SDN VNET subnet specify SNAT wan IP

w2vy

New Member
Feb 26, 2024
Tampa, FL, USA
I am trying to replicate the solution in SDN VNet subnet specify SNAT interface/IP

I am using PVE 8.1.3

My first step is to get a single subnet working and then adding a second and third...

I understand networks and routing tables but I am new to SDN

I added a zone 'zone1' then created vnet185 in that zone and added subnet 10.10.0.0/24 default 10.10.0.1

I also created a VM (ubuntu desktop) using vnet185 and set ipv4 static 10.10.0.10/24 default 10.10.0.1

I can ping 10.10.0.1 and 1.2.3.185 but not 1.2.3.1 (its gateway) or 8.8.8.8

eno1 is my LAN and enx28ee521f14ff is a USB dongle to an unmanaged switch on the WAN port (outside the firewall)

Once I get this working that switch may go away...

Any suggestions?

Code:
root@pve40:~# ip r
default via 1.2.3.1 dev vmbr1 proto kernel onlink
10.10.0.0/24 dev vnet185 proto kernel scope link src 10.10.0.1
1.2.3.0/24 dev vmbr1 proto kernel scope link src 1.2.3.185
192.168.8.0/24 dev vmbr0 proto kernel scope link src 192.168.8.40

Here are the resulting network files

/etc/network/interfaces
Code:
auto lo
iface lo inet loopback

iface eno1 inet manual

auto enx28ee521f14ff
iface enx28ee521f14ff inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.8.40/24
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0

auto vmbr1
iface vmbr1 inet static
    address 1.2.3.185/24
    gateway 1.2.3.1
    bridge-ports enx28ee521f14ff
    bridge-stp off
    bridge-fd 0

source /etc/network/interfaces.d/*

/etc/network/interfaces.d/sdn
Code:
#version:28

auto vnet185
iface vnet185
    address 10.10.0.1/24
    post-up iptables -t nat -A POSTROUTING -s '10.10.0.0/24' -o vmbr1 -j SNAT --to-source 1.2.3.185
    post-down iptables -t nat -D POSTROUTING -s '10.10.0.0/24' -o vmbr1 -j SNAT --to-source 1.2.3.185
    post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    ip-forward on
 
Is IP forwarding enabled properly?

Code:
cat /proc/sys/net/ipv4/ip_forward
 
No, it is 0

Wondering why it is not enabled, I went looking for logs... no syslog but I did see /var/log/ifupdown2 but did not see any obvious failures
I do see a number of timestamped directories and they continue to be created, I attached the latest log file

And the config found in those subdirectories matched /etc/networks

I manually enabled ip_forward and did not see any change (tried ping 8.8.8.8)

I do see some loadmodule errors in the log, but those are not generally bad

Thank You for any help
Tom
 

Sorry, seems like I confused the tab of the thread - I wanted to respond this to another thread. In your case it should work with ip_forward disabled.

What does the NAT table look like?

Code:
iptables -t nat -L
 
No problem, I am sure you are quite BUSY!

Code:
root@pve40:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.0.0.0/24          anywhere             to:1.2.3.185
SNAT       all  --  10.10.0.0/24         anywhere             to:1.2.3.185
SNAT       all  --  10.10.0.0/24         anywhere             to:1.2.3.185
SNAT       all  --  10.10.0.0/24         anywhere             to:1.2.3.185
SNAT       all  --  10.10.0.0/24         anywhere             to:1.2.3.185
SNAT       all  --  10.10.0.0/24         anywhere             to:1.2.3.185
SNAT       all  --  10.10.0.0/24         anywhere             to:1.2.3.185
SNAT       all  --  10.10.0.0/24         anywhere             to:1.2.3.185
SNAT       all  --  10.10.0.0/24         anywhere             to:1.2.3.185
SNAT       all  --  10.10.0.0/24         anywhere             to:1.2.3.185
SNAT       all  --  10.10.0.0/24         anywhere             to:1.2.3.185
root@pve40:~#

Tom
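The POSTROUTING chain above shows the same SNAT rule appended many times plus a leftover rule for 10.0.0.0/24; the `post-up` lines in /etc/network/interfaces.d/sdn from the first post re-add the rule every time the vnet is brought up, and a missed `post-down` leaves copies behind. Duplicates are harmless for SNAT itself but make the table hard to audit, and a stale rule can silently NAT a subnet nobody intended to expose. The script below is an added example, not code from the thread or from Proxmox: it reads rules in the `iptables -t nat -S POSTROUTING` format (the sample here is constructed, not the host's real output), counts redundant copies, flags SNAT rules whose source subnet is not in an expected list, and prints the `iptables -D` commands that would remove the extra copies for review rather than running them. The subnet list `EXPECTED_SUBNETS` and the sample rules are assumptions.

```shell
#!/bin/sh
# Added example (not part of the thread): audit the nat POSTROUTING chain for
# duplicate or stale SNAT rules. Input uses the rule-spec form printed by
# `iptables -t nat -S POSTROUTING`. Everything here is constructed so it runs offline.

# Constructed sample: one stale rule for a subnet that is no longer defined,
# and the same SNAT rule appended three times by repeated post-up runs.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o vmbr1 -j SNAT --to-source 1.2.3.185
-A POSTROUTING -s 10.10.0.0/24 -o vmbr1 -j SNAT --to-source 1.2.3.185
-A POSTROUTING -s 10.10.0.0/24 -o vmbr1 -j SNAT --to-source 1.2.3.185
-A POSTROUTING -s 10.10.0.0/24 -o vmbr1 -j SNAT --to-source 1.2.3.185'

# Subnets that are still defined in the SDN config (assumed, space-separated).
EXPECTED_SUBNETS='10.10.0.0/24'

# Print each distinct SNAT rule-spec (chain prefix stripped) with its occurrence count.
count_snat_rules() {
    printf '%s\n' "$1" | grep -- '-j SNAT' | sed 's/^-A POSTROUTING //' | sort | uniq -c
}

# Number of redundant copies: total SNAT rules minus distinct SNAT rules.
redundant_rule_count() {
    total=$(printf '%s\n' "$1" | grep -c -- '-j SNAT')
    distinct=$(printf '%s\n' "$1" | grep -- '-j SNAT' | sort -u | wc -l | tr -d ' ')
    echo $((total - distinct))
}

# Source subnets of SNAT rules that are not in the expected list (stale rules).
# $1 = rule text, $2 = expected subnets separated by spaces.
stale_snat_subnets() {
    printf '%s\n' "$1" | grep -- '-j SNAT' | sed -n 's/.*-s \([^ ]*\).*/\1/p' | sort -u |
    while read -r subnet; do
        case " $2 " in
            *" $subnet "*) ;;
            *) echo "$subnet" ;;
        esac
    done
}

# Emit one `iptables -D` command per extra copy of a rule so the operator can
# review them before applying; nothing is executed here.
dedupe_commands() {
    count_snat_rules "$1" | while read -r n spec; do
        i=1
        while [ "$i" -lt "$n" ]; do
            echo "iptables -t nat -D POSTROUTING $spec"
            i=$((i + 1))
        done
    done
}

# Stand-alone run against the constructed sample.
echo "redundant copies: $(redundant_rule_count "$SAMPLE_RULES")"
echo "stale subnets:    $(stale_snat_subnets "$SAMPLE_RULES" "$EXPECTED_SUBNETS")"
echo "cleanup commands:"
dedupe_commands "$SAMPLE_RULES"
```

On a live host, replace `SAMPLE_RULES` with `$(iptables -t nat -S POSTROUTING)` and check the printed commands against the subnets actually configured before running any of them; an extra `iptables -t nat -L POSTROUTING -v` also shows the `-o` interface and packet counters, which tells you whether the surviving rule is the one traffic actually hits.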
 
I recently tried again at getting this working to no avail.

I ended up using tcpdump to monitor the traffic in and out and discovered

I was seeing ARP Request and Reply for the default gateway and saw my PING request but never received a reply

After talking to the ISP, it seems that even with 5 IP addresses I am still only allowed one customer MAC per port on the Fiber Modem.
I have asked them to enable the other 3 ports to see if that helps make things work.

I followed the example to the letter and the NAT rules even look right (showing the source NAT IP address)

I am hopeful
Tom
 
