[SOLVED] Proxmox 4 - LXC container + private IP + postrouting rule = internet access issue

michaelj

Hi pve users,

I'm new to this mailing list, so hi everybody.

I'm running a new server with Proxmox 4 (4.4.10-1-pve), and I want to migrate my containers from my Proxmox 3 server.

I've followed this guide https://pve.proxmox.com/wiki/Convert_OpenVZ_to_LXC.

The migration for a container with two network devices (eth0 = public IP and eth1 = private IP) works (switching venet to eth).


This is my server configuration:

vmbr0 Link encap:Ethernet HWaddr 0c:c4:7a:c4:e1:3e
inet addr:164.x.x.x Bcast:164.x.x.x Mask:255.255.255.0
inet6 addr: 2001:41d0:1008:1911::/64 Scope:Global
inet6 addr: fe80::ec4:7aff:fec4:e13e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2083999 errors:0 dropped:0 overruns:0 frame:0
TX packets:1584895 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9933515436 (9.2 GiB) TX bytes:270625982 (258.0 MiB)

vmbr2 Link encap:Ethernet HWaddr 0c:c4:7a:c4:e1:3f
inet addr:172.25.x.x Bcast:172.25.x.x Mask:255.255.0.0
inet6 addr: fe80::ec4:7aff:fec4:e13f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:686889 errors:0 dropped:0 overruns:0 frame:0
TX packets:22767 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:36857076 (35.1 MiB) TX bytes:1714452 (1.6 MiB)


route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 164.x.x.x 0.0.0.0 UG 0 0 0 vmbr0
164.x.x.x * 255.255.255.0 U 0 0 0 vmbr0
172.25.0.0 * 255.255.0.0 U 0 0 0 vmbr2
224.0.0.0 * 240.0.0.0 U 0 0 0 vmbr2

This is my CT configuration with two interfaces (works):

eth0 Link encap:Ethernet HWaddr 3a:32:64:31:37:37
inet addr:5.x.x.x Bcast:5.x.x.x Mask:255.255.255.224
inet6 addr: fe80::3832:64ff:fe31:3737/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:775974 errors:0 dropped:0 overruns:0 frame:0
TX packets:100616 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:69195377 (65.9 MiB) TX bytes:39651385 (37.8 MiB)

eth1 Link encap:Ethernet HWaddr 66:65:34:61:66:37
inet addr:172.25.x.x Bcast:172.25.x.x Mask:255.255.255.255
inet6 addr: fe80::6465:34ff:fe61:6637/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:679412 errors:0 dropped:0 overruns:0 frame:0
TX packets:22406 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:44403026 (42.3 MiB) TX bytes:10242758 (9.7 MiB)

route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 5.x.x.x 0.0.0.0 UG 0 0 0 eth0
5.x.x.x * 255.255.255.224 U 0 0 0 eth0
172.25.0.0 * 255.255.0.0 U 0 0 0 eth1

ping private network > ok
ping google > ok

However, when I have a container with only one interface, eth1 (private IP), I can't reach the internet, even though I have a postrouting rule like:

This is my CT configuration (does not work):

eth1 Link encap:Ethernet HWaddr 32:61:65:34:30:31
inet addr:172.25.x.x Bcast:172.25.x.x Mask:255.255.255.255
inet6 addr: fe80::3061:65ff:fe34:3031/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:144622 errors:0 dropped:0 overruns:0 frame:0
TX packets:21624 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9773350 (9.3 MiB) TX bytes:3256302 (3.1 MiB)

route
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 0.0.0.0 U 0 0 0 eth1

iptables postrouting rule
iptables -t nat -A POSTROUTING -s 172.25.x.x/32 -o vmbr0 -j SNAT --to server_host_ip

ping private network > ok
ping google > KO

But the same configuration works on Proxmox 3 ....

Can someone please help me?

Regards.
 
iptables postrouting rule
iptables -t nat -A POSTROUTING -s 172.25.x.x/32 -o vmbr0 -j SNAT --to server_host_ip

Try

Code:
iptables -t nat -A POSTROUTING -s 172.25.x.x/32 -o vmbr0 -j MASQUERADE

But the same configuration works on Proxmox 3 ....

If venet0 has been used it cannot be compared.
 
Hi Richard,

Thanks for your reply.

Your rule "iptables -t nat -A POSTROUTING -s 172.25.x.x/32 -o vmbr0 -j MASQUERADE" is not working.

I don't know if it can help you:

Under Proxmox 3 the same virtual machine was using this network configuration, and I was able to ping my private network and outside (internet).

/etc/network/interfaces
# Auto generated lo interface
auto lo
iface lo inet loopback

# Auto generated venet0 interface
auto venet0
iface venet0 inet manual
    up ifconfig venet0 up
    up ifconfig venet0 127.0.0.2
    up route add default dev venet0
    down route del default dev venet0
    down ifconfig venet0 down

iface venet0 inet6 manual
    up route -A inet6 add default dev venet0
    down route -A inet6 del default dev venet0

auto venet0:0
iface venet0:0 inet static
    address 172.25.x.x
    netmask 255.255.255.255

route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 0.0.0.0 U 0 0 0 venet

postrouting rule
iptables -t nat -A POSTROUTING -s 172.25.x.x/32 -o vmbr0 -j SNAT --to public_host_ip


Under Proxmox 4, I'm using ethX and not venetX; this is my configuration:

/etc/network/interfaces

auto eth1
iface eth1 inet static
    address 172.25.x.x
    netmask 255.255.255.255

route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 0.0.0.0 U 0 0 0 eth0

postrouting rule
iptables -t nat -A POSTROUTING -s 172.25.19.12/32 -o vmbr0 -j SNAT --to public_host_ip

With this configuration, I'm only able to ping my private network ..

Regards
 
Under Proxmox 4, I'm using ethX and not venetX; this is my configuration:

/etc/network/interfaces

auto eth1
iface eth1 inet static
    address 172.25.x.x
    netmask 255.255.255.255

route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 0.0.0.0 U 0 0 0 eth0

postrouting rule
iptables -t nat -A POSTROUTING -s 172.25.19.12/32 -o vmbr0 -j SNAT --to public_host_ip

With this configuration, I'm only able to ping my private network ..

Cannot work - since ethX in a container is also a "normal" interface, a gateway has to be defined; the routing table has to look like this (the address is only an example):


Code:
Kernel IP routing table
Destination  Gateway     Genmask  Flags Metric Ref  Use Iface
default      172.25.1.1  0.0.0.0  UG    0      0    0   eth0
 
Hi,

I solved my issue by adding the private server host IP as the container's gateway.

Thanks.
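
A check for the failure mode in this thread, added here as an illustration and not posted by any participant: it classifies the default route in `route` or `route -n` output as gateway-backed or device-only. The function name and the sample tables are constructed; 172.25.1.1 is the example address from the reply above.

```shell
#!/bin/sh
# Added example (not from the thread): classify the default route found in
# `route` / `route -n` output read from stdin. Prints one of:
#   ok <gateway> <iface>    default route goes through a gateway (flag G)
#   no-gateway <iface>      device-only default route, the state that left
#                           the eth1-only container without internet access
#   missing                 no default route at all
check_default_route() {
    awk '
        # Default rows start with "default" (route) or 0.0.0.0 (route -n).
        $1 == "default" || ($1 == "0.0.0.0" && $3 == "0.0.0.0") {
            found = 1
            gw = $2; flags = $4; iface = $NF
            if (flags ~ /G/ && gw != "*" && gw != "0.0.0.0")
                print "ok", gw, iface
            else
                print "no-gateway", iface
            exit
        }
        END { if (!found) print "missing" }
    '
}

# Constructed samples modelled on the routing tables quoted in the thread.
BROKEN_TABLE='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 0.0.0.0 U 0 0 0 eth1'

FIXED_TABLE='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.25.1.1 0.0.0.0 UG 0 0 0 eth1'

printf '%s\n' "$BROKEN_TABLE" | check_default_route
printf '%s\n' "$FIXED_TABLE"  | check_default_route

# Inside a container: route -n | check_default_route
```

A `no-gateway` result on a veth-style ethX interface means packets for off-link destinations are never handed to the host, so the host's POSTROUTING rule never sees them.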
 
