VMs not getting an IPv4 address when using Masquerading (NAT) with iptables

Aug 7, 2025
Hello,

So I have a new server I'm migrating my VE environment to and plan on moving to a colo. As such, I'm trying to switch to using a NAT network per the documentation for my VMs. Unfortunately, I cannot get an IP address for my VMs! Does anyone have any ideas here? My network config looks like the following:

Bash:
auto lo
iface lo inet loopback

iface enx0a94ef630557 inet manual

auto eno1
iface eno1 inet manual
        address 192.168.100.4/24
        gateway 192.168.100.1

iface eno2 inet manual

iface eno3 inet manual

iface eno4 inet manual

iface ens1f0 inet manual

iface ens1f1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

source /etc/network/interfaces.d/*

The VM doesn't get an IPv4 address at all, but seems to have an IPv6 address. I can't reach the gateway (192.168.100.1) at all either (which makes sense), and the system complains that the network is unavailable. Any help would be appreciated.
 
How would the VM get an IP? Via DHCP? Do you have a DHCP server set up for 10.10.10.0/24 on vmbr0?

If you want to use MASQUERADING and DHCP, maybe the best solution for you would be to set up an SDN simple zone with SNAT enabled - see [1]. Please note that this is not a security feature if you want your VMs to be unreachable from the 192.168.100.0/24 network (but you can create firewall rules with the nftables firewall [tech preview!] that prevent that).

[1] https://pve.proxmox.com/wiki/Setup_Simple_Zone_With_SNAT_and_DHCP
 
How would the VM get an IP? Via DHCP? Do you have a DHCP server set up for 10.10.10.0/24 on vmbr0?
Yes, I realized that afterwards, and I feel like a fool. I have no idea why I thought it would "magically" work like that. :-/

If you want to use MASQUERADING and DHCP, maybe the best solution for you would be to set up an SDN simple zone with SNAT enabled - see [1]. Please note that this is not a security feature if you want your VMs to be unreachable from the 192.168.100.0/24 network (but you can create firewall rules with the nftables firewall [tech preview!] that prevent that).

[1] https://pve.proxmox.com/wiki/Setup_Simple_Zone_With_SNAT_and_DHCP
Thanks, I'll take a look and see if this will give me what I'm looking for.
 
So unfortunately this didn't work out either. I have the SDN elements set up and apparently working, but the VM does not have any network connectivity. Not sure what's happening, but sadly this isn't the solution I need either.

I take that back. I tested the above on my original PVE server (I'm migrating) and it worked just fine, so something is wrong in my new environment. I'm going to upgrade to PVE v9 and see if that helps instead. Sorry, I didn't want to discourage anyone from trying the above when it's likely an isolated issue on my end.
 
So unfortunately this didn't work out either. I have the SDN elements set up and apparently working, but the VM does not have any network connectivity. Not sure what's happening, but sadly this isn't the solution I need either.

I take that back. I tested the above on my original PVE server (I'm migrating) and it worked just fine, so something is wrong in my new environment. I'm going to upgrade to PVE v9 and see if that helps instead. Sorry, I didn't want to discourage anyone from trying the above when it's likely an isolated issue on my end.
So I did get this working. The problem was not the setup/instructions above, but rather me using ufw to do some very basic work. I'll put together a new post to describe what I'm seeing, but with no restrictive firewall rules via ufw, this is exactly the solution I was looking for.
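
The host-side points this thread works through (forwarding, the MASQUERADE rule, a DHCP server for 10.10.10.0/24, and ufw), as an added example that is not part of any post above. It assumes the thread's subnet and uplink (10.10.10.0/24 via eno1); the function names and sample data are constructed, and the ufw default forward policy is only one assumed place ufw can affect routed traffic, since the thread does not say which ufw rule was responsible.

```shell
# Added example: each function reads saved command output on stdin,
# so it can be tried on captured text before running on a host.
forwarding_enabled() { [ "$(tr -d '[:space:]')" = "1" ]; }

# 0 if `iptables-save -t nat` output masquerades subnet $1 out of interface $2
has_masquerade() {
    awk -v s="$1" -v o="$2" '
        $1 == "-A" && $2 == "POSTROUTING" {
            src = out = tgt = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-o") out = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            if (src == s && out == o && tgt == "MASQUERADE") found = 1
        }
        END { exit !found }'
}

# 0 if `ss -H -lun` output shows a UDP listener on port 67 (a DHCP server)
has_dhcp_listener() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:67$/) found = 1 }
         END { exit !found }'
}

# Prints the DEFAULT_FORWARD_POLICY value from the content of /etc/default/ufw
ufw_forward_policy() {
    sed -n 's/^DEFAULT_FORWARD_POLICY="\{0,1\}\([A-Za-z]*\)"\{0,1\}.*/\1/p' | tail -n 1
}

# Constructed sample data (not taken from the poster's host)
SAMPLE_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eno1 -j MASQUERADE
COMMIT'
SAMPLE_SS='UNCONN 0 0 0.0.0.0:22000 0.0.0.0:*
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*'
SAMPLE_UFW='DEFAULT_INPUT_POLICY="DROP"
DEFAULT_FORWARD_POLICY="DROP"'

# On a host: nat_report "$(cat /proc/sys/net/ipv4/ip_forward)" \
#   "$(iptables-save -t nat)" "$(ss -H -lun)" "$(cat /etc/default/ufw)"
nat_report() {   # args: ip_forward value, nat rules, ss output, ufw defaults
    printf '%s\n' "$1" | forwarding_enabled || echo "ip_forward is off"
    printf '%s\n' "$2" | has_masquerade 10.10.10.0/24 eno1 || echo "no MASQUERADE rule for 10.10.10.0/24 via eno1"
    printf '%s\n' "$3" | has_dhcp_listener || echo "no DHCP listener: guests need static addresses"
    [ "$(printf '%s\n' "$4" | ufw_forward_policy)" != "DROP" ] || echo "ufw default forward policy is DROP"
}
nat_report 1 "$SAMPLE_NAT" "$SAMPLE_SS" "$SAMPLE_UFW"
```

With the constructed samples, the report flags the missing DHCP listener and the DROP forward policy while the forwarding and MASQUERADE checks pass.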