[pve-devel] pvefw: masquerade problems and conntrack zones

Alexandre DERUMIER aderumier at odiso.com
Tue Mar 11 14:38:57 CET 2014


>>First, please test on single host first now.
>>
>>Input filter for VM on VMBR1 will not work when traffic comes from vmbr14.

Well, if I remember, we don't allow traffic routing between taps on different vmbrX when the firewall is enabled.

Or maybe do you want that finally?


----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday, 11 March 2014 13:55:10
Subject: RE: [pve-devel] pvefw: masquerade problems and conntrack zones


> Ok, I have done some tests with simple bridge setup, and all is working fine
> for me ????

First, please test on single host first now. 

Input filter for VM on VMBR1 will not work when traffic comes from vmbr14. 

But this is unrelated to MASQUERADING. 

> tap110i0 (10.2.0.100)---->vmbr14(10.2.0.1) <routing> (10.3.94.31)vmbr1----->eth0---------physical switch--------external host(10.3.94.47 + route add 10.2.0.100/32 gw 10.3.94.31)
> 
> 
> 
> host configuration 
> ------------------ 
> 
> auto vmbr1 
> iface vmbr1 inet static 
> bridge_ports eth0 
> address 10.3.94.31 
> netmask 255.255.255.0 
> gateway 10.3.94.1 
> bridge_stp off 
> bridge_fd 0 
> 
> auto vmbr14 
> iface vmbr14 inet static 
> address 10.2.0.1 
> netmask 255.255.255.0 
> bridge_stp off 
> bridge_fd 0 
> 
> iptables -t nat -A POSTROUTING -j LOG --log-prefix "POSTROUTING: " 
> iptables -t nat -A POSTROUTING -s '10.2.0.100/32' -o vmbr1 -j MASQUERADE 
> 


