UDP port forwarding depending on TCP connection

cacheguard

Active Member
Sep 28, 2014
6
0
41
Paris
Hello,

I'm observing a routing behavior on a proxmox server (at its Debian 11 host level) that I can't explain. Maybe somebody can help me to better understand or had already observed the same and has a solution.

Below the configuration:

Proxmox VE 7.3-6 hosting two VMs:

- VM1 (10.0.10.1/254) connected to vmbr1 (10.0.10.254/24)
- VM2 (10.0.11.1/24) connected to vmbr2 (10.0.11.254/24)
- vmbr0 is the WAN interface (let's say its IP is 192.168.1.1)

I configured netfilter (with iptables command) on the host to:

- Forward TCP ports 80,443 to VM1 (10.0.10.1)

- Forward UDP ports 500,4500 to VM2 (10.0.11.1)
Code:
iptables -t nat -A PREROUTING -i vmbr0 -p udp -d 192.168.1.1 -m multiport --dports 500,4500 -j DNAT --to-destination 10.0.11.1

- Forward TCP ports 8888 to VM2 (10.0.11.1)

- Netfilter allows all forwarding packet (nothing is blocked for simplicity). Also all firewalls are disabled from the Proxmox GUI at all levels (DC, Host, NIC...)

- All outgoing traffic from the vmbr0 are source NAT with the WAN IP 192.168.1.1
Code:
iptables -t nat -A POSTROUTING -o vmbr0 -j SNAT --to 192.168.1.1

I use an external port scanner to check ports states on the Proxmox host . What I observe is as follows :

State 1: I scan the UDP port 500 and I can see that it is closed while it should be open because nothing is supposed to block it : a tcpdump on vmbr0 shows that UDP packets arrive on the Proxmox host. But a tcpdump on vmbr2 shows nothing --> UPD port forwarding does not work (or there is a routing issue or ???).

State 2: now I scan the TCP addresses 92.168.1.1:80 (forwarded to VM1) or 192.168.1.1:8888 (forwarded to VM2). Those ports are opened as expected.

State 3: I immediately re-scan the UDP port 500 on 92.168.1.1 and guess what! This time that port is open. But not for ever. If i wait some time, it closes again.

This behavior is maybe something related to routing with Linux bridges. I never observed this with physical NIC. Why the routing/forwarding of UDP packets is dependent on the routing of TCP packets? Something should happen on vmbrx...


Your help would be greatly appreciated.
Regards
 
Last edited:
I answer to myself : actually the problem was coming from my testing tool. I was using nmap, but maybe with wrong arguments. I replaced it by netcat and noticed that there is no issues in my configuration :) The netcat command that I used to check the UDP 500 port is:

Code:
nc -vz -u 192.168.1.1 500
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!