[PVE-User] Routing puzzle !

Darquandier darquandier at gmail.com
Thu Apr 15 19:24:50 CEST 2010

Someone on the #openvz channel on Freenode suggested exactly the same, with
a something more :
On CT101 :
ip route add dev eth0

And now everything's works fine !

On Thu, Apr 15, 2010 at 6:48 PM, Tobias Limmer <
tobias.limmer at informatik.uni-erlangen.de> wrote:

> Hi Darquandier,
> most probably your problem is the default route on CT101 - it should send
> the response packets via the VPN. To avoid this problem, you must perform
> source and destination NAT on CT0, so that source and destination IP of
> arriving packets are replaced. The corresponding commands would be:
> iptables -t nat -A PREROUTING -d [public-ip-CT0] -p tcp --dport 2222 -j
> DNAT --to-destination
> iptables -t nat -A POSTROUTING -d -p tcp --dport 22 -j SNAT
> --to-source
> Now all TCP connections to [public-ip-CT0] and port 2222 are forwarded to
> CT101. One drawback: during the process the original IP address is lost and
> CT101 always assumes that the connections originate from CT0.
> This kind of setup is very tricky to get right, tcpdump helps a lot!
> Btw: We've been using Proxmox for about a year now, and it works great!
> Thanks a lot to the developers!
> bye,
> Tobi
> On 15.04.2010, at 17:32, Darquandier wrote:
>  Hello everyone, count me in on the proxmox ve ship !
>> Still, I'm having some troubles setting up port forwarding to a container,
>> here is my story :
>> I set up a proxmox server with a container inside having a bridged
>> ethernet
>> and it's own public ip.
>> Let's call the host server CT0 and the container CT101.
>> CT0 has a vmbr0 interface with an internet public address (call it
>> [public-ip-CT0].
>> CT101 has a bridged interface, called eth0, with it's own public address
>> ([public-ip-CT101]).
>> CT101 connects to a VPN, and therefore [public-ip-CT101] becomes
>> unreachable
>> (logical).
>> On CT0, I created an alias vmbr0:0 with ip
>> On CT101, I created an alias eth0:0 with ip
>> With or withour the vpn, CT0 can now see CT101 and ssh through it, etc.
>> using this LAN.
>> Now, I want to redirect some of the incoming traffic arriving on CT0 to
>> CT101. Maily an ssh port and some other network services, so that CT101
>> remains fully operatable even when connected to the VPN, and I cannot find
>> the good iptables command to put on the CT0.
>> The best I can do is forwarding the port, I see the packets arrive, but no
>> answer...
>> _______________________________________________
>> pve-user mailing list
>> pve-user at pve.proxmox.com
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.proxmox.com/pipermail/pve-user/attachments/20100415/a18e993e/attachment.htm>

More information about the pve-user mailing list