[PVE-User] NAT Problems with PVE Firewall
Elias Werberich
elias at werberich.de
Wed Jun 21 18:26:50 CEST 2017
Dear Proxmox Group,
I am currently trying to configure a simple NAT with PVE Firewall enabled.
As long as I do not enable the firewall on the VM network interface, the
wiki solution [1] works perfectly.
PVE Firewall is enabled on datacenter and node level.
--- BEGIN: /etc/network/interfaces (PVE) ---
auto lo
iface lo inet loopback
allow-hotplug eth0
auto eth0
iface eth0 inet static
address xxx.yyy.zzz.aaa
netmask 255.255.255.255
gateway xxx.yyy.zzz.bbb
pointopoint xxx.yyy.zzz.bbb
auto vmbr12
iface vmbr12 inet static
address 10.0.0.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
--- END: /etc/network/interfaces (PVE) ---
--- BEGIN: /etc/network/interfaces (VM) ---
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.0.0.100
netmask 255.255.255.0
gateway 10.0.0.1
--- END: /etc/network/interfaces (VM) ---
It seems that POSTROUTING is called too early so internal addresses are
not translated.
Using SNAT instead of MASQUERADE does not solve the problem.
In a pve-devel thread [2] I read that the following rules should help,
but they do not work either.
post-up iptables -t raw -A PREROUTING -s '10.0.0.0/24' -i vmbr12 -j CT --zone 1
post-up iptables -t raw -A PREROUTING -d '10.0.0.0/24' -i vmbr12 -j CT --zone 1
Using NAT "and" PVE Firewall is not an unusual scenario. It looks like some kind of "pvefw bug".
Yours sincerely,
Elias Werberich
-----
[1]: https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29_with_iptables
[2]: https://pve.proxmox.com/pipermail/pve-devel/2014-March/010406.html
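An added diagnostic, not part of the post above or of Proxmox: a POSIX shell script that checks an iptables-save dump for the three rules the post relies on (the MASQUERADE rule in the nat table and the two CT --zone rules in the raw table) and reports which are missing. It assumes rules are matched as exact iptables-save lines; the dump below is constructed to look like the post's setup with one CT rule absent.

```shell
#!/bin/sh
# Constructed sample, shaped like `iptables-save` output for the post's host.
# The "-d 10.0.0.0/24" CT rule is deliberately left out to show a missing rule.
SAMPLE_DUMP='*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 10.0.0.0/24 -i vmbr12 -j CT --zone 1
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# has_rule DUMP TABLE RULE -> exit 0 if RULE is listed under *TABLE in DUMP
has_rule() {
    printf '%s\n' "$1" | awk -v table="*$2" -v rule="$3" '
        $0 == table { in_table = 1; next }   # entered the wanted table
        /^\*/       { in_table = 0 }         # any other table header ends it
        in_table && $0 == rule { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_nat_setup DUMP SUBNET WAN_IF BRIDGE
# Prints one line per missing rule; return value is the number missing.
check_nat_setup() {
    dump=$1; subnet=$2; wan=$3; br=$4; missing=0
    has_rule "$dump" nat "-A POSTROUTING -s $subnet -o $wan -j MASQUERADE" \
        || { echo "missing: nat POSTROUTING MASQUERADE for $subnet via $wan"; missing=$((missing + 1)); }
    has_rule "$dump" raw "-A PREROUTING -s $subnet -i $br -j CT --zone 1" \
        || { echo "missing: raw PREROUTING CT zone for traffic from $subnet"; missing=$((missing + 1)); }
    has_rule "$dump" raw "-A PREROUTING -d $subnet -i $br -j CT --zone 1" \
        || { echo "missing: raw PREROUTING CT zone for traffic to $subnet"; missing=$((missing + 1)); }
    return $missing
}

# Usage on a live host would be: check_nat_setup "$(iptables-save)" 10.0.0.0/24 eth0 vmbr12
```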