Proxmox VM and host machine cannot make outgoing requests

Swackles

New Member
Jan 10, 2025
I have set up Proxmox on a dedicated server. I currently have one VM running on a dedicated IP address that works as expected. But I had to set up a few more VMs that do not need to be accessed from the outside, and for this I decided to use NAT.

While setting up the VM behind NAT I discovered that the VM, while having access to the network, doesn't have complete access to the internet. It can successfully ping the outside world and resolve hostnames, but it is not able to make outgoing requests (as an example) by using wget. These requests just time out. After a bit of debugging I also discovered that my host machine has the exact same issue.

My initial guess was that this was due to a firewall rule. After a bit of debugging I discovered that by default the firewall is off on Proxmox, so I ended up enabling it. Although it changed nothing. I also thought that maybe it's a NAT config issue, so I ended up taking out the vmbr1 interface and everything under it. This also didn't change anything, so I'm fairly certain that this is indeed a firewall issue, but I'm unable to figure out what.

Does anyone have any ideas on what might be causing this?

Possibly relevant configs:

/etc/network/interfaces
Code:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp41s0
iface enp41s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address <ip>
        gateway <gateway>
        bridge-ports enp41s0
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet static
        address 10.10.0.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

post-up echo 1 > /proc/sys/net/ipv4/ip_forward

post-up   iptables -t nat -A POSTROUTING -s '10.10.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.10.0.0/24' -o vmbr0 -j MASQUERADE
post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

/etc/pve/nodes/<name>/host.fw
Code:
[OPTIONS]

enable: 1

[RULES]

IN ACCEPT -p tcp -log nolog
OUT ACCEPT -p tcp -log nolog
 
Hi,

Your `/etc/network/interfaces` definition is not valid.
Pay attention to the indentation.

Test it with the following command.
Bash:
ifup --no-act -a

You should see errors and warnings

I strongly encourage you to follow the Proxmox documentation.
Proxmox Network Configuration - Masquerading (NAT) with iptables

In addition, make sure the following line is at the end of the file.
`source /etc/network/interfaces.d/*`

Below is a working sample
Code:
auto lo
iface lo inet loopback

iface lo inet6 loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
 address 192.168.10.2/24
 gateway 192.168.10.1
 bridge-ports eno1
 bridge-stp off
 bridge-fd 0

auto vmbr1
iface vmbr1 inet static
 address 10.10.0.1/24
 bridge-ports none
 bridge-stp off
 bridge-fd 0

 post-up echo 1 > /proc/sys/net/ipv4/ip_forward
 post-up   iptables -t nat -A POSTROUTING -s '10.10.0.0/24' -o vmbr0 -j MASQUERADE
 post-down iptables -t nat -D POSTROUTING -s '10.10.0.0/24' -o vmbr0 -j MASQUERADE

 post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
 post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

source /etc/network/interfaces.d/*
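Since the advice above is to validate the file before reloading, here is a small lint for `/etc/network/interfaces` as an added example (it is not part of this thread, Proxmox or ifupdown). It strips indentation and attaches every option line to the most recent `iface` stanza, then flags the mistakes that come up in this kind of NAT setup: an option line before any stanza, `bridge-ports off` (the keyword is `none`), an `address` on an `inet manual` stanza, a stanza with an address that nothing brings up (no `auto` line and not a bridge port), a /32 address with a gateway but no `pointopoint`, and a MASQUERADE rule whose `-o` interface has no stanza. The sample configuration at the bottom is constructed to trip every check; the interface names and addresses in it are placeholders.

```shell
#!/usr/bin/env sh
# Lint an /etc/network/interfaces file (read on stdin) for mistakes that
# break NAT setups like the one in this thread. Prints one finding per
# line and returns 1 if anything was found. Added example, not Proxmox
# or ifupdown tooling.
lint_interfaces() {
    awk '
    function finding(where, msg) { n++; print where ": " msg }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }       # comments, blank lines
    {
        sub(/^[[:space:]]+/, "")                         # indentation is stripped, $0 is re-split
        key = $1
    }
    # top-level keywords that belong to no stanza
    key == "source" || key == "source-directory" || key ~ /^allow-/ { next }
    key == "auto" { for (i = 2; i <= NF; i++) auto[$i] = 1; next }
    key == "iface" { stanza = $2; method = $4; seen[stanza] = 1; next }
    key == "mapping" || key == "rename" { stanza = ""; next }
    stanza == "" { finding("line " NR, "misplaced option \"" $0 "\" before any iface stanza"); next }
    # everything below is an option of the current stanza
    key == "address" {
        has_addr[stanza] = 1
        if ($2 ~ /\/32$/) slash32[stanza] = 1
        if (method == "manual")
            finding("line " NR, stanza ": address on an \"inet manual\" stanza, use \"inet static\"")
    }
    key == "netmask" && $2 == "255.255.255.255" { slash32[stanza] = 1 }
    key == "gateway"     { has_gw[stanza] = 1 }
    key == "pointopoint" { has_ptp[stanza] = 1 }
    key == "bridge-ports" {
        if ($2 == "off")
            finding("line " NR, stanza ": \"bridge-ports off\" is not a keyword, use \"bridge-ports none\"")
        for (i = 2; i <= NF; i++) if ($i != "none" && $i != "off") port[$i] = stanza
    }
    key ~ /^post-(up|down)$/ && /MASQUERADE/ {
        for (i = 1; i < NF; i++) if ($i == "-o") nat_out[$(i+1)] = stanza
    }
    END {
        for (s in seen) {
            if (has_addr[s] && s != "lo" && !(s in auto) && !(s in port))
                finding("end", s ": has an address but no \"auto " s "\" and is not a bridge port, so ifup -a skips it")
            if (slash32[s] && has_gw[s] && !has_ptp[s])
                finding("end", s ": /32 address with a gateway but no \"pointopoint\" (Hetzner routed setup)")
        }
        for (o in nat_out) if (!(o in seen))
            finding("end", nat_out[o] ": MASQUERADE leaves via \"" o "\", which has no iface stanza")
        exit (n > 0)
    }'
}

# Constructed sample (placeholder names and addresses) that trips all five checks:
# address on "inet manual", eno1 never brought up, /32 without pointopoint,
# "bridge-ports off", and a MASQUERADE rule leaving via an undefined vmbr2.
SAMPLE_CONFIG='auto lo
iface lo inet loopback

iface eno1 inet manual
  address 203.0.113.10/32
  gateway 203.0.113.1
  hwaddress ether 00:11:22:33:44:55

auto vmbr0
iface vmbr0 inet static
  address 10.0.0.1/24
  bridge-ports off
  bridge-stp off
  bridge-fd 0

auto vmbr1
iface vmbr1 inet static
  address 10.10.0.1/24
  bridge-ports none
  post-up iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o vmbr2 -j MASQUERADE

source /etc/network/interfaces.d/*'

# Demo: prints the five findings and reports that the file needs fixing.
if printf '%s\n' "$SAMPLE_CONFIG" | lint_interfaces; then
    echo "no findings"
else
    echo "config needs fixing"
fi
```

On a host, run it as `lint_interfaces < /etc/network/interfaces` before `ifreload -a`. It complements rather than replaces `ifup --no-act -a`: the lint knows nothing about the driver or bridge addons, it only catches the file-level slips listed above.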
 
ifup --no-act -a
This returns nothing

Been staring at that file for so long, didn't notice the broken indentation, fixed it now. But this hasn't fixed the issue.
 
If you search in that forum, a lot of people (mostly Germans) have issues with that cloud provider.

Check out the official network settings approaches according to your cloud setup:

https://community.hetzner.com/tutorials/install-and-configure-proxmox_ve

In your tries, it seems you want to use the NAT approach only.
Make sure IP forwarding is enabled.
To check, the following commands should return 1.

Bash:
sysctl net.ipv4.ip_forward
sysctl net.ipv6.conf.all.forwarding
 
Yeah, that was one of the guides I used for setting things up, along with the Proxmox docs and plenty of forum searching.

I have another VM that is running on its own IP through vmbr0 and that one works fine. It's just the host machine and the VM behind NAT that cause problems.

sysctl net.ipv4.ip_forward
sysctl net.ipv6.conf.all.forwarding
Both of these return 1
 
Hmm, I think it's because of the strict IP/MAC association policy that Hetzner has in place.
My guess, the MAC address of your VM took the ownership of your public IP.

Maybe you could change it through the Hetzner customer portal?

In that circumstance, I would
  1. Ensure PVE NIC is isolated from any bridge.
  2. Fix the MAC address to the PVE NIC
  3. Make a standalone bridge for public access to internet
  4. Make another standalone bridge for private VM networking

The interfaces config file would look like the following

Code:
auto lo
iface lo inet loopback

iface lo inet6 loopback

auto eno1
iface eno1 inet static
  address <PUBLIC_IP/MASK>
  gateway <PUBLIC_GW>
  hwaddress ether 00:11:22:33:44:55

auto vmbr0
iface vmbr0 inet static
  address 10.0.0.1/24
  bridge-ports none
  bridge-stp off
  bridge-fd 0

auto vmbr1
iface vmbr1 inet static
  address 10.10.0.1/24
  bridge-ports none
  bridge-stp off
  bridge-fd 0
  post-up echo 1 > /proc/sys/net/ipv4/ip_forward
  post-up  iptables -t nat -A POSTROUTING -s '10.10.0.0/24' -o eno1 -j MASQUERADE
  post-down iptables -t nat -D POSTROUTING -s '10.10.0.0/24' -o eno1 -j MASQUERADE

source /etc/network/interfaces.d/*

Replace the MAC address 00:11:22:33:44:55 with the one of your working VM and change the VM's to another random one.

Ensure the default route of your PVE host points to your <PUBLIC_GW>; the output of the following command should look like so.
Bash:
ip route list
# default via <PUBLIC_GW> dev eno1 proto kernel onlink

Finish with an
Bash:
ifreload -a

Then, for VMs which require internet access, add to them a vNIC attached to the bridge vmbr1, then assign an IP within that range and set the gateway to 10.10.0.1.
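The layout proposed above moves the public IP from vmbr0 to the NIC, and the MASQUERADE rule has to follow it (`-o eno1` instead of `-o vmbr0`), otherwise the host keeps working while the VMs silently lose internet. As an added example that is not from the thread or from Proxmox, here is a check of that host-side NAT path. It takes the VM subnet plus the output of `sysctl -n net.ipv4.ip_forward`, `ip route list` and `iptables-save -t nat`, and verifies that forwarding is on, a default route exists, and every MASQUERADE/SNAT rule for the subnet leaves via the same interface as the default route. The command outputs in the block are constructed to match the config above, not captured from a real host.

```shell
#!/usr/bin/env sh
# Verify that ip_forward, the default route and the POSTROUTING MASQUERADE
# rule for a VM subnet agree on one uplink. Added example for this thread,
# not Proxmox tooling. Inputs are passed as strings so it runs offline on
# pasted output as well as live on the host.
#
# usage: check_nat_path <subnet> <ip_forward> "<ip route list>" "<iptables-save -t nat>"
check_nat_path() {
    subnet=$1; fwd=$2; routes=$3; nat=$4; rc=0

    [ "$fwd" = "1" ] || { echo "ip_forward is '$fwd', set net.ipv4.ip_forward=1"; rc=1; }

    # default route line: "default via <gw> dev <dev> proto ... onlink"
    gw=$(printf '%s\n' "$routes" | awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "via") print $(i+1); exit }')
    dev=$(printf '%s\n' "$routes" | awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") print $(i+1); exit }')
    [ -n "$dev" ] || { echo "no default route, the host has no way out either"; rc=1; }

    # -o interface of every POSTROUTING MASQUERADE/SNAT rule matching the subnet
    out=$(printf '%s\n' "$nat" | awk -v s="$subnet" '
        $1 == "-A" && $2 == "POSTROUTING" && /-j (MASQUERADE|SNAT)/ {
            for (i = 1; i < NF; i++) if ($i == "-s" && $(i+1) == s)
                for (j = 1; j < NF; j++) if ($j == "-o") print $(j+1)
        }')
    if [ -z "$out" ]; then
        echo "no POSTROUTING MASQUERADE/SNAT rule for $subnet"; rc=1
    elif [ -n "$dev" ] && ! printf '%s\n' "$out" | grep -qx -- "$dev"; then
        echo "MASQUERADE for $subnet leaves via '$out' but the default route (via ${gw:-?}) uses '$dev'; change -o to $dev"; rc=1
    fi
    return $rc
}

# Constructed output, modelled on the routed layout above (203.0.113.0/24 is a
# documentation prefix standing in for the public IP).
SAMPLE_ROUTES='default via 203.0.113.1 dev eno1 proto kernel onlink
10.0.0.0/24 dev vmbr0 proto kernel scope link src 10.0.0.1
10.10.0.0/24 dev vmbr1 proto kernel scope link src 10.10.0.1'

# Rule left over from when vmbr0 carried the public IP: wrong -o after the move.
SAMPLE_NAT_STALE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.0.0/24 -o vmbr0 -j MASQUERADE
COMMIT'

# Rule that follows the uplink.
SAMPLE_NAT_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.0.0/24 -o eno1 -j MASQUERADE
COMMIT'

# Demo: the stale rule is reported, the corrected one passes.
check_nat_path 10.10.0.0/24 1 "$SAMPLE_ROUTES" "$SAMPLE_NAT_STALE" || echo "stale rule: VM NAT is broken"
check_nat_path 10.10.0.0/24 1 "$SAMPLE_ROUTES" "$SAMPLE_NAT_OK" && echo "corrected rule: OK"
```

On the host itself: `check_nat_path 10.10.0.0/24 "$(sysctl -n net.ipv4.ip_forward)" "$(ip route list)" "$(iptables-save -t nat)"`. It only covers the host's own routing and NAT; a VM that still cannot reach out after this passes should be checked for its gateway (10.10.0.1) and for FORWARD-chain policy in the Proxmox firewall.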
 
Replace the MAC address 00:11:22:33:44:55 by the one of your working VM and change the VM by another random one.
Unfortunately I cannot do that, as the MAC address is explicitly associated with an IP address.

My guess, the MAC address of your VM took the ownership of your public IP.
I wonder though, if this was an issue, wouldn't I be unable to access the host system either? Currently it's only outbound traffic that's being blocked.
 
Unfortunately I cannot do that, as the MAC address is explicitly associated with an IP address.
Perfect, if you know it, set it statically into the config file.

I wonder though, if this was an issue, wouldn't I be unable to access the host system either? Currently it's only outbound traffic that's being blocked.
We never know how cloud providers manage their FW rules :/
Maybe you can still access your PVE host by SSH because of a static rule (e.g. a non-blocking rule) from their side, or their conntrack is still alive, I don't know.

Another check, clear your iptables just to make sure nothing interferes before reloading interfaces.
 
That's weird!

Looking there: https://docs.hetzner.com/robot/dedi...onfig-debian-ubuntu/#etcnetworkinterfaces-eni

it seems pointopoint must be added too, with a /32 netmask.

Code:
auto eno1
iface eno1 inet static
  address <PUBLIC_IP>
  netmask 255.255.255.255
  gateway <PUBLIC_GW>
  pointopoint <PUBLIC_GW>
  hwaddress ether <MAC_ASSIGNED_TO_THE_PUBLIC_IP>

I don't have any more ideas.
The next step is opening a support ticket.
 