[PVE-User] pve-firewall and NAT
Jonas Borgström
jonas at borgstrom.se
Thu Mar 10 11:15:09 CET 2016
Hi,
I'm trying to figure out whether pve-firewall and NAT are a supported
configuration or not.
The pve-firewall wiki [1] page does not mention NAT.
The NAT section of the Network model wiki page [2] does not mention
anything about pve-firewall.
I've been testing proxmox 4.1 with the following network configuration
and an LXC container running on vmbr1.
But as soon as I enable the firewall the network dies. Using tcpdump on
eth0 I see that once the firewall is enabled the NAT stops working and
untranslated 10.7.0.x addresses are sent out from eth0.
The only workaround I've found so far (from some proxmox forum) is:
$ iptables -t raw -A PREROUTING -i fwbr+ -j CT --zone 1
But that only works if I manually run it _after_ the firewall and the
container have been started; it does not work if I add it as a post-up
command to /etc/network/interfaces.
Has anyone else managed to get pve-firewall and NAT to work well together?
/ Jonas
----------------------------------------------------
auto eth0
iface eth0 inet static
address x.y.z.151
netmask 255.255.255.255
gateway x.y.z.129
pointopoint x.y.z.129
auto vmbr0
iface vmbr0 inet static
address x.y.z.151
netmask 255.255.255.255
bridge_ports none
bridge_stp off
bridge_fd 0
bridge_maxwait 0
up ip route add x.y.z.174/32 dev vmbr0
up ip route add x.y.z.175/32 dev vmbr0
auto vmbr1
iface vmbr1 inet static
address 10.7.0.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.7.0.0/24' -o eth0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.7.0.0/24' -o eth0 -j MASQUERADE
----------------------------------------------------
1: https://pve.proxmox.com/wiki/Proxmox_VE_Firewall
2: http://pve.proxmox.com/wiki/Network_Model
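As an added example (not part of the mail, and not Proxmox code): a Python lint that parses an ifupdown stanza like the one quoted above and checks the NAT rules for consistency before the interface is ever brought up: the MASQUERADE rule lives in the nat table, its source network equals the bridge's own subnet, it leaves via the expected uplink, a post-down -D rule mirrors the post-up -A rule, and a hook enables IPv4 forwarding. The stanza embedded in the script is a constructed copy of the configuration from the mail (x.y.z placeholders kept as written); the bridge and uplink names vmbr1 and eth0 are taken from it. It says nothing about how pve-firewall's own rules interact with conntrack, which is the open question in the mail; it only catches mistakes in the stanza itself.

```python
"""Lint the NAT hooks of an /etc/network/interfaces bridge stanza (ifupdown syntax)."""
import ipaddress
import shlex

# Constructed sample: the stanza quoted in the mail, placeholders left as-is.
SAMPLE_INTERFACES = """\
auto eth0
iface eth0 inet static
    address x.y.z.151
    netmask 255.255.255.255
    gateway x.y.z.129
    pointopoint x.y.z.129

auto vmbr1
iface vmbr1 inet static
    address 10.7.0.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.7.0.0/24' -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.7.0.0/24' -o eth0 -j MASQUERADE
"""

# ifupdown aliases: "up" runs at post-up time, "down" at pre-down time.
HOOKS = {"pre-up": "pre-up", "up": "post-up", "post-up": "post-up",
         "down": "pre-down", "pre-down": "pre-down", "post-down": "post-down"}


def parse_interfaces(text):
    """Map each iface name to its option lines and its hook commands."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "iface":
            name = rest.split()[0]
            current = stanzas.setdefault(
                name, {"options": {}, "hooks": {h: [] for h in set(HOOKS.values())}})
        elif key == "auto" or current is None:
            continue  # "auto" lines and text before the first stanza carry no options
        elif key in HOOKS:
            current["hooks"][HOOKS[key]].append(rest)
        else:
            current["options"][key] = rest
    return stanzas


def iptables_args(cmd):
    """Return {flag: value} for an iptables hook command, or None for other commands."""
    argv = shlex.split(cmd)
    if not argv or argv[0].rsplit("/", 1)[-1] != "iptables":
        return None
    flags = {}
    for i in range(1, len(argv) - 1):
        if argv[i].startswith("-") and not argv[i + 1].startswith("-"):
            flags[argv[i]] = argv[i + 1]
    return flags


def enables_forwarding(cmd):
    """True for 'echo 1 > /proc/sys/net/ipv4/ip_forward' or 'sysctl -w net.ipv4.ip_forward=1'."""
    toks = shlex.split(cmd)
    return "net.ipv4.ip_forward=1" in toks or (
        "/proc/sys/net/ipv4/ip_forward" in toks and "1" in toks)


def check_nat(stanzas, bridge="vmbr1", uplink="eth0"):
    """Return a list of findings; an empty list means the NAT stanza is consistent."""
    st = stanzas.get(bridge)
    if st is None:
        return [f"no iface stanza for {bridge}"]
    opts, hooks = st["options"], st["hooks"]
    subnet = ipaddress.ip_interface(f"{opts['address']}/{opts['netmask']}").network
    findings = []
    masq = [f for f in map(iptables_args, hooks["post-up"]) if f and f.get("-j") == "MASQUERADE"]
    if not masq:
        findings.append(f"{bridge}: no MASQUERADE rule in post-up")
    for f in masq:
        chain = f.get("-A") or f.get("-I")
        if f.get("-t") != "nat" or chain != "POSTROUTING":
            findings.append(f"{bridge}: MASQUERADE rule must be appended to the nat POSTROUTING chain")
        src = ipaddress.ip_network(f.get("-s", "0.0.0.0/0"))
        if src != subnet:
            findings.append(f"{bridge}: MASQUERADE source {src} does not match bridge subnet {subnet}")
        if f.get("-o") != uplink:
            findings.append(f"{bridge}: MASQUERADE leaves via {f.get('-o')} instead of {uplink}")
        # The teardown rule must repeat the exact match with -D, otherwise rules pile up across ifdown/ifup.
        wanted = {k: v for k, v in f.items() if k not in ("-A", "-I")}
        mirrored = any(
            d and d.get("-D") == chain and {k: v for k, v in d.items() if k != "-D"} == wanted
            for d in map(iptables_args, hooks["post-down"] + hooks["pre-down"]))
        if not mirrored:
            findings.append(f"{bridge}: post-up MASQUERADE rule has no matching -D in post-down")
    if not any(enables_forwarding(c) for c in hooks["pre-up"] + hooks["post-up"]):
        findings.append(f"{bridge}: no hook enables net.ipv4.ip_forward")
    return findings


if __name__ == "__main__":
    for finding in check_nat(parse_interfaces(SAMPLE_INTERFACES)) or ["NAT stanza looks consistent"]:
        print(finding)
```

Run it against a real file with `check_nat(parse_interfaces(open("/etc/network/interfaces").read()))`. The mirror check matters in practice because `post-up ... -A` without a `post-down ... -D` leaves a duplicate MASQUERADE rule behind every time the bridge is cycled, which makes later debugging of a NAT problem like the one in the mail harder than it needs to be.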