Private container network: outgoing traffic not working

elagil
Jan 4, 2020
Hello!

I want to create a private network for my containers (IP range 10.10.200.0/24), and allow these containers to establish outbound connections.
pve is used in a local network, and my pve host connects to my network with a VLAN-aware bridge. I use various VLANs, and VLAN20 shall be used for the outbound connections of the container network.

According to the official tutorial on this topic, I set up the following. I use no firewall.

Host /etc/network/interfaces:
Code:
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
#Main VLAN-aware bridge

auto vmbr1
iface vmbr1 inet static
        address 10.10.200.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        # Enable forwarding
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        # Add rule to rewrite (masquerade) outgoing packets from vmbr1
        # to appear as coming from the IP address of VLAN20
        post-up   iptables -t nat -A POSTROUTING -s '10.10.200.0/24' -o vlan20 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.200.0/24' -o vlan20 -j MASQUERADE
#Proxmox guests private network 10.10.200.0

auto vlan20
iface vlan20 inet manual
        vlan-raw-device vmbr0
#lan

# There are some more VLANs that are removed here.

source /etc/network/interfaces.d/*

Container network configuration (Ubuntu 22.04 LXC):
[screenshot of the container's network settings; image not reproduced here]

I can ping the host on 10.10.200.1, but not my network's router on VLAN20 which lives at 10.10.20.1.

What could I be missing? Thanks in advance!
 
Hello,
I would still give the outbound interface name rather than the VLAN name. Traffic will be forced into the VLAN you assigned anyway, but iptables may not recognize it as an interface to link outgoing traffic to, and may expect a real interface name.
Try:

post-up iptables -t nat -A POSTROUTING -s '10.10.200.0/24' -o vmbr0 -j MASQUERADE
instead of your post-up rule.

Kind regards,

--
Guillaume Delanoy
 
Thanks for the suggestion! I tried it, but it doesn't work. I imagine that vmbr0 points to the trunk and not some particular VLAN.
I also tried vmbr0.20, but that did not work either.
 
Hi, you have this in your example:
Code:
        # Add rule to rewrite (masquerade) outgoing packets from vmbr1
        # to appear as coming from the IP address of VLAN20
but your vlan20 interface has no IP address in the example ;-)
 
:D

Suddenly it works!

At least I get DNS resolution and I can ping the VLAN20 members. A ping to google does not respond yet.
 
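The fix in this thread comes down to one rule: the interface named in the MASQUERADE rule's `-o` must carry an IP address on the host, otherwise there is nothing to masquerade behind. The following is an added example (not code from the original post or from Proxmox) that lints an ifupdown-style `/etc/network/interfaces` for exactly that mistake, and also checks that the private bridge's stanza enables `ip_forward`. The two sample configurations are constructed: the broken one mirrors the posted setup, and the fixed one gives `vlan20` a made-up host address `10.10.20.5/24` with the thread's router `10.10.20.1` as gateway.

```python
"""Lint /etc/network/interfaces for a MASQUERADE rule whose egress
interface has no address. Added example, not from the original post."""
import shlex
from dataclasses import dataclass, field


@dataclass
class Iface:
    name: str
    method: str                      # static, manual, dhcp, loopback ...
    addresses: list = field(default_factory=list)
    post_up: list = field(default_factory=list)


def parse_interfaces(text):
    """Return {name: Iface} for every 'iface NAME inet METHOD' stanza."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                 # blank lines and comments
        parts = line.split()
        if parts[0] == "iface" and len(parts) >= 4:
            current = Iface(name=parts[1], method=parts[3])
            ifaces[current.name] = current
        elif current is None:
            continue                 # auto/source lines before any stanza
        elif parts[0] == "address":
            current.addresses.append(parts[1])
        elif parts[0] == "post-up":
            current.post_up.append(line[len("post-up"):].strip())
    return ifaces


def masquerade_rules(ifaces):
    """Yield (stanza, source_cidr, out_iface) for each post-up MASQUERADE rule."""
    for iface in ifaces.values():
        for cmd in iface.post_up:
            argv = shlex.split(cmd)  # handles the quoted '10.10.200.0/24'
            if not argv or "iptables" not in argv[0] or "MASQUERADE" not in argv:
                continue
            out_if = argv[argv.index("-o") + 1] if "-o" in argv else None
            src = argv[argv.index("-s") + 1] if "-s" in argv else None
            yield iface.name, src, out_if


def lint(text):
    """Return a list of problems; an empty list means the config passes."""
    ifaces = parse_interfaces(text)
    problems = []
    for stanza, _src, out_if in masquerade_rules(ifaces):
        if out_if is None:
            problems.append(f"{stanza}: MASQUERADE rule has no -o interface")
            continue
        egress = ifaces.get(out_if)
        if egress is None:
            problems.append(f"{stanza}: -o {out_if} is not defined in this file")
        elif not egress.addresses and egress.method != "dhcp":
            problems.append(f"{stanza}: -o {out_if} has no address (method "
                            f"'{egress.method}'), so there is no source IP "
                            "to masquerade behind")
        # Only this file is inspected; ip_forward may also be set via sysctl.
        if not any("ip_forward" in cmd for cmd in ifaces[stanza].post_up):
            problems.append(f"{stanza}: ip_forward is not enabled in this stanza")
    return problems


# Constructed sample: the posted setup, with vlan20 left 'manual' (no address).
BROKEN = """
auto vmbr1
iface vmbr1 inet static
        address 10.10.200.1/24
        bridge-ports none
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.200.0/24' -o vlan20 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.200.0/24' -o vlan20 -j MASQUERADE

auto vlan20
iface vlan20 inet manual
        vlan-raw-device vmbr0
"""

# Constructed fix: vlan20 gets a host address (10.10.20.5 is made up) and the
# thread's router 10.10.20.1 as its gateway.
FIXED = BROKEN.replace(
    "iface vlan20 inet manual",
    "iface vlan20 inet static\n        address 10.10.20.5/24\n        gateway 10.10.20.1",
)

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(cfg) or "OK")
```

Run against the posted configuration the lint reports that `vlan20` is `manual` with no address, which is the defect the last reply pointed out. The same check also explains why the earlier suggestion of `-o vmbr0` did not help: in the posted file `vmbr0` is likewise `inet manual` with no address, so it would be flagged the same way.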