network xx.yy.zz.0
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2003 -j DNAT --to 192.168.147.3:22
I am not sure that those rules are triggered if they do not have the right indentation (see your first post).
 
I've found the issue.
OVH customized the installation and they put /etc/systemd/network/50-* files that mount the main IP on eth0. This conflicts with vmbr0, and this is why the routing table gets strange. Removing this file seems to be OK. Also, in /etc/udev/rules.d/70-per, they customize to force the interface to be mounted over eth0, I think because some of our internal scripts always use eth0.
In any case, OVH should be more transparent about what modifications they bring to the distrib.
 
Hi,

I have new information about this issue.
We just tested the 5.2-6 environment on OVH and there is no more route issue.

But we still have a problem with iptables rules.

If we place the rules after vmbr0, post-up rules are not added to iptables.
If we place them after vmbr1 it works well.

In syslog we see "ifup: failed to bring up vmbr0" even if vmbr0 seems to work

We have a workaround with rules declaration after vmbr1 but a correction will be better.

Any idea about that ?

Regards,

Gildas.
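
The check done by hand in the posts above, comparing the rules declared in /etc/network/interfaces with `iptables -t nat -S`, written out as an added example that is not part of the original thread. The sample inputs are constructed, the function names are chosen here, and the parser assumes that ifupdown attaches each option line to the most recent `iface` stanza regardless of indentation.

```python
import shlex

# Constructed sample in the layout from the thread (addresses omitted).
INTERFACES = """\
auto vmbr1
iface vmbr1 inet static
        post-up iptables -t nat -A POSTROUTING -s '192.168.147.0/24' -o vmbr0 -j MASQUERADE

auto vmbr0
iface vmbr0 inet static
        bridge_ports eno1

post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2003 -j DNAT --to 192.168.147.3:22
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2005 -j DNAT --to 192.168.147.5:22
"""
# Constructed `iptables -t nat -S` output matching the state reported in the thread.
LIVE = """\
-P PREROUTING ACCEPT
-A POSTROUTING -s 192.168.147.0/24 -o vmbr0 -j MASQUERADE
"""
ALIASES = {"--to": "--to-destination"}  # `iptables -S` prints the long option name

def rule_key(tokens):
    """Order-independent form of a rule: (option, value) pairs from -A onward."""
    tokens = tokens[tokens.index("-A"):]
    pairs = zip(tokens[0::2], tokens[1::2])  # assumes one value per option, no '!'
    return frozenset((ALIASES.get(o, o), v) for o, v in pairs if o != "-m")

def declared_rules(text):
    """Yield (iface, key, raw) for every post-up/up `iptables -A` command."""
    iface = None
    for line in text.splitlines():
        words = shlex.split(line, comments=True) or [""]
        if words[0] == "iface" and len(words) > 1:
            iface = words[1]  # option lines belong to the latest iface stanza
        elif words[0] in ("auto", "mapping", "source") or words[0].startswith("allow-"):
            iface = None      # these keywords start a stanza that takes no commands
        elif words[0] in ("post-up", "up") and "iptables" in words and "-A" in words:
            yield iface, rule_key(words), line.strip()

def missing_rules(interfaces_text, save_output):
    """Declared rules that are absent from the live nat table."""
    live = {rule_key(shlex.split(l)) for l in save_output.splitlines() if l.startswith("-A ")}
    return [(iface, raw) for iface, key, raw in declared_rules(interfaces_text)
            if key not in live]

if __name__ == "__main__":
    for iface, raw in missing_rules(INTERFACES, LIVE):
        print(f"declared under {iface} but not loaded: {raw}")
```

On a host, pass the contents of /etc/network/interfaces and the output of `iptables -t nat -S`; every rule reported is a declared port forward that is not active, together with the stanza whose `ifup` should have installed it.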
 
