[SOLVED] The PVE virtual machine cannot access the external network over IPv4, but it can access it unimpeded over IPv6.

LandC77

New Member
May 7, 2025
Hello, sir or madam.

This problem began around April 29. At that time I opened Chrome on a Proxmox virtual machine to visit a website and it reported a connection timeout. At the same time the previous day it could still connect.

After that, I started a series of network troubleshooting steps, including reconfiguring the global network configuration and reinitializing the DHCP server (the PVE virtual machines use DHCPv4; IPv6 is set manually). However, the connection timeout was still plainly there in front of me.

After these steps, I roughly located the root of the problem. On Proxmox itself, curl to websites that only have an IPv4 address connects and fetches normally. On the virtual machine, curl was tried as well, and the result was an endless black hole: it kept trying to connect to the site until it exceeded the configured maximum connection time. But if I access google.com it fetches normally, because curl finds the IPv6 address first and connects over that first. My thinking is that the virtual machine's outbound IPv4 traffic has somehow fallen into an endless black hole, while IPv6 is completely unaffected. The host and the virtual machine connect normally (telnet 10.0.0.1 8006); the virtual machine wants to reach the public network for HTTP access through the host's bridge, but that idea is strongly "rejected" for an unknown reason, so the public network cannot be reached.

Because the data center where the host is located has its own firewall which works fine, Proxmox does not need to enable its firewall, and there is only a single public IPv4 address, so the internal network is built with NAT, using iptables and isc-dhcp-server. (For example, 10.0.0.5 is the mail service and 10.0.0.6 is the web service.)

Does anyone have any suggestions? This strange failure is very tormenting.
My INTERFACES configuration:
### BSX05 interfaces ###

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback
iface lo inet6 loopback

auto enp5s0
iface enp5s0 inet manual
# post-up /sbin/ethtool -K enp5s0 tx off rx off
iface enp5s0 inet6 manual

auto vmbr0
iface vmbr0 inet static
address 65.108.196.220
netmask 255.255.255.192
gateway 65.108.196.193
# hwaddress ether 60:cf:84:5f:55:bc
bridge_ports enp5s0
bridge_stp off
bridge_fd 0
# bridge_maxwait 0
# post-up /sbin/ethtool -K vmbr0 tx off rx off

iface vmbr0 inet6 static
address 2a01:4f9:1a:98f0::2
netmask 64
gateway fe80::1
bridge_ports enp5s0
bridge_stp off
bridge_fd 0
up ip -6 route del 2a01:4f9:1a:98f0::/64 dev vmbr0

auto vmbr1
iface vmbr1 inet static
address 10.0.0.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

iface vmbr1 inet6 static
address 2a01:4f9:1a:98f0::3
netmask 64
# gateway fe80::1
bridge_ports none
bridge_stp off
bridge_fd 0
up ip -6 route add 2a01:4f9:1a:98f0::/64 dev vmbr1
post-down ip -6 route del 2a01:4f9:1a:98f0::/64 dev vmbr1

My IPTABLES rule settings:
# Generated by iptables-save v1.8.9 on Thu May 8 17:40:40 2025
*nat
:PREROUTING ACCEPT [67:4314]
:INPUT ACCEPT [52:3321]
:OUTPUT ACCEPT [3:201]
:POSTROUTING ACCEPT [11:633]
-A PREROUTING -p tcp -m tcp --dport 3395 -j DNAT --to-destination 10.0.0.8:3389
-A PREROUTING -p tcp -m tcp --dport 20022 -j DNAT --to-destination 10.0.0.7:22
-A PREROUTING -p tcp -m tcp --dport 20023 -j DNAT --to-destination 10.0.0.7:3389
-A PREROUTING -p tcp -m tcp --dport 20024 -j DNAT --to-destination 10.0.0.7:3390
-A PREROUTING -p tcp -m tcp --dport 22032 -j DNAT --to-destination 10.0.0.7:22032
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.7:80
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.7:443
-A PREROUTING -p tcp -m tcp --dport 888 -j DNAT --to-destination 10.0.0.7:888
-A PREROUTING -p tcp -m tcp --dport 81 -j DNAT --to-destination 10.0.0.8:80
-A PREROUTING -p tcp -m tcp --dport 444 -j DNAT --to-destination 10.0.0.8:443
-A PREROUTING -p tcp -m tcp --dport 6080 -j DNAT --to-destination 10.0.0.8:6080
-A PREROUTING -p tcp -m tcp --dport 6443 -j DNAT --to-destination 10.0.0.8:6443
-A PREROUTING -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.0.0.8:21
-A PREROUTING -p tcp -m tcp --dport 23 -j DNAT --to-destination 10.0.0.7:21
-A PREROUTING -p tcp -m tcp --dport 20025 -j DNAT --to-destination 10.0.0.9:22
-A PREROUTING -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.8:25
-A PREROUTING -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.0.8:110
-A PREROUTING -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.0.0.8:143
-A PREROUTING -p tcp -m tcp --dport 465 -j DNAT --to-destination 10.0.0.8:465
-A PREROUTING -p tcp -m tcp --dport 587 -j DNAT --to-destination 10.0.0.8:587
-A PREROUTING -p tcp -m tcp --dport 993 -j DNAT --to-destination 10.0.0.8:993
-A PREROUTING -p tcp -m tcp --dport 995 -j DNAT --to-destination 10.0.0.8:995
-A POSTROUTING -s 10.0.0.0/24 -o vmbr0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -o vmbr0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -o vmbr0 -j MASQUERADE
COMMIT
# Completed on Thu May 8 17:40:40 2025
# Generated by iptables-save v1.8.9 on Thu May 8 17:40:40 2025
*filter
:INPUT ACCEPT [5251:355788]
:FORWARD ACCEPT [47056:6056308]
:OUTPUT ACCEPT [238:16538]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu May 8 17:40:40 2025
# Generated by iptables-save v1.8.9 on Thu May 8 17:40:40 2025
*raw
:PREROUTING ACCEPT [344:24930]
:OUTPUT ACCEPT [168:21947]
-A PREROUTING -i fwbr+ -j CT --zone 1
-A PREROUTING -i fwbr+ -j CT --zone 1
-A PREROUTING -i fwbr+ -j CT --zone 1
COMMIT
# Completed on Thu May 8 17:40:40 2025
 
Solved, some errors in iptables rules were found and corrected.
Internet access on the virtual machine is normal.

Error location:
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.7:80
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.7:443

Correction method:
-A PREROUTING -d <externalip>/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.7:80
-A PREROUTING -d <externalip>/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.7:443

or

-A PREROUTING -p tcp -m tcp --dport <Another port> -j DNAT --to-destination 10.0.0.7:80
-A PREROUTING -p tcp -m tcp --dport <Another port> -j DNAT --to-destination 10.0.0.7:443
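The rules quoted as the error location above match on nothing but --dport, and nat/PREROUTING is evaluated for every packet that arrives on any interface, including the VMs' own outbound connections coming in through vmbr1. The following added example (written for this thread, not part of the original post or of any Proxmox tooling) lints an iptables-save dump for that shape, flags duplicated rules like the triple MASQUERADE/CT lines in the dump, and walks the PREROUTING chain for a sample packet to show which rule a VM's outbound HTTP request would hit before and after the correction. The dump it parses is constructed; 203.0.113.10 stands in for the host's public IPv4 and 198.51.100.20 for an arbitrary remote web server.

```python
"""Lint an iptables-save dump for over-broad DNAT rules in nat/PREROUTING.
Added example for the thread above; not the poster's or Proxmox's own code."""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample dump. The first two rules have the shape that broke
# outbound IPv4 in the post; the next two show the two corrected shapes
# (-d on the public IP, or -i on the public bridge); the last two are an
# accidental duplicate of the kind a repeated post-up hook produces.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.7:80
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.7:443
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.7:22
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.8:25
-A POSTROUTING -s 10.0.0.0/24 -o vmbr0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -o vmbr0 -j MASQUERADE
COMMIT
"""

Rule = Dict[str, Optional[str]]


def parse_rules(dump: str) -> List[Rule]:
    """Return one dict per '-A' line, keeping only the fields this check needs."""
    rules: List[Rule] = []
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):          # table header, e.g. *nat
            table = line[1:]
            continue
        if not line.startswith("-A "):    # skip counters, COMMIT, comments
            continue
        toks = line.split()
        rule: Rule = {"table": table, "chain": toks[1], "raw": line, "dst": None,
                      "in_if": None, "proto": None, "dport": None,
                      "target": None, "to": None}
        i = 2
        while i < len(toks):
            tok = toks[i]
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if tok == "-d":
                rule["dst"] = nxt
            elif tok == "-i":
                rule["in_if"] = nxt
            elif tok == "-p":
                rule["proto"] = nxt
            elif tok == "--dport":
                rule["dport"] = int(nxt)
            elif tok == "-j":
                rule["target"] = nxt
            elif tok == "--to-destination":
                rule["to"] = nxt
            else:                         # -m tcp, -s, -o ... irrelevant here
                i += 1
                continue
            i += 2
        rules.append(rule)
    return rules


def overbroad_dnat(rules: List[Rule]) -> List[str]:
    """DNAT rules in nat/PREROUTING restricted by neither -d nor -i.
    Such a rule also matches the NATed VMs' own outbound packets."""
    return [r["raw"] for r in rules
            if r["table"] == "nat" and r["chain"] == "PREROUTING"
            and r["target"] == "DNAT" and r["dst"] is None and r["in_if"] is None]


def duplicate_rules(rules: List[Rule]) -> List[str]:
    """Identical '-A' lines present more than once."""
    counts = Counter(r["raw"] for r in rules)
    return [raw for raw, n in counts.items() if n > 1]


def first_dnat_hit(rules: List[Rule], in_if: str, dst_ip: str, dport: int) -> Optional[str]:
    """Walk nat/PREROUTING in order for a TCP packet (in_if, dst_ip, dport) and
    return the --to-destination of the first DNAT rule it matches, else None."""
    for r in rules:
        if r["table"] != "nat" or r["chain"] != "PREROUTING" or r["target"] != "DNAT":
            continue
        if r["proto"] not in (None, "tcp"):
            continue
        if r["in_if"] is not None and r["in_if"] != in_if:
            continue
        if r["dst"] is not None and ipaddress.ip_address(dst_ip) not in \
                ipaddress.ip_network(r["dst"], strict=False):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["to"]
    return None


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_DUMP)
    print("over-broad DNAT:", *overbroad_dnat(parsed), sep="\n  ")
    print("duplicates:", *duplicate_rules(parsed), sep="\n  ")
    # A VM on vmbr1 opening HTTP to a remote server is captured by the broad rule:
    print("VM -> 198.51.100.20:80 rewritten to:",
          first_dnat_hit(parsed, "vmbr1", "198.51.100.20", 80))
```

Run it against a real dump with `iptables-save | python3 lint_dnat.py`-style piping by replacing SAMPLE_DUMP with `sys.stdin.read()`; any rule it lists under "over-broad DNAT" is a candidate for the `-d <externalip>/32` fix from the post (or an `-i vmbr0` restriction, which achieves the same on a single-uplink host).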