
Alright, I'm at my wits' end.

I am trying to configure Proxmox on a dedicated server at Hetzner, which has one public IP, so I want to use NAT for the VMs / containers.

I read all the manuals, and tried to follow Hetzner's manual to the letter. It simply doesn't work.

Here's my config:


source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp4s0
iface enp4s0 inet static
        address xxx.xxx.xxx.16/27
        gateway xxx.xxx.xxx.1
        pointopoint xxx.xxx.xxx.1

auto vmbr0
iface vmbr0 inet static
    address  xxx.xxx.xxx.16
    netmask  255.255.255.255
    bridge_ports none
    bridge_stp off
    bridge_fd 0

auto vmbr1
iface vmbr1 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0

iface eth0 inet manual

The guest is simply:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 10.0.0.2/24
        gateway 10.0.0.1

When I create an LXC with its interface attached to vmbr1, it doesn't have internet connectivity. When I run `ping -I vmbr1 google.com` I get timeouts (and the same happens with vmbr0, which is strange).

I think this is the most minimalistic configuration and it is recommended everywhere. `ip route` shows that vmbr0 is linkdown, which AIUI means it's attached to an interface which is down, but it's not attached to anything really, and this is by design?

What am I doing wrong here?

sgzmd
    I do not think that you followed it to the letter, no offense. Host Bridged configuration says `bridge_ports enp1s0` for vmbr0. Yours does not. Host System Routed configuration says `up ip route add /32 dev vmbr0`. Yours does not. Which configuration example did you follow? In your configuration your bridge interface is not connected to any network interfaces, rendering it guest-only I think. – PhilMasteG Jul 02 '22 at 15:48
  • 1
    What `vmbr0` is for? Why you ever defined that interface? (Please, don't answer that "it was in the manual", because the follow-up would be "did you understand why it was in that manual".) // I don't see any place in your post where you actually create a NAT rule in the host. I don't see a place which describe how you instruct a host kernel to forward IP packets. Both are needed to route and NAT packets for VMs on the host. – Nikita Kipriyanov Jul 02 '22 at 16:24
  • Thanks for the comments - see the answer below. – sgzmd Jul 03 '22 at 18:06

2 Answers


Alright, so I got to the answer:

auto vmbr0
iface vmbr0 inet static
        address 10.0.0.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o ens3 -j MASQUERADE

No bridging is needed.

As Nikita pointed out above, vmbr0 in the example above was not needed, so I killed it and moved vmbr1 up the stack.

What surprises me most is that Hetzner's manual doesn't mention the port forwarding part at all, which surprised me a great deal even though I'm not really a networking guru by any stretch of the imagination. So, here you go, hope it'll be helpful to someone.

sgzmd
  • `-s 'public.ip.0/24'` seems very strange to me. I'd rather filter by the local network here, e.g. `-s 10.0.0.0/24`, so only local network (consisted of virtual machines) would be able to use this NAT rule. – Nikita Kipriyanov Jul 04 '22 at 04:58
  • You are right, I mistakenly dubbed that one out. Corrected. – sgzmd Jul 05 '22 at 07:40
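As an added example (not part of the accepted answer or of Hetzner's documentation), here is the complete host-side stanza that the answer above implies but does not spell out. Two things are assumed: the physical uplink is called `enp4s0`, as in the question (the answer writes `ens3`; the name must match the output of `ip link`, because `-o` with a name that does not exist is accepted by iptables and simply never matches, so the rule silently does nothing), and the Proxmox firewall is not managing the `FORWARD` chain. It adds what Nikita's comment asked for and the answer left out: IPv4 forwarding in the kernel (without it the MASQUERADE rule never sees guest packets), the matching `post-down` cleanup so the rules are not duplicated on every `ifreload`, and `FORWARD` rules that restrict routing to guest-to-uplink traffic and the replies to it, rather than letting the host forward between any two interfaces once `ip_forward` is on.

```text
auto vmbr0
iface vmbr0 inet static
        address 10.0.0.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        # Routing is off by default; the NAT rule below is useless without this.
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        # NAT only the guest subnet, and only when it leaves via the uplink.
        # Interface name is an assumption: use whatever `ip link` shows on your host.
        post-up   iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp4s0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o enp4s0 -j MASQUERADE
        # Forward guest traffic out of the uplink, and only replies back in;
        # drop everything else so the host does not become an open router.
        post-up   iptables -A FORWARD -i vmbr0 -o enp4s0 -s 10.0.0.0/24 -j ACCEPT
        post-up   iptables -A FORWARD -i enp4s0 -o vmbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        post-up   iptables -A FORWARD -i vmbr0 -j DROP
        post-up   iptables -A FORWARD -i enp4s0 -o vmbr0 -j DROP
        post-down iptables -D FORWARD -i vmbr0 -o enp4s0 -s 10.0.0.0/24 -j ACCEPT
        post-down iptables -D FORWARD -i enp4s0 -o vmbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        post-down iptables -D FORWARD -i vmbr0 -j DROP
        post-down iptables -D FORWARD -i enp4s0 -o vmbr0 -j DROP
```

To check it is actually in effect, `cat /proc/sys/net/ipv4/ip_forward` must print `1`, `iptables -t nat -L POSTROUTING -v -n` must show the MASQUERADE rule with a non-zero packet counter after a guest has tried to reach the internet, and `iptables -L FORWARD -v -n` shows which of the accept/drop rules the guest traffic is hitting. A rule with a zero counter while the guest still times out is the symptom of a wrong `-o` interface name. The `echo` to `/proc/sys` only lasts until reboot is not an issue here because `post-up` runs every time the bridge comes up, but putting `net.ipv4.ip_forward = 1` in `/etc/sysctl.d/` is the more conventional place for it.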

On your vmbr0 block, `post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o ens3 -j MASQUERADE`:

Is `-o ens3` correct? Should it be `enp4s0`?

Thanks

  • This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/528184) – ndemou Aug 26 '22 at 20:15