New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
ProxMox - No Internet on Guest VM.
dwnewyork5
Member
I have a Hetzner Server with 1 IPV4. I want to setup a couple of VMs running under Proxmox.
For me, at this moment, I am focusing on simply getting my guest VM Internet access. I checked a couple of websites and they suggested adding a Virtual Bridge, and then, connecting the Guest via that Bridge... Below are the settings on my host:
`
root@Debian-94 ~ # cat /etc/network/interfaces
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
iface lo inet6 loopback
auto enp2s0
iface enp2s0 inet static
address 136.X.X.X
netmask 255.255.255.19X
gateway 136.Y.Y.Y
up route add -net 136.X.X.X netmask 255.255.255.19X gw 136.Y.Y.Y dev enp2s0
iface enp2s0 inet6 static
address 2a01:VVV:AAAA:XXXX::2
netmask 64
gateway fe80::1
auto vmbr0
iface vmbr0 inet static
address 136.X.X.X
netmask 255.255.255.19X
bridge-ports none
bridge-stp off
bridge-fd 0
up ip route add 192.168.0.0/16 via 136.X.X.X dev vmbr0
`
I am running Windows 7 as my guest (I thought it will be easy configuration). I added the Virtio drivers. I assigned a static IP 192.168.0.10 with gateway as 192.168.0.1
But still, my guest OS is unable to access the Internet.
What am I missing here? Can someone please advise
Thanks!
Comments
Why you hiding the netmask for? Nothing sensitive about it.
To b honest, not sure... will keep original in future. Thanks
192.168.0.1 is not a valid hetzner IP.
If you want to NAT, you should configure your iptables to do NATing instead of bridging.
True. I thought it would be the ip of the bridge???
Any suggestions how please?
https://blog.7086.in/#!ks-vps.md#NAT_IPv4
For reference only, modify accordingly before execution.
TL;DR
Your public bridge and private bridge should be different, and then you can NAT traffic from vmbr1 internal IP to vmbr0 public IP.
What if you are a new user of Linux Debian and want to configure a bridge for virtualized environments (KVMs) running on Debian Linux. How to configure a network connection in / etc / network / interfaces on a Debian Linux 9.x server?
If you want to assign IP addresses to your virtual machines and make them accessible from the local network, you need to configure the network bridge. By default, a private network is created when using KVM. You need to configure the interfaces manually, to avoid conflicts with the network manager.
How to install brctl
Type the following apt / apt-get command:
$ sudo apt install bridge-utils
How to configure a network bridge on Debian Linux
You need to edit the / etc / network / interface file. However, I recommend that you abandon the new configuration in the /etc/network/interface.d/ directory. The procedure for configuring a network bridge on Debian Linux is as follows:
Step 1 - Learn your physical interface
Use the ip command:
$ ip -f inet a s
eno1 is my physical interface.
Step 2 - Update the file / etc / network / interface
Make sure that only lo (loopback is active in / etc / network / interface). Remove any configuration associated with eno1. Here is my configuration file output by the cat command:
$ cat / etc / network / interface
This file describes the network interfaces available on your system
and how to activate them. For more information, see Interfaces.
source /etc/network/interfaces.d/*
Network interface loopback
auto lo
iface lo inet loopback
Step 3 - Configuring the bridge (br0) in /etc/network/interfaces.d/br0
Create a text file using a text editor, such as vi:
$ sudo vi /etc/network/interfaces.d/br0
Add the following configuration:
static ip config file for br0
auto br0
iface br0 inet static
address 192.168.2.23
broadcast 192.168.2.255
netmask 255.255.255.0
gateway 192.168.2.254
If the resolvconf package is installed, you do not need to edit
The resolv.conf configuration file manually. Install the name server here
dns-nameservers 192.168.2.254
If you have multi-level interfaces, such as eth0 and eth1
bridge_ports eth0 eth1
bridge_ports eno1
bridge_stp off # disable the Spanning Tree protocol
bridge_waitport 0 # remove the delay before the port becomes available
bridge_fd 0 # remove redirect delay
If you need a bridge to obtain an IP address using DHCP:
DHCP ip config file for br0
auto br0
Bridge Configuration
iface br0 inet dhcp
bridge_ports eno1
Save and close the file in vi / vim.
