Traefik behind NAT in VM - connection problem from inside the VM over public IP

DominikH

Member
Feb 25, 2016
Hi,
I have a Proxmox setup with one public IP address. The traffic to the VMs is forwarded via NAT; they are all in a local network separated in a virtual bridge, see the following config:

Bash:
bridge name     bridge id               STP enabled     interfaces
vmbr0           8000.0cc47a7d3f40       no              eno4
vmbr1           8000.12634c191f22       no              tap100i0
                                                        tap101i0

vmbr0 has the public IP with the dedicated NIC eno4
vmbr1 has two VMs with private IPs "10.10.10.1x"

See the iptables rules as follows:

Code:
Chain PREROUTING (policy ACCEPT 2659 packets, 402K bytes)
 pkts bytes target     prot opt in     out     source               destination
 141K 8431K DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1022 to:10.10.10.10:22
25344 1523K DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1122 to:10.10.10.11:22
42419 2144K DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.10.10.10:80
55506 2980K DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:10.10.10.10:443
 2426  104K DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:10.10.10.10:8080
 1854  105K DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25565 to:10.10.10.11:25565
   31  1492 DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25575 to:10.10.10.11:25575
   10   440 DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2456 to:10.10.10.11:2456
    0     0 DNAT       udp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            udp dpt:2456 to:10.10.10.11:2456
 1321 74536 DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:10.10.10.10:995
 5787  364K DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:10.10.10.10:993
  950 52260 DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:10.10.10.10:143
 1179 65724 DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:10.10.10.10:465
 284K   17M DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:10.10.10.10:25
  873 47784 DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:10.10.10.10:110
10632  569K DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:10.10.10.10:587
   84  4368 DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9980 to:10.10.10.10:9980
  106  6360 DNAT       tcp  --  vmbr1  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9980 to:10.10.10.10:9980

Chain INPUT (policy ACCEPT 934 packets, 101K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 490 packets, 28808 bytes)
 pkts bytes target     prot opt in     out     source               destination
 956K   80M MASQUERADE  all  --  *      vmbr0   10.10.10.0/24        0.0.0.0/0
   66  3960 MASQUERADE  all  --  *      vmbr1   10.10.10.0/24        0.0.0.0/0

On the VM 10.10.10.10 there is a Traefik reverse proxy running, listening on the ports 443, 80 and 9980 with different Docker containers as targets.
The VMs can connect to the internet without problems. Connections from outside (internet --> external IP --> VM --> traefik --> docker) are also working perfectly.

In the VM 10.10.10.10 a Nextcloud server and a Collabora server are running, both reachable from an external client via public IP and public domain.
The problem is when the Nextcloud server wants to access Collabora from inside the VM.

I would expect the following connection path:

Nextcloud (10.10.10.10) --> Proxmox host (public IP) --> back to VM (10.10.10.10) --> traefik --> collabora

I seem to have a problem with the iptables rules on the Proxmox server, because the connection gets dropped on the Proxmox host and never finds its way back to the VM.

I hope the problem is properly described and someone has an idea how to fix this.

Thanks for every help!

Greetings
Dominik
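The listing in the post has a hairpin DNAT on vmbr1 only for port 9980, plus a MASQUERADE out of vmbr1, while 80 and 443 are only redirected for traffic arriving on vmbr0. As an added example (not from the post or from Proxmox), this small Python audit parses `iptables -t nat -L -v -n` output and reports which public-facing forwards lack the matching DNAT on the internal bridge; the sample listing is a constructed subset of the post's rules, and it assumes that a hairpin connection needs both a DNAT rule matching the internal bridge and a MASQUERADE out of that bridge.

```python
import re
from collections import defaultdict

# Constructed subset of the `iptables -t nat -L -v -n` listing from the post.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 2659 packets, 402K bytes)
 pkts bytes target     prot opt in     out     source               destination
42419 2144K DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.10.10.10:80
55506 2980K DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:10.10.10.10:443
   84  4368 DNAT       tcp  --  vmbr0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9980 to:10.10.10.10:9980
  106  6360 DNAT       tcp  --  vmbr1  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9980 to:10.10.10.10:9980

Chain POSTROUTING (policy ACCEPT 490 packets, 28808 bytes)
 pkts bytes target     prot opt in     out     source               destination
 956K   80M MASQUERADE  all  --  *      vmbr0   10.10.10.0/24        0.0.0.0/0
   66  3960 MASQUERADE  all  --  *      vmbr1   10.10.10.0/24        0.0.0.0/0
"""

# One DNAT rule: counters, target, proto, in-iface, out, src, dst, "tcp dpt:N to:IP:PORT".
DNAT_RE = re.compile(
    r"^\s*\S+\s+\S+\s+DNAT\s+(?P<proto>\w+)\s+--\s+(?P<iface>\S+)\s+\S+\s+\S+\s+\S+\s+"
    r"\w+ dpt:(?P<dport>\d+) to:(?P<target>[\d.]+:\d+)")
# One MASQUERADE rule; capture its out-interface.
MASQ_RE = re.compile(r"^\s*\S+\s+\S+\s+MASQUERADE\s+\w+\s+--\s+\S+\s+(?P<out>\S+)\s")


def parse_nat(listing):
    """Return ({(proto, dport): {in_iface: target}}, {masquerade out-ifaces})."""
    dnat, masq_out = defaultdict(dict), set()
    for line in listing.splitlines():
        if m := DNAT_RE.match(line):
            dnat[(m["proto"], int(m["dport"]))][m["iface"]] = m["target"]
        elif m := MASQ_RE.match(line):
            masq_out.add(m["out"])
    return dnat, masq_out


def hairpin_gaps(listing, public_if="vmbr0", internal_if="vmbr1"):
    """Forwards whose DNAT matches only the public bridge, so a VM that connects to
    the public IP from inside is never redirected. Second value: whether a
    MASQUERADE out of the internal bridge exists, so replies return via the host."""
    dnat, masq_out = parse_nat(listing)
    gaps = [(proto, dport, by_if[public_if])
            for (proto, dport), by_if in sorted(dnat.items())
            if public_if in by_if and by_if.get(internal_if) != by_if[public_if]]
    return gaps, internal_if in masq_out
```

On the sample it flags tcp/80 and tcp/443 as having no hairpin DNAT on vmbr1, while tcp/9980 is fully covered.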