[SOLVED] VMs can ping Internet, but Proxmox host cannot

[bryanbr23]

Hi All,
I have tried for multiple days to figure this out, but still hitting a wall.

VM's (3) can ping Internet, but host cannot. Host can ping other devices on same subnet, so network appears to be working.

My end-goal is to update packages to remain current as I'm falling behind running Proxmox 7.0-11.

**** /etc/network/interfaces shows
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
address 192.168.178.32/24
gateway 192.168.178.30
bridge-ports eno1
bridge-stp off
bridge-fd 0

**** /etc/resolv.conf
nameserver 192.168.178.94 (I can ping nameserver as well)

Can anyone guide me on what I might be doing wrong?

Thank you in advance,
~Bryan

 

[Chris]

Hi All,
I have tried for multiple days to figure this out, but still hitting a wall.

VM's (3) can ping Internet, but host cannot. Host can ping other devices on same subnet, so network appears to be working.

My end-goal is to update packages to remain current as I'm falling behind running Proxmox 7.0-11.

**** /etc/network/interfaces shows
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
address 192.168.178.32/24
gateway 192.168.178.30
bridge-ports eno1
bridge-stp off
bridge-fd 0

**** /etc/resolv.conf
nameserver 192.168.178.94 (I can ping nameserver as well)

Can anyone guide me on what I might be doing wrong?

Thank you in advance,
~Bryan

Hi,
can you ping the gateway? Do you have host firewall rules interfering with traffic?

 

[bryanbr23]

Hi Chris,
Thank you for the response. I run Unifi DreamMachine SE as wifi controller/router (192.168.178.30).

When trying to ping, I do NOT get responses. I can ping other devices on local/same subnet.

I do not have any firewall rules configured within Proxmox.

My gut tells me I should be looking at my Unifi gear.

Thanks in Advance,
~Bryan

 

[Chris]

Hi Chris,
Thank you for the response. I run Unifi DreamMachine SE as wifi controller/router (192.168.178.30).

When trying to ping, I do NOT get responses. I can ping other devices on local/same subnet.

I do not have any firewall rules configured within Proxmox.

My gut tells me I should be looking at my Unifi gear.

Thanks in Advance,
~Bryan

Maybe your router is filtering ICMP?

 

[bryanbr23]

I was thinking same, but other devices (VM's in Proxmox, Windows and Mac clients) can ping router (192.168.178.30).

So, I've got something preventing me on my Proxmox host.

My goal again is to update packages on Proxmox.

Thanks in Advance,
~Bryan

 

[micko]

add "auto eno1" above "iface eno1 inet manual".

 

[Chris]

I was thinking same, but other devices (VM's in Proxmox, Windows and Mac clients) can ping router (192.168.178.30).

So, I've got something preventing me on my Proxmox host.

My goal again is to update packages on Proxmox.

Thanks in Advance,
~Bryan

Is the PVE firewall enabled?

Please post the output of cat /etc/pve/firewall/cluster.fw and iptables-save. You can also check connectivity with tools such as mtr, which can be installed via apt install mtr-tiny.

 

[bryanbr23]

Hi Chris,
Apologies for delayed response. I did not see message until today. Firewall has nothing.

cat: /etc/pve/firewall/cluster.fw: No such file or directory
root@proxmox:~#

root@proxmox:~# iptables-save
# Generated by iptables-save v1.8.7 on Tue May  9 09:40:43 2023
*raw
:PREROUTING ACCEPT [27160:6590187]
:OUTPUT ACCEPT [7688:4444646]
COMMIT
# Completed on Tue May  9 09:40:43 2023
# Generated by iptables-save v1.8.7 on Tue May  9 09:40:43 2023
*filter
:INPUT ACCEPT [9204:2928951]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7692:4445100]
COMMIT
# Completed on Tue May  9 09:40:43 2023

I was unable to install mtr-tiny due to no Internet access on the host.

