Hi,
I have tried upgrading environment on my host, runnning Proxmox 7.4-19. Went not too smoothly - I had troubles with accessing machine (ping replied but ssh or 8006 ports were unavailable), but after few reboots with cycling through various kernels I ended up on host being fully functional, on kernel 6.2.11-2-pve.
However, something bad happened with guests reachability. All guests are running, but can't be reached. I have all iptables rules loaded, both SNAT and DNAT, but it seems like something is blocking it.
I have a vmbr0 bridge with address 192.168.3.254/24, and all guests are in the same /24 network.
I tried checking with tcpdump, and it shows that traffic reaches the host, but does not go anywhere further.
What is even stranger, SNAT rule works but only partially. The packets leave guest, are translated, sent to the internet, reply is received... and then no translation to the guest:
03:07:58.325749 veth201i0 P IP 192.168.3.201 > 1.1.1.1: ICMP echo request, id 48263, seq 1, length 64
03:07:58.325753 fwln201i0 Out IP 192.168.3.201 > 1.1.1.1: ICMP echo request, id 48263, seq 1, length 64
03:07:58.325753 fwpr201p0 P IP 192.168.3.201 > 1.1.1.1: ICMP echo request, id 48263, seq 1, length 64
03:07:58.325753 vmbr0 In IP 192.168.3.201 > 1.1.1.1: ICMP echo request, id 48263, seq 1, length 64
03:07:58.325787 eno1 Out IP my_external_ip.49 > 1.1.1.1: ICMP echo request, id 48263, seq 1, length 64
03:07:58.331163 eno1 In IP 1.1.1.1 > my_external_ip: ICMP echo reply, id 48263, seq 1, length 64
Any idea what is going on? I am running out of ideas, it is 3 a.m. and in few hours I'll start getting calls
My iptables rules are quite simple (I included DNAT rules just for one guest):
# Generated by iptables-save v1.8.7 on Fri Jan 24 03:11:53 2025
*raw
REROUTING ACCEPT [26729:5199616]
:OUTPUT ACCEPT [9161:3771434]
COMMIT
# Completed on Fri Jan 24 03:11:53 2025
# Generated by iptables-save v1.8.7 on Fri Jan 24 03:11:53 2025
*filter
:INPUT ACCEPT [2601:218895]
:FORWARD ACCEPT [2138:129802]
:OUTPUT ACCEPT [9162:3771714]
-A INPUT -i eno1 -p tcp -m tcp --dport 111 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s my_home_ip/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -p tcp -m tcp --dport 3128 -j DROP
COMMIT
# Completed on Fri Jan 24 03:11:53 2025
# Generated by iptables-save v1.8.7 on Fri Jan 24 03:11:53 2025
*nat
REROUTING ACCEPT [3172:176863]
:INPUT ACCEPT [1654:91348]
:OUTPUT ACCEPT [128:7704]
OSTROUTING ACCEPT [132:8004]
-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.54:80
-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.3.54:443
-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.3.47:25
-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.3.47:110
-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 465 -j DNAT --to-destination 192.168.3.47:465
-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 587 -j DNAT --to-destination 192.168.3.47:587
-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.3.47:993
-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.3.47:995
-A POSTROUTING -s 192.168.3.0/24 -o eno1 -j SNAT --to-source my_external_ip
COMMIT
# Completed on Fri Jan 24 03:11:53 2025
I have tried upgrading environment on my host, runnning Proxmox 7.4-19. Went not too smoothly - I had troubles with accessing machine (ping replied but ssh or 8006 ports were unavailable), but after few reboots with cycling through various kernels I ended up on host being fully functional, on kernel 6.2.11-2-pve.
However, something bad happened with guests reachability. All guests are running, but can't be reached. I have all iptables rules loaded, both SNAT and DNAT, but it seems like something is blocking it.
I have a vmbr0 bridge with address 192.168.3.254/24, and all guests are in the same /24 network.
I tried checking with tcpdump, and it shows that traffic reaches the host, but does not go anywhere further.
What is even stranger, SNAT rule works but only partially. The packets leave guest, are translated, sent to the internet, reply is received... and then no translation to the guest:
03:07:58.325749 veth201i0 P IP 192.168.3.201 > 1.1.1.1: ICMP echo request, id 48263, seq 1, length 64
03:07:58.325753 fwln201i0 Out IP 192.168.3.201 > 1.1.1.1: ICMP echo request, id 48263, seq 1, length 64
03:07:58.325753 fwpr201p0 P IP 192.168.3.201 > 1.1.1.1: ICMP echo request, id 48263, seq 1, length 64
03:07:58.325753 vmbr0 In IP 192.168.3.201 > 1.1.1.1: ICMP echo request, id 48263, seq 1, length 64
03:07:58.325787 eno1 Out IP my_external_ip.49 > 1.1.1.1: ICMP echo request, id 48263, seq 1, length 64
03:07:58.331163 eno1 In IP 1.1.1.1 > my_external_ip: ICMP echo reply, id 48263, seq 1, length 64
Any idea what is going on? I am running out of ideas, it is 3 a.m. and in few hours I'll start getting calls
My iptables rules are quite simple (I included DNAT rules just for one guest):
# Generated by iptables-save v1.8.7 on Fri Jan 24 03:11:53 2025
*raw
REROUTING ACCEPT [26729:5199616]:OUTPUT ACCEPT [9161:3771434]
COMMIT
# Completed on Fri Jan 24 03:11:53 2025
# Generated by iptables-save v1.8.7 on Fri Jan 24 03:11:53 2025
*filter
:INPUT ACCEPT [2601:218895]
:FORWARD ACCEPT [2138:129802]
:OUTPUT ACCEPT [9162:3771714]
-A INPUT -i eno1 -p tcp -m tcp --dport 111 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s my_home_ip/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -p tcp -m tcp --dport 3128 -j DROP
COMMIT
# Completed on Fri Jan 24 03:11:53 2025
# Generated by iptables-save v1.8.7 on Fri Jan 24 03:11:53 2025
*nat
REROUTING ACCEPT [3172:176863]:INPUT ACCEPT [1654:91348]
:OUTPUT ACCEPT [128:7704]
OSTROUTING ACCEPT [132:8004]-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.3.54:80
-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.3.54:443
-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.3.47:25
-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.3.47:110
-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 465 -j DNAT --to-destination 192.168.3.47:465
-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 587 -j DNAT --to-destination 192.168.3.47:587
-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.3.47:993
-A PREROUTING -d my_external_ip/32 -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.3.47:995
-A POSTROUTING -s 192.168.3.0/24 -o eno1 -j SNAT --to-source my_external_ip
COMMIT
# Completed on Fri Jan 24 03:11:53 2025
