Internet in green interface

Hello!

I’m sorry for such a simple question, but I have no idea what is missing.

I had configured nethserver so only interface X (in green) has internet access. After that, I have added a bunch of other network interfaces in green, firewall rules, etc and interface X no longer has internet access. I have tried to fix that, but I cannot find the problem. I have seen the documentation, but something is missing, and I have tried everything that I can remember.

Do you have any link, information or idea of what I broke?

I have nethserver running on a proxmox. What I have said is kind of vague, feel free to ask for more information!

More information:

All other private interfaces get a private IP except for interface X where my vms don’t get a private ip.
Which I found to be odd.

Hi and welcome to NethServer Community.

I assume you use NethServer as gateway in your network.

Maybe you configured the provider gateway on a green interface instead of the red one?

Please explain the firewall rules you added…maybe the issue is there.

Do you want to share your config?

To output network config on command line:

db networks show


I deleted eth5 to eth15 that follow the same pattern as eth3 and eth4, to shorten.
The interface that I want internet on is eth1.
The output of db networks show:

eth0=ethernet
    bootproto=none
    gateway=public_ip_gateway
    ipaddr=public_ip_address
    netmask=public_ip_netmask
    nslabel=
    role=red
eth1=ethernet
    bootproto=none
    gateway=
    ipaddr=192.168.100.1
    netmask=255.255.255.0
    role=green
eth2=ethernet
    bootproto=none
    gateway=
    ipaddr=192.168.10.1
    netmask=255.255.255.0
    nslabel=
    role=green
eth3=ethernet
    bootproto=none
    gateway=10.0.0.1
    ipaddr=10.0.0.1
    netmask=255.255.255.0
    nslabel=
    role=green
eth4=ethernet
    bootproto=none
    gateway=10.0.1.1
    ipaddr=10.0.1.1
    netmask=255.255.255.0
    nslabel=
    role=green
ppp0=xdsl-disabled
    AuthType=auto
    FwInBandwidth=
    FwOutBandwidth=
    Password=
    name=PPPoE
    provider=xDSL provider
    role=red
    user=
red1=provider
    interface=eth0
    weight=1

firewall rules:

The RED to private IPs are due to problems with hetzner saying that I am running pentests.
I have other firewall rules that say that vpnX can only reach eth4, for example. But they don’t affect eth1.

Thanks for answering so fast!

The firewall rule blocking any traffic from green to green seems wrong.

There’s no need for a gateway in green interfaces when you use at least a red one so please remove the gateway setting from the green interfaces.

I don’t want traffic from eth3 to eth4 for example, and that rule fixes that issue. I still disabled it in order to see if that’s the problem.

Also removed the gateway setting from all the interfaces like eth3 and eth4.

Should that fix my initial problem? I tested it and vms in eth1 still have no internet and no private ip.

I hoped so.

Is DHCP enabled for eth1?

Hi @DDD

This is what I set up on Hetzner since xmas. Hetzner is a bit tricky, as the Server can have a different set of IP than an additional pool of IPs allocated for routing via the first IP on the server. Sometimes these are on a separate subnet, meaning you need to sacrifice an IP just for routing…

My firewall is OPNsense, which can handle a mix of 1:N and 1:1 NATs very well.

Good luck!

My 2 cents
Andy


DHCP for eth1:

192.168.100.1 is already in use by the interface itself so the IP range should start with 192.168.100.2.

192.168.100.0 is the default VPN network, maybe it overlaps?
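
The configuration checks suggested in the replies above (no gateway on green interfaces, a DHCP range that excludes the interface's own address, no overlap with the VPN network), run as a script over `db networks show` output. This is an added example, not part of any post and not NethServer code; the DHCP range and the VPN prefix length are passed in as assumed values because the thread does not show them.

```python
import ipaddress

# Constructed sample in the `db networks show` format, using values from the thread.
SAMPLE = """\
eth0=ethernet
    gateway=public_ip_gateway
    ipaddr=public_ip_address
    netmask=public_ip_netmask
    role=red
eth1=ethernet
    gateway=
    ipaddr=192.168.100.1
    netmask=255.255.255.0
    role=green
eth3=ethernet
    gateway=10.0.0.1
    ipaddr=10.0.0.1
    netmask=255.255.255.0
    role=green
"""

def parse_networks(text):
    """Parse `name=type` records with indented `prop=value` lines into a dict."""
    nets, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        key, _, value = line.strip().partition("=")
        if line[0].isspace() and current is not None:
            nets[current][key] = value      # property of the current record
        else:
            current = key                   # new record header
            nets[current] = {"type": value}
    return nets

def audit(nets, dhcp_ranges=None, vpn_network=None):
    """Return (interface, finding) tuples for green interfaces only."""
    findings = []
    for name, props in nets.items():
        if props.get("role") != "green" or not props.get("ipaddr"):
            continue
        iface = ipaddress.ip_interface(f"{props['ipaddr']}/{props['netmask']}")
        if props.get("gateway"):
            findings.append((name, "gateway set on green interface"))
        start, end = (dhcp_ranges or {}).get(name, (None, None))
        if start and ipaddress.ip_address(start) <= iface.ip <= ipaddress.ip_address(end):
            findings.append((name, "DHCP range includes the interface address"))
        if vpn_network and iface.network.overlaps(ipaddress.ip_network(vpn_network)):
            findings.append((name, "subnet overlaps the VPN network"))
    return findings
```

Calling `audit(parse_networks(SAMPLE))` reports only the gateway on `eth3`; the DHCP and VPN findings appear once a range and a VPN network are supplied.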

I changed the default VPN network to 172.x.x.x, so I think there shouldn’t be any problem.

For DHCP changing to 2 still doesn’t fix the problem.

Tomorrow I’ll change the network from 192.168.100.x to something else to see if that solves the problem.
Is there anything else that I should configure in an interface so that it has internet access?

No, clients connected to green should have internet access.

Did you already try to manually setup IP and DNS on the client?

Sorry for saying this kinda late, but this setup was made so only vmbr1 has internet access and all other vmbr(2…15) don’t.

I didn’t set up this part of the nethserver so I am not sure what was done.
Things that I see:

  • It wasn’t via firewall rules since I set up those.
  • Traffic to the Internet (red interface) is allowed in the firewall

I tried to create a network interface in 192.168.5.0/24 and that one has a private ip but no internet.

How would one set up nethserver so only a certain range has internet?
Is it done in proxmox and not nethserver?

Did you already try to manually set up IP and DNS on the client?

Yes, but it still won’t have internet, only the private IP.

Thanks and sorry for the extra work!

Here’s some information about Proxmox and NethServer by @Andy_Wismer

Please try to remove/disable the firewall blocking rules from red to internal networks. NethServer blocks this traffic by default, so it’s not needed and may cause issues.

Disabled every firewall rule and the traffic is still blocked. I am using Shorewall if that matters.

Maybe the issue is at proxmox level, please share your proxmox network config.

Removed vmbr(5…15) that are similar to vmbr3 and vmbr4

auto lo
iface lo inet loopback

iface enp2s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address public_cidr
        gateway public_gateway
        bridge-ports enp2s0
        bridge-stp off
        bridge-fd 0

auto vmbr2
iface vmbr2 inet static
        address 192.168.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0


auto vmbr1
iface vmbr1 inet static
        address 192.168.100.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

auto vmbr3
iface vmbr3 inet static
        address 10.0.0.0/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

auto vmbr4
iface vmbr4 inet static
        address 10.0.1.0/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

Hi

Are there any firewall rules set at Proxmox?
It is possible (and standard) for Proxmox to have each VM NIC Firewall-enabled…

If there are any rules on Proxmox, for example to disallow access to Proxmox from the Internet, your VMs would also be affected!

My 2 cents
Andy

I have firewall rules to prohibit all traffic to 8006 of proxmox from external and allow to ssh port. That shouldn’t be the problem.

I agree, you also have no DENY rules…

Maybe still worth it to deactivate the Proxmox VM NIC firewall to see if it makes a difference…
At least on 1-2 VMs as a check.

My 2 cents
Andy