The following configuration to MASQUERADE traffic is known to work:

------------
auto vmbr1
iface vmbr1 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
--------------
But this is a 'routed' configuration, so the 'physdev' match does not work correctly. So I tried to use the 'veth' workaround:

----------
auto vmbr1
iface vmbr1 inet manual
        bridge_ports none
        bridge_stp off
        bridge_fd 0

auto pm1
iface pm1 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        VETH_BRIDGETO vmbr1
        post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
        post-down iptables -t nat -F POSTROUTING
----------

This works, but fails as soon as I enable the nf filter on the bridge (starting pvefw).

I found out that I can make it work by using CT zones:

----------
auto vmbr1
iface vmbr1 inet manual
        bridge_ports none
        bridge_stp off
        bridge_fd 0

auto pm1
iface pm1 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        VETH_BRIDGETO vmbr1
        post-up iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i vmbr1 -j CT --zone 1 # why do we need this?
        post-up iptables -t raw -A PREROUTING -d '10.10.10.0/24' -i vmbr1 -j CT --zone 1 # why do we need this?
        post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
        post-down iptables -t nat -F POSTROUTING
        post-down iptables -t raw -F PREROUTING
----------

But I do not understand this. Why is that required? Is that the correct way to do it?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
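The three rules from the last configuration above (two raw-table CT zone rules plus the MASQUERADE rule), as an added shell helper that is not part of the original post and not Proxmox code. It renders the rule set for a given subnet, bridge, uplink and zone, applies each rule only if `iptables -C` reports it absent (so a repeated post-up does not duplicate rules), and removes exactly those rules with `-D` instead of flushing the whole chain, which would also drop any unrelated NAT or raw rules on the host. The function names, the `DRY_RUN` switch and the sample values (the post's `10.10.10.0/24`, `vmbr1`, `pm0`, zone 1) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post or from Proxmox.
# Helper names (render_rules, apply_rules, remove_rules, rule_count, run_ipt)
# and the DRY_RUN switch are this example's own conventions.

# Print one rule per line as "<table> <chain> <rule spec>".
# Usage: render_rules <guest-subnet> <bridge> <uplink-iface> <ct-zone>
render_rules() {
    subnet=$1; bridge=$2; uplink=$3; zone=$4
    printf '%s\n' \
        "raw PREROUTING -s $subnet -i $bridge -j CT --zone $zone" \
        "raw PREROUTING -d $subnet -i $bridge -j CT --zone $zone" \
        "nat POSTROUTING -s $subnet -o $uplink -j MASQUERADE"
}

# Run iptables, or just print the command when DRY_RUN=1 (useful for
# reviewing what a post-up/post-down hook would do before enabling it).
run_ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
        return 0
    fi
    iptables "$@"
}

# Append each rule unless it is already present; $spec is intentionally
# unquoted so it word-splits into separate iptables arguments.
apply_rules() {
    render_rules "$@" | while read -r table chain spec; do
        if [ "${DRY_RUN:-0}" != 1 ] && iptables -t "$table" -C "$chain" $spec 2>/dev/null; then
            continue   # rule already installed, nothing to do
        fi
        run_ipt -t "$table" -A "$chain" $spec
    done
}

# Delete exactly the rules rendered above (full spec with -D), leaving any
# other rules in PREROUTING/POSTROUTING untouched.
remove_rules() {
    render_rules "$@" | while read -r table chain spec; do
        run_ipt -t "$table" -D "$chain" $spec
    done
}

# Number of rules managed for a given argument set.
rule_count() {
    render_rules "$@" | wc -l | tr -d ' '
}

# Typical use from /etc/network/interfaces (assumed paths, not Proxmox's own):
#   post-up   /usr/local/sbin/veth-nat.sh apply
#   post-down /usr/local/sbin/veth-nat.sh remove
# where the script calls, for example:
#   apply_rules 10.10.10.0/24 vmbr1 pm0 1
#   remove_rules 10.10.10.0/24 vmbr1 pm0 1
# Preview without touching the kernel:
#   DRY_RUN=1 apply_rules 10.10.10.0/24 vmbr1 pm0 1
```

Running with `DRY_RUN=1` prints the exact `iptables` invocations, which makes the rule set easy to diff against `iptables-save -t raw` and `iptables-save -t nat` on a host where the bridge firewall is active.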