Thank you in advance,
~Bryan

 

[JeanBro]

I already have this problem and it was from my bridge vmbr0 and I delete it and after it works so maybe try to do the same and see if it works
Jean

 

[Chris]

Hi Chris,
Apologies for delayed response. I did not see message until today. Firewall has nothing.

cat: /etc/pve/firewall/cluster.fw: No such file or directory
root@proxmox:~#

root@proxmox:~# iptables-save
# Generated by iptables-save v1.8.7 on Tue May  9 09:40:43 2023
*raw
:PREROUTING ACCEPT [27160:6590187]
:OUTPUT ACCEPT [7688:4444646]
COMMIT
# Completed on Tue May  9 09:40:43 2023
# Generated by iptables-save v1.8.7 on Tue May  9 09:40:43 2023
*filter
:INPUT ACCEPT [9204:2928951]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7692:4445100]
COMMIT
# Completed on Tue May  9 09:40:43 2023

I was unable to install mtr-tiny due to no Internet access on the host.

Thank you in advance,
~Bryan

Okay, strange that you have no pve cluster firewall config. What PVE version are you running pveversion -v?
Please post your current ip config ip addr; ip route; ip neigh show. And try to reload the config by running ifreload -a. Maybe you have some duplicate IP address?

 

[bryanbr23]

Thanks for your continued help. Here are the details you requested.

In advance, as an aside, this host machine is an Intel NUC ( Intel NUC - NUC8i5BEH ). It can ping peers, but just can route through default GW 192.168.178.30 -- my Unifi Dreammachine SE). I can ping my router (192.168.178.30) from other machines (Windows). NSLookup's work from proxmox host.

############################
# pveversion -v
proxmox-ve: 7.0-2 (running kernel: 5.11.22-4-pve)
pve-manager: 7.0-11 (running version: 7.0-11/63d82f4e)
pve-kernel-5.11: 7.0-7
pve-kernel-helper: 7.0-7
pve-kernel-5.11.22-4-pve: 5.11.22-8
ceph-fuse: 15.2.14-pve1
corosync: 3.1.2-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.21-pve1
libproxmox-acme-perl: 1.3.0
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.0-4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.0-6
libpve-guest-common-perl: 4.0-2
libpve-http-server-perl: 4.0-2
libpve-storage-perl: 7.0-10
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.9-4
lxcfs: 4.0.8-pve2
novnc-pve: 1.2.0-3
proxmox-backup-client: 2.0.9-2
proxmox-backup-file-restore: 2.0.9-2
proxmox-mini-journalreader: 1.2-1
proxmox-widget-toolkit: 3.3-6
pve-cluster: 7.0-3
pve-container: 4.0-9
pve-docs: 7.0-5
pve-edk2-firmware: 3.20200531-1
pve-firewall: 4.2-2
pve-firmware: 3.3-1
pve-ha-manager: 3.3-1
pve-i18n: 2.5-1
pve-qemu-kvm: 6.0.0-3
pve-xtermjs: 4.12.0-1
qemu-server: 7.0-13
smartmontools: 7.2-1
spiceterm: 3.2-2
vncterm: 1.7-1
zfsutils-linux: 2.0.5-pve1

############################
# ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UP group default qlen 1000
link/ether 1c:69:7a:00:23:6c brd ff:ff:ff:ff:ff:ff
altname enp0s31f6
3: wlp0s20f3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether d0:c6:37:27:63:cf brd ff:ff:ff:ff:ff:ff
4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 1c:69:7a:00:23:6c brd ff:ff:ff:ff:ff:ff
inet 192.168.178.32/24 scope global vmbr0
valid_lft forever preferred_lft forever
inet6 fe80::1e69:7aff:fe00:236c/64 scope link
valid_lft forever preferred_lft forever
5: tap100i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN group default qlen 1000
link/ether e2:e7:cd:a2:c9:dd brd ff:ff:ff:ff:ff:ff
6: tap102i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr102i0 state UNKNOWN group default qlen 1000
link/ether aa:59:f4:37:9a:ce brd ff:ff:ff:ff:ff:ff
7: fwbr102i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether de:d0:44:16:0f:4d brd ff:ff:ff:ff:ff:ff
8: fwpr102p0@fwln102i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
link/ether 4a:0a:ad:f8:5c:06 brd ff:ff:ff:ff:ff:ff
9: fwln102i0@fwpr102p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr102i0 state UP group default qlen 1000
link/ether 06:65:ca:b4:38:46 brd ff:ff:ff:ff:ff:ff
10: tap104i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr104i0 state UNKNOWN group default qlen 1000
link/ether 6e:62:a2:d2:63:b5 brd ff:ff:ff:ff:ff:ff
11: fwbr104i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 7e:29:93:9d:d8:11 brd ff:ff:ff:ff:ff:ff
12: fwpr104p0@fwln104i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
link/ether 2e:2c:77:a4:3b:22 brd ff:ff:ff:ff:ff:ff
13: fwln104i0@fwpr104p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr104i0 state UP group default qlen 1000
link/ether 42:33:2a:12:1b:c3 brd ff:ff:ff:ff:ff:ff
14: tap105i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr105i0 state UNKNOWN group default qlen 1000
link/ether 1a:b1:cf:5a:0a:0a brd ff:ff:ff:ff:ff:ff
15: fwbr105i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 32:f9:a5:55:f4:4c brd ff:ff:ff:ff:ff:ff
16: fwpr105p0@fwln105i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
link/ether 96:11:23:c3:20:be brd ff:ff:ff:ff:ff:ff
17: fwln105i0@fwpr105p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr105i0 state UP group default qlen 1000
link/ether 4e:c0:02:74:ee:b1 brd ff:ff:ff:ff:ff:ff

