Hi,
I have a Proxmox setup with one public IP address. The traffic to the VMs is forwarded via NAT; they are all in a local network separated by a virtual bridge, see the following config:
Bash:
bridge name bridge id STP enabled interfaces
vmbr0 8000.0cc47a7d3f40 no eno4
vmbr1 8000.12634c191f22 no tap100i0
tap101i0
vmbr0 has the public IP with the dedicated NIC eno4
vmbr1 has two VMs with private IPs "10.10.10.1x"
See the iptables rules as follows:
Code:
Chain PREROUTING (policy ACCEPT 2659 packets, 402K bytes)
pkts bytes target prot opt in out source destination
141K 8431K DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1022 to:10.10.10.10:22
25344 1523K DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1122 to:10.10.10.11:22
42419 2144K DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.10.10.10:80
55506 2980K DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:10.10.10.10:443
2426 104K DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:10.10.10.10:8080
1854 105K DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25565 to:10.10.10.11:25565
31 1492 DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25575 to:10.10.10.11:25575
10 440 DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2456 to:10.10.10.11:2456
0 0 DNAT udp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:2456 to:10.10.10.11:2456
1321 74536 DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 to:10.10.10.10:995
5787 364K DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 to:10.10.10.10:993
950 52260 DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 to:10.10.10.10:143
1179 65724 DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 to:10.10.10.10:465
284K 17M DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:10.10.10.10:25
873 47784 DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 to:10.10.10.10:110
10632 569K DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 to:10.10.10.10:587
84 4368 DNAT tcp -- vmbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9980 to:10.10.10.10:9980
106 6360 DNAT tcp -- vmbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9980 to:10.10.10.10:9980
Chain INPUT (policy ACCEPT 934 packets, 101K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 490 packets, 28808 bytes)
pkts bytes target prot opt in out source destination
956K 80M MASQUERADE all -- * vmbr0 10.10.10.0/24 0.0.0.0/0
66 3960 MASQUERADE all -- * vmbr1 10.10.10.0/24 0.0.0.0/0
On the VM 10.10.10.10 there is a traefik reverse proxy running, listening on ports 443, 80 and 9980 with different docker containers as targets.
The VMs can connect to the internet without problems. Also connections from outside (internet --> external-ip --> VM --> traefik --> docker) are working perfectly.
In the VM 10.10.10.10 there are a nextcloud server and a collabora server running, both reachable from an external client via the public IP and public domain.
The problem is when the nextcloud server wants to access collabora from inside the VM.
I would expect the following connection path:
Nextcloud (10.10.10.10) --> Proxmox-Host (public-ip) --> back-to-vm (10.10.10.10) --> traefik --> collabora
I seem to have a problem with the iptables rules on the Proxmox server because the connection gets dropped on the Proxmox host and never finds its way back to the VM.
I hope the problem is properly described and someone has an idea how to fix this.
Thanks for every help!
Greetings
Dominik
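The VM-to-public-IP-to-VM path in the post is a NAT hairpin (NAT reflection): the packet leaves the VM on vmbr1, is DNATed on the host back to 10.10.10.10 and must also be SNATed on the way out of vmbr1, otherwise the VM answers itself directly and the client side sees a SYN-ACK from an address it never contacted. The script below is an added example, not the poster's rules or Proxmox's own: it assumes the topology from the post (vmbr1, VM 10.10.10.10, ports 80/443/9980), a placeholder public address 203.0.113.10, and applies each nat rule idempotently with `iptables -C` before `-A`.

```shell
#!/bin/sh
# Hairpin NAT for the topology in the post (added example, not the poster's config).
# Assumptions: LAN 10.10.10.0/24 behind vmbr1, web VM 10.10.10.10, public IP is a
# placeholder (TEST-NET-3) and should be replaced with the real address on vmbr0.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
LAN_NET="10.10.10.0/24"
WEB_VM="10.10.10.10"
IPT="${IPT:-iptables}"

# DNAT rule (as one argument string) for traffic from the LAN to the public IP on
# port $2, redirected back to VM $1. Matching -d on the public IP rather than
# 0.0.0.0/0 (as the vmbr1 rule in the post does) keeps ordinary VM-to-internet
# connections on that port from being hijacked into the reflection.
hairpin_dnat_rule() {
    printf 'PREROUTING -i vmbr1 -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s' \
        "$LAN_NET" "$PUBLIC_IP" "$2" "$1" "$2"
}

# SNAT for the reflected flow: without it the reply from VM $1 bypasses the host,
# the client sees a SYN-ACK from 10.10.10.10 instead of the public IP and resets.
hairpin_snat_rule() {
    printf 'POSTROUTING -o vmbr1 -s %s -d %s -j MASQUERADE' "$LAN_NET" "$1"
}

# Append a nat-table rule only if -C reports it absent (safe to re-run at boot).
# Word-splitting of the rule string into iptables arguments is intended.
apply_rule() {
    $IPT -t nat -C $1 2>/dev/null || $IPT -t nat -A $1
}

# Reflect the three ports traefik listens on, plus the single SNAT rule.
apply_hairpin() {
    for port in 80 443 9980; do
        apply_rule "$(hairpin_dnat_rule "$WEB_VM" "$port")"
    done
    apply_rule "$(hairpin_snat_rule "$WEB_VM")"
}

# Usage: sh hairpin.sh apply   (as root on the Proxmox host)
case "${1:-}" in apply) apply_hairpin ;; esac
```

The FORWARD chain must also accept traffic entering and leaving on vmbr1 for the reflected flow; the post only shows the nat table, so that chain should be checked with `iptables -L FORWARD -v` separately.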