Troubles enabling ipv4 forwarding

Jun 11, 2019
Hi all,
I have two fully virtualized guests, both Debian 10.
The first guest has two NICs, one with a public IP and the second on an internal-only network (10.10.10.10/8), each on a different vmbr: eth0 with the public IP on vmbr0, and eth1 (local only) on vmbr1.
The second guest has just one NIC, eth0, with a local-only IP address (10.10.10.11/8).
On the first machine I've enabled the ip_forwarding flag in sysctl.conf and I'm sure that it is enabled (several reboots, cat /proc/sys/net/ipv4/ip_forwarding says 1).
Of course the first guest is online and network activity is OK!

The problem: on the second guest, a simple ping to Google's DNS 8.8.8.8 (same for 1.1.1.1) doesn't receive any answer, and of course all network activity is down, except pinging the router guest (ping 10.10.10.10 is OK).

I dug further on the router guest (the guest with two NICs) by taking a tcpdump, and the result is:

[attached screenshot: Schermata 2020-05-10 alle 15.28.36.png]

So it seems that the ping request leaves the machine but Google simply drops the request because it doesn't know where to send back the answer... this is my thought!

On my Mac I did the same and you know the result:

Code:
15:15:06.991296 IP 192.168.1.22 > dns.google: ICMP echo request, id 35842, seq 3, length 64
15:15:07.012605 IP dns.google > 192.168.1.22: ICMP echo reply, id 35842, seq 3, length 64
15:15:07.993347 IP 192.168.1.22 > dns.google: ICMP echo request, id 35842, seq 4, length 64
15:15:08.016326 IP dns.google > 192.168.1.22: ICMP echo reply, id 35842, seq 4, length 64

Any hint is welcome. Here follows some useful information, like the configurations of both guests (192.168.1.240 is the LAN address, then routed to the public network via the ADSL router):

[attached image: ip addr router.png]
[attached image: ip route router.png]

Offline guest:

[attached image: ip addr offline.png]
[attached image: ip route offline.png]

EDIT:
I also made a tcpdump on the host and I can confirm that the packets leave the host machine:

Code:
root@vmhost00:~# tcpdump -i enp0s8 dst 8.8.8.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
18:23:32.572916 IP 10.10.10.11 > dns.google: ICMP echo request, id 386, seq 64, length 64
18:23:33.596736 IP 10.10.10.11 > dns.google: ICMP echo request, id 386, seq 65, length 64
18:23:34.620752 IP 10.10.10.11 > dns.google: ICMP echo request, id 386, seq 66, length 64
18:23:35.644697 IP 10.10.10.11 > dns.google: ICMP echo request, id 386, seq 67, length 64
18:23:36.668670 IP 10.10.10.11 > dns.google: ICMP echo request, id 386, seq 68, length 64

...but nothing is returned!

Thank you very much for any hint.

Francesco
 
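The comparison made by eye above (echo requests seen leaving, no echo replies coming back) can be turned into a repeatable check. The script below is an added example for this thread, not code from the original post; it assumes tcpdump's default one-line output as pasted in the captures above, and the capture it runs on is a constructed sample modelled on those two captures (a healthy flow from a LAN host and the one-way flow from 10.10.10.11).

```python
"""Flag ICMP echo flows in a tcpdump capture that never receive a reply.

Added example for this thread, not code from the original post. It assumes
tcpdump's default one-line text output (no -v), as pasted in the thread.
"""
import re
from collections import defaultdict

# Default tcpdump line for ICMP echo, e.g.:
# 18:23:32.572916 IP 10.10.10.11 > dns.google: ICMP echo request, id 386, seq 64, length 64
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample capture modelled on the thread: a LAN host whose pings are
# answered, and the internal-only guest whose pings get no reply. The tcpdump
# banner line is included to show that non-ICMP lines are ignored.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
15:15:06.991296 IP 192.168.1.22 > dns.google: ICMP echo request, id 35842, seq 3, length 64
15:15:07.012605 IP dns.google > 192.168.1.22: ICMP echo reply, id 35842, seq 3, length 64
15:15:07.993347 IP 192.168.1.22 > dns.google: ICMP echo request, id 35842, seq 4, length 64
15:15:08.016326 IP dns.google > 192.168.1.22: ICMP echo reply, id 35842, seq 4, length 64
18:23:32.572916 IP 10.10.10.11 > dns.google: ICMP echo request, id 386, seq 64, length 64
18:23:33.596736 IP 10.10.10.11 > dns.google: ICMP echo request, id 386, seq 65, length 64
18:23:34.620752 IP 10.10.10.11 > dns.google: ICMP echo request, id 386, seq 66, length 64
""".splitlines()


def parse(lines):
    """Yield (kind, src, dst, icmp_id, seq) for every ICMP echo line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"])


def unanswered_flows(lines):
    """Return {(src, dst, icmp_id): [seq, ...]} for requests that got no matching reply.

    A request (src, dst, id, seq) is answered by a reply (dst, src, id, seq),
    so replies are keyed by the requesting side before the two sets are compared.
    """
    requests = defaultdict(set)
    replies = defaultdict(set)
    for kind, src, dst, icmp_id, seq in parse(lines):
        if kind == "request":
            requests[(src, dst, icmp_id)].add(seq)
        else:
            replies[(dst, src, icmp_id)].add(seq)
    result = {}
    for flow, seqs in requests.items():
        missing = sorted(seqs - replies.get(flow, set()))
        if missing:
            result[flow] = missing
    return result


def report(lines):
    """Human-readable summary, one line per one-way flow."""
    return [
        f"{src} -> {dst} (id {icmp_id}): {len(seqs)} request(s) without reply, seq {seqs}"
        for (src, dst, icmp_id), seqs in unanswered_flows(lines).items()
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE) or ["all echo requests were answered"]:
        print(line)
```

Run against a capture taken on the router's outgoing interface, a flow that shows up here with a private source address such as 10.10.10.11 is the tell-tale: the packets are forwarded, but nothing on the far side can route a reply to that address, which is the symptom the rest of the thread addresses.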
Adding these three lines to the local interface on the router machine seems to be enough.

Bash:
post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
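A small audit of the three things the fix relies on (forwarding switched on, a MASQUERADE rule on the right outgoing interface, and a source scope that matches the internal network). This is an added example for this thread, not the poster's configuration or Proxmox code. It takes the value of /proc/sys/net/ipv4/ip_forward, the internal interface address in CIDR form and an `iptables -t nat -S` listing as plain text, so it runs offline on constructed inputs; `eno1` is the outgoing interface name used in the fix above. It goes one step beyond the thread's exact case by checking that the `-s` scope covers the whole internal network: with a /8 address on the internal interface as in the first post, a /24 rule only translates part of it, and any other 10.x guest would be forwarded upstream with its private source address untranslated.

```python
"""Audit ip_forward + MASQUERADE settings against the internal network they serve.

Added example for this thread, not the poster's configuration. All inputs are
plain text so the check runs offline: the content of
/proc/sys/net/ipv4/ip_forward, the internal interface address in CIDR form,
the WAN interface name and an `iptables -t nat -S` listing.
"""
import ipaddress


def parse_postrouting(listing):
    """Return the POSTROUTING rules of an `iptables -t nat -S` listing as dicts."""
    rules = []
    for line in listing.splitlines():
        toks = line.split()
        if toks[:2] != ["-A", "POSTROUTING"]:
            continue  # chain policies (-P) and other chains are not exit-NAT rules
        rule = {"src": None, "oif": None, "target": None}
        for i, tok in enumerate(toks[:-1]):
            if tok == "-s":
                rule["src"] = toks[i + 1]
            elif tok == "-o":
                rule["oif"] = toks[i + 1]
            elif tok == "-j":
                rule["target"] = toks[i + 1]
        rules.append(rule)
    return rules


def audit(ip_forward, internal_cidr, wan_if, nat_listing):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    if ip_forward.strip() != "1":
        findings.append("net.ipv4.ip_forward is not 1: the router will not forward guest traffic")
    internal = ipaddress.ip_interface(internal_cidr).network
    masq = [r for r in parse_postrouting(nat_listing) if r["target"] == "MASQUERADE"]
    if not masq:
        findings.append("no MASQUERADE rule: forwarded packets leave with private source "
                        "addresses, so replies never come back")
        return findings
    for rule in masq:
        if rule["oif"] != wan_if:
            findings.append(f"MASQUERADE rule bound to {rule['oif']!r}, not WAN interface {wan_if!r}")
        if rule["src"] is None:
            findings.append("MASQUERADE rule has no -s scope: it translates any forwarded source")
            continue
        scope = ipaddress.ip_network(rule["src"], strict=False)
        if not internal.subnet_of(scope):
            findings.append(f"MASQUERADE scope {scope} does not fully cover internal network "
                            f"{internal}; other hosts in {internal} would be forwarded untranslated")
    return findings


# Constructed listing modelled on the fix in the thread, plus the chain policy
# line that `iptables -S` prints first.
THREAD_RULE = "-P POSTROUTING ACCEPT\n-A POSTROUTING -s 10.10.10.0/24 -o eno1 -j MASQUERADE\n"

if __name__ == "__main__":
    # /24 matches the rule's scope; /8 (as in the first post) is only partly covered.
    for cidr in ("10.10.10.10/24", "10.10.10.10/8"):
        print(cidr, audit("1", cidr, "eno1", THREAD_RULE) or "OK")
```

On a real router the inputs come from `cat /proc/sys/net/ipv4/ip_forward`, the interface address and `iptables -t nat -S`; keeping the rule scoped with `-s` and `-o`, as the fix does, means only the internal network is translated and only on the way out through the WAN interface, rather than masquerading whatever happens to be forwarded.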
 
Did that solve your problem?

If yes, please mark the thread as 'SOLVED'.

Thanks!
 