ProxMox4 and Knockd

P

PaoloVIP

Active Member
Oct 8, 2015
27
0
41
Dear Sirs,
a curious thing is happening to me. I'm using Proxmox 4, and for security reasons I always used knockd in every my debian server. Also in ProxMox 3, where it worked fine.
In ProxMox4 it doesn't work anymore.
If I test it from the same subnet works fine. From any other network it doesn't. But if I inspect my packets coming on the network card where knockd daemon is listening with tcpdump, it works normally! I'm starting to became crazy. The Proxmox firewall was not used for the moment, while i'm in testing.

This is my network interfaces in Proxmox

Code: 
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.10
        netmask 255.255.255.0
        gateway 192.168.1.254
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        address xxx.11.2.1
        netmask 255.255.255.248
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

auto vmbr2
iface vmbr2 inet static
        address 192.168.0.254
        netmask 255.255.255.0
        bridge_ports eth2
        bridge_stp off
        bridge_fd 0
        post-up iptables -t nat -A POSTROUTING -o vmbr0 -j MASQUERADE
        post-up iptables -A FORWARD -i vmbr0 -o vmbr2 -m state --state RELATED,ESTABLISHED -j ACCEPT
        post-up iptables -A FORWARD -i vmbr2 -o vmbr0 -j ACCEPT

Knockd was installed with apt-get and this is /etc/default/knockd

Code: 
################################################
#
# knockd's default file, for generic sys config
#
################################################

# control if we start knockd at init or not
# 1 = start
# anything else = don't start
#
# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING
START_KNOCKD=1

# command line options
KNOCKD_OPTS="-i vmbr1"

and his /etc/knockd.conf

Code: 
[options]
        logfile = /var/log/knockd.log

[open]
        sequence    = 7000,8000,9000
        seq_timeout = 5
        tcpflags    = syn
        command     = sh /etc/open_p %IP%


[close]
        sequence    = 6000,6005,6010
        seq_timeout = 5
        tcpflags    = syn
        command     = sh /etc/close_p

This is one packet captured with tcpdump ( tcpdump -i vmbr1 dst xxx.11.2.1 -vvv ):

Code: 
13:55:40.122368 IP (tos 0x0, ttl 53, id 17708, offset 0, flags [none], proto TCP (6), length 44)
    host5-2-static.11-xxx-b.xxx.xxx.xx.37494 > host1-2-static.11-xxx-b.xxx.xxx.xx.4001: Flags [S], cksum 0x2397 (correct), seq 1758914948, win 1024, options [mss 1460], length 0

For knoking, on the client side. I use indifferently the knock client found in package (/usr/bin/knock) or a simple nmap script:
Code: 
#!/bin/bash
HOST=$1
echo "Elenco degli argomenti con \"\$@\":"
shift
for ARG in "$@"
do
        nmap -Pn --host_timeout 100 --max-retries 0 -p $ARG $HOST
sleep 1
done
 
Last edited:
Have you specified the network interface in /etc/sysconfig/knockd? It defaults to eth0. Should be something like:

OPTIONS="-i vmbr0" or OPTIONS="-i vmbr1" depending upon your public IP address. Then restart PortKnocker.
 
NerdUno said:
I think your syntax is wrong. OPTIONS is the new magic word. :cool:
Click to expand...

Yep!?

I'm using knockd version 0.5 of zeroflux.org which I found in the Debian Jessie repositories. Maybe is too old? I just see on zerflux site that the actual stable version is 0.7. But the syntax, for my version is correct. I go to try the last version. Thnak you
 
PaoloVIP said:
Code: 
        address xxx.11.2.1

Code: 
[open]
        sequence    = 7000,8000,9000
Click to expand...
Sorry that this is not a solution to your original question, but I'd still recommend changing your publicly posted knock code.

Finding your servers public IPv4 should take only tens of seconds with proper tools to scan only ~240 possible IPv4 addresses.
 
I wonder why it's not using the -n option by default. You should add that at least for debugging as you'll see the actual IP addresses in the tcpdump output rather than names like host5-2-static.11-xxx-b.xxx.xxx.xx

What do your /etc/open_p and /etc/open_c files do? They don't seem to be the standard the package ships with.
 
Nodefield said:
Sorry that this is not a solution to your original question, but I'd still recommend changing your publicly posted knock code.

Finding your servers public IPv4 should take only tens of seconds with proper tools to scan only ~240 possible IPv4 addresses.
Click to expand...

Thank you, but it is totally fake address.
 
