Postrouting / NAT : very strange issue

[Hyperman]

Hello,

Sorry if my question is stupid : I'm new on promox environnement.

I'm trying to make a new installation with a Firewall VM (and not use promox FW). But I only have 1 Public Ip Adresss (OVH lowcost contrainst)

You can found some information (schema, screenshot, and config File) in attachment. Ask for other information.

I found many discussion about this kind of configuration on Internet => So I think it's possible...

My firewall VM (PFSENSE) working fine, can be reachable from internet, and can reached the internet (DNS resolution, package download, ...). So SNAT and DNAT are OK on promox server.
FYI, This firewall make SNAT for all outbound traffic (comming from LAN 192.168.50.0/24) with its "WAN" Interface (192.168.51.254)

My Debian VM have an issue : it can't reach the internet. After several hours of debug, my analysis shows me this:

• When paquet is sent (created) by the FW VM, postrouting iptable (for SNAT) on proxmox server working fine.
  
• When paquet is sent (created) by my debian VM, the paquet is SNAT by pfsense VM but postrouting iptable (for SNAT) on proxmox server is not applied (postrouting seem not applied at all). My paquet stayed with 192.168.51.254 source IP on vmbr0 interface.
  
• In theses 2 cases, source IP address is 192.168.51.254, in proxmox point of view

Someone know why ??

Thank you !

 

[Hyperman]

No idea ?

 

[Hyperman]

In some case (I don't know why) ping flows are working... Ex :
Ping to 8.8.8.8 is OK and is SNAT by PFSense and Proxmox host
Nslookup with 8.8.8.8 is KO : SNAT by PFSense but not by Proxmox host

Other information : I have same issue with input flow (ex: input flow are DNAT to my VM, but answer is not SNAT on proxmox host)