Some LXC with internet access, others without

[andre78]

Hi,

I have installed Proxmox on a root server at netcup. I want to use this server for services like Pi-Hole, wireguard, Nextcloud, Caddy etc. First I had a setup with another (smallest config) server running OPNSense in front of it which worked but was very slow. So I have removed the OPNSense and connected the Proxmox server directly to the internet again. I followed the NAT configuration at https://pve.proxmox.com/wiki/Network_Configuration to set up vmbr0 (192.168.5.0/24) and created a vmbr1 network (192.168.6.0/24) for internal communication that shall not be exposed to the internet, for example to be routed though the caddy reverse proxy.

The problem: On one LXC (wireguard, created after disconnecting the OPNSense) I can access the internet, another LXC (PiHole, created and when OPNsense was used) is not able to connect to / ping anything outside the Proxmox host. The network configuration on both containers is similar.

Proxmox host setup:

/etc/network/interfaces:

auto lo
iface lo inet loopback

auto ens3
iface ens3 inet static
        address 45.157.XXX.YYY/22
        gateway 45.157.ZZZ.1
        dns-nameservers 46.38.225.230 212.60.61.246

auto vmbr0
iface vmbr0 inet static
        address 192.168.5.10/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
#extern, ROT

auto vmbr1
iface vmbr1 inet static
        address 192.168.6.10/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
#intern, GRÜN

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '192.168.5.0/24' -o ens3 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.5.0/24' -o ens3 -j MASQUERADE
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

Wireguard LXC (has internet access):

/etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.5.23/24
        gateway 192.168.5.10
        dns-nameservers 192.168.5.20

auto eth1
iface eth1 inet static
        address 192.168.6.23/24

PiHole LXC (no internet access):

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.5.20/24
        gateway 192.168.5.10
        dns-nameservers 46.38.225.230 212.60.61.246

auto eth1
iface eth1 inet static
        address 192.168.6.20/24

My config:

uname -r: 5.4.65-1-pve
lxc-ls --version: 4.0.3
cat /proc/sys/net/ipv4/ip_forward: 1

ping test:

root@phdns:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.5.20 icmp_seq=1 Destination Host Unreachable
From 192.168.5.20 icmp_seq=2 Destination Host Unreachable
From 192.168.5.20 icmp_seq=3 Destination Host Unreachable
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 95ms
pipe 4

root@wireguard:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=9 ttl=119 time=3.72 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=119 time=3.57 ms
64 bytes from 8.8.8.8: icmp_seq=11 ttl=119 time=3.61 ms
64 bytes from 8.8.8.8: icmp_seq=12 ttl=119 time=3.63 ms
^C
--- 8.8.8.8 ping statistics ---
12 packets transmitted, 4 received, 66.6667% packet loss, time 202ms
rtt min/avg/max/mdev = 3.569/3.631/3.716/0.091 ms

EDIT: I just realised there is packet loss on the wireguard machine. Doing the same ping some seconds later there is no packet loss so I assume it's the first packets only.

EDIT2: all machines can ping each other and the Proxmox host.

Thanks in advance for your help!

 

[andre78]

SOLVED:

despite the settings in the Proxmox GUI and the /etc/network/interfaces, the default route was still set to the old OPNSense IP. I added a new default route and now everything works fine:

ip route add default via 192.168.5.10