Step 4 - Restart the Network Service in Linux
Before restarting the network service, make sure that the firewall is disabled. A firewall can reference an older interface, such as eno1. After restarting the service, you must update the firewall rule for the br0 interface:
$ sudo systemctl restart network-manager
Verify that the service has been restarted:
$ systemctl status network-manager
Find the new br0 interface and the routing table with the ip command:
$ ip a s
$ ip r
$ ping -c 2 google.com
You can also use the brctl command to view information about your bridges:
$ brctl show
Let's look at the current bridges:
$ bridge link
@dwnewyork you want the vmbr0 bridge part in your /etc/network/interfaces look like this:
# NAT bridge auto vmbr0 iface vmbr0 inet static address 192.168.0.1 netmask 255.255.255.0 bridge_ports none bridge_stp off bridge_fd 0 post-up echo 1 > /proc/sys/net/ipv4/ip_forward post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o enp2s0 -j MASQUERADE post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o enp2s0 -j MASQUERADEif you later on want to use permanent port forwardings you can add something like this for the according guest VMs IP:
post-up iptables -t nat -A PREROUTING -i enp2s0 -p tcp --dport 456 -j DNAT --to 192.168.0.123:22 post-down iptables -t nat -D PREROUTING -i enp2s0 -p tcp --dport 456 -j DNAT --to 192.168.0.123:22PS: forgot to say, in your guest you assign an IP from that private subnet and use 192.168.0.1 as gateway
Thank you. This worked for my win/ centos guest. Will need to check other debian guest
Thanks a bunch
you're welcome, good to see it helped.
and sorry for the bad formatting, obviously the edit/PS broke it by adding > quote-tags in front of the lines. I noticed only now but can't edit again - but obviously you figured that already, haha ;-)
To b honest I am trying something similar. ... but would like to use the ipv6 range provided by hetzner.
Would you have some guidance on how to get ipv6 also working on guests?
Thanks in advance. Thanks op for original post.
I do use multiple bridges on of my nodes which I have setup like this:
make sure ipv6 forwarding is enabled, you can do so by issue
you might want to check /etc/sysctl.conf for this var and uncomment it/set it to 1 if needed.
also if vmbr0 is not your main interfaces you might want to add something for enp2s0 or whatever too.
on the guest VM (this would be the one on vmbr1) I have something like
the numbers of the rear groups are chosen quite arbitrarily, the IPv6 assigned to the bridge on the node has to be the gateway on the guest...
check first if your node has public access via IPv6, then check if you can ping6 the node/gateway from the guest and vice versa and if the forwarding is working you then should be able to access IPv6 from the guests too.
You mentioned you have multiple bridges. But does one need to create multiple bridges for each guest for IPv6?
I believe this is the first IPv6 which I will be using as a gateway for each of my guests.
What is this used for?
Thank you!
no you don't need multiple bridges. you need to assign IPv6 from the very same bridge your VM gets its IPv4 from...
I only use more than one in my setup to assign IPv4s from a subnet to individual bridges and VMs. this way I separate the VMs even more and avoid IP/MAC spoofing without ebtables.
so while I have every VM on a different bridge because of that, I need to assign different IPv6 per bridge too.
yes of course, if you only have and use one bridge, you only need one IPv6 entry for that too.
Hello back,
So, I added the ipv6 info on my host:
iface vmbr0 inet6 static address 2a01:4f8:111:222::2 netmask 128 gateway fe80::1Ping6 (on host) for ipv6 seems to work fine:
I enabled ipv6 forwarding on Host as you suggested and restarted my server once... If it helps, just vmbr0 (on host)
On my guest (debian), I cannot seem to access the host/ google.com:
Config:
Not sure what am I missing here.
Thanks for your help so far!
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o enp2s0 -j SNAT --to 136.X.X.XShould do the trick for ya =D
what output do you get for
on the guest? also the netmask should match on host and node (sorry, my example might have mixed that up for you)
Ran it on host, no luck. Thanks!
on the guest? also the netmask should match on host and node (sorry, my example might have mixed that up for you)
Ahh, I changed the netmask to match 128 (What i have on host). Now, on the guest I see:
Earlier, when I had a different netmask (100, which I used per your settings), I used to get:
Thanks!
