Source: LinuxQuestions.org, Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/setup-debian-with-2-nics-and-two-public-ip%60s-but-one-gateway-proxmox-related-4175525499/)

MrBrown997 11-15-2014 01:14 PM

Setup Debian with 2 NICs and two public IPs but one gateway - Proxmox-related
 
Hey there,
Hopefully someone can help me here, since after a bunch of hours asking my best friend Google, I couldn't manage to get this working.

What I want to achieve:
I've got a server with three NICs. The first NIC is not interesting since it's bound to a KVM system. The other two NICs shall be used for several things:

Code:

INTERNET ---NIC1(IPV4_1)eth0 --- USED FOR KVM         
                                                        |----VM1(Linux) [IPV4_2] ID100
INTERNET ---NIC2 eth1(IPV4_2)---|                      |----VM2(Linux) [IPV4_2:80] ID101
                                -PROXMOX[IPV4_2:8006]---|
INTERNET ---NIC2 eth2(IPV4_3)---|                      |----VM3(Linux) [IPV4_3:8080] ID102
                                                        |----VM4(Windows) [IPV4_3] ID103

The "port" routing is achieved via Shorewall.
For each eth (eth1 and eth2) I configured a vmbr (vmbr0 and vmbr1).
The problem now is that when I use vmbr0 for an OpenVZ container, the container has internet.
But if I use vmbr1 for a container, there is no internet!

The following configs exist (IP addresses were changed):

Code:

# network interface settings
auto lo
iface lo inet loopback

auto eth1
iface eth1 inet static
        address  141.55.55.55
        netmask  255.255.254.0
        gateway  141.55.55.1
        broadcast  141.55.55.255
        up ip route add 141.55.55.0/24 dev eth1 src 141.55.55.55 table rt1
        up ip route add default via 141.55.55.1 dev eth1 table rt1
        up ip rule add from 141.55.55.55 table rt1
        up ip route add 141.55.55.0/24 dev eth1 src 141.55.55.55
        dns-nameservers 141.55.8.3 141.55.8.4

auto eth2
iface eth2 inet static
        address  141.55.55.56
        netmask  255.255.254.0
        up ip route add 141.55.55.0/24 dev eth2 src 141.55.55.56 table rt2
        up ip route add default via 141.55.55.1 dev eth2 table rt2
        up ip rule add from 141.55.55.56 table rt2
        up ip route add default via 141.55.55.1 dev eth2
        up ip route add 141.55.55.0/24 dev eth2 src 141.55.55.56



iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address  10.0.0.1
        netmask  255.255.255.0
        broadcast  10.255.255.255
        bridge_ports none
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        address  192.168.0.1
        netmask  255.255.255.0
        broadcast  192.168.0.255
        bridge_ports none
        bridge_stp off
        bridge_fd 0

The output of route -n:

Code:

Ziel            Router          Genmask        Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0        255.255.255.0  U    0      0        0 vmbr0
141.55.55.0    0.0.0.0        255.255.255.0  U    0      0        0 eth1
192.168.0.0    0.0.0.0        255.255.254.0  U    0      0        0 vmbr1
141.55.55.0    0.0.0.0        255.255.254.0  U    0      0        0 eth1
141.55.55.0    0.0.0.0        255.255.254.0  U    0      0        0 eth2
0.0.0.0        141.55.55.1    0.0.0.0        UG    0      0        0 eth1

For routing the IPs to the CTs and VMs I use Shorewall, since it was the first one for which I found a good guide.
The files look as follows:

interfaces
Code:

#ZONE  INTERFACE      BROADCAST      OPTIONS
net    eth1            detect          blacklist,nosmurfs
net    eth2            detect          blacklist,nosmurfs
dmz    venet0          detect          routeback
dmz    vmbr0          detect          routeback,bridge
dmz    vmbr1          detect          routeback,bridge
dmz    venet1          detect          routeback

masq
Code:

#INTERFACE      SOURCE          ADDRESS        PROTO          PORT(S) IPSEC  MARK
eth1            10.0.0.0/24    141.55.55.55
eth2            192.168.0.0/24  141.55.55.56


#bind external IP directly to internal one
#+eth1          10.0.0.10      141.55.55.55

# LAST LINE -- DO NOT REMOVE

params
Code:

# Shorewall version 4 - Params File
#
# /etc/shorewall/params
#
#      Assign any variables that you need here.
#
#      It is suggested that variable names begin with an upper case letter
#      to distinguish them from variables used internally within the
#      Shorewall programs
#
#      Example:
#
#              NET_IF=eth0
#              NET_BCAST=130.252.100.255
#              NET_OPTIONS=routefilter,norfc1918
#
#      Example (/etc/shorewall/interfaces record):
#
#              net    $NET_IF        $NET_BCAST      $NET_OPTIONS
#
#      The result will be the same as if the record had been written
#
#              net    eth0            130.252.100.255 routefilter,norfc1918
#
###############################################################################

#LAST LINE -- DO NOT REMOVE

policy
Code:

#SOURCE DEST    POLICY          LOG    LIMIT:          CONNLIMIT:
#                              LEVEL  BURST          MASK

# From Firewall Policy
fw      fw      ACCEPT
fw      net    ACCEPT
fw      dmz    ACCEPT

# From DMZ Policy

dmz    dmz    ACCEPT
dmz    net    ACCEPT
dmz    fw      DROP            info

# From Net Policy
net    fw      DROP            info
net    dmz    DROP            info

#THE FOLLOWING POLICY MUST BE LAST
#
all    all    REJECT          info

rules
Code:

#ACTION          SOURCE    DEST      PROTO  DEST        SOURCE    ORIGINAL    RATE

# Permit access to SSH
SSH/ACCEPT      net        fw        -      -            -          -          6/min:5

# Permit access to Proxmox Manager and Console
ACCEPT          net        fw        tcp      22,137:139,445,443,3389,8005,8006,8000,8002,8443,12001,10001,5900:5999
ACCEPT          all        fw        tcp      3128,3389,61000:61010
ACCEPT          all        dmz        tcp      3128,3389,61000:61010


# PING Rules
Ping/ACCEPT      all        all

#DNAT Rules

#CT ID100
DNAT            net    dmz:10.0.0.100:22      tcp    10022
DNAT            net    dmz:10.0.0.100:22      udp    10022
DNAT            net    dmz:10.0.0.100:445      tcp    445
DNAT            net    dmz:10.0.0.100:137      tcp    137
DNAT            net    dmz:10.0.0.100:138      tcp    138
DNAT            net    dmz:10.0.0.100:139      tcp    139


#VM ID103
DNAT            net    dmz:10.0.0.103:3389    tcp    3389
DNAT            net    dmz:10.0.0.103:3389    udp    3389
DNAT            net    dmz:10.0.0.103:80      tcp    80
DNAT            net    dmz:10.0.0.103:20000    tcp    20000
DNAT            net    dmz:10.0.0.103:30000    tcp    30000
DNAT            net    dmz:10.0.0.103:40000    tcp    40000


#RULE FOR SECOND PUBLIC IP
#ACCEPT        net    dmz:141.55.55.55        tcp    21,22,25,53,80,110,143,443,995  -      141.55.55.55

# CT ID102
DNAT            net    dmz:192.168.0.102:22    tcp    10222
DNAT            net    dmz:192.168.0.102:22    udp    10222
DNAT            net    dmz:192.168.0.102:25    tcp    25
DNAT            net    dmz:192.168.0.102:80    tcp    10280
DNAT            net    dmz:192.168.0.102:110  tcp    110
DNAT            net    dmz:192.168.0.102:143  tcp    143
DNAT            net    dmz:192.168.0.102:443  tcp    443
DNAT            net    dmz:192.168.0.102:465  tcp    465
DNAT            net    dmz:192.168.0.102:587  tcp    587
DNAT            net    dmz:192.168.0.102:993  tcp    993
DNAT            net    dmz:192.168.0.102:995  tcp    995
DNAT            net    dmz:192.168.0.102:9071  tcp    9071

# LAST LINE -- DO NOT REMOVE

zones
Code:

#ZONE  TYPE            OPTIONS        IN                      OUT
#                                      OPTIONS                OPTIONS
fw      firewall
net    ipv4
dmz    ipv4

In the shorewall.conf file I just changed the values DISABLE_IPV6 = NO and IP_FORWARDING = ON.

My problem now is that all the CTs running with vmbr1 are working and do have internet access, whereas all the CTs and VMs running with vmbr2 don't.
For example, the interfaces file of a CT running on vmbr1 looks like this:

Code:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 10.0.0.100
        netmask 255.255.255.0
        gateway 10.0.0.1
        broadcast 10.0.0.255

The interfaces file of a CT running on vmbr2 looks like this:

Code:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.0.102
        netmask 255.255.255.0
        gateway 192.168.0.1
        broadcast 192.168.0.255


Again, my questions:

1. How can I achieve that all the traffic coming in on IPV4_1 on eth1 is managed via eth1 and leaves via eth1, and likewise that all the traffic coming in on IPV4_2 on eth2 is managed via eth2 and leaves via eth2? How do I need to route if the gateway of both IPv4 addresses is the same? How does the route config need to look (or even the interfaces file)?

2. Do I need to bond the interfaces and then add both IPv4 addresses to the bond?

I hope someone can help me with that. I'm thankful for any help!

nini09 11-17-2014 02:22 PM

The key point is why you want item No. 1, outgoing interface = incoming interface.
If load balancing is your goal, yes, a bonded interface is the correct direction.

Nemesiz 12-05-2014 05:12 PM

1. Try this
Quote:

ip rule add from 10.0.0.0/24 lookup rt2
The default route may look like this:


Quote:

# ip route
.....
default
.......nexthop via 1.2.3.1 dev eth0 weight 1
.......nexthop via 1.2.3.1 dev eth1 weight 1
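The question and the suggested `ip rule` fix turn on the same point: a container's packets are only SNATed by the Shorewall masq entry for the interface they actually leave on, and the kernel chooses that interface from the first policy rule matching the packet's source address, falling through to `main` (with its single default route) when no rule matches. The script below, added here as an example and not code from the thread, emulates that lookup on constructed `ip rule` / `ip route` output modelled on the poster's interfaces file and checks every masq entry against it. The sample rule and table text, the `rt1`/`rt2` table contents, the probe destination 8.8.8.8 and the `FIXED_RULES` variant are assumptions, not output captured from the poster's host.

```python
"""Audit whether each masqueraded subnet leaves the host on the interface
that SNATs it. All sample data below is constructed for the example."""
import ipaddress
import re

# Constructed `ip rule show` output: only the host's own addresses have rules,
# exactly as the poster's interfaces file creates them.
IP_RULES = """\
0:      from all lookup local
32764:  from 141.55.55.56 lookup rt2
32765:  from 141.55.55.55 lookup rt1
32766:  from all lookup main
32767:  from all lookup default
"""

# Constructed `ip route show table <name>` output per table.
IP_ROUTES = {
    "rt1": "default via 141.55.55.1 dev eth1\n"
           "141.55.55.0/24 dev eth1 scope link src 141.55.55.55\n",
    "rt2": "default via 141.55.55.1 dev eth2\n"
           "141.55.55.0/24 dev eth2 scope link src 141.55.55.56\n",
    "main": "default via 141.55.55.1 dev eth1\n"
            "10.0.0.0/24 dev vmbr0 proto kernel scope link src 10.0.0.1\n"
            "192.168.0.0/24 dev vmbr1 proto kernel scope link src 192.168.0.1\n"
            "141.55.54.0/23 dev eth1 proto kernel scope link src 141.55.55.55\n",
}

# Shorewall masq entries from the thread: INTERFACE SOURCE ADDRESS.
MASQ = """\
eth1            10.0.0.0/24    141.55.55.55
eth2            192.168.0.0/24  141.55.55.56
"""

# Hypothetical fix: a source rule for the second container subnet.
FIXED_RULES = IP_RULES + "32763:  from 192.168.0.0/24 lookup rt2\n"

RULE_RE = re.compile(r"^\s*(\d+):\s+from\s+(\S+)\s+lookup\s+(\S+)")
ROUTE_RE = re.compile(r"^\s*(default|\S+)\s+.*?\bdev\s+(\S+)")


def parse_rules(text):
    """Return [(priority, source network or None for 'all', table)] by priority."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            prio, selector, table = m.groups()
            net = None if selector == "all" else ipaddress.ip_network(selector, strict=False)
            rules.append((int(prio), net, table))
    return sorted(rules, key=lambda r: r[0])


def parse_routes(text):
    """Return [(destination network, device)]; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, dev = m.groups()
            net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
            routes.append((net, dev))
    return routes


def parse_masq(text):
    """Return [(interface, source network, snat address or None)] ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            iface, source, *rest = line.split()
            entries.append((iface, ipaddress.ip_network(source, strict=False), rest[0] if rest else None))
    return entries


def egress_dev(src, dst, rules, tables):
    """Emulate the policy-routing lookup: walk rules by priority, take the
    longest-prefix match in the selected table, fall through to the next rule
    when that table has no route for dst (the 'local' table is not modelled)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in rules:
        if selector is not None and src not in selector:
            continue
        matches = [(net.prefixlen, dev) for net, dev in tables.get(table, []) if dst in net]
        if matches:
            return max(matches)[1]
    return None


def audit(rule_text, route_texts, masq_text, probe_dst="8.8.8.8"):
    """For each masq entry, route a representative host of SOURCE towards
    probe_dst and check it exits on INTERFACE. Returns
    {subnet: (egress device, masq interface, ok)}."""
    rules = parse_rules(rule_text)
    tables = {name: parse_routes(txt) for name, txt in route_texts.items()}
    report = {}
    for iface, source, _snat in parse_masq(masq_text):
        probe = str(source[100])  # e.g. 10.0.0.100, a container address
        dev = egress_dev(probe, probe_dst, rules, tables)
        report[str(source)] = (dev, iface, dev == iface)
    return report


if __name__ == "__main__":
    for label, rules in (("as posted", IP_RULES), ("with source rule", FIXED_RULES)):
        print(label)
        for subnet, (dev, iface, ok) in audit(rules, IP_ROUTES, MASQ).items():
            print(f"  {subnet:16} leaves via {dev!s:6} masq on {iface}: {'OK' if ok else 'MISMATCH'}")
```

On the posted configuration the report flags 192.168.0.0/24: without a source rule its packets fall through to `main` and exit eth1, where the masq entry for eth1 does not match them, so they leave with a private source address and never get a reply. With a `from 192.168.0.0/24 lookup rt2` rule the same probe exits eth2 and the masq entry applies. The check covers the egress side only; if `rp_filter` is in strict mode, inbound packets for 141.55.55.56 arriving on eth2 are additionally dropped unless the reverse-path lookup (the per-source table) also points at eth2.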

