Environment
- Proxmox VE: 9.x (latest kernel at time of posting)
- pve-firewall (iptables backend)
- Guests: LXC on a Linux VLAN, LXC on a Linux Bridge
Code:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback
    pre-up sysctl -w net.ipv4.ip_forward=1

auto nic0
iface nic0 inet manual

auto public
iface public inet static
    address public.ip/26
    gateway public.gateway
    bridge-ports nic0
    bridge-stp off
    bridge-fd 0
    post-up iptables -w -t nat -A POSTROUTING -s 10.0.0.0/8 -o public -j MASQUERADE
    post-down iptables -w -t nat -D POSTROUTING -s 10.0.0.0/8 -o public -j MASQUERADE
    post-up iptables -w -t raw -I PREROUTING -i fw+ -j CT --zone 1
    post-down iptables -w -t raw -D PREROUTING -i fw+ -j CT --zone 1

auto vmbr0
iface vmbr0 inet static
    address 10.0.0.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

auto internal
iface internal inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 10 11
    mtu 1500

auto internal.10
iface internal.10 inet static
    address 10.10.0.1/24

auto internal.11
iface internal.11 inet static
    address 10.11.0.1/24
When I reboot, SNAT doesn't apply to containers running under VLAN for some reason.
When I send a ping from a container on a normal Linux bridge, the IP is clearly rewritten.
Code:
tcpdump -i public -n icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on public, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:14:59.890075 IP public.ip > 8.8.8.8: ICMP echo request, id 321, seq 1, length 64
15:14:59.894878 IP 8.8.8.8 > 10.0.0.10: ICMP echo reply, id 321, seq 1, length 64
15:15:00.892072 IP public.ip > 8.8.8.8: ICMP echo request, id 321, seq 2, length 64
15:15:00.896835 IP 8.8.8.8 > 10.0.0.10: ICMP echo reply, id 321, seq 2, length 64
When I ping from a container on VLAN, it's not, so it can't get the replies.
Code:
tcpdump -i public -n icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on public, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:15:34.009964 IP 10.12.0.10 > 8.8.8.8: ICMP echo request, id 1409, seq 1, length 64
15:15:35.033320 IP 10.12.0.10 > 8.8.8.8: ICMP echo request, id 1409, seq 2, length 64
Moreover, when I do ifreload -a, SNAT starts working on VLAN containers too.
I've tried a systemd drop-in that does ifreload -a after pve-firewall is set up but before guests start, but it doesn't affect anything.
Only after guests start does it have an effect.
It sucks that containers start with broken networking though, so I would like to fix the root cause.
What am I missing?
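As an added check (not part of the original post), here is a small Python parser over tcpdump lines in the format captured above that flags echo requests leaving the public interface with a source that should have been masqueraded, and requests that never got a reply. The sample capture is constructed, 203.0.113.5 stands in for the host's public address, and the 10.0.0.0/8 range mirrors the MASQUERADE rule in the config.

```python
import ipaddress
import re

# Constructed sample in the format of the post's tcpdump output (not the
# post's own capture); 203.0.113.5 is a placeholder for the public address.
SAMPLE_CAPTURE = """\
15:14:59.890075 IP 203.0.113.5 > 8.8.8.8: ICMP echo request, id 321, seq 1, length 64
15:14:59.894878 IP 8.8.8.8 > 10.0.0.10: ICMP echo reply, id 321, seq 1, length 64
15:15:34.009964 IP 10.12.0.10 > 8.8.8.8: ICMP echo request, id 1409, seq 1, length 64
15:15:35.033320 IP 10.12.0.10 > 8.8.8.8: ICMP echo request, id 1409, seq 2, length 64
"""

# Source range the POSTROUTING MASQUERADE rule in the post is expected to rewrite.
NAT_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(text):
    """Yield one dict per ICMP echo line; lines in any other format are skipped."""
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            yield {**m.groupdict(), "id": int(m["id"]), "seq": int(m["seq"])}


def leaked_private_sources(text):
    """Echo requests on the public interface whose source still lies in a
    range the MASQUERADE rule should have rewritten, i.e. SNAT did not apply."""
    return [
        (p["src"], p["dst"], p["id"], p["seq"])
        for p in parse_icmp(text)
        if p["kind"] == "request"
        and any(ipaddress.ip_address(p["src"]) in net for net in NAT_SOURCES)
    ]


def unanswered_requests(text):
    """(id, seq) pairs for which a request was captured but no reply came back."""
    packets = list(parse_icmp(text))
    replied = {(p["id"], p["seq"]) for p in packets if p["kind"] == "reply"}
    asked = {(p["id"], p["seq"]) for p in packets if p["kind"] == "request"}
    return sorted(asked - replied)


if __name__ == "__main__":
    for src, dst, pid, seq in leaked_private_sources(SAMPLE_CAPTURE):
        print(f"un-NATed egress: {src} -> {dst} (id {pid}, seq {seq})")
    for pid, seq in unanswered_requests(SAMPLE_CAPTURE):
        print(f"no reply for id {pid}, seq {seq}")
```

Feed it the output of `tcpdump -i public -n icmp` after a reboot and again after `ifreload -a` to confirm that the leaked-source list empties once the rule takes effect.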