[pve-devel] [PATCH docs] network: add note for possible fix/workaround in NAT setup

Stoiko Ivanov s.ivanov at proxmox.com
Wed Feb 5 17:14:54 CET 2020

On Wed,  5 Feb 2020 15:57:13 +0100
Oguz Bektas <o.bektas at proxmox.com> wrote:

> apparently sometimes users have problems reaching outside internet with
> some network setups. this is the workaround a user suggested that
> we should add in the wiki.

Thanks for the initiative - that does come up indeed every now and then in
our various support channels (and it usually takes me quite a while to
find the trustworthy forum-post by Alexandre (Thanks!!), which I quote on
that ;)

As an optional suggestion: I would try to add some more
rationale, as to why users should put those iptables rules in their
firewall - (maybe: due to the way packets are processed in the processed
by netfilter and the rules created by pve-firewall?) - Also the following
could be worth linking in the docs (or mentioning in the commit-message):

[0] https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg 
[1] https://lwn.net/Articles/370152/ (patch from 2010 on netdev-list
introducing the conntrack zones)
[2] https://blog.lobraun.de/2019/05/19/prox/ (a blog post with a good
explanation, by using the TRACE target in the raw table)
(the forum post I usually quote on those issues)

> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
>  pve-network.adoc | 9 +++++++++
>  1 file changed, 9 insertions(+)
> diff --git a/pve-network.adoc b/pve-network.adoc
> index c61cd42..471edb4 100644
> --- a/pve-network.adoc
> +++ b/pve-network.adoc
> @@ -248,6 +248,15 @@ iface vmbr0 inet static
>          post-down iptables -t nat -D POSTROUTING -s '' -o eno1 -j MASQUERADE
>  ----
> +NOTE: If you have firewall enabled for your CT/VM and you're having
> +connectivity problems with outgoing connections, you can add the following
> +lines in the interfaces config:
> +
> +----
> +post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
> +post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
> +----
> +
>  Linux Bond
>  ~~~~~~~~~~

More information about the pve-devel mailing list