No internet on my CT in Proxmox

  • Good morning,

    I am a beginner. I rented a root server and installed Proxmox 8.1, which set up two interfaces, ens3 and vmbr0 bridged with ens3. The server works normally and connects well to the internet.

    Then I created a CT specifying vmbr0 as the bridge, but the internet is not working in the CT. I tried both the DHCP and the static Ethernet configuration, but there is no internet, and ping 8.8.8.8 does not work either.


    Here is the configuration

    proxmox root server:

    ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
            ether "mac address" txqueuelen 1000 (Ethernet)
            RX packets 1036703 bytes 67489587 (64.3 MiB)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 16202 bytes 6560740 (6.2 MiB)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
            inet 127.0.0.1 netmask 255.0.0.0
            inet6 ::1 prefixlen 128 scopeid 0x10<host>
            loop txqueuelen 1000 (Local Loopback)
            RX packets 313 bytes 149706 (146.1 KiB)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 313 bytes 149706 (146.1 KiB)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    vmbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
            inet "Public IP v4" netmask 255.255.252.0 broadcast 0.0.0.0
            inet6 "Public IP v6" prefixlen 64 scopeid 0x20<link>
            ether "mac address" txqueuelen 1000 (Ethernet)
            RX packets 1035600 bytes 52923725 (50.4 MiB)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 16202 bytes 6560740 (6.2 MiB)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0



    CT:

    pct config 101
    arch: amd64
    cores: 2
    hostname: BB5
    memory: 8192
    net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr="virtual mac address",ip=dhcp,ip6=auto,type=veth
    ostype: ubuntu
    rootfs: local-lvm:vm-101-disk-0,size=100G
    swap: 1024


    Can you help me, please?

  • I am a beginner. I rented a root server and installed Proxmox 8.1, which set up two interfaces, ens3 and vmbr0 bridged with ens3. The server works normally and connects well to the internet.

    You need a routed setup for IPv4 and a Neighbor Discovery Proxy for IPv6.


    DHCP doesn't work when you don't install a DHCP server.


    I recommend you remove ens3 from the bridge, set it up normally and use RFC1918 addresses on the bridge and containers and use iptables for NAT into the internet.

    There are plenty of resources in the forum or online.

  • Hello,

    Then I created a CT specifying vmbr0 as the bridge, but the internet is not working in the CT. I tried both the DHCP and the static Ethernet configuration, but there is no internet, and ping 8.8.8.8 does not work either.

    In the case of IPv4, you must assign the container a static IP address from the RFC 1918 range. You also need NAT and, if necessary, port forwarding. If you are not familiar with the terms mentioned, then I would recommend that you first take a look at the network basics before you start working on a productive system.


    Best regards

  • Example configuration without IPv6 (I have an additional IPv6 network)


    Bash: net init script
    #!/bin/sh
    
    sysctl -w net.ipv6.conf.all.forwarding=1
    sysctl -w net.ipv4.ip_forward=1
    
    iptables -t nat -A POSTROUTING -s 10.68.3.0/24 -o ens3 -j SNAT --to 89.58.yyy.zzz
    #                               vmbr network   output interface     server IP

    The script is loaded with a systemd service upon startup

  • Thank you all. Yes, now it works.

    I'm used to Shorewall, but not iptables (the doctor banned me from iptables :)). How do I translate the following rule into iptables syntax, please?

    ACTION  SOURCE  DEST                PROTO  DEST PORT(S)
    DNAT    net     loc:192.168.1.2:22  tcp    22

    I want to SSH into the CT/LXC from the internet.

  • It will take more time. There are at least 4 files to configure. But OK.

    I mean if you are familiar with it, why not?


    iptables is also not the latest tool - officially you would use nftables.

    But I use iptables, because I am familiar with it and I don't talk about Linux with my doctor. - but that's another story.


    You could also do a bit of switcheroo:

    DNAT is the opposite direction of SNAT, so POSTROUTING will change to PREROUTING, -o (output interface) will change to -i (input interface), -s (source) will change to -d (destination), SNAT to DNAT, and --to to ??? - ha, gotcha, it stays the same, just put in the CT address there.

    Slap in an -o vmbr0 for convenience and there you go.
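
The SNAT-to-DNAT translation described in the reply above, as an added example that is not part of the original thread: a dry-run helper that turns the Shorewall rule from the question into iptables commands and only prints them. The function name and the `PUBLIC_IP` value are assumptions (203.0.113.10 is a constructed placeholder for the server's public address); `ens3` and `vmbr0` are taken from the thread.

```shell
#!/bin/sh
# Added example: dry-run translator from one Shorewall DNAT rule to iptables.
# It only prints the commands; review them before running anything as root.
WAN_IF=ens3             # public interface, as in the thread
BRIDGE_IF=vmbr0         # container bridge, as in the thread
PUBLIC_IP=203.0.113.10  # constructed placeholder for the server's public IP

# Usage: shorewall_dnat_to_iptables "ACTION SOURCE DEST PROTO DPORT"
shorewall_dnat_to_iptables() {
    set -f; set -- $1; set +f          # split the rule into columns, no globbing
    [ "$#" -eq 5 ] || { echo "expected 5 columns, got $#" >&2; return 1; }
    action=$1 dest=$3 proto=$4 dport=$5
    [ "$action" = DNAT ] || { echo "unsupported action: $action" >&2; return 1; }
    case $proto in tcp|udp) ;; *) echo "unsupported proto: $proto" >&2; return 1 ;; esac
    case $dport in ''|*[!0-9]*) echo "bad port: $dport" >&2; return 1 ;; esac

    # DEST is zone:address[:port]; drop the zone, then split address and port.
    target=${dest#*:}
    [ "$target" != "$dest" ] || { echo "DEST must be zone:address[:port]" >&2; return 1; }
    ct_ip=${target%%:*}
    case $target in *:*) ct_port=${target#*:} ;; *) ct_port=$dport ;; esac
    case $ct_port in ''|*[!0-9]*) echo "bad container port: $ct_port" >&2; return 1 ;; esac

    # SNAT -> DNAT: POSTROUTING becomes PREROUTING, -o becomes -i, -s becomes -d.
    # Matching on -d $PUBLIC_IP leaves traffic for other addresses untouched.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p $proto" \
         "--dport $dport -j DNAT --to-destination $ct_ip:$ct_port"
    # iptables accepts -o only in FORWARD, OUTPUT and POSTROUTING, so the
    # bridge match sits here. Needed only when the FORWARD policy is not ACCEPT.
    echo "iptables -A FORWARD -i $WAN_IF -o $BRIDGE_IF -d $ct_ip -p $proto" \
         "--dport $ct_port -j ACCEPT"
}

# The rule from the question above.
shorewall_dnat_to_iptables "DNAT net loc:192.168.1.2:22 tcp 22"
```
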


  • Thank you for the explanations. For security reasons, it is better to use a tool that we are sufficiently familiar with. You are right, I will install Shorewall and take the necessary time to configure it.