Yes, usually I use -nnq switch, I don't know why I used extended form in my previous post. But I don't think it is important.
«What do your /etc/open_p and /etc/open_c files do? They don't seem to be the standard the package ships with.»
Click to expand...

No matter what open_p and close_p are doing (the problem is before), but yes, it is a standard form. You can use the "start_command" to activate a single iptables rule or, if you need, to launch a bash script (like in my case) with multiple iptables rules or any other command you need.
 
But if I inspect my packets coming on the network card where knockd daemon is listening with tcpdump, it works normally!
Click to expand...
Could you elaborate on that - are you saying that while you are using tcpdump on the interface knockd is running on, it is working, as in knockd is actually doing its job, but if you stop tcpdump it stops working?
Or do you just mean that you see the packets you're looking for but nothing's happening?
I thought knockd uses tcpdump? Does it pass any more options other than the ones you specify? Like -p a.k.a. --no-promiscuous-mode? Have you changed any of the interface settings (sysctl variables or whatnot)?
 
wbumiller said:
Could you elaborate on that - are you saying that while you are using tcpdump on the interface knockd is running on, it is working, as in knockd is actually doing its job, but if you stop tcpdump it stops working?

Yes, exactly

Or do you just mean that you see the packets you're looking for but nothing's happening?
I thought knockd uses tcpdump? Does it pass any more options other than the ones you specify? Like -p a.k.a. --no-promiscuous-mode? Have you changed any of the interface settings (sysctl variables or whatnot)?
Click to expand...

Only ipv4 forwarding is active.

Anyway, the problem is not related to proxmox, knockd or nothing else. The problem is caused because the ip associated to virtual bridge and ethernet card is not like I planned to be. Look at my network configuration (only the first two vlans):

Code: 
auto vmbr0
iface vmbr0 inet static
        address 192.168.1.10
        netmask 255.255.255.0
        gateway 192.168.1.254
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        address xxx.3.2.1
        netmask 255.255.255.248
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

Well, it can be normal to suppose that starting to listen on vmbr1, will find any traffic from or to xxx.3.2.1. No, for some reason, in some (for me) criptic case, the traffic for xxx.3.2.1 go through vmbr0.
With ProxMox 4 it is possible to assign to a virtual bridge the "Vlan Aware" option, and if I have understud correctly, this will work to route the packets through ip, instead mac address. But this change nothing for my case.
I simply solved reversing the bridge_ports for this vlans:

Code: 
auto vmbr0
bridge_ports eth1

auto vmbr1
bridge_ports eth0

But I don't know why this happened, maybe for the router and some strange tcp/ip forwarding/assignment decision taken at the moment when the network card and the switch of the router made the first uplink.
 
Do you maybe have conflicting mac addresses? (Some of the randomly generated ones...) Or conflicting IP addresses in the network? (If you use vlans... maybe some vlan tags get dropped in places they shouldn't be dropped causing the IP and mac addresses to get mixed and mess up routing?)
 
wbumiller said:
Do you maybe have conflicting mac addresses? (Some of the randomly generated ones...) Or conflicting IP addresses in the network? (If you use vlans... maybe some vlan tags get dropped in places they shouldn't be dropped causing the IP and mac addresses to get mixed and mess up routing?)
Click to expand...

There are some duplicated mac address, but I thought it was the right thing: the same mac is used for the network card and the correspondent vlan. Is not right? I post my ifconfig (with fake addresses) and route tables. Maybe some kind soul could look at it :)

Code: 
eth0      Link encap:Ethernet  HWaddr 14:dd:a9:4f:0a:f2  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4564 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50065 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:638649 (623.6 KiB)  TX bytes:29590701 (28.2 MiB)
          Memory:f7d00000-f7d7ffff 

eth1      Link encap:Ethernet  HWaddr 14:dd:a9:4f:0a:f3  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:169503 errors:0 dropped:0 overruns:0 frame:0
          TX packets:95192 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:35798797 (34.1 MiB)  TX bytes:19494098 (18.5 MiB)
          Memory:f7c00000-f7c7ffff 

eth2      Link encap:Ethernet  HWaddr 90:e2:ba:94:f5:7c  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:693903 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4025347 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:94093418 (89.7 MiB)  TX bytes:5545051569 (5.1 GiB)

fwbr100i1 Link encap:Ethernet  HWaddr ce:55:ec:95:cc:b5  
          inet6 addr: fe80::604e:daff:fe50:dcc9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:587 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:50298 (49.1 KiB)  TX bytes:648 (648.0 B)

