Hello community,
We need a hand to solve an issue that is driving us crazy. Please help us find the missing piece of the puzzle!
We are unable to contact public hosts using HTTP and HTTPS from LXC containers, although DNS and ICMP work.
Our Proxmox configuration:
1 public ip on vmbr0
SDN -> zone CTs -> Vnet0 -> subnet 192.168.18.0/24 - gtw 192.168.18.1 - dhcp on .200-.250 - SNAT ON
Datacenter firewall ON without configured rules
Host firewall ON with these configured rules:
iifname "Vnet0" udp dport 53 ip daddr 192.168.18.1 accept
iifname "Vnet0" tcp dport 53 ip daddr 192.168.18.1 accept
iifname "Vnet0" udp sport 67-68 udp dport 67-68 accept
tcp dport 8006 accept
tcp dport 6922 accept
tcp dport 443 ip daddr 192.168.18.0/24 accept
tcp dport 80 ip daddr 192.168.18.0/24 accept
NFTABLES ON
Additional nftables routing entries, because we want all incoming HTTPS and HTTP traffic to go to HAProxy:
table inet nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
iifname "vmbr0" ip protocol tcp tcp dport 80 ip daddr PUBLICIP dnat ip to 192.168.18.10
iifname "vmbr0" ip protocol tcp tcp dport 443 ip daddr PUBLICIP dnat ip to 192.168.18.10
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip daddr 192.168.18.0/24 return
ip saddr 192.168.18.0/24 masquerade
}
}
Firewall OFF for all lxc and VMs
FROM LXC "HA Proxy" eth0 bridge Vnet0 IP 192.168.0.10 -> all working as expected
Other LXCs in the same subnet are able to resolve DNS and send ICMP traffic through Vnet0, but all HTTP and HTTPS traffic doesn't work.
Following is the tcpdump captured from the HOST for the traffic arriving from the LXC with IP 192.168.18.58 trying to reach google.com - FAILED
LXC CT ~# curl -I https://google.com
HOST:
tcpdump -i Vnet0 host 192.168.18.58 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on Vnet0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:26:16.491541 IP 192.168.18.58.46745 > 213.186.33.99.53: 37054+ A? google.com. (28)
12:26:16.491559 IP 192.168.18.58.46745 > 213.186.33.99.53: 61375+ AAAA? google.com. (28)
12:26:16.495699 IP 213.186.33.99.53 > 192.168.18.58.46745: 37054 6/0/0 A 142.251.110.101, A 142.251.110.100, A 142.251.110.138, A 142.251.110.113, A 142.251.110.139, A 142.251.110.102 (124)
12:26:16.495831 IP 213.186.33.99.53 > 192.168.18.58.46745: 61375 4/0/0 AAAA 2a00:1450:4001:c1f::71, AAAA 2a00:1450:4001:c1f::8b, AAAA 2a00:1450:4001:c1f::65, AAAA 2a00:1450:4001:c1f::8a (140)
12:26:16.495942 IP 192.168.18.58.59382 > 142.251.110.101.443: Flags [S], seq 207633860, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
12:26:17.548699 IP 192.168.18.58.59382 > 142.251.110.101.443: Flags [S], seq 207633860, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
12:26:18.572698 IP 192.168.18.58.59382 > 142.251.110.101.443: Flags [S], seq 207633860, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
12:26:19.596684 IP 192.168.18.58.59382 > 142.251.110.101.443: Flags [S], seq 207633860, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
12:26:20.620687 IP 192.168.18.58.59382 > 142.251.110.101.443: Flags [S], seq 207633860, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
12:26:21.644685 IP 192.168.18.58.59382 > 142.251.110.101.443: Flags [S], seq 207633860, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
12:26:23.692688 IP 192.168.18.58.59382 > 142.251.110.101.443: Flags [S], seq 207633860, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
12:26:27.724696 IP 192.168.18.58.59382 > 142.251.110.101.443: Flags [S], seq 207633860, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
12:26:35.852684 IP 192.168.18.58.59382 > 142.251.110.101.443: Flags [S], seq 207633860, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
^C
13 packets captured
13 packets received by filter
0 packets dropped by kernel
Following is the tcpdump captured from the HOST for the traffic arriving from the LXC with IP 192.168.18.58 trying to reach a public FTP host - SUCCESS
tcpdump -i Vnet0 host 192.168.18.58 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on Vnet0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:26:50.980959 IP 192.168.18.58.41764 > 213.186.33.99.53: 25955+ A? ftp.cluster128.hosting.ovh.net. (48)
12:26:50.980974 IP 192.168.18.58.41764 > 213.186.33.99.53: 59745+ AAAA? ftp.cluster128.hosting.ovh.net. (48)
12:26:51.011200 IP 213.186.33.99.53 > 192.168.18.58.41764: 25955 1/0/0 A 5.135.37.212 (64)
12:26:51.021123 IP 213.186.33.99.53 > 192.168.18.58.41764: 59745 0/1/0 (96)
12:26:51.021179 IP 192.168.18.58.49862 > 5.135.37.212.21: Flags [S], seq 23797078, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
12:26:51.032576 IP 5.135.37.212.21 > 192.168.18.58.49862: Flags [S.], seq 604620498, ack 23797079, win 42340, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
12:26:51.032586 IP 192.168.18.58.49862 > 5.135.37.212.21: Flags [.], ack 1, win 63, length 0
12:26:51.046155 IP 5.135.37.212.21 > 192.168.18.58.49862: Flags [P.], seq 1:82, ack 1, win 83, length 81: FTP: 220- ~~~ Welcome to OVH ~~~
12:26:51.046159 IP 192.168.18.58.49862 > 5.135.37.212.21: Flags [.], ack 82, win 63, length 0
12:26:51.046171 IP 192.168.18.58.49862 > 5.135.37.212.21: Flags [P.], seq 1:17, ack 82, win 63, length 16: FTP:
12:26:51.057398 IP 5.135.37.212.21 > 192.168.18.58.49862: Flags [.], ack 17, win 83, length 0
12:26:51.057694 IP 5.135.37.212.21 > 192.168.18.58.49862: Flags [P.], seq 82:124, ack 17, win 83, length 42: Password required
12:26:51.057703 IP 192.168.18.58.49862 > 5.135.37.212.21: Flags [P.], seq 17:39, ack 124, win 63, length 22: FTP: PASS ftp@example.com
12:26:51.115508 IP 5.135.37.212.21 > 192.168.18.58.49862: Flags [.], ack 39, win 83, length 0
12:26:55.321924 IP 5.135.37.212.21 > 192.168.18.58.49862: Flags [P.], seq 124:157, ack 39, win 83, length 33: FTP: 530 Login authentication failed
12:26:55.321977 IP 192.168.18.58.49862 > 5.135.37.212.21: Flags [F.], seq 39, ack 157, win 63, length 0
12:26:55.333438 IP 5.135.37.212.21 > 192.168.18.58.49862: Flags [P.], seq 157:170, ack 40, win 83, length 13: FTP: 530 Logout.
12:26:55.333452 IP 192.168.18.58.49862 > 5.135.37.212.21: Flags [R], seq 23797118, win 0, length 0
12:26:55.334250 IP 5.135.37.212.21 > 192.168.18.58.49862: Flags [F.], seq 170, ack 40, win 83, length 0
12:26:55.334253 IP 192.168.18.58.49862 > 5.135.37.212.21: Flags [R], seq 23797118, win 0, length 0
12:26:56.332687 ARP, Request who-has 192.168.18.58 tell 192.168.18.1, length 28
12:26:56.332711 ARP, Reply 192.168.18.58 is-at bc:24:11:46:1f:0e, length 28
^C
22 packets captured
22 packets received by filter
0 packets dropped by kernel
Thank you!!
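As an added example (not part of the original post), a small Python parser for the `tcpdump -n` output shown above: it groups TCP packets per client flow, reports which flows only ever show client SYNs with no SYN-ACK coming back, and summarises that per destination port, which is the comparison made by eye above (port 443 never answered, port 21 answered). The embedded capture is a constructed, shortened version of the two captures in the post.

```python
import re
from collections import defaultdict

# Matches the IPv4 TCP lines tcpdump prints with -n:
#   "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCP_LINE = re.compile(
    r"^\S+ IP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+): Flags \[([^\]]*)\]"
)

def classify_flows(capture):
    """Return {(client_ip, client_port, server_ip, server_port): (state, syn_count)}.
    state is 'established' when a SYN-ACK for the flow was seen, else 'syn-only'."""
    syns, synacks = defaultdict(int), set()
    for line in capture.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue  # DNS, ARP and other non-TCP lines are skipped
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":
            syns[(src, int(sport), dst, int(dport))] += 1
        elif flags == "S.":
            # SYN-ACK travels server -> client; key it by the client side
            synacks.add((dst, int(dport), src, int(sport)))
    return {f: ("established" if f in synacks else "syn-only", n) for f, n in syns.items()}

def ports_summary(report):
    """Per destination port: (flows that never got a SYN-ACK, flows total)."""
    out = defaultdict(lambda: [0, 0])
    for (_, _, _, dport), (state, _) in report.items():
        out[dport][1] += 1
        if state == "syn-only":
            out[dport][0] += 1
    return {p: tuple(v) for p, v in out.items()}

# Constructed sample, shortened from the two captures in the post.
SAMPLE = """\
12:26:16.491541 IP 192.168.18.58.46745 > 213.186.33.99.53: 37054+ A? google.com. (28)
12:26:16.495942 IP 192.168.18.58.59382 > 142.251.110.101.443: Flags [S], seq 207633860, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
12:26:17.548699 IP 192.168.18.58.59382 > 142.251.110.101.443: Flags [S], seq 207633860, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
12:26:18.572698 IP 192.168.18.58.59382 > 142.251.110.101.443: Flags [S], seq 207633860, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
12:26:51.021179 IP 192.168.18.58.49862 > 5.135.37.212.21: Flags [S], seq 23797078, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 10], length 0
12:26:51.032576 IP 5.135.37.212.21 > 192.168.18.58.49862: Flags [S.], seq 604620498, ack 23797079, win 42340, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
12:26:51.032586 IP 192.168.18.58.49862 > 5.135.37.212.21: Flags [.], ack 1, win 63, length 0
12:26:56.332687 ARP, Request who-has 192.168.18.58 tell 192.168.18.1, length 28
"""

if __name__ == "__main__":
    report = classify_flows(SAMPLE)
    for flow, (state, n) in report.items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {state} ({n} SYN)")
    print("per destination port (unanswered, total):", ports_summary(report))
```

Feed it a real capture with `python3 synscan.py < capture.txt` after replacing `SAMPLE` with `sys.stdin.read()`; a port whose every flow is `syn-only` while other ports complete points at a filter or NAT path specific to that port rather than general connectivity.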