Hello,
I'm observing a routing behavior on a proxmox server (at its Debian 11 host level) that I can't explain. Maybe somebody can help me to better understand or had already observed the same and has a solution.
Below the configuration:
Proxmox VE 7.3-6 hosting two VMs:
- VM1 (10.0.10.1/254) connected to vmbr1 (10.0.10.254/24)
- VM2 (10.0.11.1/24) connected to vmbr2 (10.0.11.254/24)
- vmbr0 is the WAN interface (let's say its IP is 192.168.1.1)
I configured netfilter (with iptables command) on the host to:
- Forward TCP ports 80,443 to VM1 (10.0.10.1)
- Forward UDP ports 500,4500 to VM2 (10.0.11.1)
- Forward TCP ports 8888 to VM2 (10.0.11.1)
- Netfilter allows all forwarding packet (nothing is blocked for simplicity). Also all firewalls are disabled from the Proxmox GUI at all levels (DC, Host, NIC...)
- All outgoing traffic from the vmbr0 are source NAT with the WAN IP 192.168.1.1
I use an external port scanner to check ports states on the Proxmox host . What I observe is as follows :
State 1: I scan the UDP port 500 and I can see that it is closed while it should be open because nothing is supposed to block it : a tcpdump on vmbr0 shows that UDP packets arrive on the Proxmox host. But a tcpdump on vmbr2 shows nothing --> UPD port forwarding does not work (or there is a routing issue or ???).
State 2: now I scan the TCP addresses 92.168.1.1:80 (forwarded to VM1) or 192.168.1.1:8888 (forwarded to VM2). Those ports are opened as expected.
State 3: I immediately re-scan the UDP port 500 on 92.168.1.1 and guess what! This time that port is open. But not for ever. If i wait some time, it closes again.
This behavior is maybe something related to routing with Linux bridges. I never observed this with physical NIC. Why the routing/forwarding of UDP packets is dependent on the routing of TCP packets? Something should happen on vmbrx...
Your help would be greatly appreciated.
Regards
I'm observing a routing behavior on a proxmox server (at its Debian 11 host level) that I can't explain. Maybe somebody can help me to better understand or had already observed the same and has a solution.
Below the configuration:
Proxmox VE 7.3-6 hosting two VMs:
- VM1 (10.0.10.1/254) connected to vmbr1 (10.0.10.254/24)
- VM2 (10.0.11.1/24) connected to vmbr2 (10.0.11.254/24)
- vmbr0 is the WAN interface (let's say its IP is 192.168.1.1)
I configured netfilter (with iptables command) on the host to:
- Forward TCP ports 80,443 to VM1 (10.0.10.1)
- Forward UDP ports 500,4500 to VM2 (10.0.11.1)
Code:
iptables -t nat -A PREROUTING -i vmbr0 -p udp -d 192.168.1.1 -m multiport --dports 500,4500 -j DNAT --to-destination 10.0.11.1- Forward TCP ports 8888 to VM2 (10.0.11.1)
- Netfilter allows all forwarding packet (nothing is blocked for simplicity). Also all firewalls are disabled from the Proxmox GUI at all levels (DC, Host, NIC...)
- All outgoing traffic from the vmbr0 are source NAT with the WAN IP 192.168.1.1
Code:
iptables -t nat -A POSTROUTING -o vmbr0 -j SNAT --to 192.168.1.1I use an external port scanner to check ports states on the Proxmox host . What I observe is as follows :
State 1: I scan the UDP port 500 and I can see that it is closed while it should be open because nothing is supposed to block it : a tcpdump on vmbr0 shows that UDP packets arrive on the Proxmox host. But a tcpdump on vmbr2 shows nothing --> UPD port forwarding does not work (or there is a routing issue or ???).
State 2: now I scan the TCP addresses 92.168.1.1:80 (forwarded to VM1) or 192.168.1.1:8888 (forwarded to VM2). Those ports are opened as expected.
State 3: I immediately re-scan the UDP port 500 on 92.168.1.1 and guess what! This time that port is open. But not for ever. If i wait some time, it closes again.
This behavior is maybe something related to routing with Linux bridges. I never observed this with physical NIC. Why the routing/forwarding of UDP packets is dependent on the routing of TCP packets? Something should happen on vmbrx...
Your help would be greatly appreciated.
Regards
Last edited:
The netcat command that I used to check the UDP 500 port is: