[SOLVED] Can't figure out what's blocking ports

charfix

Dec 2, 2022
I have a Debian11 container with the following definition:
Code:
arch: amd64
cores: 1
features: nesting=1
hostname: onew
memory: 512
mp0: /mnt/bigdata,mp=/mnt/bigdata,mountoptions=noatime
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.2.1,hwaddr=16:CC:8E:8E:1F:CA,ip=192.168.2.49/32,ip6=dhcp,type=veth
ostype: debian
rootfs: local-lvm:vm-103-disk-0,size=6G
swap: 512
unprivileged: 1
lxc.mount.entry: /dev/ttyUSB0 dev/ttyUSB0 none bind,optional,create=file
lxc.mount.entry: /dev/ttyUSB1 dev/ttyUSB1 none bind,optional,create=file

Nmap says only port 22 is open. And indeed I can successfully connect to it.
But I can't understand why none of the other ports are reachable. The firewall is disabled.

Finally here's what tcpdump says when I try to reach port 3000 from the PVE node (only have one).
Code:
root@onew:~# tcpdump -i any port 3000 -n
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
06:22:49.444842 eth0  In  IP 192.168.2.112.35150 > 192.168.2.49.3000: Flags [S], seq 20292202, win 64240, options [mss 1460,sackOK,TS val 694071067 ecr 0,nop,wscale 7], length 0
06:22:49.444860 eth0  Out IP 192.168.2.49.3000 > 192.168.2.112.35150: Flags [R.], seq 0, ack 20292203, win 0, length 0

I know the port is open because:
Code:
root@onew:~# netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      450/master         
tcp        0      0 127.0.0.53:domain       0.0.0.0:*               LISTEN      82/systemd-resolved
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      82/systemd-resolved
tcp        0      0 localhost:3000          0.0.0.0:*               LISTEN      467/node

Can anyone suggest a next step?
The container PID 467 (port 3000) is listening on loopback interface.
I see it now. Thank you.

I don't understand the implication of the /32 netmask? My container has a fixed IP, which is specified down to the 32nd bit. What's wrong with having /32 there?
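Added example, not from the thread: a small Python script that classifies the `netstat -lp` listeners posted above by bind scope, so a loopback-only service (node on localhost:3000 here) is flagged as the reason a SYN from the LAN gets a RST back. The listener table is copied from the post; the code around it is constructed.

```python
import ipaddress

# Constructed example: the listener table below is the `netstat -lp` output
# posted in the thread; everything else is illustrative code, not from the page.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      450/master
tcp        0      0 127.0.0.53:domain       0.0.0.0:*               LISTEN      82/systemd-resolved
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      82/systemd-resolved
tcp        0      0 localhost:3000          0.0.0.0:*               LISTEN      467/node
"""

def bind_scope(host):
    """Classify a bind address as 'loopback', 'wildcard', 'specific' or 'unknown'.
    A loopback-bound listener serves only clients on the same kernel; a SYN from
    another host is answered with RST, exactly what the tcpdump above shows."""
    if host in ("localhost", "ip6-localhost"):
        return "loopback"
    if host in ("*", ""):
        return "wildcard"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"  # unresolved hostname: do not assume it is reachable
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "specific"  # bound to one interface address, e.g. 192.168.2.49

def parse_listeners(text):
    """Return one dict per LISTEN row of netstat/ss-style output."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[5] != "LISTEN":
            continue  # header line or non-listening socket
        host, _, port = f[3].rpartition(":")  # also splits ':::22' (IPv6 any)
        rows.append({"proto": f[0], "host": host, "port": port,
                     "scope": bind_scope(host), "program": f[6] if len(f) > 6 else "?"})
    return rows

def externally_reachable(text):
    """Map each listening port to True if some listener on it accepts non-loopback
    clients. Rule this out before suspecting the firewall or the bridge; the fix
    for node here is to bind it to 0.0.0.0 or the container address instead."""
    result = {}
    for row in parse_listeners(text):
        ok = row["scope"] in ("wildcard", "specific")
        result[row["port"]] = result.get(row["port"], False) or ok
    return result
```

The same parser works on `ss -ltnp` output, which lists the state in the first column and the local address in the fourth field too, so the LISTEN check and `rpartition` hold.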
I see it now. Thank you.

I don't understand the implication of the /32 netmask? My container has a fixed IP, which is specified down to the 32nd bit. What's wrong with having /32 there?
There's nothing wrong with it. I pointed it out because it is less usual and may not have been intentional.
I don't understand the implication of the /32 netmask? My container has a fixed IP, which is specified down to the 32nd bit. What's wrong with having /32 there?
The netmask is usually related to the size of the local subnet, not the single IP (which is always 32 bits in IPv4). /32 implies that that container is not part of any subnet, which is rather uncommon for an IP address in the 192.168.0.0/16 private subnet range (which is often subdivided into 192.168.x.0/24 subnets). But I'm no expert on networking, so I could be entirely wrong.
The netmask is usually related to the size of the local subnet, not the single IP (which is always 32 bits in IPv4). /32 implies that that container is not part of any subnet, which is rather uncommon for an IP address in the 192.168.0.0/16 private subnet range (which is often subdivided into 192.168.x.0/24 subnets). But I'm no expert on networking, so I could be entirely wrong.
What are the implications of the container being alone in a subnet? Is there some connection it can't form?
The host/network address determines routing. With a /32 subnet, the host will expect all traffic to go via the gateway. This is fine for hosts that are the other side of the gateway but will/may impact its communications with neighbouring hosts. You have the perfect tool to test all this!
Create two guests on your proxmox bridge and assign them various host/network addresses. For each config, see if you can reach the hosts on the same bridge (including gateway) and beyond (including WAN).
EDIT: Just to add, if your intention by using a /32 network was to isolate a host, convention would be to create a new bridge and route traffic accordingly.