VMs cannot access internet

hexadec

Aug 28, 2018
Hi all, long time lurker first time poster. I have an issue where none of my VMs can access the internet (over 80/443). I can ping and nslookup and they each have the appropriate IP reserved through my router's DHCP function. I can access the Datacenter/ server over the internet and the server can reach HTTP content (via curl/wget).

Not sure where the issue may lie or where to start. It was working with the below config, not sure what happened.

Brief infra overview:
-Single server with DNS CNAME to a single URL
-5 VMs currently (each with own NAT'd IP)
-All can ping and DNS resolve, but no HTTP/HTTPS
-server has HTTP/HTTPS access
-iptables set to redirect inbound 80/443 to 8006 (iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8006, iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8006)
-edge router forwarding 80/443 to server
-Built in Proxmox Datacenter/ server firewall enabled, enabled in/out on 80/443, bottom rule is a reject on all other in TCP traffic (no firewall enabled on VM settings)
-One VM is running PiHole as a DNS server, router lists this as primary and OpenDNS as secondary
 
Edit with troubleshooting:

-tried turning off Datacenter/server level firewall in Proxmox GUI
-reset all network hardware (router, switch, modem, server)
-restarted all VMs

Also, new issue:
-getting continuous disconnect, moving the mouse or entering keys will disconnect with no error, shows 'Connecting...' again. Stable until mouse/keyboard usage. Very strange.
 
Maybe the connections from the VM also get NATed to port 8006 on the server? (Try to limit your port forwarding rules based on incoming/outgoing interfaces/sourceip/destip.)
 
After disabling NAT port forward and iptables rule, no change. VMs cannot access internet.
 
Great success, it seems the inbound HTTP/S was getting forwarded to server rather than VMs. Disabled iptables and persistent-iptables ruleset, don't forget to remove config from /etc/iptables/rules.v4 as well (then reboot).
 
Any ideas on setting iptables to forward inbound port 8006 requests to the server (0.0.0.1) on port 80/443 without impacting the VMs?
 
IMHO, you should try to add the interface option to the iptables rules, '-i vmbr0' or something, to specify the interface to redirect from.
Without that option, the packet filter will redirect any traffic matching '--dport 443' and '--dport 80', even from your VMs (agree with Stoiko Ivanov).
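
The replies above trace the outage to PREROUTING REDIRECT rules that match on destination port alone. The following check is an added example, not part of the thread: it reads rules in iptables-save format and prints every nat PREROUTING REDIRECT rule that has no interface, source or destination match. The sample ruleset, the addresses 192.0.2.10 and 10.10.10.0/24, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not taken from the poster's host).
# The first two rules are the ones quoted in the thread; the rest are scoped variants.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8006
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8006
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8006
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8006
-A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE
COMMIT'

# Print each nat PREROUTING REDIRECT rule that carries no -i, -s or -d match.
# Such a rule also catches outbound 80/443 from guests whose traffic the host
# routes, which is the failure described in the thread.
unscoped_redirects() {
    awk '
        /^\*/ { table = substr($1, 2); next }   # remember which table we are in
        table == "nat" && $1 == "-A" && $2 == "PREROUTING" {
            redirect = 0; scoped = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "REDIRECT") redirect = 1
                if ($i == "-i" || $i == "--in-interface" ||
                    $i == "-s" || $i == "--source" ||
                    $i == "-d" || $i == "--destination") scoped = 1
            }
            if (redirect && !scoped) print
        }
    '
}

# Number of unscoped REDIRECT rules found on stdin.
count_unscoped() { unscoped_redirects | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_RULES" | unscoped_redirects
```

On a live host the same function can be fed from `iptables-save` or from `/etc/iptables/rules.v4`. It only reports rules with no narrowing match at all; whether a given interface or address match actually excludes guest traffic depends on how the bridge and routing are set up.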
 
