PVE firewall with NAT not working

5k7

New Member
Sep 28, 2022
Hello,

I set up a fresh Proxmox on a dedicated server with Hetzner. I have only one IPv4 address and one IPv6 subnet. Everything is working fine, meaning:
- 3 interfaces: eno1, vmbr0 (routed) and vmbr1 (with NAT).
- I can reach the VM directly through IPv6.
- The VM can reach the IPv4 network through NAT.

/etc/network/interfaces

Code:
### LOOPBACK ###
auto lo
iface lo inet loopback
iface lo inet6 loopback

### IPv4 ###
# Main IPv4 from Host
auto eno1
iface eno1 inet static
  address <MAIN IP>
  netmask 255.255.255.255
  gateway <GATEWAY_IP>
  pointopoint <GATEWAY_IP>

### IPv6 ###
# Main IPv6
iface eno1 inet6 static
  address <ipv6 addr from subnet>::2
  netmask 128
  gateway <gateway>
  up sysctl -p


### VM-Routed IPv4
auto vmbr0
iface vmbr0 inet static
  address <MainIP>
  netmask 255.255.255.255
  bridge_ports none
  bridge_stp off
  bridge_fd 0

#VM-Routed IPv6
iface vmbr0 inet6 static
  address <ipv6>::3
  netmask 64
  up ip -6 route add <ipv6>::/64 dev vmbr0

### Private NAT used by Proxmox
auto vmbr1
iface vmbr1 inet static
  address  10.10.10.1
  netmask  255.255.255.0
  bridge_ports none
  bridge_stp off
  bridge_fd 0
  bridge_maxwait 0
  post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
  post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE

VM configuration:

Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet6 static
        address <ipv6>::4/64
        gateway <ipv6>::3

auto eth1
iface eth1 inet dhcp

For now, at least at the point I am at, everything is working as expected. The problem is that when I turn on the firewall I can no longer use IPv4 from the VM. I have the firewall enabled only at the datacenter level, with entries for SSH and port 8006 for the GUI. IPv6 seems to be working fine.

Should I add some special entry for vmbr1 with NAT to keep connections initiated from the VM?
 
See 3.3.6 in the docs: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_network_configuration
Code:
In some masquerade setups with firewall enabled, conntrack zones might be needed for outgoing connections. Otherwise the firewall could block outgoing connections since they will prefer the POSTROUTING of the VM bridge (and not MASQUERADE).
And the solution mentioned in the docs:
Code:
post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

See if that fixes the issue for you.
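The masquerade stanza in the question and the conntrack-zone fix from the answer are the two halves of one pattern: a bridge that installs a MASQUERADE `post-up` rule should also install the `iptables -t raw ... -j CT --zone` rule when the PVE firewall is enabled. The script below is an added example, not from the original thread or from Proxmox, that audits an ifupdown-style interfaces file for exactly that pairing; the two sample stanzas are constructed from the configuration in this thread, and the function name `check_nat_zones` is the example's own.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit an
# /etc/network/interfaces file for bridges that masquerade without the
# conntrack-zone rule from section 3.3.6 of the Proxmox admin guide.
#
# check_nat_zones [FILE]   reads FILE (or stdin) and returns 0 when every
# "iface" stanza with a MASQUERADE post-up rule also has a
# "iptables -t raw ... -j CT --zone" post-up rule, 1 otherwise.
check_nat_zones() {
    awk '
        # each "iface <name> ..." line starts a new stanza
        /^[[:space:]]*iface[[:space:]]/ { cur = $2 }
        # post-up lines that masquerade traffic leaving this stanza
        /post-up/ && /MASQUERADE/ { nat[cur] = 1 }
        # post-up lines that put bridge traffic in its own conntrack zone
        /post-up/ && /-t raw/ && /-j CT/ && /--zone/ { zone[cur] = 1 }
        END {
            rc = 0
            for (i in nat) {
                if (i in zone) {
                    printf "ok: %s masquerades and sets a conntrack zone\n", i
                } else {
                    printf "missing: %s masquerades without a conntrack zone rule\n", i
                    rc = 1
                }
            }
            exit rc
        }
    ' "$@"
}

# Constructed sample: the vmbr1 stanza as posted, without the zone rule.
sample_without_zone() {
cat <<'EOF'
auto vmbr1
iface vmbr1 inet static
  address 10.10.10.1
  netmask 255.255.255.0
  bridge_ports none
  post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
  post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
EOF
}

# Constructed sample: the same stanza with the documented fix appended.
sample_with_zone() {
sample_without_zone
cat <<'EOF'
  post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
  post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
EOF
}

# Demo: the fixed stanza passes, the original one is flagged.
sample_with_zone | check_nat_zones
if ! sample_without_zone | check_nat_zones; then
    echo "audit result: add the conntrack zone rule before enabling the firewall"
fi
```

Run it against the live file with `check_nat_zones /etc/network/interfaces` after sourcing the script; a non-zero exit status means at least one masquerading bridge still lacks the zone rule. The check only looks at `post-up` lines, so a zone rule added by hand with `iptables` at runtime (and not persisted in the interfaces file) is correctly reported as missing, since it would not survive a reboot.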
 
Indeed that fixed the problem. Now everything is working like a charm. Thank you very much.
 