PVE Cannot NAT LAN to WAN?

Discussion in 'Proxmox VE: Networking and Firewall' started by JBB, Feb 23, 2015.

  1. JBB

    JBB Member

    Joined:
    Jan 23, 2015
    Messages:
    78
    Likes Received:
    1
    UPDATE: As a result of the research on this thread, it looks like you cannot use private IPs behind your Proxmox host's true IP and masquerade the traffic using NAT, as stated here

    Using Proxmox 3.4, I've given my (Linux) guest both public and private network addresses.

    How can I get the private addresses NAT-ed so that they can ping the public internet (they can ping each other, BTW)?

    Here's my PVE config:

    Screenshot from 2015-02-23 21:53:33.png

    And on the host, I have:

    Code:
    auto lo
    iface lo inet loopback
    
    iface eth0 inet manual
    
    auto vmbr0
    iface vmbr0 inet static
            address  62.x.x.102
            netmask  255.255.255.0
            gateway  62.x.x.1
            bridge_ports eth0
            bridge_stp off
            bridge_fd 0
    
    
    auto vmbr1
    iface vmbr1 inet static
            address  10.10.10.1
            netmask  255.255.255.0
            bridge_ports none
            bridge_stp off
            bridge_fd 0
    
    
            post-up echo 1 > /proc/sys/net/ipv4/ip_forward
            post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
            post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
    
    on the guests:

    Code:
    auto lo
    iface lo inet loopback
    
    auto eth0
    iface eth0 inet static
            address 89.x.x.5
            netmask 255.255.255.0
            network 89.x.x.0
            broadcast 89.x.x.255
            gateway 89.x.x.1
            # dns-* options are implemented by the resolvconf package, if installed
            dns-nameservers 8.8.8.8
            dns-search xxxxx
    
    auto eth1
    iface eth1 inet static
            address  10.10.10.101
            netmask  255.255.255.0
    
     
    #1 JBB, Feb 23, 2015
    Last edited: Feb 27, 2015
  2. Nemesiz

    Nemesiz Active Member

    Joined:
    Jan 16, 2009
    Messages:
    627
    Likes Received:
    35
    Re: How to NAT LAN to WAN?

    Can you show me your bridge details (brctl show)?
     
  3. JBB

    JBB Member

    Joined:
    Jan 23, 2015
    Messages:
    78
    Likes Received:
    1
    Re: How to NAT LAN to WAN?

    Hi - thanks for this! brctl show says:

    Code:
    bridge name    bridge id        STP enabled    interfaces
    vmbr0        8000.549f3517ee74    no        eth0
                                tap100i0
                                tap101i0
    vmbr1        8000.fef17c1ba4ca    no        tap100i1
                                tap101i1
    
     
  4. Nemesiz

    Nemesiz Active Member

    Joined:
    Jan 16, 2009
    Messages:
    627
    Likes Received:
    35
    Re: How to NAT LAN to WAN?

    You want to share Internet through vmbr1 for your VPS in lan and give others direct access through vmbr0 ?
     
  5. JBB

    JBB Member

    Joined:
    Jan 23, 2015
    Messages:
    78
    Likes Received:
    1
    Re: How to NAT LAN to WAN?

    Yes, so essentially have a private network available for things like rsync-ing between VMs, but to also allow those VMs to have separate public IP addresses.

    This is in fact working like that right now (the VMs can all ping each other on their LAN interfaces), but I'd like the LAN to have a gateway to the internet as well. That would mean I could spin up a VM that only had a LAN address and for it still to have access to the public internet.
     
  6. Nemesiz

    Nemesiz Active Member

    Joined:
    Jan 16, 2009
    Messages:
    627
    Likes Received:
    35
    Re: How to NAT LAN to WAN?

    iptables masquerade is enough for that. Check the ip_forward setting.
     
  7. JBB

    JBB Member

    Joined:
    Jan 23, 2015
    Messages:
    78
    Likes Received:
    1
    Re: How to NAT LAN to WAN?

    Thanks - I assume ip_forward needs to be on for the NAT to work, or do you mean I just need to check that it has in fact been set to one?
     
  8. Nemesiz

    Nemesiz Active Member

    Joined:
    Jan 16, 2009
    Messages:
    627
    Likes Received:
    35
    Re: How to NAT LAN to WAN?

    Yes, ip_forward has to be set to 1
     
  9. JBB

    JBB Member

    Joined:
    Jan 23, 2015
    Messages:
    78
    Likes Received:
    1
    Re: How to NAT LAN to WAN?

    Great - thanks for your help on this. Much appreciated.
     
  10. rootkid

    rootkid Member

    Joined:
    Jul 2, 2010
    Messages:
    45
    Likes Received:
    1
    Re: How to NAT LAN to WAN?

    Hi all,

    I've installed & configured PVE 3.3 on a fresh host and am trying to find the "best" networking/routing setup for a scenario like JBB describes here.

    I like the "proxmox integrated firewall" feature but can't really understand why the Proxmox web GUI doesn't let me configure a private bridge that is NATted to the outside world for outbound traffic (SNAT). I've been searching in the Proxmox wiki and here but couldn't find a "built in" solution for this.

    I am planning to set up a cluster with another host node and have read that in this case Proxmox is able to manage firewall rules cluster-wide.

    If I simply add a masquerading rule on my host node now, providing NAT for VMs that don't have any external official IP, how will Proxmox handle this if my cluster is up & running and one node dies?
    Or - generally: does the cluster-firewall feature still work if I extend iptables with my own rules (like NATting)?
    What is the easiest/best way to provide NAT for "local" VMs? I am one step away from creating a firewall VM running pfSense (or similar) just for NATting...


    Hope this doesn't sound too confusing and somebody can help me here!

    BR,
    Heiner
     
  11. dietmar

    dietmar Proxmox Staff Member
    Staff Member

    Joined:
    Apr 28, 2005
    Messages:
    16,279
    Likes Received:
    279
    Re: How to NAT LAN to WAN?

    see section masquerading in:

    https://pve.proxmox.com/wiki/Network_Model

    firewall should work.
     
  12. rootkid

    rootkid Member

    Joined:
    Jul 2, 2010
    Messages:
    45
    Likes Received:
    1
    Re: How to NAT LAN to WAN?

    Many thanks for the fast answer, Dietmar!

    I have seen that part in the wiki. If configured like that and something in /etc/network/interfaces is changed via the web GUI, it deletes those 3 lines, as the diff in the GUI shows:

    Code:
    -        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    -        post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
    -        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
    Because of that I thought: "Proxmox GUI doesn't support NAT in network config, so it won't work in the firewall, too!"

    Is this behavior a bug or is it a feature that I haven't understood yet? I really don't have any problem with editing configs, but I know how easy it is to f*** up perfectly working config files with one wrong click in the GUI*. That's why I always check out the GUI features of a software/product and see how manual entries in configs are handled. In a case like this, if there's no way to get NAT working within the GUI, I don't really want to have it configured within /etc/network/interfaces.

    If you say that NAT is no problem for pve-firewall (even if clustered), I'll try it out and look for another file for those config lines (maybe in rc.local or crontab?) so I can't accidentally delete them within the GUI.

    Thx and BR,
    Heiner


    PS: (*) Please don't get me wrong: I don't think the Proxmox GUI is crap: as far as I can say by now it is brilliant. Especially if compared to v1.x's GUIs :) It's just my general experience with many GUIs I have seen in the 10 years of my Linux history. You guys do a great job! :cool:
     
    #12 rootkid, Feb 25, 2015
    Last edited: Feb 25, 2015
  13. JBB

    JBB Member

    Joined:
    Jan 23, 2015
    Messages:
    78
    Likes Received:
    1
    Re: How to NAT LAN to WAN?

    @rootkid Maybe best to put those lines in files in /etc/network/if-up.d and if-post-down.d accordingly?

    Meanwhile, I've just tried getting all this to work, but it's not happening :-(

    I think I need to add the appropriate routes for each interface on the guest. At least, if I add "gateway 10.10.10.1" for eth1, it works, but then I can't ping the outside from eth0.

    So - looking at how to hack the routing tables now.
     
    #13 JBB, Feb 26, 2015
    Last edited: Feb 26, 2015
  14. dietmar

    dietmar Proxmox Staff Member
    Staff Member

    Joined:
    Apr 28, 2005
    Messages:
    16,279
    Likes Received:
    279
    Re: How to NAT LAN to WAN?

    We try hard to keep that information, but it gets deleted when you change the IP assignment of the interface.
     
  15. rootkid

    rootkid Member

    Joined:
    Jul 2, 2010
    Messages:
    45
    Likes Received:
    1
    Re: How to NAT LAN to WAN?

    Caution: Long Post!

    Short version for the lazy guys:
    I tried everything I know about NAT to get it going on my Proxmox node but had to give up.
    As long as nobody has another clue what else to try, I'll keep using a KVM firewall system for managing VM traffic.


    That's all, so here comes the long version of what i tried to get it done:

    I stopped pve-firewall to ensure iptables is clean:
    Code:
    root@proxmox2:~# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    root@proxmox2:~# 
    root@proxmox2:~# 
    root@proxmox2:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    root@proxmox2:~# 
    



    NAT at the private bridge doesn't work (odoo is the host name of the VM's private IP, vmbr0 is the public net - officially routed 195.71.x.x IP accessible from the www, vmbr1 is the private net 10.0.0.1/8):
    Code:
    root@proxmox2:~# cat /proc/sys/net/ipv4/ip_forward
    1
    root@proxmox2:~# iptables -t nat -A POSTROUTING -o vmbr1 -j MASQUERADE
    root@proxmox2:~# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
    MASQUERADE  all  --  anywhere             anywhere            
    
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    root@proxmox2:~# 
    
    
    root@proxmox2:~# tcpdump -i vmbr0 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vmbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
    11:46:27.824973 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2320, seq 8, length 64
    11:46:28.824960 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2320, seq 9, length 64
    11:46:29.824962 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2320, seq 10, length 64
    ^C
    3 packets captured
    3 packets received by filter
    0 packets dropped by kernel
    root@proxmox2:~#
    


    NAT at the public bridge doesn't work either:
    Code:
    root@proxmox2:~# iptables -t nat -D POSTROUTING -o vmbr1 -j MASQUERADE
    root@proxmox2:~# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    root@proxmox2:~# iptables -t nat -A POSTROUTING -o vmbr0 -j MASQUERADE
    root@proxmox2:~# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  anywhere             anywhere
    
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    root@proxmox2:~# tcpdump -i vmbr0 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vmbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
    12:01:03.834960 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2320, seq 884, length 64
    12:01:04.834981 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2320, seq 885, length 64
    12:01:05.834949 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2320, seq 886, length 64
    12:01:11.842103 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2499, seq 1, length 64
    12:01:12.842010 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2499, seq 2, length 64
    12:01:13.842008 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2499, seq 3, length 64
    12:01:14.841988 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2499, seq 4, length 64
    12:01:15.841950 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2499, seq 5, length 64
    12:01:16.841962 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2499, seq 6, length 64
    12:01:17.841998 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2499, seq 7, length 64
    ^C
    10 packets captured
    10 packets received by filter
    0 packets dropped by kernel
    root@proxmox2:~# 
    


    ... and even if I NAT at the bond0 interface (which contains eth0 and eth1 in active/backup mode):
    Code:
    root@proxmox2:~# tcpdump -i eth0 icmp
    tcpdump: WARNING: eth0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    12:16:34.262020 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2687, seq 22, length 64
    12:16:35.261975 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2687, seq 23, length 64
    12:16:36.262013 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2687, seq 24, length 64
    12:16:37.262023 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2687, seq 25, length 64
    


    just testing:
    Code:
    root@proxmox2:~# iptables -t nat -D POSTROUTING -o bond0 -j MASQUERADE
    root@proxmox2:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    root@proxmox2:~# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    root@proxmox2:~# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  anywhere             anywhere
    MASQUERADE  all  --  anywhere             anywhere
    
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    root@proxmox2:~#
    root@proxmox2:~# tcpdump -i eth0 icmp
    tcpdump: WARNING: eth0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    12:19:15.500957 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2727, seq 9, length 64
    12:19:16.501134 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2727, seq 10, length 64
    12:19:17.500958 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2727, seq 11, length 64
    12:19:18.500957 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2727, seq 12, length 64
    12:19:19.500955 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2727, seq 13, length 64
    ^C
    5 packets captured
    5 packets received by filter
    0 packets dropped by kernel
    root@proxmox2:~# 
    
    ... and ...
    Code:
    root@proxmox2:~# iptables -t nat -A POSTROUTING -o vmbr0 -j SNAT --to-source 195.71.90.123
    root@proxmox2:~# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    SNAT       all  --  anywhere             anywhere             to:195.71.90.123
    
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    root@proxmox2:~# tcpdump -i eth0 icmp
    tcpdump: WARNING: eth0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    12:24:51.652974 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2795, seq 7, length 64
    12:24:52.652946 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2795, seq 8, length 64
    12:24:53.652968 IP odoo > google-public-dns-a.google.com: ICMP echo request, id 2795, seq 9, length 64
    ^C
    3 packets captured
    3 packets received by filter
    0 packets dropped by kernel
    root@proxmox2:~# 
    

    I set up a brand new Debian KVM, eth0 -> vmbr0 (public IP/Net), eth1 -> vmbr1 (private IP/Net):
    Code:
    root@brabebo-gw:~# cat /proc/sys/net/ipv4/ip_forward
    1
    root@brabebo-gw:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    root@brabebo-gw:~# iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
    root@brabebo-gw:~# 



    setting up the nat rule:
    Code:
    root@brabebo-gw:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    root@brabebo-gw:~# iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
    MASQUERADE  all  --  anywhere             anywhere            
    root@brabebo-gw:~# 
    


    and it works!
    Code:
    root@brabebo-gw:~# tcpdump -i eth0 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    12:13:27.422129 IP brabebo-gw > google-public-dns-a.google.com: ICMP echo request, id 2650, seq 8, length 64
    12:13:27.428679 IP google-public-dns-a.google.com > brabebo-gw: ICMP echo reply, id 2650, seq 8, length 64
    12:13:28.422944 IP brabebo-gw > google-public-dns-a.google.com: ICMP echo request, id 2650, seq 9, length 64
    12:13:28.429469 IP google-public-dns-a.google.com > brabebo-gw: ICMP echo reply, id 2650, seq 9, length 64
    12:13:29.423731 IP brabebo-gw > google-public-dns-a.google.com: ICMP echo request, id 2650, seq 10, length 64
    12:13:29.430151 IP google-public-dns-a.google.com > brabebo-gw: ICMP echo reply, id 2650, seq 10, length 64
    12:13:30.424390 IP brabebo-gw > google-public-dns-a.google.com: ICMP echo request, id 2650, seq 11, length 64
    12:13:30.430830 IP google-public-dns-a.google.com > brabebo-gw: ICMP echo reply, id 2650, seq 11, length 64
    12:13:31.425061 IP brabebo-gw > google-public-dns-a.google.com: ICMP echo request, id 2650, seq 12, length 64
    12:13:31.431484 IP google-public-dns-a.google.com > brabebo-gw: ICMP echo reply, id 2650, seq 12, length 64
    ^C
    10 packets captured
    10 packets received by filter
    0 packets dropped by kernel
    root@brabebo-gw:~#
    




    So all I can say now is that somewhere/somehow on my Proxmox node NATting doesn't work the way it does on a "normal", clean Debian:
    Code:
    root@brabebo-gw:~# cat /etc/debian_version
    7.8
    root@brabebo-gw:~#


    I think I'll keep my new firewall KVM (because this way I have the option for DNAT, too).
    But if someone knows the reason why my Proxmox doesn't NAT, or has some idea what else I could check to maybe find the reason, that would be really kind!

    BR,
    Heiner
     
  16. JBB

    JBB Member

    Joined:
    Jan 23, 2015
    Messages:
    78
    Likes Received:
    1
    Re: How to NAT LAN to WAN?

    Thanks for working this through. I too have since tried various permutations, but without success.

    I notice that the docs on this show eth0 being used as the output interface and not vmbr0 (https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29)

    Code:
    iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
    Is there a possibility that eth0 could be configured as the bridge in some way? The docs don't mention it, but is that implied?

    Incidentally, it's a great pity that PVE doesn't appear to be able to do this, since simply NATed LAN would seem to be a very useful feature of a "bare metal" virtualization package.
     
  17. Nemesiz

    Nemesiz Active Member

    Joined:
    Jan 16, 2009
    Messages:
    627
    Likes Received:
    35
    Re: How to NAT LAN to WAN?

    https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29

    Code:
    auto vmbr0
    iface vmbr0 inet static
            address  10.10.10.1
            netmask  255.255.255.0
            bridge_ports none
            bridge_stp off
            bridge_fd 0
    
            post-up echo 1 > /proc/sys/net/ipv4/ip_forward
            post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
            post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
    As you can see, this bridge has no eth NIC attached by default. So they left eth as usual.


    rootkid, can you use tcpdump with the -n option? Your NIC configuration would be cool to see.
     
  18. rootkid

    rootkid Member

    Joined:
    Jul 2, 2010
    Messages:
    45
    Likes Received:
    1
    Re: How to NAT LAN to WAN?

    My current network design:

    proxmox node:
    - eth0 connected to switch with internet access (world-reachable)
    - eth1 connected to switch with internet access (world-reachable)
    - bond0 includes both in active/backup mode
    - vmbr0 includes bond0 and has public IP
    - vmbr1 has private IP 10.0.0.1 (no direct access to the world, only to provide private net 10.0.0.0/8 for VMs)

    Code:
    iface eth0 inet manual
    
    
    iface eth1 inet manual
    
    
    auto bond0
    iface bond0 inet manual
            slaves eth0 eth1
            bond_miimon 100
            bond_mode active-backup
            bond_downdelay 200
            bond_updelay 200
    
    
    auto vmbr0
    iface vmbr0 inet static
            address  195.71.xxx.xxx
            netmask  255.255.255.128
            gateway  195.71.xxx.xxx  # this is the GW IP of my provider 
            bridge_ports bond0
            bridge_stp off
            bridge_fd 0
    
    auto vmbr1
    iface vmbr1 inet static
            address  10.0.0.1
            netmask  255.0.0.0
            bridge_ports none
            bridge_stp off
            bridge_fd 0
    
    brabebo-gw (kvm with eth0 -> vmbr0 and eth1 -> vmbr1):
    Code:
    root@brabebo-gw:~# cat /etc/network/interfaces 
    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).
    
    
    # The loopback network interface
    auto lo
    iface lo inet loopback
    
    
    # The public network interface
    auto eth0
    iface eth0 inet static
            hwaddress CA:52:B4:15:94:6B
            address 195.71.xxx.xxx
            netmask 255.255.xxx.xxx
            network 195.71.xxx.xxx
            broadcast 195.71.xxx.xxx
            gateway 195.71.xxx.xxx
            # dns-* options are implemented by the resolvconf package, if installed
            dns-nameservers 195.71.xxx.xxx
    
    
    # The private network interface
    auto eth1
    iface eth1 inet static
            hwaddress d2:ba:6b:50:08:1d
            address 10.1.0.1
            netmask 255.255.0.0
            network 10.1.0.0
            broadcast 10.1.254.254
    root@brabebo-gw:~# 
    

    odoo has a veth network device as eth0 connected to bridge vmbr1:
    Code:
    auto eth0
    iface eth0 inet static
            address  10.1.2.1
            netmask  255.0.0.0
    (I am setting the default gw manually as long as I'm testing.)

    ... and now I just found out:
    Even if pve-firewall is stopped and no rules are left in iptables, somehow the Proxmox firewall will still run:
    If I disable the firewall checkbox in "edit: network device (veth)" for odoo in the Proxmox GUI, then NAT will work inside my Proxmox node (at vmbr0)!

    So everyone else having this issue: make sure that "firewall" is unchecked:

    click the container, then click "edit" (or simply double-click the container)
    edit-nw-dev1.png


    uncheck "firewall"
    edit-nw-dev2.png

    ... then, please let me know if this works for you, too.

    And @proxmox staff: Is this "wanted behavior"? I would assume if there are no iptables rules (only default policy "accept"), then nothing should be blocking any traffic...

    EDIT: I tried this with a venet address instead of a veth device for my test container: there is no "edit" and it behaves as one would assume: if there is a NAT rule in iptables it works, otherwise not.


    regarding tcpdump -n: I am too lazy to fire every command again, but I can translate the hostnames for you:
    - odoo = 10.1.2.1 (openvz)
    - brabebo-gw = 10.1.0.1 (kvm)
    - google-public-dns-a.google.com = 8.8.8.8 # any external IP that responds to ping would do the job, but I was too lazy to type in the IP of my provider's GW ;)
     


    #18 rootkid, Feb 27, 2015
    Last edited: Feb 27, 2015
  19. rootkid

    rootkid Member

    Joined:
    Jul 2, 2010
    Messages:
    45
    Likes Received:
    1
    Re: How to NAT LAN to WAN?

    BTW: because the Proxmox web GUI will overwrite post-up/post-down lines in /etc/network/interfaces when you change networking in the web GUI (see the "Pending changes" area after editing in the GUI), I wrote these little buddies:

    Code:
    root@proxmox2:~# cat /etc/network/if-up.d/enable-nat
    #!/bin/bash
    #
    # enables NAT for private VMs
    # see also: http://forum.proxmox.com/threads/21122-How-to-NAT-LAN-to-WAN?p=107853#post107853
    
    
    nat_if="vmbr0"
    # $IFACE is provided by system
    [[ "$IFACE " == "$nat_if " ]] &&
      (
        echo -n "$0: ";
        echo -n "activating NAT @ $nat_if: ";
        echo 1 > /proc/sys/net/ipv4/ip_forward &&
        /sbin/iptables -t nat -A POSTROUTING -s '10.0.0.0/8' -o $nat_if -j MASQUERADE &&
        echo "done"  || echo "$0: Error starting NAT for $nat_if"
      ) || true # we don't care for any other IFACE...
    root@proxmox2:~#
    
    Code:
    root@proxmox2:~# cat /etc/network/if-down.d/disable-nat
    #!/bin/bash
    #
    # disables NAT for private VMs
    # see also: http://forum.proxmox.com/threads/21122-How-to-NAT-LAN-to-WAN?p=107853#post107853
    
    
    nat_if="vmbr0"
    # $IFACE is provided by system
    [[ "$IFACE " == "$nat_if " ]] &&
      (
        echo; echo -n "$0: ";
        echo -n "deactivating NAT @ $nat_if: ";
        /sbin/iptables -t nat -D POSTROUTING -s '10.0.0.0/8' -o $nat_if -j MASQUERADE &&
        echo "done"  || echo "$0: Error stopping NAT for $nat_if"
      ) || true # we don't care for any other IFACE...
    root@proxmox2:~#
    
    Use at your own risk! Any feedback appreciated! :)
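An idempotent variant of the if-up.d hook above, as an added example that is not rootkid's script and not shipped by Proxmox VE. It assumes the layout of the wiki's Network_Model masquerading example: guests in 10.10.10.0/24 behind a private bridge (vmbr1 here), public address on the uplink NIC eth0; the state checks are plain functions that take their input as arguments, so they can be exercised by hand on any host.

```shell
#!/bin/bash
# /etc/network/if-up.d/enable-nat -- idempotent variant (added example, not
# rootkid's script above and not part of Proxmox VE).
# Assumed layout (the wiki's Network_Model masquerading example): guests in
# 10.10.10.0/24 behind a private bridge, here vmbr1, and the public address on
# the uplink NIC eth0. Override via the environment if your names differ.
NAT_SUBNET="${NAT_SUBNET:-10.10.10.0/24}"
NAT_OUT_IF="${NAT_OUT_IF:-eth0}"
TRIGGER_IF="${TRIGGER_IF:-vmbr1}"

# 0 when the forwarding switch in file $1 (default: the live sysctl) reads 1.
forwarding_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# 0 when $1, the text of `iptables -t nat -S POSTROUTING`, already contains a
# MASQUERADE rule for subnet $2 leaving via interface $3. -S prints every rule
# in this canonical form, so an exact fixed-string line match suffices and no
# duplicate rule is appended when ifup runs the hook a second time.
nat_rule_present() {
  rules="$1"; subnet="$2"; out_if="$3"
  printf '%s\n' "$rules" | grep -Fxq -- "-A POSTROUTING -s $subnet -o $out_if -j MASQUERADE"
}

# Live iptables call; $1 is "add" or "del". One rule spec for both, so an
# if-down.d twin calling "nat_rule del" removes exactly what was added.
nat_rule() {
  if [ "$1" = "del" ]; then op="-D"; else op="-A"; fi
  /sbin/iptables -t nat "$op" POSTROUTING -s "$NAT_SUBNET" -o "$NAT_OUT_IF" -j MASQUERADE
}

# Enable forwarding and install the rule, but only when the private bridge
# itself comes up ($IFACE is exported by ifupdown to its run-parts hooks).
ensure_nat() {
  [ "${IFACE:-}" = "$TRIGGER_IF" ] || return 0
  if ! forwarding_enabled; then
    echo 1 > /proc/sys/net/ipv4/ip_forward || { echo "$0: cannot enable ip_forward" >&2; return 1; }
  fi
  current="$(/sbin/iptables -t nat -S POSTROUTING 2>/dev/null)"
  if nat_rule_present "$current" "$NAT_SUBNET" "$NAT_OUT_IF"; then
    echo "$0: NAT for $NAT_SUBNET via $NAT_OUT_IF already active"
    return 0
  fi
  nat_rule add && echo "$0: NAT for $NAT_SUBNET via $NAT_OUT_IF activated" \
    || { echo "$0: error adding NAT rule" >&2; return 1; }
}

# Without IFACE (manual run) do nothing, so the check functions above can be
# sourced and tried out on any box, even one without iptables installed.
if [ -n "${IFACE:-}" ]; then ensure_nat; fi
```

Having the rule in place does not settle the other finding in this thread: with the Firewall box ticked on a guest NIC, post #18 saw forwarded traffic still blocked even with pve-firewall stopped, so check that box as well when tcpdump shows echo requests leaving but no replies.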
     
  20. JBB

    JBB Member

    Joined:
    Jan 23, 2015
    Messages:
    78
    Likes Received:
    1
    Re: How to NAT LAN to WAN?

    Wow - thanks rootkid!

    Unfortunately, this doesn't NAT the packets coming from my guest's NIC attached to the LAN. But at least it removes some entropy from things.
     