port forwarding on 5.2-2 does not work as on 5.1.36

Discussion in 'Proxmox VE: Networking and Firewall' started by GGD_WI6LABS, Jun 13, 2018.

  1. GGD_WI6LABS

    GGD_WI6LABS New Member

    Joined:
    Jun 13, 2018
    Messages:
    4
    Likes Received:
    0
    Hi,

    I have used the proxmox interfaces configuration below in several versions, but it does not work with the latest

    Code:
    auto lo
    iface lo inet loopback
    
    iface eno1 inet manual
    
    auto vmbr1
    iface vmbr1 inet static
            address  192.168.147.254
            netmask  255.255.255.0
            bridge_ports none
            bridge_stp off
            bridge_fd 0
            post-up echo 1 > /proc/sys/net/ipv4/ip_forward
            post-up iptables -t nat -A POSTROUTING -s '192.168.147.0/24' -o vmbr0 -j MASQUERADE
            post-down iptables -t nat -D POSTROUTING -s '192.168.147.0/24' -o vmbr0 -j MASQUERADE
    
    auto vmbr0
    iface vmbr0 inet static
            address  xx.yy.zz.aa
            netmask  255.255.255.0
            gateway  xx.yy.zz.254
            broadcast  xx.yy.zz.255
            bridge_ports eno1
            bridge_stp off
            bridge_fd 0
            network  xx.yy.zz.0
    
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2003 -j DNAT --to 192.168.147.3:22
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 2003 -j DNAT --to 192.168.147.3:22
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2005 -j DNAT --to 192.168.147.5:22
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 2005 -j DNAT --to 192.168.147.5:22
    
    Remark: in the previous version eno1 was eth0 (and it works fine)

    With this configuration it is not possible to ping an external IP from a container (example: 8.8.8.8),
    and it is not possible to access a container from outside (example: ssh -p 2003 user@xx.yy.zz.aa).

    I notice that I have:
    Code:
    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         5.135.187.254   0.0.0.0         UG    0      0        0 eno1
    0.0.0.0         5.135.187.254   0.0.0.0         UG    0      0        0 vmbr0
    5.135.187.0     0.0.0.0         255.255.255.0   U     0      0        0 eno1
    5.135.187.0     0.0.0.0         255.255.255.0   U     0      0        0 vmbr0
    192.168.147.0   0.0.0.0         255.255.255.0   U     0      0        0 vmbr1
    
    When I remove the eno1 interface lines I can ping 8.8.8.8.

    Regarding ssh I have:
    Code:
    # iptables -t nat -S
    -P PREROUTING ACCEPT
    -P INPUT ACCEPT
    -P OUTPUT ACCEPT
    -P POSTROUTING ACCEPT
    -A POSTROUTING -s 192.168.147.0/24 -o vmbr0 -j MASQUERADE
    
    => the port forwarding rules are missing.
    When I set the iptables rules manually I can ssh to the containers.

    One more point: if I take an old proxmox and upgrade it to V5.2-2, it works fine (in this case the interface is not eno1 but stays eth0).

    So my question is: what is the right configuration to make the new proxmox work like the old one?

    Regards,
     
  2. Alwin

    Alwin Proxmox Staff Member
    Staff Member

    Joined:
    Aug 1, 2017
    Messages:
    1,629
    Likes Received:
    140
    Your post-up/post-down rules seem not to have the correct indentation.
     
  3. GGD_WI6LABS

    GGD_WI6LABS New Member

    Joined:
    Jun 13, 2018
    Messages:
    4
    Likes Received:
    0
    Hi Alwin,

    Thank you for your answer, but could you be more precise?
    As I have always used the same configuration with previous proxmox versions, I don't see what is wrong.

    With best regards,

    Gildas.
     
  4. Alwin

    Alwin Proxmox Staff Member
    Staff Member

    Joined:
    Aug 1, 2017
    Messages:
    1,629
    Likes Received:
    140
    I am not sure that those rules are triggered if they do not have the right indentation (see your first post).
     
  5. jcarnus

    jcarnus New Member

    Joined:
    Oct 23, 2015
    Messages:
    23
    Likes Received:
    0
  6. jcarnus

    jcarnus New Member

    Joined:
    Oct 23, 2015
    Messages:
    23
    Likes Received:
    0
    I've found the issue.
    OVH customized the installation and put /etc/systemd/network/50-* files that mount the main IP on eth0. This conflicts with vmbr0, and this is why the routing table gets strange. Removing this file seems to be OK. Also in /etc/udev/rules.d/70-per, they customized it to force the interface to be mounted as eth0, I think because some of their internal scripts always use eth0.
    In any case OVH should be more transparent about what modifications they bring to the distrib.
     
  7. jcarnus

    jcarnus New Member

    Joined:
    Oct 23, 2015
    Messages:
    23
    Likes Received:
    0
    PS: maybe I just wrote on the wrong thread on this forum.
     
  8. GGD_WI6LABS

    GGD_WI6LABS New Member

    Joined:
    Jun 13, 2018
    Messages:
    4
    Likes Received:
    0
    Hi,

    I just tried Jcarnus's solution: it works.
    Thank you Jcarnus!

    Regards,

    Gildas.
     
  9. GGD_WI6LABS

    GGD_WI6LABS New Member

    Joined:
    Jun 13, 2018
    Messages:
    4
    Likes Received:
    0
    Hi,

    I have new information about this issue.
    We just tested the 5.2-6 environment on OVH and there is no more route issue.

    But we still have a problem with iptables rules.

    If we place the rules after vmbr0, the post-up rules are not added to iptables.
    If we place them after vmbr1 it works well.

    In syslog we see "ifup: failed to bring up vmbr0" even though vmbr0 seems to work.

    We have a workaround with the rules declared after vmbr1, but a proper fix would be better.

    Any idea about that?

    Regards,

    Gildas.
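Two checks that follow from this thread, written here as an added example (not code from the thread, from Proxmox or from OVH): the first flags hook lines that are not indented under an iface stanza, the layout Alwin points at in post 2; the second confirms that the PREROUTING DNAT rules are actually present in `iptables -t nat -S` output, which is what was missing in the first and last posts. The sample interfaces file and nat listing are constructed from the first post, and the "PORT->IP:PORT" argument format is this example's own convention.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for the symptoms above:
# 1) flag pre-/post-up/down hook lines in an ifupdown interfaces file that are
#    not indented inside an iface stanza (the layout Alwin points at);
# 2) confirm that expected PREROUTING DNAT rules appear in `iptables -t nat -S`
#    output (the rules that were missing in the first and last posts).

# Prints every hook line that sits at column 0 or outside an iface stanza;
# returns 1 if any were found, 0 otherwise.
check_ifupdown_hooks() {
    awk '
        /^iface[ \t]/ { in_iface = 1; next }
        /^(auto|allow-[a-z]+|source|source-directory|mapping)[ \t]/ { in_iface = 0; next }
        /^[ \t]*(pre-up|up|post-up|pre-down|down|post-down)[ \t]/ {
            if ($0 ~ /^[^ \t]/ || !in_iface) {
                printf "line %d: hook not indented under an iface stanza: %s\n", NR, $0; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# $1 = file holding `iptables -t nat -S` output; further args = "PORT->IP:PORT".
# Lists each expected DNAT rule that is absent; returns 1 if any is missing.
check_dnat_rules() {
    nat_out=$1; shift; rc=0
    for want in "$@"; do
        port=${want%%->*}; dst=${want#*->}
        # iptables -S prints the --to alias used in the post as --to-destination
        grep -Eq -- "^-A PREROUTING .*--dport $port .*-j DNAT --to-destination $dst" "$nat_out" \
            || { echo "missing DNAT rule: $want"; rc=1; }
    done
    return $rc
}

# Constructed samples, trimmed from the first post: hooks left at column 0 and
# the nat table as reported there, which lacks both DNAT rules.
WORK=$(mktemp -d); SAMPLE_IFACES=$WORK/interfaces; SAMPLE_NAT=$WORK/nat.out
cat > "$SAMPLE_IFACES" <<'EOF'
iface vmbr1 inet static
        post-up iptables -t nat -A POSTROUTING -s '192.168.147.0/24' -o vmbr0 -j MASQUERADE
auto vmbr0
iface vmbr0 inet static
        bridge_ports eno1
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2003 -j DNAT --to 192.168.147.3:22
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 2003 -j DNAT --to 192.168.147.3:22
EOF
cat > "$SAMPLE_NAT" <<'EOF'
-P PREROUTING ACCEPT
-A POSTROUTING -s 192.168.147.0/24 -o vmbr0 -j MASQUERADE
EOF
```

After sourcing, `check_ifupdown_hooks "$SAMPLE_IFACES"` reports the two column-0 hooks and `check_dnat_rules "$SAMPLE_NAT" "2003->192.168.147.3:22"` reports the missing rule; on a real host point them at /etc/network/interfaces and at a file saved from `iptables -t nat -S`.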
     