Ok, I have done some tests with a simple bridge setup, and all is working fine for me.

tap110i0 (10.2.0.100)---->vmbr14(10.2.0.1) <routing> (10.3.94.31)vmbr1----->eth0---------physical switch--------external host(10.3.94.47 + route add 10.2.0.100/32 gw 10.3.94.31)

host configuration
------------------

auto vmbr1
iface vmbr1 inet static
        bridge_ports eth0
        address 10.3.94.31
        netmask 255.255.255.0
        gateway 10.3.94.1
        bridge_stp off
        bridge_fd 0

auto vmbr14
iface vmbr14 inet static
        address 10.2.0.1
        netmask 255.255.255.0
        bridge_stp off
        bridge_fd 0

iptables -t nat -A POSTROUTING -j LOG --log-prefix "POSTROUTING: "
iptables -t nat -A POSTROUTING -s '10.2.0.100/32' -o vmbr1 -j MASQUERADE

guest network configuration (tap on bridge vmbr14)
-----------------------------------

iface eth0 inet static
        address 10.2.0.100
        netmask 255.255.255.0
        gateway 10.2.0.1

guest firewall
---------------

# Example VM firewall configuration
[OPTIONS]
# disable/enable the whole thing
enable: 1
# disable/enable MAC address filter
macfilter: 0
# default policy
policy_in: DROP
policy_out: REJECT
# log dropped incoming connection
log_level_in: info
# disable log for outgoing connections
log_level_out: info
# filter SMURFS
nosmurfs: 1
# filter illegal combinations of TCP flags
tcpflags: 1
# enable DHCP
dhcp: 1

[RULES]
OUT Ping(ACCEPT) net0

ping test from guest (ping 10.3.94.47)
---------------------------------

If I don't authorize out ping, the packet is dropped in the forward chain:

tap110i0-OUT-reject: IN=vmbr14 OUT=vmbr1 PHYSIN=tap110i0 MAC=66:21:64:58:7b:b4:1e:0b:85:27:8d:65:08:00 SRC=10.2.0.100 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=62770 DF PROTO=ICMP TYPE=8 CODE=0 ID=2012 SEQ=1

If I allow ping, I see the packet going in POSTROUTING:

POSTROUTING: IN= OUT=vmbr1 PHYSIN=tap110i0 SRC=10.2.0.100 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=62719 DF PROTO=ICMP TYPE=8 CODE=0 ID=2010 SEQ=1 MARK=0x1

on target host, without masquerade:

10:42:13.181907 IP 10.2.0.100 > 10.3.94.47: ICMP echo request, id 2024, seq 1, length 64

on target host, with masquerade:

10:42:13.181907 IP 10.3.94.31 > 10.3.94.47: ICMP echo request, id 2024, seq 1, length 64

so routing is working fine, with or without SNAT.

----- Original Mail -----
From: "Alexandre DERUMIER" <aderum...@odiso.com>
To: "Dietmar Maurer" <diet...@proxmox.com>
Cc: pve-devel@pve.proxmox.com
Sent: Tuesday 11 March 2014 09:20:08
Subject: Re: [pve-devel] pvefw: masquerade problems and conntrack zones

ok perfect.

last question, why don't we set up the public IP directly on the eth0 interface, instead of using the pm0-pm1 peer?

----- Original Mail -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Tuesday 11 March 2014 09:10:37
Subject: RE: [pve-devel] pvefw: masquerade problems and conntrack zones

> ok, thanks, I'll build the same setup,
> (is the pm0 address in the same range as pm1?)

No, that is another network (public internet)

> If I understand, the vm tap is plugged on vmbr1, and nat must be done on
> the veth pair?

yes

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
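An added example, not part of the thread or of pve-firewall: a small Python parser for the netfilter LOG lines quoted above (the FORWARD reject and the nat POSTROUTING trace). It reads the key=value fields, keeps the two ID= values of an ICMP line apart (IP header id, then ICMP echo id), and checks whether a POSTROUTING entry matches the masquerade rule from the host configuration. The sample lines are constructed from the two in the mail, and the '<iface>-<direction>-<action>' prefix layout is assumed from that single tap110i0-OUT-reject line.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample lines, modelled on the two netfilter LOG entries in the mail
# above: the VM firewall reject in FORWARD and the nat POSTROUTING trace.
SAMPLE_LOG = [
    "tap110i0-OUT-reject: IN=vmbr14 OUT=vmbr1 PHYSIN=tap110i0 "
    "MAC=66:21:64:58:7b:b4:1e:0b:85:27:8d:65:08:00 SRC=10.2.0.100 DST=8.8.8.8 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=62770 DF PROTO=ICMP TYPE=8 CODE=0 ID=2012 SEQ=1",
    "POSTROUTING: IN= OUT=vmbr1 PHYSIN=tap110i0 SRC=10.2.0.100 DST=8.8.8.8 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=62719 DF PROTO=ICMP TYPE=8 CODE=0 ID=2010 SEQ=1 MARK=0x1",
]

Fields = Dict[str, Union[str, bool]]


def parse_netfilter_log(line: str) -> Fields:
    """Split 'PREFIX: K=V K=V FLAG ...' into a dict; bare flags (DF, MF) become True.
    ICMP lines carry ID= twice (IP id, then ICMP echo id): the second one is stored as ICMP_ID."""
    prefix, _, rest = line.partition(": ")
    fields: Fields = {"PREFIX": prefix}
    for token in rest.split():
        if "=" not in token:
            fields[token] = True  # flag without a value, e.g. DF
            continue
        key, value = token.split("=", 1)
        if key == "ID" and "ID" in fields:
            key = "ICMP_ID"
        fields[key] = value  # 'IN=' yields an empty string, as in the POSTROUTING line
    return fields


def firewall_verdict(fields: Fields) -> Optional[Tuple[str, str, str]]:
    """Assumed prefix layout '<iface>-<direction>-<action>' (from the tap110i0-OUT-reject
    line); returns (iface, direction, action), or None for other prefixes such as POSTROUTING."""
    parts = str(fields["PREFIX"]).split("-")
    return (parts[0], parts[1], parts[2]) if len(parts) == 3 else None


def matches_masquerade(fields: Fields, source: str, out_if: str) -> bool:
    """Does a POSTROUTING trace match the rule '-s SOURCE -o OUT_IF -j MASQUERADE'
    from the host configuration? Only nat POSTROUTING entries can be SNATed by it."""
    if fields.get("PREFIX") != "POSTROUTING" or fields.get("OUT") != out_if:
        return False
    return ipaddress.ip_address(str(fields["SRC"])) in ipaddress.ip_network(source, strict=False)


def parse_samples() -> List[Fields]:
    return [parse_netfilter_log(line) for line in SAMPLE_LOG]
```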