[PVE-User] Unable to port forward to containers from external IPs (but can access containers from the Host Node)

ano-639d60e3 at enterto.com ano-639d60e3 at enterto.com
Wed May 20 09:38:03 CEST 2009


I am at my wits end trying to get ssh access to my container nodes from my
personal workstation. I have a single public (routable) IP for the HN and a
private network ( for the containers. It's not that ssh is so
important. Rather, I figured that would be an easy service with which to verify
whether port forwarding is working as opposed to a more complex service like apache.

I can ssh into the containers from the Host Node. But not from an external

I am running pve 1.1 on a dedicated server at a hosting provider. I'll upgrade
to 1.2 when my hosting company makes it available or earlier if you recommend.
My virtual machines are all containers -- I am not using any KVMs.

Right after a fresh install of pve 1.1, I create a couple of containers using the
Debian Lenny template. I ssh into the HN, vzctl enter into the containers, and
change their ssh ports so that each has a unique port. I can then ssh from the
HN to the containers using these ports. However, I am not able to ssh into the
containers from my personal workstation.

The interfaces on the system config screen of the PVE web interface are eht0 and
vmbr0. vmbr0 is not autostarted. However, the containers are automatically
created with venet0 as their interface. The containers are also automatically
given a vlan at venet0:0. The IP of the container is associated with venet0:0
not venet0.

ip route show for the HN: dev venet0 scope link dev venet0 scope link dev venet0 scope link dev venet0 scope link

212.xxx.xxx.0/24 dev eth0 proto kernel scope link src 212.xxx.xxx.xxx

venet0 is not part of the interfaces file. It seems to be created on the fly by

ip route show on containers dev venet0 scope link
default via dev venet0

Does anyone know why was selected for the venet0 IP? ProxMox refers to
it as a fake IP in their scripts but it appears to be a public, routable IP. It
is definitely not one of my IPs. I can't find much info. about it when I do a
whois but it appears to be a USA IP.

/etc/network/interfaces on the container

# Auto generated interfaces
auto lo
iface lo inet loopback

auto venet0
iface venet0 inet static
up route add -net netmask dev venet0
up route add default gw
auto venet0:0
iface venet0:0 inet static

In the excerpts from the iptables script below $INET_IFACE is eth0 and
$LOCAL_IFACE is venet0. I don't know much about vlans so I tried it with
venet0:0 too. Should I have created vmbr1 like shown in the ProxMox networking
howto? http://pve.proxmox.com/wiki/Network_Model If so, should i specify vmbr1
as the internal interface ($LOCAL_IFACE)?

# Port Forwarding is enabled, so accept forwarded traffic
$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port yy100 \
--destination -j ACCEPT

$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port yy100 \
--destination -j ACCEPT

and being snat'ed back like this:

IPT -t nat -A PREROUTING -p udp -i $INET_IFACE --destination-port yy100 \
-j DNAT --to-destination

$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port yy100 \
-j DNAT --to-destination

$IPT -t nat -A PREROUTING -p udp -i $LOCAL_IFACE --destination-port yy100 \
--destination $INET_ADDRESS -j DNAT --to-destination

$IPT -t nat -A PREROUTING -p tcp -i $LOCAL_IFACE --destination-port yy100 \
--destination $INET_ADDRESS -j DNAT --to-destination

Prior to this I tried to add the masquerading directly to interfaces file by
editing vmbr0 like the example in the wiki.
http://pve.proxmox.com/wiki/Network_Model That didn't work either

Any guidance getting this setup would be greatly appreciated. Is it possible
that my hosting provider is somehow blocking access?


They can't spam you, if they can't find you.
Get the first REAL spam free email - http://mail.enterto.com/

Apartments for Rent and Homes for Rent

Search Apartments by City & Price. 
Real-time Listings & Availability.

To stop receiving email from this source, 
just reply with word "STOP" on  subject line

More information about the pve-user mailing list