fwbr101i1 Link encap:Ethernet  HWaddr 4a:5c:3f:fe:dd:05  
          inet6 addr: fe80::18d3:ccff:fe01:bddc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:568 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:48670 (47.5 KiB)  TX bytes:648 (648.0 B)

fwbr102i1 Link encap:Ethernet  HWaddr e6:5a:fd:1a:be:8d  
          inet6 addr: fe80::3c33:64ff:fec8:71bc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:542 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:46938 (45.8 KiB)  TX bytes:648 (648.0 B)

fwbr103i1 Link encap:Ethernet  HWaddr f6:1b:eb:44:4e:53  
          inet6 addr: fe80::a47c:9cff:fead:bdde/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:526 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:45946 (44.8 KiB)  TX bytes:648 (648.0 B)

fwln100i1 Link encap:Ethernet  HWaddr ce:55:ec:95:cc:b5  
          inet6 addr: fe80::cc55:ecff:fe95:ccb5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2135 errors:0 dropped:0 overruns:0 frame:0
          TX packets:279 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:162395 (158.5 KiB)  TX bytes:12294 (12.0 KiB)

fwln101i1 Link encap:Ethernet  HWaddr 4a:5c:3f:fe:dd:05  
          inet6 addr: fe80::485c:3fff:fefe:dd05/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3341 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1506 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:347905 (339.7 KiB)  TX bytes:107361 (104.8 KiB)

fwln102i1 Link encap:Ethernet  HWaddr e6:5a:fd:1a:be:8d  
          inet6 addr: fe80::e45a:fdff:fe1a:be8d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2620 errors:0 dropped:0 overruns:0 frame:0
          TX packets:788 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:196337 (191.7 KiB)  TX bytes:76006 (74.2 KiB)

fwln103i1 Link encap:Ethernet  HWaddr f6:1b:eb:44:4e:53  
          inet6 addr: fe80::f41b:ebff:fe44:4e53/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:74632 errors:0 dropped:0 overruns:0 frame:0
          TX packets:64792 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:11673463 (11.1 MiB)  TX bytes:12341251 (11.7 MiB)

fwpr100p1 Link encap:Ethernet  HWaddr 7a:02:7f:61:b1:2d  
          inet6 addr: fe80::7802:7fff:fe61:b12d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:279 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2135 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:12294 (12.0 KiB)  TX bytes:162395 (158.5 KiB)

fwpr101p1 Link encap:Ethernet  HWaddr 82:7c:01:db:58:0b  
          inet6 addr: fe80::807c:1ff:fedb:580b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1506 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3341 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:107361 (104.8 KiB)  TX bytes:347905 (339.7 KiB)

fwpr102p1 Link encap:Ethernet  HWaddr 5a:2b:38:37:b8:ad  
          inet6 addr: fe80::582b:38ff:fe37:b8ad/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:788 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2620 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:76006 (74.2 KiB)  TX bytes:196337 (191.7 KiB)

fwpr103p1 Link encap:Ethernet  HWaddr 6e:74:a2:06:d7:35  
          inet6 addr: fe80::6c74:a2ff:fe06:d735/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:64792 errors:0 dropped:0 overruns:0 frame:0
          TX packets:74632 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:12341251 (11.7 MiB)  TX bytes:11673463 (11.1 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:26212 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26212 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:21643950 (20.6 MiB)  TX bytes:21643950 (20.6 MiB)

veth100i1 Link encap:Ethernet  HWaddr fe:1f:51:42:62:ef  
          inet6 addr: fe80::fc1f:51ff:fe42:62ef/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:264 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1002 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:11088 (10.8 KiB)  TX bytes:62252 (60.7 KiB)

veth100i2 Link encap:Ethernet  HWaddr fe:aa:df:9f:88:ef  
          inet6 addr: fe80::fcaa:dfff:fe9f:88ef/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1080 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:525 (525.0 B)  TX bytes:154153 (150.5 KiB)

veth101i1 Link encap:Ethernet  HWaddr fe:18:ca:a0:46:5f  
          inet6 addr: fe80::fc18:caff:fea0:465f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1491 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2216 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:106155 (103.6 KiB)  TX bytes:248863 (243.0 KiB)

veth101i2 Link encap:Ethernet  HWaddr fe:36:4e:8a:b7:e8  
          inet6 addr: fe80::fc36:4eff:fe8a:b7e8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:204 errors:0 dropped:0 overruns:0 frame:0
          TX packets:879 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:42985 (41.9 KiB)  TX bytes:111353 (108.7 KiB)

veth102i1 Link encap:Ethernet  HWaddr fe:84:e9:5c:f9:e4  
          inet6 addr: fe80::fc84:e9ff:fe5c:f9e4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:773 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1670 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:74800 (73.0 KiB)  TX bytes:109845 (107.2 KiB)

