VM Can't Browse From Internet

[mhakim]

Hi all,

I need to escalate this to the forum since I've tried and still confusing.
My network configuration like this :



I can ping the domain name from the internet and also can browse the web from the LAN :



Anyone can help?

 

[oguz]

hi,

Anyone can help?

sure... but what is your question?

 

[mhakim]

the question is, why I can't connect to my vm from internet?

 

[oguz]

the question is, why I can't connect to my vm from internet?

what do you mean exactly?

do you want to access the PVE interface from outside?
or you want to access a service running on your VM?
if your VM has a public IP address then you should be able to connect there from outside. otherwise you'll have to do NAT [0] on your PVE to allow access to the VM.

[0]: https://pve.proxmox.com/wiki/Networ...ith_tt_span_class_monospaced_iptables_span_tt

 

[mhakim]

I want to access my vm from outside.

my proxmox has ip public, and every vm in my proxmox using local ip. I've done the port forwarding using iptables, but still can't access the vm

 

[oguz]

my proxmox has ip public, and every vm in my proxmox using local ip. I've done the port forwarding using iptables, but still can't access the vm

please show your /etc/network/interfaces file.

I want to access my vm from outside.

which service of your VM are you trying to access? have you forwarded the necessary port for that service to your VM's internal IP address using iptables?

how are you checking the connection to your VM? what error are you getting?

have you checked your firewall configuration?

 

[mhakim]

this is my /etc/network/interface :

auto lo
iface lo inet loopback

auto enp1s0
iface enp1s0 inet manual

auto enp2s0
iface enp2s0 inet manual

iface enp3s0 inet manual

iface enp4s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.100.122/24
        bridge-ports enp1s0
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet static
        address 202.56.163.123/29
        gateway 202.56.163.122
        bridge-ports enp2s0
        bridge-stp off
        bridge-fd 0

and this is my iptables rules :

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             host.56.163.123.varnion.com  tcp dpt:8181 to:192.168.100.5:8181
2    DNAT       tcp  --  anywhere             host.56.163.123.varnion.com  tcp dpt:22222 to:192.168.100.5:22
3    DNAT       tcp  --  anywhere             host.56.163.123.varnion.com  tcp dpt:2022 to:192.168.100.7:22
4    DNAT       tcp  --  anywhere             host.56.163.123.varnion.com  tcp dpt:8484 to:192.168.100.7:8083
5    DNAT       tcp  --  anywhere             host.56.163.123.varnion.com  tcp dpt:8282 to:192.168.100.7:80
6    DNAT       tcp  --  anywhere             host.56.163.123.varnion.com  tcp dpt:8585 to:192.168.100.7:443
7    DNAT       tcp  --  anywhere             host.56.163.123.varnion.com  tcp dpt:8989 to:192.168.100.9:443
8    DNAT       tcp  --  anywhere             host.56.163.123.varnion.com  tcp dpt:8182 to:192.168.100.9:80
9    DNAT       tcp  --  anywhere             host.56.163.123.varnion.com  tcp dpt:12321 to:192.168.100.9:12321
10   DNAT       tcp  --  anywhere             host.56.163.123.varnion.com  tcp dpt:22223 to:192.168.100.9:22
11   DNAT       tcp  --  anywhere             host.56.163.123.varnion.com  tcp dpt:2222 to:192.168.100.4:2222
12   DNAT       tcp  --  anywhere             host.56.163.123.varnion.com  tcp dpt:8883 to:192.168.100.4:8883
13   DNAT       tcp  --  anywhere             host.56.163.123.varnion.com  tcp dpt:3128 to:192.168.100.4:3128
14   DNAT       tcp  --  anywhere             host.56.163.123.varnion.com  tcp dpt:2222 to:192.168.100.4:2223
15   DNAT       udp  --  anywhere             host.56.163.123.varnion.com  udp dpt:2222 to:192.168.100.4:2222
16   DNAT       udp  --  anywhere             host.56.163.123.varnion.com  udp dpt:2222 to:192.168.100.4:2223
17   DNAT       udp  --  anywhere             host.56.163.123.varnion.com  udp dpt:8883 to:192.168.100.4:8883
18   DNAT       tcp  --  anywhere             host.56.163.123.varnion.com  tcp dpt:8443 to:192.168.100.4:8443

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  host.56.163.120.varnion.com/29  anywhere
2    MASQUERADE  all  --  192.168.100.0/24     anywhere

I didnt'use any firewall, since the proxmox using public ip and connected to my mikrotik

 

[mhakim]

when I'm trying to akses the vm from the internet, I got error_connection_reset

 

[oguz]

so when you try to say reach port 8282 from outside with curl like curl your.ip.address.here:8282 you should be reaching your VM on 192.168.100.7:80. does that work?

i also see you have multiple rules for the same destination port on udp 2222 (can be conflicting).

how/where did you add your iptables rules?
you can try following the wiki example, and add your forwarding rules in /etc/network/interfaces into post-up of the interface.
maybe something like:

...
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '192.168.100.0/24' -o enp1s0 -j MASQUERADE
    ...
    post-up iptables -t nat -A PREROUTING -i enp35s0 -p tcp --dport 8282 -j DNAT 192.168.100.7:80
    ...

 

[mhakim]

so when you try to say reach port 8282 from outside with curl like curl your.ip.address.here:8282 you should be reaching your VM on 192.168.100.7:80. does that work?

not work

i also see you have multiple rules for the same destination port on udp 2222 (can be conflicting).

I've fixed it :

how/where did you add your iptables rules?

this is how I add the rule :
iptables -t nat -A PREROUTING -p udp -d 202.56.163.123 --dport 2223 -i vmbr1 -j DNAT --to-destination 192.168.100.4:2223

 

[oguz]

iptables -t nat -A PREROUTING -p udp -d 202.56.163.123 --dport 2223 -i vmbr1 -j DNAT --to-destination 192.168.100.4:2223

try using the enp2s0 interface instead of vmbr1 (since it's bridged to that)

 

[mhakim]

i've tried that, but now I get err_connection_refused
i tried access https://cloud.jaklingkoindonesia.com:8989

btw.. how do i apply iptables rules without restart the proxmox?

 

[oguz]

btw.. how do i apply iptables rules without restart the proxmox?

if you have ifupdown2 installed you can try: ifreload -a (will reload the interface, if you have the post-up it should work)

 

[mhakim]

thanks, I got it installed.

so, i've tried change the interface based on ur guide, but still, i can't access my vm from the outside (internet).
there're https://vm.jaklingkoindonesia.com:8006 , https://cloud.jaklingkoindonesia.com:8989 , http://ithd.jaklingkoindonesia.com