NAT with multiple public ip address

davi Member
edited February 2022 in General

For me, NATed LXD or Proxmox works with a single public IP address as follows

sudo nano /etc/network/interfaces

# vmbr1 is used for NATed IP address with port forwarding
auto vmbr1
iface vmbr1 inet static
address 192.168.51.254
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward

Then I have ip rules

# Custom Open Ports
-A PREROUTING -i enp0s3 -p tcp -m multiport --dports 10100:10199 -j DNAT --to-destination 192.168.51.1
-A POSTROUTING -s 192.168.51.0/24 -o enp0s3 -j MASQUERADE

I create an LXD container with IP address 192.168.51.1 and everything works.

Now I have a second public IP address on enp1s0, so I add vmbr2 in /etc/network/interfaces

# vmbr2 is used for NATed IP address with port forwarding
auto vmbr2
iface vmbr2 inet static
address 192.168.52.254
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward

And add ip rules

# Custom Open Ports
-A PREROUTING -i enp1s0 -p tcp -m multiport --dports 10100:10199 -j DNAT --to-destination 192.168.52.1
-A POSTROUTING -s 192.168.52.0/24 -o enp1s0 -j MASQUERADE

But now the LXD container 192.168.52.1 cannot ping 8.8.8.8

And if I do

-A POSTROUTING -s 192.168.52.0/24 -o enp0s3 -j MASQUERADE

the LXD container 192.168.52.1 can ping 8.8.8.8

And no port forwarding is working for 192.168.52.1

I think I am missing something basic and maybe someone with good networking knowledge can help me.

Comments

  • jmgcaguicla Member
    edited February 2022

    @davi said:
    -A PREROUTING -i enp1s0 -p tcp -m multiport --dports 10100:10199 -j DNAT --to-destination 192.168.52.1

    Are you really sure your IPs are on different interfaces? Shouldn't this be -i enp0s3 -d YOUR_SECOND_IP?

  • Yes, I am sure I have two interfaces: enp0s3 (main public IP) and enp1s0 (second public IP)

  • jmgcaguicla Member
    edited February 2022

    @davi said:
    Yes I am sure I have two interfaces enp0s3 (main public ip) and enp1s0 (second public ip)

    Have you confirmed that you have connectivity on the host node even without the iptables rules (e.g. ping -I enp1s0/enp0s3 1.1.1.1)?

  • davi Member
    edited February 2022

    Thanks, ping -I enp0s3 1.1.1.1 is working but not ping -I enp1s0 1.1.1.1.

    But curl --interface enp1s0 ipecho.net/plain gives me my correct public IP address, so I thought it was working.
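
As an added example (not from the thread and not davi's own config), the script below parameterises the two iptables rules per public interface and adds the source-based routing table that a second public interface needs: with only the enp0s3 default route, traffic from 192.168.52.0/24 and replies to DNATed connections leave via enp0s3, so "-o enp1s0" never matches. It prints the commands unless APPLY=1 is set; SECOND_PUBLIC_IP, SECOND_GATEWAY and table number 52 are placeholders for values the thread does not give.

```shell
#!/bin/sh
# Added example, not the thread's own config: NAT for several public
# interfaces plus a per-source routing table for the second one.
# Commands are printed unless APPLY=1 is set, so the default is a dry run.
set -eu

run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# nat_for PUBLIC_IFACE CONTAINER_SUBNET CONTAINER_IP PORT_RANGE
# The two rules from the thread, one pair per public interface.
nat_for() {
  local pub="$1" subnet="$2" cip="$3" ports="$4"
  run iptables -t nat -A PREROUTING -i "$pub" -p tcp -m multiport \
      --dports "$ports" -j DNAT --to-destination "$cip"
  run iptables -t nat -A POSTROUTING -s "$subnet" -o "$pub" -j MASQUERADE
}

# route_for PUBLIC_IFACE PUBLIC_IP GATEWAY CONTAINER_SUBNET TABLE
# Routing happens before POSTROUTING, so outbound container packets and
# un-DNATed replies still carry the 192.168.52.x source when the route is
# chosen; a rule keyed on that subnet sends them out the second interface,
# where the MASQUERADE / DNAT reversal then applies. The "oif" rule covers
# sockets bound to the device, which is what "ping -I enp1s0" does.
route_for() {
  local pub="$1" pip="$2" gw="$3" subnet="$4" table="$5"
  run ip route add default via "$gw" dev "$pub" table "$table"
  run ip rule add from "$subnet" lookup "$table"  # container traffic
  run ip rule add from "$pip" lookup "$table"     # host traffic bound to the IP
  run ip rule add oif "$pub" lookup "$table"      # sockets bound to the device
}

apply_all() {
  run sysctl -w net.ipv4.ip_forward=1
  nat_for enp0s3 192.168.51.0/24 192.168.51.1 10100:10199
  nat_for enp1s0 192.168.52.0/24 192.168.52.1 10100:10199
  # SECOND_PUBLIC_IP / SECOND_GATEWAY are placeholders for the enp1s0
  # address and its provider gateway; 52 is an arbitrary unused table.
  route_for enp1s0 SECOND_PUBLIC_IP SECOND_GATEWAY 192.168.52.0/24 52
}

apply_all
```

Run it once without APPLY to review the generated commands, then with APPLY=1 as root; the first interface keeps using the main table, so only enp1s0 gets the extra routing rules.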