Iptabes-save
Then
Reboot to make sure they’re loaded.
Hmm, I am not sure if I am doing it correct then... Here is op of iptables-save:
shameless bump
@cam @Falzo
Any suggestions? Even I am stuck with the ipv6 config (even though I was not going for that earlier
@dwnewyork5 , as said above, please provide the output of
from the guest
the iptables rule @cam provided is a IPv4 one and has nothing to do with IPv6 though.
from the guest
Here is the op:
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever ens18: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 1a:f1:f6:42:d1:d8 brd ff:ff:ff:ff:ff:ff inet 192.168.0.20/24 brd 192.168.0.255 scope global ens18 valid_lft forever preferred_lft forever inet6 2a01:4f8:a:b::c/128 scope global valid_lft forever preferred_lft forever inet6 fe80::46:5f:f:8/64 scope link valid_lft forever preferred_lft foreverdoesn't look so bad, shows your ipv6 right there. can you try to ping6 the hosts (bridges) ipv6 from the guest?
also the sysctl -w command from above to enable ipv6 forwarding is not permanent, if you reboot you need to do it again on the host (hence the comment that ot needs to be adjusted in the sysctl-files to be permanent after booting ;-))
maybe I messed something up with the netmasks/prefixes, my ipv6 knowledge is still limited - as long as my own setups are working, I don't bother to dive depper into it, sorry ;-)
yeah, ipv6 fwd is all set.
weird thing is... if I keep the netmast as 100 (on guest) and try to ping google, it says:
But when its changed to 128 (similar to host), it says:
Thanks for your help!
do you still have a inet6 entry for enp2s0 in your interfaces file on the host?
hetzner suggests in their knowledgebase to do it this way on the host:
and then on the guest
most likely you can choose smaller netmask/prefix for the bridge but 128 might be to small because that's essentially a static route (afaik that's why I chose something like 100 with different subnets for my multiple bridges ;-))
as I have vmbr0 directly bridged with enp2s0 in my setup and you use enp2s0 instead this might make a difference.
maybe post a your full /etc/network/interfaces again, and I'll send an edit of what I believe might work for your case ...
Host /etc/network/interfaces:
source /etc/network/interfaces.d/* auto lo iface lo inet loopback iface lo inet6 loopback auto enp2s0 iface enp2s0 inet static address 136.x.y.z netmask 255.255.255.k gateway 136.x.y.z up route add -net 136.x.y.z netmask 255.255.255.k gw 136.x.y.z dev enp2s0 iface enp2s0 inet6 static address 2a01:4f8:p:q::2 netmask 64 gateway fe80::1 # NAT bridge auto vmbr0 iface vmbr0 inet static address 192.168.0.1 netmask 255.255.255.0 bridge_ports none bridge_stp off bridge_fd 0 post-up echo 1 > /proc/sys/net/ipv4/ip_forward post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o enp2s0 -j MASQUERADE post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o enp2s0 -j MASQUERADE iface vmbr0 inet6 static address 2a01:4f8:p:q::2 netmask 128 gateway fe80::1Guest /etc/network/interfaces
root@debian:~# cat /etc/network/interfaces # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback iface lo inet6 loopback # The primary network interface allow-hotplug ens18 iface ens18 inet static address 192.168.0.20/24 gateway 192.168.0.1 iface ens18 inet6 static address 2a01:4f8:a:b::c netmask 128 gateway 2a01:4f8:x:y::zThanks!
okay, thx. so I'd try to change on the host:
iface enp2s0 inet6 static address 2a01:4f8:111:222::2 netmask 128 gateway fe80::1(change netmask to 128 for setting the hostroute correctly)
and use this as bridge-setting. subnet spec'd, no further gateway setting:
iface vmbr0 inet6 static address 2a01:4f8:111:222:333::2 netmask 100after changing/rebooting, check first if the host still can reach public internet via ipv6.
then change on the guest accordingly:
iface ens18 inet6 static address 2a01:4f8:111:222:333::123 netmask 100 gateway 2a01:4f8:111:222:333::2see if you can ping6 to the host address which is used as gateway and if that succeeds and the forwarding is enabled you also should reach everything else ;-)
Thanks. Let me try that tomorrow