Proxmox OS vmbr internal communication

backkherozzo1985

New Member
Mar 25, 2014
12
0
1
Hi, I installed Proxmox on top of a Debian installation and afterwards I created 4 vmbr for the 4 internal LANs. I also installed NGINX on the Debian host to accept HTTPS requests on port 443 and forward them to the Proxmox GUI port (I've also configured a Let's Encrypt certificate on NGINX). Now I would like to configure NGINX to send syslog logs to an internal VM connected to vmbr1. I can't understand why the Debian operating system where I installed Proxmox can't reach the internal VMs connected to the vmbrX. Can someone help me? Thank you
 

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
1,444
133
63
* Please post the network config of your proxmox node and the network config of the VM which proxmox cannot reach
* can you ping the vm?
* do you have a firewall enabled?
* can the vm reach the internet/its gateway?
 

backkherozzo1985

Hi, thank you for your quick answer.

This is the Proxmox interfaces config:

# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

iface enp2s0 inet static
address public ip
netmask 255.255.255.224
up route add -net public broadcast ip netmask 255.255.255.224 gw public ip dev enp2s0
# route X.X.X.X/27 via X.X.X.X

auto vmbr0
iface vmbr0 inet static
address public ip
netmask 255.255.255.0
gateway public gateway
bridge-ports enp2s0
bridge-stp off
bridge-fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE

auto vmbr1
iface vmbr1 inet static
address 192.168.1.0
netmask 24
bridge-ports none
bridge-stp off
bridge-fd 0
#inside LAN1

auto vmbr2
iface vmbr2 inet static
address 192.168.2.0
netmask 24
bridge-ports none
bridge-stp off
bridge-fd 0
post-up iptables -t nat -A POSTROUTING -s '192.168.2.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.2.0/24' -o vmbr0 -j MASQUERADE
#inside LAN2

auto vmbr3
iface vmbr3 inet static
address 192.168.3.0
netmask 24
bridge-ports none
bridge-stp off
bridge-fd 0
#inside LAN3

auto vmbr4
iface vmbr4 inet static
address 192.168.4.0
netmask 24
bridge-ports none
bridge-stp off
bridge-fd 0
#inside LAN4

auto vmbr200
iface vmbr200 inet static
address 192.168.200.0
netmask 24
bridge-ports none
bridge-stp off
bridge-fd 0
post-up iptables -t nat -A POSTROUTING -s '192.168.200.254/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.200.254/24' -o vmbr0 -j MASQUERADE
#wan VPN

The VM network is connected to vmbr1 and I configured the following static IP:

IP address 192.168.1.5
Netmask 255.255.255.0
Gw 192.168.1.1

I can't ping the VM; for testing I disabled the firewall on the VM and also on Proxmox.

The VM can reach the vmbr gateway 192.168.1.1 and also the internet.
 

Stoiko Ivanov

Please check the reference documentation - the setup there should work: https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#_masquerading_nat_with_span_class_monospaced_iptables_span

Things that seem odd on a first look:
* don't configure an ip on an interface which you put in a bridge (enp2s0)
* the `route` command does not make sense (even if I replace the placeholders) - you just set the link-local route again (which happens if you configure the IP and netmask in the interfaces file)
* using the .0 address of a /24 is odd - AFAIK this is the network-address, and I'm not too sure that the network stack works with that as IP - use the .1 on the node and the same address as gateway for your guests

hope this helps!
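
A check for the first and third points in the reply above, as an added example that is not part of the original posts: it parses ifupdown `iface` stanzas and flags an IP configured on a bridge port and an address that is the network or broadcast address of its subnet. The sample input is constructed, and `parse_stanzas` and `check` are hypothetical helper names.

```python
import ipaddress
# Constructed sample; 203.0.113.10 stands in for the redacted public IP.
SAMPLE = """\
iface enp2s0 inet static
    address 203.0.113.10
    netmask 255.255.255.224
iface vmbr0 inet static
    address 203.0.113.10
    netmask 255.255.255.0
    bridge-ports enp2s0
iface vmbr1 inet static
    address 192.168.1.0
    netmask 24
    bridge-ports none
"""

def parse_stanzas(text):
    """Return {iface: {option: value}} for each 'iface' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "iface":
            current = stanzas.setdefault(words[1], {})
        elif words[0] in ("auto", "allow-hotplug", "source"):
            current = None
        elif current is not None:
            current[words[0]] = " ".join(words[1:])
    return stanzas

def check(text):
    """Flag the two addressing mistakes pointed out in the reply above."""
    stanzas = parse_stanzas(text)
    ports = {p: br for br, o in stanzas.items()
             for p in o.get("bridge-ports", "").split() if p != "none"}
    findings = []
    for name, opts in stanzas.items():
        if "address" not in opts:
            continue
        addr = opts["address"]
        iface = ipaddress.ip_interface(
            addr if "/" in addr else f"{addr}/{opts.get('netmask', '32')}")
        net = iface.network
        if name in ports:
            findings.append((name, f"has an IP but is a port of {ports[name]}"))
        if net.num_addresses > 2 and iface.ip in (net[0], net[-1]):
            findings.append((name, f"{iface.ip} is the network or broadcast address of {net}"))
    return findings
```

Calling `check()` on the contents of `/etc/network/interfaces` returns a list of `(interface, message)` tuples; an empty list means neither problem was found.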
 

backkherozzo1985

Hi, I modified all vmbr addresses and now I can reach the internal VMs from the operating system where I installed Proxmox. Before this change the default gateway of the internal networks was configured on pfsense (a VM on Proxmox); now, instead, the default gateways are the vmbr (192.168.X.1). Now these addresses are configured on the vmbr. To manage the internal LANs as I previously configured, can I change the vmbr addresses to, for example, 192.168.X.254 and keep 192.168.X.1 as the pfSense gateway? Thank you for your help
 

Stoiko Ivanov

> Before this change the default gateway of the internal networks was configured on pfsense

This should also work? (it would have helped if you mentioned that before)

just configure a different ip on the PVE-node (not the .0, .254 should work probably as well).

It would also work if you do the NAT on the pfsense..

just think of the vmbr as switches - whatever you plug in there should be able to communicate with the other ports on layer 2

make sure that you've configured the pfsense to forward ip traffic and to allow pings etc.

hope this helps!
 

backkherozzo1985

Thank you for your support. After the vmbr change it seems that everything works as expected. What function does the IP that is configured on the vmbr have? From the internal LAN, if I try to access it from the browser I see the Proxmox GUI, so I think it becomes a management IP. Thank you
 