############################
# ip route

default via 192.168.178.30 dev vmbr0 proto kernel onlink
192.168.178.0/24 dev vmbr0 proto kernel scope link src 192.168.178.32

############################
# ip neigh show
192.168.178.94 dev vmbr0 lladdr de:e2:bb:5f:d6:ab STALE
192.168.178.30 dev vmbr0 lladdr d2:21:f9:89:7b:04 STALE
192.168.178.131 dev vmbr0 lladdr c4:9d:ed:91:36:6e DELAY
fe80::3abf:c4bc:cdf3:b504 dev vmbr0 lladdr c4:9d:ed:91:36:6e STALE
fe80::8d7:e15a:6fb4:4ea2 dev vmbr0 lladdr e6:ef:c6:f4:65:ed STALE
fe80::822b:f9ff:fe49:1431 dev vmbr0 lladdr 80:2b:f9:49:14:31 STALE
fe80::cbf1:470:585:d67f dev vmbr0 lladdr c8:34:8e:72:22:8f STALE
fe80::e469:8cff:fe03:d294 dev vmbr0 lladdr e6:69:8c:03:d2:94 STALE
fe80::446:c794:c6e1:171d dev vmbr0 lladdr 82:7b:e1:2b:1a:92 STALE
fe80::8810:e6ff:feb7:f326 dev vmbr0 lladdr 8a:10:e6:b7:f3:26 STALE
fe80::5ec5:63ff:fe26:be9f dev vmbr0 lladdr 5c:c5:63:26:be:9f STALE
fe80::dce2:bbff:fe5f:d6ab dev vmbr0 lladdr de:e2:bb:5f:d6:ab STALE
fe80::14a8:978b:592d:d90f dev vmbr0 lladdr a2:9b:50:e3:58:d7 STALE
fe80::1479:7b5e:7379:70ad dev vmbr0 lladdr ba:e8:83:85:a8:4c STALE

Thanks in Advance,
~Bryan

 

[Chris]

192.168.178.30 dev vmbr0 lladdr d2:21:f9:89:7b:04 STALE

I suppose this is the correct mac address for your gateway? I cannot find anything wrong with your current network setup, so I would guess that the Unify Router might be blocking your traffic by arp filtering? Does ping work the other way around, so from your router to your PVE host?

 

[Spoonman2002]

maybe add extra nameservers in /etc/resolv.conf on pve host :

nameserver 192.168.178.94
nameserver 1.0.0.1
nameserver 9.9.9.9

 

[bryanbr23]

SOLVED

Hi Chris et al,
Shame on me. I re-imaged Proxmox (saving backups to my NAS), only to find out that Unifi was blocking the MAC address.
I discovered this only by looking at the Unifi Mobile app and seeing the addresses being blocked.
I just wanted to post back the results for future people.

And especially to say thank you for the hand-holding and support you have provided. Thank you!

Politely backing up while palming my face...

Thanks again,
~Bryan

 

[Chris]

Glad you could find the issue and resolve it, please mark the thread as solved, thx.