The usual, No internet in Guest VM's

[FuriousRage]

Hi.
I just re-did my networking on my hetzner server.
I need to do the NAT setup so guest VMs MAC-addresses are hidden.
But with post-up iptables -t nat -A POSTROUTING -s '10.10.20.0/24' -o eno1 -j MASQUERADE
It does not work.
I cannot ping host-guest vm, i cannot ping guest vm-host.

PVE interfaces:

auto lo
iface lo inet loopback

auto eno1
iface eno1 inet static
        address a.b.c.91/26
        gateway a.b.c.65
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   echo 1 > /proc/sys/net/ipv4/conf/eno1/proxy_arp
#        bridge-ports eno1
#        bridge-stp off
#        bridge-fd 0

iface eno1 inet6 static
        address "ipv6"::/64

auto vmbr0
iface vmbr0 inet static
        address 10.10.20.1/28
#       netmask 255.255.255.0
#       gateway 10.10.20.1
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        post-up  iptables -t nat -A POSTROUTING -s '10.10.20.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.20.0/24' -o eno1 -j MASQUERADE
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

The current VM im trying to setup to work is a Windows Server.
There i have set manual ip to 10.10.20.101, netmask 255.255.255.0, gateway 10.10.20.1. DNS 10.10.20.1 / 1.1.1.1.

qm guest vm config

root@pve:/etc/network# qm config 101
bios: ovmf
boot: order=ide0;ide2
cores: 2
cpu: host
efidisk0: vms:vm-101-disk-0,efitype=4m,pre-enrolled-keys=1,size=1M
ide0: vms:vm-101-disk-1,size=256G
ide2: none,media=cdrom
machine: pc-q35-6.1
memory: 16384
meta: creation-qemu=6.1.0,ctime=1644063483
name: WindowsServer2022
net1: virtio=DE:D5:CD:C7:33:86,bridge=vmbr0,firewall=1
numa: 0
onboot: 0
ostype: win11
scsihw: virtio-scsi-pci
smbios1: uuid=3b03d66f-fe4f-435d-ab55-64c3a2aa653a
sockets: 1
spice_enhancements: videostreaming=all
startup: order=2,up=30
tpmstate0: vms:vm-101-disk-2,size=4M,version=v2.0
vcpus: 2
vga: qxl,memory=48
vmgenid: 6ca629e6-da63-4178-8063-1c6a0d672ce2

What am i missing here?

 

[oguz]

hi,

What am i missing here?

have you tried putting

hwaddress aa:bb:cc:dd:ee:ff

under the bridge config? replace the mac address with yours (you can find it in the output from ip a)

afterwards do ifreload -a to restart the interfaces

 

[FuriousRage]

hi,

have you tried putting

hwaddress aa:bb:cc:dd:ee:ff

under the bridge config? replace the mac address with yours (you can find it in the output from ip a)

afterwards do ifreload -a to restart the interfaces

The eno1 is my physical port. Or did you men put hwaddress on the vmbr0?

ip a tells this about the eno1:

2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b4:2e:99:c9:b0:74 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6

 

[oguz]

Or did you men put hwaddress on the vmbr0?

yes, under the bridge config, you should put the mac address of your physical port

 

[FuriousRage]

yes, under the bridge config, you should put the mac address of your physical port

I did that and ran ifreload -a.
VM's still cannot ping the host nor be pinged by the host, and no internet access
the windows VM has these settings on the network card:

 

[oguz]

try putting the line post-up echo 1 > /proc/sys/net/ipv4/ip_forward also under the bridge.

also why do you use a /28 mask instead of a /24 for the interface?

 

[FuriousRage]

try putting the line post-up echo 1 > /proc/sys/net/ipv4/ip_forward also under the bridge.

also why do you use a /28 mask instead of a /24 for the interface?

Might been a type-o, or one of the guide ive followed had 28.
Changed to /24 and added ip_forward under the vmbr0.
ifreload -a and still nothing seems to be able to come out from the guest VM.

 

[oguz]

can you show the current state of your network config?

 

[FuriousRage]

can you show the current state of your network config?

Nothing much changed, hdaddress added to vmbr0, adress chanrged /24 on vmbr0. and ip_forward added to vmbr0.

auto eno1
iface eno1 inet static
        address x.x.x.91/26
        gateway z.z.z.65
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
#       post-up   echo 1 > /proc/sys/net/ipv4/conf/eno1/proxy_arp
#        bridge-ports eno1
#        bridge-stp off
#        bridge-fd 0

iface eno1 inet6 static
        address <ipv6>::/64
        gateway fe80::1

auto vmbr0
iface vmbr0 inet static
        address 10.10.20.1/24
        hwaddress b4:2e:99:c9:b0:74
#       netmask 255.255.255.0
#       gateway 10.10.20.1
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up  iptables -t nat -A POSTROUTING -s '10.10.20.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.20.0/24' -o eno1 -j MASQUERADE
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

 

[oguz]

could you take a look here [0], it's a similar thread

[0]: https://forum.proxmox.com/threads/multiple-vms-with-only-1-public-ip-on-hetzner.97405/#post-485583

 

[FuriousRage]

could you take a look here [0], it's a similar thread

[0]: https://forum.proxmox.com/threads/multiple-vms-with-only-1-public-ip-on-hetzner.97405/#post-485583

I changed nothing from my last post.
But decided to reboot the whole PVE, because i read *somewhere on the internet* that this sometimes was needed with proxmox.
Lo and behold, after reboot, my current config works, can ping anything, can get dns resolves from 1.1.1.1 / 1.1.4.4 dns-servers (cloudflare).