End goal (ASCII Diagram)

WAN->Router->Server->GRE Tunnel->VM network->VM #1, etc.

I should explain some things first.

I have a server running Proxmox (Debian 8.7 x64). Its connection to the internet is eth0 (behind NAT, with the GRE protocol forwarded).

The GRE interface (gre1) is created and monitored by a custom daemon running on the host, but it otherwise doesn't touch firewall rules or routes. The IP of this machine in the GRE tunnel is 192.168.168.2 and the remote endpoint is 192.168.168.1.

I have one network bridge set up (vmbr0). Here is the relevant config.

auto vmbr0
iface vmbr0 inet static
    address 10.2.0.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0

    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up   iptables -t nat -A POSTROUTING -s '10.2.0.0/24' -o gre1 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.2.0.0/24' -o gre1 -j MASQUERADE

On the machine at the other end of the GRE tunnel I already have iptables configured to NAT properly, and on the host I can ping 192.168.168.1 and outside destinations using ping -I gre1. However, inside a VM I can ping 192.168.168.2 and .1 but not outside destinations.

I suspect the solution to this is some routing-table foo, as I did get it working earlier by replacing the default gateway route on the host with 192.168.168.1 and manually creating a route for the GRE tunnel endpoint via 192.168.1.1 (my router). However, this also forces all host traffic through the GRE tunnel, which I do not want; only VM traffic should go through it.

To force all traffic, including host traffic, over the GRE tunnel I did this.

ip route add GRE_TUNNEL_ENDPOINT via 192.168.1.1 # to avoid running the GRE tunnel in itself
ip route change default via 192.168.168.1

Maybe some source routing policies are in order?

Thanks

jtl999
  • Do you want send all VM traffic via GRE tunnel? – Mikhail Khirgiy Feb 13 '17 at 15:55
  • Yes. I just set up a Debian VM with two virtual NICs (one is bridged to vmbr0, and the other is vmbr1, a private VM-only network, 10.2.0.1/24) and also set up some egress filtering on the host to force this VM's traffic to go through the GRE tunnel (with some exceptions for local DNS, the GRE tunnel host itself, etc.). So all my other VMs use 10.2.0.1 as their "default gateway" and nameserver (as I set up DNS forwarding with Unbound to my other Unbound instance). It works, but it would be interesting to learn routing policies to do what my question asked. – jtl999 Feb 16 '17 at 01:24
  • Connect the gre interface to the vmbr0 bridge and all traffic of the first virtual network card will go through gre. – Mikhail Khirgiy Feb 16 '17 at 05:22
  • Right. Currently the way I have it set up above works fine. I'll give that a try later though. – jtl999 Feb 16 '17 at 20:56
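The "routing-table foo" the question asks about is source-based policy routing. With only the main routing table, a packet from a VM to an outside address follows the host's default route out eth0, so the "-o gre1" MASQUERADE rule in the vmbr0 stanza never matches it and the packet leaves with an unroutable 10.2.0.x source. A second routing table whose default route points into the tunnel, selected by an "ip rule" that matches only packets received on vmbr0 from 10.2.0.0/24, sends VM traffic through gre1 while the host keeps its normal default route. The script below is an added example written for this page; it is not the poster's configuration or part of Proxmox. It reuses the addresses from the question (vmbr0 = 10.2.0.0/24, gre1, remote endpoint 192.168.168.1) and assumes routing table 100 and rule priority 1000 are unused on the host. It also adds FORWARD rules so that VM traffic is dropped rather than leaking out eth0 if gre1 disappears, which is the egress filtering mentioned in the comments.

```shell
#!/bin/sh
# vm-gre-routes.sh: policy routing so that only traffic from the VM subnet
# leaves through the GRE tunnel; host traffic keeps using the main table.
# Added example, not from the original post. Addresses follow the question;
# TABLE=100 and PRIO=1000 are assumed to be free on the host.
VM_NET="${VM_NET:-10.2.0.0/24}"
VM_BR="${VM_BR:-vmbr0}"
GRE_IF="${GRE_IF:-gre1}"
GRE_GW="${GRE_GW:-192.168.168.1}"
TABLE="${TABLE:-100}"
PRIO="${PRIO:-1000}"

# run CMD...: execute the command, or with DRY_RUN=1 only print it so the
# generated ip/iptables commands can be reviewed before touching the host.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

vm_routes_up() {
    run sysctl -q -w net.ipv4.ip_forward=1
    # Table consulted only for packets that arrived on the bridge from the VM
    # subnet: its default route goes into the tunnel. Locally delivered
    # traffic (VM -> 10.2.0.1 or 192.168.168.2) is still matched by the
    # kernel's "local" table, which has priority 0 and is checked first.
    run ip route replace default via "$GRE_GW" dev "$GRE_IF" table "$TABLE"
    run ip rule add from "$VM_NET" iif "$VM_BR" lookup "$TABLE" priority "$PRIO"
    # Loose reverse-path filtering on the tunnel: strict mode (1) drops replies
    # whose reverse lookup does not resolve to gre1 (assumed precaution).
    run sysctl -q -w "net.ipv4.conf.$GRE_IF.rp_filter=2"
    # NAT the VM subnet behind the tunnel address, allow only VM -> tunnel and
    # the matching replies, and drop anything else the VMs try to have forwarded
    # so a tunnel outage cannot send VM traffic out eth0 instead.
    run iptables -t nat -A POSTROUTING -s "$VM_NET" -o "$GRE_IF" -j MASQUERADE
    run iptables -A FORWARD -s "$VM_NET" -i "$VM_BR" -o "$GRE_IF" -j ACCEPT
    run iptables -A FORWARD -d "$VM_NET" -o "$VM_BR" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$VM_NET" -i "$VM_BR" -j DROP
}

vm_routes_down() {
    run iptables -D FORWARD -s "$VM_NET" -i "$VM_BR" -j DROP
    run iptables -D FORWARD -d "$VM_NET" -o "$VM_BR" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -D FORWARD -s "$VM_NET" -i "$VM_BR" -o "$GRE_IF" -j ACCEPT
    run iptables -t nat -D POSTROUTING -s "$VM_NET" -o "$GRE_IF" -j MASQUERADE
    run ip rule del from "$VM_NET" iif "$VM_BR" lookup "$TABLE" priority "$PRIO"
    run ip route flush table "$TABLE"
}

# Show the path a VM packet and a host packet would take to a destination
# (default 1.1.1.1): the first should say "via 192.168.168.1 dev gre1".
vm_route_check() {
    dst="${1:-1.1.1.1}"
    run ip route get "$dst" from 10.2.0.10 iif "$VM_BR"
    run ip route get "$dst"
}

case "${1:-}" in
    up)    vm_routes_up ;;
    down)  vm_routes_down ;;
    check) vm_route_check "${2:-}" ;;
esac
```

Run "DRY_RUN=1 sh vm-gre-routes.sh up" first to see the commands, then "sh vm-gre-routes.sh up" as root and "sh vm-gre-routes.sh check" to confirm that only the VM-sourced lookup resolves to gre1. Because the tunnel is created by a separate daemon, "ip route replace ... dev gre1" fails if gre1 does not exist yet, so if the up/down functions are hooked into the vmbr0 stanza as post-up/post-down lines they must run after that daemon has brought the interface up.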

0 Answers