[Solved] Linux - NAT is not working

Hello,

After searching a lot about my issue I finally decided to post here so…

I have two bridges on my proxmox installation, one for internal use and one for providing connection to the host as well as LXCs behind it.

The thing is that I don’t want all of the LXCs to have public IPs.
So I decided to make a NAT…
And this config works perfectly OK on my local setup, but on my server containers behind the second (the internal-use) bridge have no internet access:

host /etc/network/interfaces

auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address  YYY
        netmask  255.255.255.0
        gateway  ZZZ
        broadcast  BBB
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
        bridge_vlan_aware yes

auto vmbr0:1
iface vmbr0:1 inet static
        address XXX
        netmask 255.255.255.255
        pre-up modprobe iptable_nat
        pre-up echo 1 > /proc/sys/net/ipv4/ip_forward
        pre-up iptables -t nat -A POSTROUTING -o vmbr1 -j MASQUERADE
        pre-up iptables -A FORWARD -i vmbr2 -j ACCEPT
        pre-up iptables -t nat -A PREROUTING -i vmbr1 -d XXX -p tcp --dport 80 -j DNAT --to-destination 10.10.10.2:80
        pre-up iptables -t nat -A PREROUTING -i vmbr1 -d XXX -p tcp --dport 8080 -j DNAT --to-destination 10.10.10.3:80

auto vmbr2
iface vmbr2 inet static
        address  10.10.10.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

I can ping YYY but nothing else, even LXCs with public IPs.

Any ideas?

Bump?

Doesn’t it need a gateway?

This one?

auto vmbr0:1
iface vmbr0:1 inet static
        address XXX
        netmask 255.255.255.255

The gateway should be the same as

auto vmbr0
iface vmbr0 inet static
        address  YYY
        netmask  255.255.255.0
        gateway  ZZZ
....

therefore I skipped it there, shouldn’t I have?

Frankly I’m not 100% sure. But there’s one way to find out. :grin:

Seems like an issue with routes. Try adding your local subnet as a route to be sure?

Your MASQUERADE rule mentions “-o vmbr1” , is that what Debian/ubuntu/proxmox created as vmbr0:1 ?

Try doing “tcpdump -ni eth0 icmp” while attempting a ping.


Ouhh f… I feel like an idiot, I didn’t change the iptables commands when copy-pasting from my test instance.
Now it works.

But now the other problem is that it’s using primary IP of that interface, and I want this thing to use IP of vmbr0:1 …

If your IPs are static (looks like they are) you can use SNAT instead of MASQUERADE.

Otherwise, an ipvlan or macvlan interface instead of vmbr0:1 could work.

Another option (I’ve never tried this one, but it could maybe work) is to still use MASQUERADE, but have an IP rule that results in a packet being forwarded to a gateway using a route with an src parameter. That sounds convoluted.

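Two things in this thread are worth having as a repeatable check rather than a one-off discovery: the copy-paste mismatch (rules that name vmbr1 while the file only defines vmbr0 and vmbr2), and the SNAT variant of the rule set suggested in the last reply. The script below is an added example, not code from the thread or from Proxmox: it lints an /etc/network/interfaces text for iptables rules that reference an interface the file never defines, and prints a rule set that uses SNAT with a fixed source address so NAT traffic leaves from the secondary IP instead of the bridge's primary one. The sample config is a constructed copy of the one posted above (XXX/YYY/ZZZ are the thread's own placeholders), the internal subnet 10.10.10.0/24 is taken from the posted addresses, 203.0.113.10 is an RFC 5737 documentation address standing in for XXX, and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): lint an interfaces(5) file for
# iptables rules that match on an interface the file never defines, and
# emit a SNAT-based NAT rule set with a fixed public source address.
set -u

# Constructed sample mirroring the posted config. The rules name vmbr1,
# but only vmbr0, vmbr0:1 and vmbr2 are defined.
SAMPLE_CONFIG='auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address  YYY
        netmask  255.255.255.0
        gateway  ZZZ
        bridge_ports eth0

auto vmbr0:1
iface vmbr0:1 inet static
        address XXX
        netmask 255.255.255.255
        pre-up iptables -t nat -A POSTROUTING -o vmbr1 -j MASQUERADE
        pre-up iptables -A FORWARD -i vmbr2 -j ACCEPT
        pre-up iptables -t nat -A PREROUTING -i vmbr1 -d XXX -p tcp --dport 80 -j DNAT --to-destination 10.10.10.2:80

auto vmbr2
iface vmbr2 inet static
        address  10.10.10.1
        netmask  255.255.255.0
        bridge_ports none'

# Interfaces the file defines: every "iface NAME ..." stanza, sorted, unique.
defined_ifaces() { awk '$1 == "iface" { print $2 }' | LC_ALL=C sort -u; }

# Interfaces that iptables invocations on stdin match on with -i / -o.
referenced_ifaces() {
  grep -E '(^|[[:space:]])iptables[[:space:]]' \
    | grep -oE -- '-[io] [A-Za-z0-9_.:-]+' | awk '{ print $2 }' | LC_ALL=C sort -u
}

# Print interfaces referenced by rules but defined nowhere, one per line.
undefined_ifaces() {
  local cfg=$1 defined ref
  defined=$(printf '%s\n' "$cfg" | defined_ifaces)
  for ref in $(printf '%s\n' "$cfg" | referenced_ifaces); do
    printf '%s\n' "$defined" | grep -qx -- "$ref" || printf '%s\n' "$ref"
  done
}

# Exit status 0 when every referenced interface is defined, 1 otherwise.
lint_config() {
  local missing
  missing=$(undefined_ifaces "$1")
  if [ -n "$missing" ]; then
    printf 'rules reference undefined interface(s): %s\n' "$missing" >&2
    return 1
  fi
  printf 'all interfaces referenced by iptables rules are defined\n'
}

# Print the NAT rule set with SNAT to a fixed source address. MASQUERADE
# always picks the outgoing interface's primary IP; SNAT --to-source does not.
#   $1 public IP to source from   $2 public bridge   $3 internal bridge
snat_rules() {
  local pub_ip=$1 wan=$2 lan=$3
  cat <<EOF
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o $wan -j SNAT --to-source $pub_ip
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
iptables -t nat -A PREROUTING -i $wan -d $pub_ip -p tcp --dport 80 -j DNAT --to-destination 10.10.10.2:80
iptables -t nat -A PREROUTING -i $wan -d $pub_ip -p tcp --dport 8080 -j DNAT --to-destination 10.10.10.3:80
EOF
}

# Demo: lint the posted config (reports vmbr1), then show the corrected rules.
lint_config "$SAMPLE_CONFIG" || true
snat_rules 203.0.113.10 vmbr0 vmbr2
```

The `-s 10.10.10.0/24` match keeps the SNAT from touching LXCs that sit on vmbr0 with their own public IPs. The two FORWARD rules only matter once the chain's policy is DROP (for example after enabling the Proxmox firewall); the `DNAT` ctstate is what lets the port-forwarded connections through in that case. The lint only reads the file; on the live host, `ip -br link` is the check that the interfaces the rules name actually exist.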