Hello
I have been struggling with my network setup.
I was trying to read and deal with it with this guide.
My plan was to set up two LXCs for two different applications based on linuxgsm, specifically CSGO and SCP SL. The guides required some modding due to a changed name for netcat (I used netcat-traditional instead). The host uses DHCP in preparation for a LAN event where I cannot get reserved IPs.
I tried to follow this guide/thread here
Might be quite a bit out of date…
Here is what my network settings look like:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

auto eno1
iface eno1 inet manual
#NIC1

auto eno2
iface eno2 inet manual
#NIC2

auto enxe61f135941cb
iface enxe61f135941cb inet manual
#IPMI management interface

auto vmbr0
iface vmbr0 inet dhcp
        address 192.168.1.222
        netmask 255.255.255.0
        gateway 192.168.1.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
#Bridge for management

auto inet
iface inet inet manual

auto static
iface static inet manual

auto vmbr1
iface vmbr1 inet dhcp
        address 192.168.1.224
        netmask 255.255.255.0
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0
#Bridge for LXC/VM
#LXC131 SCP-SL-linux-gsm-server
#IP:192.168.1.225
#port 7777
        post-up iptables -t nat -A PREROUTING -i vmbr1 -p tcp --dport 7777 -j DNAT --to 192.168.1.225:7777
        post-down iptables -t nat -D PREROUTING -i vmbr1 -p tcp --dport 7777 -j DNAT --to 192.168.1.225:7777
#LXC132
#IP=192.168.1.228
#RCON & Query 27015 TCP
        post-up iptables -t nat -A PREROUTING -i vmbr1 -p tcp --dport 27015 -j DNAT --to 192.168.1.228:27015
        post-down iptables -t nat -D PREROUTING -i vmbr1 -p tcp --dport 27015 -j DNAT --to 192.168.1.228:27015
#Game 27015 udp
        post-up iptables -t nat -A PREROUTING -i vmbr1 -p udp --dport 27015 -j DNAT --to 192.168.1.228:27015
        post-down iptables -t nat -D PREROUTING -i vmbr1 -p udp --dport 27015 -j DNAT --to 192.168.1.228:27015
#sourceTV 27020 udp
        post-up iptables -t nat -A PREROUTING -i vmbr1 -p udp --dport 27020 -j DNAT --to 192.168.1.228:27020
        post-down iptables -t nat -D PREROUTING -i vmbr1 -p udp --dport 27020 -j DNAT --to 192.168.1.228:27020
#client 27005 udp
        post-up iptables -t nat -A PREROUTING -i vmbr1 -p udp --dport 27005 -j DNAT --to 192.168.1.228:27005
        post-down iptables -t nat -D PREROUTING -i vmbr1 -p udp --dport 27005 -j DNAT --to 192.168.1.228:27005
It looks to me like there is a GUI within Proxmox for this, but I could not find any documentation. In short, I was not able to get that working.
Am I doing something stupid, or missing something like a proper guide somewhere? Everyone that I have found seemed to have this via the /etc/network/interfaces file…
Thank you for reading this, and if you have found a solution to this, please feel free to let me know. I was planning to make a guide on this, so any help would be appreciated. But last of all, thank you for your time!
you should probably not be using ‘port forwarding’ here. your containers and VMs should have separate IP addresses that are different than the ProxMox host. (also NOT the bridge IP)
really the ProxMox firewall is for VERY specific conditions that you will not have. you should have NO rules there either.
what are the IP addresses of your containers?
just from what i can see above, you have 2 bridges and 2 containers, so there should be 4 separate IPs on your network just for that stuff.
The issue is that these server ports do not appear on the network. I can ICMP ping those IPs fine. But when checking for open ports with the ss command on the LXC, or by nmap from another device on the network, those ports are not open, or do not function (the game does not recognise the server as being available and open).
And the confusing thing for me is this masquerading of multiple different IPs and MACs passed through a single NIC. Since the way I was taught was with a single MAC and IP going to a single NIC. In principle this is not that far off, since the NIC is masquerading as a switch for those other IPs & MACs, but I still find this kinda confusing.
First one is for management and second one for LXC/VM hosts.
That is the way it is currently set up. Both of those ports are on the same Broadcom dual-gigabit NIC.
No it is not, each LXC container gets its own IP address on the same subnet as the main NIC. If you want port forwarding then you need to assign a completely separate subnet to the LXC bridge, and then set up the proper port forward rules. Masquerading is for NAT and outgoing traffic, it has nothing to do with allowing external traffic to your containers, even if you decide to do port forwarding …
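As an added illustration of what the last reply describes (not a config from the thread or from Proxmox itself), this is how the two bridges would look with the containers on a separate, NATed subnet: the container bridge gets a private range, outgoing traffic is masqueraded behind the host's LAN address, and the DNAT rules match traffic arriving on the LAN-facing bridge. The 10.10.10.0/24 range, the host address 10.10.10.1 and the container addresses 10.10.10.225 and 10.10.10.228 are assumed placeholders.

```conf
# Added example, not the poster's file. Assumes vmbr0 (DHCP on the LAN)
# is the uplink and the containers are given addresses in 10.10.10.0/24
# with 10.10.10.1 as their gateway.

auto vmbr0
iface vmbr0 inet dhcp
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
#LAN uplink / management: no address, netmask or gateway lines under dhcp

auto vmbr1
iface vmbr1 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0
#Internal bridge for LXC/VM, own subnet (placeholder 10.10.10.0/24)
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
#Outgoing: containers leave via vmbr0 masqueraded as the host's LAN address
        post-up   iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE
#Incoming: LAN clients reach the host on vmbr0, so the DNAT matches -i vmbr0
#SCP SL, port 7777 (placeholder container 10.10.10.225)
        post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 7777 -j DNAT --to-destination 10.10.10.225:7777
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 7777 -j DNAT --to-destination 10.10.10.225:7777
#CSGO game traffic, port 27015 udp (placeholder container 10.10.10.228)
        post-up   iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 27015 -j DNAT --to-destination 10.10.10.228:27015
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 27015 -j DNAT --to-destination 10.10.10.228:27015
```

The same post-up/post-down pairs apply for the remaining game ports; after reloading the configuration, `iptables -t nat -L -n -v` should list the rules and their packet counters should increase when a LAN client connects, which is the quickest way to confirm the DNAT is actually seeing the traffic.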