[SOLVED] Can't figure out what's blocking ports

C

charfix

New Member
Dec 2, 2022
15
1
3
I have a Debian11 container with the following definition:
Code: 
arch: amd64
cores: 1
features: nesting=1
hostname: onew
memory: 512
mp0: /mnt/bigdata,mp=/mnt/bigdata,mountoptions=noatime
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.2.1,hwaddr=16:CC:8E:8E:1F:CA,ip=192.168.2.49/32,ip6=dhcp,type=veth
ostype: debian
rootfs: local-lvm:vm-103-disk-0,size=6G
swap: 512
unprivileged: 1
lxc.mount.entry: /dev/ttyUSB0 dev/ttyUSB0 none bind,optional,create=file
lxc.mount.entry: /dev/ttyUSB1 dev/ttyUSB1 none bind,optional,create=file

Nmap says only port 22 is open. And indeed I can successfully connect to it.
But I can't understand why none of the other ports are reachable. The firewall is disabled.

Finally here's what tcpdump says when I try to reach port 3000 from the PVE node (only have one).
Code: 
root@onew:~# tcpdump -i any port 3000 -n
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
06:22:49.444842 eth0  In  IP 192.168.2.112.35150 > 192.168.2.49.3000: Flags [S], seq 20292202, win 64240, options [mss 1460,sackOK,TS val 694071067 ecr 0,nop,wscale 7], length 0
06:22:49.444860 eth0  Out IP 192.168.2.49.3000 > 192.168.2.112.35150: Flags [R.], seq 0, ack 20292203, win 0, length 0

I know the port is open because:
Code: 
root@onew:~# netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      450/master         
tcp        0      0 127.0.0.53:domain       0.0.0.0:*               LISTEN      82/systemd-resolved
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      82/systemd-resolved
tcp        0      0 localhost:3000          0.0.0.0:*               LISTEN      467/node

Can anyone suggest a next step?
 
Last edited:
keeka said:
The container PID 467 (port 3000) is listening on loopback interface.
Click to expand...
I see it now. Thank you.

I don't understand the implication of the /32 netmask? My container has a fixed IP, which is specified down to the 32nd bit. What's wrong with having /32 there?
 
charfix said:
I see it now. Thank you.

I don't understand the implication of the /32 netmask? My container has a fixed IP, which is specified down to the 32nd bit. What's wrong with having /32 there?
Click to expand...
There's nothing wrong with it. I pointed it out because it is less usual and may not have been intentional.
 
charfix said:
I don't understand the implication of the /32 netmask? My container has a fixed IP, which is specified down to the 32nd bit. What's wrong with having /32 there?
Click to expand...
The netmask is usually related to the size of the local subnet, not the single IP (which is always 32 bits in IPV4). /32 implies that that container is not part of any subnet, which is rather uncommon for an IP address in the 192.168.0.0/16 private subnet range (which is often subdivided into 192.168.x.0/24 subnets). But I'm no expert on networking, so I could be enitrely wrong.
 
Last edited:
leesteken said:
The netmask is usually related to the size of the local subnet, not the single IP (which is always 32 bits in IPV4). /32 implies that that container is not part of any subnet, which is rather uncommon for an IP address in the 192.168.0.0/16 private subnet range (which is often subdivided into 192.168.x.0/24 subnets). But I'm no expert on networking, so I could be enitrely wrong.
Click to expand...
What are the implications of the container being alone in a subnet? Is there some connection it can't form?
 
The host/network address determines routing. With a /32 subnet, the host will expect all traffic to go via the gateway. This is fine for hosts that are the other side of the gateway but will/may impact its communications with neighbouring hosts. You have the perfect tool to test all this!
Create two guests on your proxmox bridge and assign them various host/network addresses. For each config, see if you can reach the hosts on the same bridge (including gateway) and beyond (including WAN).
EDIT: Just to add, if your intention by using a /32 network was to isolate a host, convention would be top create a new bridge and route traffic accordingly.
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back