[pve-devel] [PATCH docs] network: add note for possible fix/workaround in NAT setup

Stoiko Ivanov s.ivanov at proxmox.com
Wed Feb 5 17:14:54 CET 2020


On Wed,  5 Feb 2020 15:57:13 +0100
Oguz Bektas <o.bektas at proxmox.com> wrote:

> Apparently, sometimes users have problems reaching the outside internet with
> some network setups. This is the workaround a user suggested that
> we should add to the wiki.

Thanks for the initiative - that does come up indeed every now and then in
our various support channels (and it usually takes me quite a while to
find the trustworthy forum-post by Alexandre (Thanks!!), which I quote on
that ;)

As an optional suggestion: I would try to add some more
rationale as to why users should put those iptables rules in their
firewall (maybe: due to the way packets are processed by netfilter
and the rules created by pve-firewall?). Also the following
could be worth linking in the docs (or mentioning in the commit message):

[0] https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg
[1] https://lwn.net/Articles/370152/ (patch from 2010 on netdev-list
introducing the conntrack zones)
[2] https://blog.lobraun.de/2019/05/19/prox/ (a blog post with a good
explanation, by using the TRACE target in the raw table)
[3] https://forum.proxmox.com/threads/firewall-stops-vm-ct-communication-also-have-to-reboot-to-fix.59811/#post-275921
(the forum post I usually quote on those issues)

> 
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
>  pve-network.adoc | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/pve-network.adoc b/pve-network.adoc
> index c61cd42..471edb4 100644
> --- a/pve-network.adoc
> +++ b/pve-network.adoc
> @@ -248,6 +248,15 @@ iface vmbr0 inet static
>          post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
>  ----
>  
> +NOTE: If you have firewall enabled for your CT/VM and you're having
> +connectivity problems with outgoing connections, you can add the following
> +lines in the interfaces config:
> +
> +----
> +post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
> +post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
> +----
> +
>  
>  Linux Bond
>  ~~~~~~~~~~
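Review bot: the two new `post-up`/`post-down` lines (the `+` lines after the NOTE) are printed unindented and after the closing `----` of the `vmbr0` example, whereas the existing `post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE` line at the top of the hunk sits indented inside `iface vmbr0 inet static`; a reader copying them as shown may place them outside the stanza, where ifupdown ignores them. Say explicitly that they go into the same `vmbr0` stanza next to the MASQUERADE hooks and indent them like the existing lines. The NOTE also gives no rationale: one sentence stating that the rule puts packets entering the `fwbr+` guest-firewall bridges into a separate conntrack zone (with a link to the conntrack-zones references from this reply) would explain why the rule lives in the raw table and why it is only relevant when the firewall is enabled for the guest NIC. Minor wording: "If you have firewall enabled" should read "If you have the firewall enabled".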
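For reference, an added example that is not part of the patch or of the Proxmox docs: a complete `vmbr0` NAT stanza for /etc/network/interfaces with the conntrack-zone hooks placed inside the stanza next to the MASQUERADE hooks, where ifupdown will actually run them. Only the `eno1` uplink, the `10.10.10.0/24` guest subnet and the two iptables hooks come from the hunk; the address, netmask, bridge options and the `ip_forward` line are assumed values for illustration.

```text
# /etc/network/interfaces (added example; values other than eno1,
# 10.10.10.0/24 and the two iptables hooks are assumed for illustration)
auto vmbr0
iface vmbr0 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        # forward guest traffic and masquerade it out of the uplink
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE

        # only matters when pve-firewall is enabled on the guest NICs (that is
        # what creates the fwbr* bridges): packets entering those bridges are
        # tracked in conntrack zone 1, separate from the host's NAT tracking
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
```

After bringing the bridge down and up again, `iptables -t raw -S PREROUTING` should list the `-i fwbr+ -j CT --zone 1` rule, and `conntrack -L` should show guest flows tagged with zone 1 while the host's own masqueraded flows stay in the default zone.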