veth102i2 Link encap:Ethernet  HWaddr fe:47:88:c9:ca:a7  
          inet6 addr: fe80::fc47:88ff:fec9:caa7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1019 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:525 (525.0 B)  TX bytes:146563 (143.1 KiB)

veth103i1 Link encap:Ethernet  HWaddr fe:bc:e1:fe:88:45  
          inet6 addr: fe80::fcbc:e1ff:fefe:8845/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:64778 errors:0 dropped:0 overruns:0 frame:0
          TX packets:73462 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:12340174 (11.7 MiB)  TX bytes:11572084 (11.0 MiB)

veth103i2 Link encap:Ethernet  HWaddr fe:9b:98:5d:d6:56  
          inet6 addr: fe80::fc9b:98ff:fe5d:d656/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1005 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1215 (1.1 KiB)  TX bytes:144861 (141.4 KiB)

veth104i0 Link encap:Ethernet  HWaddr fe:28:0a:b1:b6:3f  
          inet6 addr: fe80::fc28:aff:feb1:b63f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:58 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1053 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4752 (4.6 KiB)  TX bytes:171223 (167.2 KiB)

veth105i2 Link encap:Ethernet  HWaddr fe:64:75:2f:c2:84  
          inet6 addr: fe80::fc64:75ff:fe2f:c284/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5408 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5769 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:456595 (445.8 KiB)  TX bytes:802217 (783.4 KiB)

vmbr0     Link encap:Ethernet  HWaddr 14:dd:a9:4f:0a:f2  
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::16dd:a9ff:fe4f:af2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4563 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44804 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:568379 (555.0 KiB)  TX bytes:29243475 (27.8 MiB)

vmbr1     Link encap:Ethernet  HWaddr 14:dd:a9:4f:0a:f3  
          inet addr:172.16.2.1  Bcast:172.16.2.7  Mask:255.255.255.248
          inet6 addr: fe80::16dd:a9ff:fe4f:af3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:262709 errors:0 dropped:0 overruns:0 frame:0
          TX packets:434 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:51460549 (49.0 MiB)  TX bytes:28393 (27.7 KiB)

vmbr2     Link encap:Ethernet  HWaddr 90:e2:ba:94:f5:7c  
          inet addr:192.168.0.254  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::92e2:baff:fe94:f57c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:699272 errors:0 dropped:0 overruns:0 frame:0
          TX packets:604422 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:84805311 (80.8 MiB)  TX bytes:5318974796 (4.9 GiB)

ip route show table main
Code: 
default via 192.168.1.254 dev vmbr0 
172.16.2.0/29 dev vmbr1  proto kernel  scope link  src 172.16.2.1 
192.168.0.0/24 dev vmbr2  proto kernel  scope link  src 192.168.0.254 
192.168.1.0/24 dev vmbr0  proto kernel  scope link  src 192.168.1.10

ip route show table local
Code: 
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1 
broadcast 172.16.2.0 dev vmbr1  proto kernel  scope link  src 172.16.2.1 
local 172.16.2.1 dev vmbr1  proto kernel  scope host  src 172.16.2.1 
broadcast 172.16.2.7 dev vmbr1  proto kernel  scope link  src 172.16.2.1 
broadcast 192.168.0.0 dev vmbr2  proto kernel  scope link  src 192.168.0.254 
local 192.168.0.254 dev vmbr2  proto kernel  scope host  src 192.168.0.254 
broadcast 192.168.0.255 dev vmbr2  proto kernel  scope link  src 192.168.0.254 
broadcast 192.168.1.0 dev vmbr0  proto kernel  scope link  src 192.168.1.10 
local 192.168.1.10 dev vmbr0  proto kernel  scope host  src 192.168.1.10 
broadcast 192.168.1.255 dev vmbr0  proto kernel  scope link  src 192.168.1.10
 
You said ipv4 forwarding is active - on the interfaces, too? Ie check tcpdump output of the eth* interfaces against the vmbr* interfaces. Maybe they come in through the right eth but get routed away somehow? (While running tcpdump on the bridge puts it in promiscuous mode (which it might have lost somehow before) causing it to still receive the package even if it's routed away?)

It would be a simpler testcase without the VMs/CTs running. (also `ip addr` is much more useful than `ifconfig` as it also shows which bridge each interface is connected to).
As for conflicting MACs - sure it's fine in those cases, but I meant like two VMs getting the same mac or VMs from different physical machines or something.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back