[pve-devel] [PATCH docs] network: add note for possible fix/workaround in NAT setup

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Feb 10 11:47:28 CET 2020

On 2/5/20 5:14 PM, Stoiko Ivanov wrote:
> On Wed,  5 Feb 2020 15:57:13 +0100
> Oguz Bektas <o.bektas at proxmox.com> wrote:
>> apparently sometimes users have problems reaching outside internet with
>> some network setups. this is the workaround a user suggested that
>> we should add in the wiki.
> Thanks for the initiative - that does come up indeed every now and then in
> our various support channels (and it usually takes me quite a while to
> find the trustworthy forum-post by Alexandre (Thanks!!), which I quote on
> that ;)
> As an optional suggestion: I would try to add some more
> rationale, as to why users should put those iptables rules in their
> firewall - (maybe: due to the way packets are processed by netfilter and
> the rules created by pve-firewall?) - Also the following
> could be worth linking in the docs (or mentioning in the commit-message):

I agree with adding some rationale, Oguz, can you please follow up on that in
a timely manner, thanks! :)

> [0] https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg 
> [1] https://lwn.net/Articles/370152/ (patch from 2010 on netdev-list
> introducing the conntrack zones)
> [2] https://blog.lobraun.de/2019/05/19/prox/ (a blog post with a good
> explanation, by using the TRACE target in the raw table)
> [3] https://forum.proxmox.com/threads/firewall-stops-vm-ct-communication-also-have-to-reboot-to-fix.59811/#post-275921
> (the forum post I usually quote on those issues)